27 February 2019



A SunSpec CA Rule 21 PKI Primer

Author: SunSpec

On August 22, 2019, California interconnection Rule 21 Phase 2, and parts of Phase 3, become effective. At that time, most new residential and commercial Distributed Energy Resource (DER) systems composed of PV only or PV + storage must be ready to communicate with the host utility using a protocol called Institute of Electrical and Electronics Engineers Standard (IEEE Std.) 2030.5-2018. This protocol includes the requirement for Transport Layer Security (TLS) and strong encryption.

Inherent in the TLS standard is the need for Public Key Infrastructure (PKI). PKI is the preferred method for securing networked ecosystems due to its strength and scalability. Ecosystems as diverse as internet browsing, online banking, cable modems, and now DER systems, have adopted PKI to ensure trust around the globe. For embedded applications such as DER devices, advances in hardware and semiconductors allow for strong encryption using Elliptic Curve Cryptography (ECC) to be implemented in small devices economically, thus enhancing the value of PKI in this space.

The March 25 SunSpec CA Rule 21 workshop, cohosted by Solarplaza, will feature discussions related to the security requirements of IEEE 2030.5 and how they apply to California DER networks comprised of clients (including gateways and smart inverters with embedded communications), aggregators (and their “cousins” known as Energy Management Systems), and utility servers. The workshop will also describe cryptography options, credential management, revocation, the general concept of trust chains, and global supply chain implications.

California Rule 21 Impact
Distributed Energy Resources, including solar, energy storage, and electric vehicle (EV) charging infrastructure, are revolutionizing how electricity is generated and consumed across the globe. California is leading the energy revolution and has policies in place that require 100% of energy generated in California come from renewable sources by the year 2045. A significant portion of this capacity will come from DER installed on homes, commercial buildings, and campuses.

To achieve DER deployment goals, California modified interconnection Rule 21 to require that all systems installed after August 22, 2019 be capable of communicating with the host utility. The default DER-to-utility communication standard is IEEE 2030.5. Configuration options stipulated in the Common Smart Inverter Profile (CSIP) document refine the California requirements.

California Rule 21 states that products using the communication standard must be evaluated against the SunSpec Common Smart Inverter Profile Conformance Test Procedures that were published May 22, 2018. These procedures define the functional criteria for CA Rule 21 data communication and interoperability testing.

Given state policy mandates, approximately 250,000 DER systems per year (those installed in Investor Owned Utility territory) will require SunSpec Certification to the IEEE 2030.5/CSIP standard. In just a few short years, millions of systems must comply with these standards.

SunSpec Official PKI

To address these critical needs, the SunSpec Alliance established the SunSpec Official PKI. The SunSpec Official PKI establishes the identity of people, devices, and services, enabling controlled access to systems and resources, protection of data, and accountability in transactions. The PKI is the foundation that enables the use of encryption across large populations of devices and users, and is essential for a secure and trusted environment.

The SunSpec Official PKI secures communications between DERs, which can include inverters, aggregators and servers, and the larger power grid.

The SunSpec Official PKI contributes to the security level of networks including DERs by ensuring:

  • Authentication: Validate identities to ensure only authorized users and devices have access to a server.
  • Encryption: Use a certificate to create an encrypted session, so information can be transmitted privately.
  • Data Integrity: Ensure any messages or data transferred to and from devices and servers are not altered.

PKI Hierarchy and Structure

PKIs are generally segregated into branches according to the type of element and the security properties characteristic of elements of that type. Each type of element is grouped under a separate sub-CA (Subordinate Certificate Authority) that issues certificates with data and properties appropriate for that element type. For example, end device elements might have a very long certificate validity period if they are deployed in the field and are difficult to update. Servers, on the other hand, might have shorter-lived certificates because they are easier to update and are also potentially more vulnerable due to their dependency on software for key storage.
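
The branch structure described above can be reproduced on a workstation with the OpenSSL command line. This is an added example, not the SunSpec or Kyrio certificate profile: the CA names, subject fields and lifetimes are constructed assumptions, chosen only to show a long-lived device branch, a short-lived server branch, and a leaf failing validation through the wrong branch.

```bash
#!/bin/sh
# Constructed demo hierarchy: names and lifetimes are assumptions, not the SunSpec profile.
set -eu

# issue <name> <issuer|self> <days> <true|false: is this certificate a CA?>
issue() {
  name=$1; issuer=$2; days=$3; ca=$4
  # ECC P-256 key pair, small enough for embedded DER devices
  openssl ecparam -name prime256v1 -genkey -noout -out "$name.key"
  if [ "$ca" = true ]; then usage=keyCertSign,cRLSign; else usage=digitalSignature; fi
  printf 'basicConstraints=critical,CA:%s\nkeyUsage=critical,%s\n' "$ca" "$usage" > "$name.ext"
  openssl req -new -key "$name.key" -subj "/O=Example DER PKI/CN=$name" -out "$name.csr"
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" \
      -days "$days" -sha256 -extfile "$name.ext" -out "$name.crt"
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days "$days" -sha256 -extfile "$name.ext" -out "$name.crt"
  fi 2>/dev/null
}

build_pki() {
  issue root self 10950 true                     # trust anchor
  issue device-subca root 9000 true              # branch for field devices
  issue server-subca root 3650 true              # branch for servers
  issue inverter-001 device-subca 7300 false     # long-lived: hard to update in the field
  issue utility-server server-subca 365 false    # short-lived: software key storage, easy to renew
}

# chain_ok <leaf> <subca>: validate the leaf through one branch up to the root
chain_ok() { openssl verify -CAfile root.crt -untrusted "$2.crt" "$1.crt" >/dev/null 2>&1; }

# outlives <cert> <days>: true if the certificate is still valid <days> from now
outlives() { openssl x509 -in "$1.crt" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; }

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
build_pki
chain_ok inverter-001 device-subca && echo "inverter validates through the device branch"
chain_ok inverter-001 server-subca || echo "inverter rejected through the server branch"
outlives inverter-001 730 && echo "device certificate still valid in two years"
outlives utility-server 730 || echo "server certificate must be renewed within two years"
```

A relying party that trusts only the root still needs the correct sub-CA certificate to build the chain, which is why each branch can carry its own issuance policy and be revoked without touching the other.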

Customer PKI Implementation Process

The SunSpec Official PKI is designed to increase stakeholder confidence in Distributed Energy Resource communication solutions, including those enabling interoperability of smart inverters, smart PV modules, EV charging, and energy storage.

Any SunSpec member may access test certificates for product development. Once development is complete, companies seeking IEEE 2030.5/CSIP certification embed test certificates in their products prior to submitting them to a SunSpec Authorized Testing Laboratory for validation.

When testing is successfully completed, test results are passed to the SunSpec Alliance for validation and the product is listed as SunSpec Certified. SunSpec Certified products are then given access to the production PKI.

SunSpec Official PKI Technology Provider

On February 22, 2019, SunSpec announced Kyrio, a subsidiary of CableLabs®, as the SunSpec Official PKI Provider. Kyrio will deliver Public Key Infrastructure services to global member companies with SunSpec Certified™ software and hardware. Kyrio has a long history in the business and has served up billions of digital certificates.

For more information about the SunSpec PKI program see and join us on March 25.

Join the workshop on March 25, one day before the pre-eminent Solar Asset Management North America 2019 conference, taking place in the high-powered and ambitious city of San Francisco.
