Interconnection Gets Teeth: Virginia Puts Cyber into the Rulebook

By Patrick Miller

Virginia moves cyber into DER interconnection. State Corporation Commission (SCC) Staff proposes adopting IEEE 1547.3-2023 and the NARUC/DOE Baselines, requiring utilities to publish minimum cybersecurity standards, audit & report annually, and align Technical Interconnection (TIIR) settings for secure comms/ports. Bottom line: meeting utility cyber controls becomes a condition of interconnection.

Overview

Virginia is about to make something long discussed in DER circles very real: cybersecurity will live inside the interconnection rules—not beside them. Staff at the State Corporation Commission (SCC) recommends adopting IEEE 1547.3-2023 and the NARUC/DOE Cybersecurity Baselines by reference, and then requiring each utility to publish, audit, and annually report against utility-specific minimum cyber standards for interconnecting customers.

What Changed

Beyond cybersecurity, the Staff proposal would streamline Virginia’s DER interconnection mechanics: clarify material modifications (one-time downsizing up to 75% before the Facilities Study Agreement; POI moves within the same protection zone not material; “daily production profile” changes still material), add queue-management guardrails (Project B waits until Project A reaches Facilities Study/executed IA), modernize dispute resolution (toll timelines; notify SCC staff after 20 business days), relax Level-1 insurance (no blanket pre-interconnection proof, provide on request), update definitions (IEEE 1547-2018 “DER” and an Energy Storage Systems definition), and tighten schedules/transparency (explicit study deadlines, 5-day delay warnings, revised forms/TIIR with preferred 1547 settings and comms/ports). Below, we focus on just the cyber-related issues.

• Standards in by reference. Virginia would incorporate IEEE 1547.3-2023 (DER cyber guide) and the NARUC Cybersecurity Baselines into Chapter 314 and Schedule 3 (Certification Codes and Standards), placing cyber expectations in the same paperwork stack as technical conformance.

• Utility minimums with accountability. Every utility must publish utility-specific minimum cybersecurity standards for interconnection customers based on, and not conflicting with 1547.3 and the Baselines, post them publicly, test/validate/audit at least annually, report annually to PUR Staff, and stand up an incident-notification pathway to the Commission.

• Preview of practice. One Virginia utility has supplied a draft Minimum Cybersecurity Standard as an example. Think: no internet-exposed ICS, MFA for remote admin, segmented networks with deny-by-default, central log collection/SOC review, patching cadence, backups, wireless hardened per NIST 800-82, a credible indicator of where “minimums” will land.

• No “one-size-fits-all,” but Commission oversight. Staff rejects making requirements “voluntary for utilities” while mandatory for developers; instead, Commission-overseen utility minimums set the bar; how audits happen (utility-led, self-certs, third-party) is flexible, but audits will definitely happen.

Why This Matters

• It moves cyber from guidance to gatekeeper: a utility can condition interconnection on meeting published cyber minimums harmonized to recognized standards.

• It aligns with state-level general direction: the NARUC/DOE Baselines have been created specifically for distribution and DERs.

IEEE 1547.3-2023 in Plain Language

1547.3 is the “how to secure it” companion to IEEE 1547 (what DERs must do) and 1547.1 (how we test). It focuses on device identity, secure comms/control paths, protocol hardening, and lifecycle governance across DERs, aggregators, and utilities. Staff explicitly frames 1547.3 as a best-practice guide for securing DER communications that references the protocol measures embedded in 1547/1547.1, now baked into Virginia’s process via Schedule 3.

IEEE’s description is straightforward: it’s a guide for cybersecurity of DERs interconnected with electric power systems. This is the exact scope you need at interconnection.

Translation: you’ll be expected to demonstrate cybersecurity controls such as secure enrollment and credentials, protected data-in-transit, least-privilege command/control, and defensible device configurations across the interconnection boundary, consistent with the utility’s published minimums.

NARUC/DOE Cybersecurity Baselines

The Cybersecurity Baselines for Electric Distribution Systems and DER are risk-based, non-prescriptive “minimums” for distribution systems and DERs. The Baselines were created by NARUC, DOE/CESER, and a wide spectrum of utilities and industry stakeholders. They’re mapped to, among other standards/regulations, the NIST CSF (Identify/Protect/Detect/Respond/Recover) and are specifically designed and packaged for commissions, utilities, and DER operators/aggregators to adopt. Expect requests like: asset inventory, unique credentials & MFA, segment/deny-by-default, no internet-exposed services, central logging/retention, backups/IR testing, and vendor vulnerability/incident reporting.

How Virginia Will Operationalize This

• Publish minimums (utility websites) tied to 1547.3 and the Baselines. The expectation is a set of testable controls that interconnecting customers must meet.

• Audit/assure annually (utility-led, self-cert, or third-party), with annual cyber performance reporting to Division of Public Utility Regulation (PUR) Staff and incident notification to the Commission.

• Integrate with TIIR. Utilities must file a Technical Interconnection and Interoperability Requirements (TIIR) doc for 1547 settings including comms protocols and ports, a natural place to specify secure protocol choices, open-port whitelists, and on-ramp controls for DER telemetry/control.

What It Means for Developers & Aggregators

Build an evidence package you can hand to any Virginia utility:

1. Asset inventory and network map for in-scope DER/ICS and data flows.

2. Network segmentation with deny-by-default, only required ports open; no services reachable from the public internet.

3. Access control: unique accounts, MFA for remote admin, rapid de-provisioning, rotated non-default credentials.

4. Secure comms end-to-end for ICS/DER data leaving the site; wireless hardened per NIST 800-82.

5. Central logging and retention (firewall and device logs) with alert triage and case tracking.

6. Patch/firmware hygiene and tested backups/restore for DER gateways, servers, and HMIs.

Pro tip: If you can show conformance to the utility’s posted minimums and map your controls to 1547.3/Baselines, you will reduce back-and-forth during witness testing and avoid “surprise” retests.

What It Means for Utilities

Your homework is due on your utility website. Draft and publish a Minimum Cybersecurity Standard that is (1) consistent with 1547.3 and the Baselines, (2) testable at interconnect, and (3) auditable annually.

Dominion’s draft offers a workable pattern: policy set, credential rules, segmentation, no internet-exposed ICS, MFA for remote access, SOC-visible logging, patching/backups, wireless controls, removable-media hygiene, and foreign-developed tech risk posture.

Then align your TIIR comms/ports section with those minimums. Don’t allow insecure protocols by default and keep the allowed-ports list tight and published.

How This Plays with Federal/NERC Activity

Stakeholders raised potential overlap with upcoming NERC Inverter-Based Resource (IBR) efforts and asked for federal precedence where applicable. Staff’s approach avoids conflict by referencing existing industry guidance (1547.3 & Baselines) and requiring utility-specific translations under state jurisdiction for distribution interconnections. Keep watching how NERC scopes IBR and whether any >=20 MW distribution-connected resources become dual-covered in practice.

Open Questions to Watch

• Scope/retroactivity: Will audits touch legacy interconnected DERs or only new/modified ones? Staff notes “how audits happen matters less than ensuring compliance,” but timing and scope need clarity in final rule language.

• Evidence expectations: What constitutes sufficient proof at witness testing? Will attestation, config export, packet capture, or third-party letter be sufficient evidence? Expect variation by utility.

• Protocol baselines: How will utilities specify secure protocol stacks (e.g., IEEE 2030.5 with profile constraints) inside TIIR?

Enforcement Status

Right now, it’s at the staff-recommendation stage. On January 21, 2025, PUR Staff filed a report in Case No. PUR-2023-00069 with proposed redlines to Chapter 314 and recommendations (including adopting IEEE 1547.3-2023 by reference and aligning with NARUC’s Cybersecurity Baselines). The filing attaches the draft redlines and a sample utility cybersecurity standard, but it is not an adopted regulation. Further Commission action is required (e.g., an order and rulemaking step) before anything becomes binding.

The Staff Report doesn’t set an effective/enforceable date. That would come only if/when the Commission issues an order adopting final regulations (and sets an effective date through the normal promulgation process).

Bottom Line

Virginia is making a clear move to turn “secure your DERs” from a whitepaper into a condition of interconnection. The new approach is anchored to IEEE 1547.3-2023 and the NARUC/DOE Baselines, with utility-published minimums, annual assurance, and incident reporting baked in. If you interconnect in Virginia, whether utility or developer, the smart move is to treat these as live requirements now and build your artifacts accordingly.

Featured Posts