Q&A With Danish Saleem: A 'Bottomless Cyber Enthusiast' Works To Secure U.S. Power Grid Against Hackers
Manufacturing Masterminds Series
In late December 2022, residents of Buffalo, New York, woke up to find their city smothered in snow. A blizzard, which brought not just dangerous drifts but also frigid temperatures, froze everything from power stations to emergency services.
“They were sitting ducks,” said Danish Saleem, a senior energy systems cybersecurity researcher at the National Renewable Energy Laboratory (NREL) who constantly monitors the news for these kinds of power-related horror stories. The blizzard lasted about five days. Wind chill temperatures plunged below zero Fahrenheit. At one point, nearly 1.7 million people were left without power. By the end, the blizzard claimed close to 50 lives.
“New York state was not prepared for it,” Saleem said. “The same might happen if there’s a cyberattack.”
But Saleem hopes to change that—by preparing the U.S. power system for future attacks. Today, the U.S. power grid is made up of more than 7,300 power plants, which produce about 1.25 million megawatts and serve close to 160 million customers. As plant owners and operators digitize, modernize, and electrify their systems to increase efficiency and reduce carbon emissions, it has becoming more challenging—and necessary—to keep these digital systems secure.
“The more I talk to the manufacturers of wind turbines, solar inverters, and electric vehicles, or to the customers who buy these devices, the more I understand that our work in cyber will never be done,” Saleem said.
For more than six years, Saleem has focused primarily on distributed energy systems that, like rooftop solar panels, typically serve customers located nearby. As of 2021, these systems contribute about 740,000 megawatts to the U.S. power grid and are rapidly proliferating. And yet, there currently is no unified cybersecurity certification standard that these manufacturers must adhere to.
Now, Saleem hopes to implement what he calls “security by design,” or a way to build security into devices when they are manufactured. Through constant communication with distributed energy stakeholders and federal partners, he is helping develop cybersecurity standards to protect the country’s power grid from the rising threat of hackers.
In the latest Manufacturing Masterminds Q&A, Saleem shares his journey from irresponsible kid to cybersecurity maven; how a hacker could exploit one weakness to cut off power to hundreds of thousands of homes; and how he is helping manufacturers build security into their devices, including wind turbines and solar panels.
You’re kind of like a superhero for the grid, and all superheroes have an origin story—what’s yours?
When I was in high school, I was not a responsible kid at all. Just like most teenagers, I too spent a lot of time doing nonproductive things, getting into trouble, instigating sibling quarrels, and neglecting my academics. However, I knew that my uncle, who has been living in Yonkers, New York, for the last 25 years, is a very successful businessman and reputable person in our family. I wanted to be like him. He got his degree in mechanical engineering from one of the most prestigious universities of Pakistan, NED University of Engineering and Technology. So, I too wanted to enroll in the same university, but getting in was a challenge because the acceptance ratio was low.
And yet, you got in.
Yes. But in my four years at the university, I was constantly thinking about how to get higher education from the United States and follow my uncle’s footsteps. He completed his master’s in mechanical engineering from The University of Oklahoma.
Except your route took you to Florida instead of Oklahoma. What was it like to get your master’s degree from Florida International University?
I am a Pakistani American. And when you are a foreign national—or nonresident alien, as per the U.S. Citizenship and Immigration Services—pursuing your degree, you must have a job within three months after you graduate. Otherwise, per law, you are required to go back to the country you came from. This adds extra pressure, extreme nervousness, and hefty uncertainty on foreign national students that can feel like a weight hanging over our shoulders. And getting a job was not just a requirement; it was also a financial burden because the tuition cost for foreign national students can be up to three times more than in-state tuition fees.
Were you able to get a job before the three months were up?
Yes. I was hired in 2016 as a power systems cybersecurity intern at NREL and became a full-time cybersecurity researcher in six months.
So, why do we need cybersecurity for power systems? What’s the risk?
There are multiple risks. Complete loss of power and danger to human life are just a couple. What happened to the residents of Buffalo, New York, could be something that happens again in the case of a mega cybersecurity breach. If there were widespread disruption to the power grid, we could see loss of life from extremely cold temperatures without running heat.
So, like we saw in Buffalo, New York, a storm can knock out power. What can a cyberattack do?
An adversary doesn’t need to attack all the energy infrastructure; they just need to attack critical resources, and the rest will follow. Recently, a cyberattack knocked out the remote connection to 5,800 wind turbines (11 gigawatts) in Europe, resulting in up to 200,000 houses losing power for about a day. If a gigawatt power generator goes out, that power must be fed by some other generating source. If that one gets overloaded, it must be fed by another. This is called a cascading effect, and it can potentially lead to a blackout for several hours or even days.
That sounds scary.
It indeed is. That’s why it is very important to ensure that we’re as prepared as possible to respond to cyberattacks when they occur in the United States.
But how do you do that, make sure these attacks don’t happen here?
Together with the talented researchers at NREL and other national laboratories—and with support from several projects funded by the U.S. Department of Energy (DOE)—we are helping the distributed energy industry mitigate or reduce the probability of cyberattacks.
Some examples include supporting the development of a cyber certification standard for distributed energy resources, establishing public-private partnerships with industry to improve the cybersecurity of renewable energy technologies, and developing cutting-edge cybersecurity technologies, like advanced encryption between distributed energy resources and inverter-based resources (which include solar panels, wind turbines, and battery storage systems) and wider power system networks.
Tell me more. What’s the goal of this work?
In simple words, the goal is to help secure America's electric power generation, transmission, and distribution under rapid grid transformation and to advance cybersecurity controls for distributed energy resources and inverter-based resources as these continue to grow in the electricity ecosystem.
To support this goal, we need a national cybersecurity certification standard and a unified cybersecurity approach. Part of my work is to support the development of a national cybersecurity certification for distributed energy resources and for inverter-based resources, primarily funded by DOE’s Solar Energy Technologies Office. I also serve as vice chair for an Institute of Electrical and Electronics Engineers standards committee working group to help develop a cybersecurity guide for distributed energy resources. A few months ago, I led a Securing Solar for the Grid workshop at NREL, in which more than 50 renewable energy industry members and representatives from multiple federal organizations participated.
What’s next?
NREL recently became a strategic member of the Cybersecurity Manufacturing Innovation Institute, which is sponsored by DOE’s Advanced Materials and Manufacturing Technologies Office and co-managed by DOE’s Office of Cybersecurity, Energy Security, and Emergency Response. This research institute is led by the University of Texas at San Antonio, with strategic and managing partners from national labs and research universities that have deep knowledge of cybersecurity. The institute supports early-stage R&D to improve the competitiveness of American manufacturing, secure supply chains, and bolster cybersecurity in energy-efficient manufacturing. I am leading that engagement from the NREL side and am excited to work with the institute and its partners.
What advice would you give to a young scientist who’s following in your footsteps?
Try to make connections with industry so you can create a bridge between the research you have been hired to do and the impact that research is going to make. I also believe that experienced mid- to senior-level researchers at NREL have a responsibility to train and mentor early-career researchers so they can focus on important skills besides their isolated research bubble.
Interested in building a clean energy future? Be like Saleem and launch your career as an NREL intern, read other Q&As from NREL researchers in advanced manufacturing, and browse open positions to see what it is like to work at NREL.