NREL Tool Provides Cybersecurity and Savings for Hydropower Plants

The Cybersecurity Value-at-Risk Framework Allows Hydropower Operators To Assess Their Risks and Make Informed Investments for Enhanced Cybersecurity

Nov. 1, 2021

Aerial photo of a hydropower plant with transmission lines on a river.
Photo courtesy of Rafael Kaup

With more variable renewables on the grid, hydropower could have new importance as a reliable baseline resource. However, the U.S. hydropower fleet is not fully prepared for modern challenges such as cybersecurity.

With support from the U.S. Department of Energy Water Power Technologies Office, a new National Renewable Energy Laboratory (NREL) and Argonne National Laboratory (ANL) tool named the Cybersecurity Value-at-Risk Framework (CVF) provides hydropower operators complete and customized assessments of their cybersecurity risks and demonstrates how different investments will help improve overall resilience.

“This is a much-needed framework for future security and resilience,” said Anuj Sanghvi, an NREL cybersecurity researcher who is helping develop the CVF. “Operators are eager to understand the right resilience investments for their systems, as well as the actual risks themselves. CVF can provide deep insight around how system-specific investments relate to cybersecurity and resilience.”

Hydropower, accounting for 37% of U.S. utility-scale renewable electricity, is challenged by diverse infrastructure and legacy devices that predate modern cybersecurity practices. New solutions cannot simply be bolted on to the antiquated technology, meaning there are no catch-all security solutions available to the hydro industry. Instead, custom assessments can help reveal specific threats and risk probabilities for a system and reveal how those threats translate into new investments.

How CVF Works

The CVF is meant to be easy and accessible for a facility manager to use. As an online tool, CVF guides users through a detailed analysis of the plant’s operations. Users answer a series of questions, and their responses are then compared against multidimensional criteria for environmental, operational, and economic impact. Results and data from the CVF include specific risk probabilities and scores that indicate financial value and the cybersecurity improvements required to withstand future threats.

The CVF leverages lessons from the NREL-developed Distributed Energy Resource Cybersecurity Framework (DER-CF), a successful tool originating from the federal government to secure its facilities, but with wide applicability to sites of many sizes and functions. The CVF borrows the DER-CF’s standardized cyber evaluation method and extends the scope to perform risk, impact, and likelihood scoring all within the valuation platform, angling the assessment to hydro-specific applications. Both frameworks follow National Institute of Standards and Technology guidance for criteria like data handling, risk scores, and environmental footprint, which also aligns facilities with relevant federal regulation.

Current Status

The CVF is currently being validated on an initial case study at Delta Montrose Electric Association’s hydropower facilities. Other utilities and federal agencies are also implementing the CVF and advising on its design. As feedback comes in, NREL and ANL will continue to develop the framework for web release sometime in 2023.

NREL offers opportunities for hydropower industry, university, and government agency members to leverage our research expertise and state-of-the-art capabilities in both cybersecurity and water power technologies. Join us in accelerating the movement to turn secure, renewable energy and energy-efficient solutions into practical applications. Learn more about working with NREL, or connect with Anuj Sanghvi at
