Cybersecurity for Behind-the-Meter Platforms

  • May 8
  • 5 min read

Last month, six federal agencies jointly issued Advisory AA26-097A, confirming active exploitation of internet-exposed industrial control systems (ICS) across U.S. critical infrastructure. Threat actors logged into programmable logic controllers using legitimate engineering software, tampered with configuration files, and manipulated operator displays — causing measurable operational disruption and financial loss.


On its face, the advisory targets bulk power assets covered by NERC's Critical Infrastructure Protection (CIP) standards. The threat techniques it documents, however, are not unique to those assets. For behind-the-meter (BTM) orchestration platforms, this advisory describes exactly how a compromised controller can convert a grid-edge asset into a system-level liability.


This insight covers four topics:


  • The advisory and the BTM perimeter — what AA26-097A applies to today, and where the boundary is moving.

  • The BTM cybersecurity standards landscape — IEEE 1547.3, NARUC/DOE Baselines, UL 2941.

  • Five design imperatives a BTM platform should already embed.

  • The regulatory trajectory through 2026–2029.



1. The Advisory and the BTM Perimeter

AA26-097A targets operational technology inside the bulk electric system, where NERC CIP applies mandatory cybersecurity requirements. Behind-the-meter (BTM) generation sits outside that perimeter today, with no mandatory federal cybersecurity standard.


That boundary is moving. NERC's IBR registration work is bringing previously unregistered Category 2 inverter-based resources into the registration framework, with a universal effective registration date of May 15, 2026 — the operational pathway that could ultimately bring some of these assets into low-impact CIP scope.


The threat techniques the advisory documents (valid credentials, internet-exposed devices, manipulation of control displays) apply to any networked OT, including the inverters, site controllers, and communications equipment in distributed energy portfolios. Most BTM portfolios are coordinated through cloud-based platforms that broker commands to those devices. Those platforms sit outside NERC CIP today, but they are exactly where AA26-097A techniques would be executed at scale.


The aggregation platform is the structural pivot. A single compromise at the cloud control layer can propagate to thousands of distributed assets simultaneously — converting a class of grid-edge devices into a coordinated attack surface. NERC's January 2026 CIP Roadmap confirms this structural gap explicitly, flagging low-impact systems and newly registered Category 2 IBRs as creating new avenues for adversaries to aggregate small compromises into large-scale effects.


BTM platforms that design to CIP-class expectations will be better aligned with where requirements and investor scrutiny are heading, regardless of current formal scope.


2. The BTM Cybersecurity Standards Landscape


There is no federal mandate equivalent to NERC CIP for distribution-connected assets. But the building blocks for one are substantially in place. Three frameworks anchor the voluntary regime today and define what binding requirements will likely look like.

 

IEEE 1547.3-2023 (the Foundation)

  • Status: published Dec 2023; voluntary guide.

  • What it covers: device identity, secure communications, protocol hardening, lifecycle governance for DERs.

  • Trajectory: the P1547 revision is expected to incorporate cybersecurity, making it part of binding interconnection requirements.


NARUC/DOE Baselines (the Access Model)

  • Status: published Feb 2024, Phase 2 in 2025; voluntary, state-adoptable.

  • What it covers: MFA for remote access, IT/OT segmentation, 24-hour access revocation. Designed for assets outside NERC CIP.

  • Trajectory: state adoption is the conversion path; Virginia PUR-2023-00069 is the leading indicator.


UL 2941 (the Verification)

  • Status: first edition Dec 10, 2025; voluntary certification.

  • What it covers: testable cybersecurity certification for DER and inverter-based resources, complementing UL 1741 (electrical safety).

  • Trajectory: procurement specs increasingly reference UL 2941; likely interconnection-relevant as the regime hardens.



Each is voluntary today. Together, they describe what mandatory BTM cybersecurity will look like once state regulators and the IEEE P1547 revision convert voluntary guidance into binding interconnection requirements. Platforms that embed these controls as native services now will face significantly lower retrofit costs as the regulatory floor rises.


3. Five Cybersecurity Design Requirements for BTM Platforms


BTM platforms cannot treat device-level hardening as sufficient. They need a security model that assumes some sites, controllers, and vendors will repeat the failure patterns highlighted in AA26-097A and still keeps the fleet safe. Taken together, the advisory, the NARUC/DOE Baselines, IEEE 1547.3, UL 2941, and NERC's January 2026 CIP Roadmap point to five concrete cybersecurity design requirements:

Figure: Five controls a BTM platform must enforce as native services. Because each operates independently, a single bypass does not cascade into class-wide compromise.

What unifies these five imperatives is the assumption of partial compromise. The platform's job isn't to prevent every breach — it's to ensure no single failure propagates into class-wide control. That is the structural answer to the aggregation risk AA26-097A demonstrates: a platform enforcing all five makes the advisory's documented threat techniques structurally difficult to execute at scale.
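As an added illustration of the partial-compromise posture described above (this is example code written for this page, not code from Simcore, the advisory, or any vendor's platform), the Python sketch below brokers dispatch commands from the cloud control layer to site controllers and layers independent checks drawn from the controls the page cites: MFA on remote access and time-bounded credentials rechecked on every command (the baselines' 24-hour revocation expectation), per-site authorization, a device-level setpoint envelope, and a blast-radius cap so one principal cannot touch more than a fixed share of fleet capacity per hour. The fleet, the tokens, the 10% budget, the one-hour window, and the names Gateway, Token, Command and run_scenario are all constructed for the example. The scenario replays the advisory's valid-credential technique: a stolen full-scope token gets two sites, is stopped at the third by the blast-radius budget, and is refused outright once revoked.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed fleet for the example: site id -> nameplate capacity in kW (20 x 500 kW = 10 MW).
FLEET_KW = {f"site-{i:02d}": 500.0 for i in range(1, 21)}

MAX_TOKEN_AGE_S = 24 * 3600     # assumed policy: credentials live at most 24 h (baselines' revocation window)
BLAST_RADIUS_FRACTION = 0.10    # assumed policy: one principal may touch <= 10% of fleet kW per window
WINDOW_S = 3600                 # sliding window for the blast-radius budget


@dataclass(frozen=True)
class Token:
    subject: str            # principal (operator, integrator service, ...)
    sites: frozenset        # sites this credential is allowed to command
    mfa_verified: bool      # remote access without MFA is refused
    issued_at: float        # epoch seconds


@dataclass(frozen=True)
class Command:
    site: str
    setpoint_kw: float      # requested real-power setpoint (negative = charge/import)


@dataclass
class Gateway:
    fleet_kw: dict
    revoked: set = field(default_factory=set)
    ledger: dict = field(default_factory=dict)   # subject -> [(timestamp, site)] within the window

    def revoke(self, subject: str) -> None:
        """Revocation is consulted on every command, so it takes effect immediately."""
        self.revoked.add(subject)

    def _sites_touched(self, subject: str, now: float) -> set:
        recent = [(t, s) for t, s in self.ledger.get(subject, []) if now - t < WINDOW_S]
        self.ledger[subject] = recent
        return {s for _, s in recent}

    def dispatch(self, token: Token, cmd: Command, now: float) -> tuple[bool, str]:
        # 1. Credential validity: revocation list and 24 h lifetime, rechecked per command.
        if token.subject in self.revoked:
            return False, "revoked"
        if now - token.issued_at > MAX_TOKEN_AGE_S:
            return False, "expired"
        # 2. MFA for remote access.
        if not token.mfa_verified:
            return False, "mfa_required"
        # 3. Least privilege: credential scope is per site, never implicit fleet-wide.
        if cmd.site not in token.sites:
            return False, "site_not_in_scope"
        cap = self.fleet_kw.get(cmd.site)
        if cap is None:
            return False, "unknown_site"
        # 4. Physical envelope: the site controller should enforce this again locally.
        if not -cap <= cmd.setpoint_kw <= cap:
            return False, "setpoint_out_of_envelope"
        # 5. Blast radius: one principal may command only a bounded share of fleet
        #    capacity per window, whatever the setpoint (curtail-to-zero counts in full).
        touched = self._sites_touched(token.subject, now)
        if cmd.site not in touched:
            budget = BLAST_RADIUS_FRACTION * sum(self.fleet_kw.values())
            exposure = sum(self.fleet_kw[s] for s in touched) + cap
            if exposure > budget:
                return False, "blast_radius_exceeded"
        self.ledger.setdefault(token.subject, []).append((now, cmd.site))
        return True, "accepted"


def run_scenario() -> dict:
    """Constructed scenario: a legitimate operator, then a stolen full-scope credential."""
    gw = Gateway(FLEET_KW)
    t0 = 1_700_000_000.0
    operator = Token("ops-anna", frozenset({"site-01", "site-02"}), True, t0)
    out = {
        "legit": gw.dispatch(operator, Command("site-01", 250.0), t0 + 60)[1],
        "out_of_envelope": gw.dispatch(operator, Command("site-01", 900.0), t0 + 61)[1],
        "out_of_scope": gw.dispatch(operator, Command("site-07", 250.0), t0 + 62)[1],
    }
    # Valid-credential technique: an integrator's full-scope token is stolen and used
    # to curtail every site to zero. The blast-radius budget stops it after two sites.
    stolen = Token("vendor-svc", frozenset(FLEET_KW), True, t0)
    verdicts = [gw.dispatch(stolen, Command(s, 0.0), t0 + 120 + i)[1] for i, s in enumerate(FLEET_KW)]
    out["fleet_curtail_accepted"] = verdicts.count("accepted")
    out["fleet_curtail_blocked"] = verdicts.count("blast_radius_exceeded")
    # Revocation closes the credential on the next command; age closes it regardless.
    gw.revoke("vendor-svc")
    out["after_revoke"] = gw.dispatch(stolen, Command("site-01", 0.0), t0 + 200)[1]
    out["stale"] = gw.dispatch(operator, Command("site-01", 0.0), t0 + MAX_TOKEN_AGE_S + 1)[1]
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point of the ordering is that the checks do not depend on one another: a forged MFA claim still hits the per-site scope, a fully scoped credential still hits the blast-radius budget, and the setpoint envelope is something the site controller can enforce on its own even if the cloud layer is lost. With a 10% budget over a 10 MW fleet, a curtail-to-zero loop from a stolen credential reaches two 500 kW sites and no more; tuning the budget and window to the portfolio's actual dispatch patterns is the operational decision the platform owner has to make.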


4. The Regulatory Trajectory through 2026–2029


If cybersecurity moves from voluntary guide to interconnection requirement, compliance costs that today surface post-commissioning will need to enter the project pro forma at development. Two recent FERC actions sharpen the near-term picture:


  • FERC PJM Co-Location Order (Dec 18, 2025; Docket EL25-49-000) — analyzed in our PJM BTMG insight. Found PJM's existing BTMG rules no longer just and reasonable; directs three new transmission services and a three-year transition.


  • FERC Order Nos. 918 and 919 (Mar 19, 2026) — Order 918 finalizes CIP-003-11 (low-impact); Order 919 finalizes 11 virtualization-enabled CIP standards. Implementation: 36 months (CIP-003-11), 24 months (virtualization).


For BTM and co-located generation entering low-impact CIP scope through Category 2 IBR registration, these obligations define the compliance surface.

Figure: the full 2023–2029 trajectory. Voluntary frameworks were already in place before 2026. The advisory year compresses regulatory attention into a narrow window, and the binding mandates following it run on fixed implementation clocks through 2029.

Platforms that build NARUC/DOE Baselines and UL 2941 controls into default project templates today let developers treat cybersecurity as a predictable line item, not a bespoke retrofit. That predictability itself becomes a competitive differentiator in deal underwriting.

Closing thoughts


AA26-097A did not create this regulatory trajectory. The standards and baselines were already published. The state proceedings were already underway. The NERC Roadmap had already flagged the gap. What the advisory does is confirm — with empirical evidence from active exploitation — that the threat model is real and current.

The April 20, 2026 DPA determination on grid infrastructure adds a parallel signal: grid hardware fragility and cyber fragility are two faces of the same resilience problem. Multi-year hardware lead times make hardware-agnostic, modular architectures a security requirement — not just an operational preference.

For developers and capital providers, the question isn't whether mandatory BTM cybersecurity is coming. It's whether current platforms are architected to absorb those requirements when they arrive — and whether that architecture is already a source of competitive differentiation today.


© 2025 Simcore Partners LLC, including its subsidiaries and affiliates, is a consulting firm and not a certified public accounting firm or a law firm. All Rights Reserved.
