Hydroelectric power, which supplies 37% of U.S. utility-scale renewable electricity, is challenged by diverse infrastructure and legacy devices that predate modern cybersecurity practices. There is no single solution available to operators, who require custom assessments to reveal specific threats and risk probabilities for each system and highlight how those threats translate into new investments.

The Cybersecurity Value-at-Risk Framework (CVF) developed by the U.S. National Renewable Energy Laboratory (NREL) and U.S. Argonne National Laboratory provides such a tool. The online tool system guides users through a detailed analysis of a plant’s operations, comparing responses against multidimensional criteria for environmental, operational and economic impact. Results and data from the CVF include specific risk probabilities and scores that are indicative of financial value and that require cybersecurity improvements to withstand future threats.

The CVF leverages lessons from the NREL-developed Distributed Energy Resource Cybersecurity Framework (DER-CF), a successful tool originating from the federal government to secure its facilities, but with wide applicability to sites of many sizes and functions. The CVF borrows the DER-CF’s standardized cyber evaluation method and extends the scope to perform risk, impact and likelihood scoring all within the valuation platform, angling the assessment to hydro-specific applications.

The CVF is currently being validated on an initial case study at Delta Montrose Electric Association’s hydropower facilities in Colorado. Other utilities and federal agencies are also implementing the CVF and advising on its design. Developers are planning for a web release sometime in 2023.