Cybersecurity Guidelines for Energy Resource Aggregation Business Revised

1. About the Cybersecurity Guidelines for ERAB Version 3.0

The guidelines set out the cybersecurity measures to be implemented by companies participating in the energy resource aggregation business (hereinafter referred to as “ERAB”), which makes use of demand side resources, such as small power sources, power storage systems, and demand response (hereinafter referred to as “DR”) programs. (Formulated in April 2017 and revised in November 2017 and in December 2019.)

2. Background and details of the latest revision

Recently, due to the expansion of ERAB and changes in the business environment, threats that were not assumed at the initial stage are increasing, along with the expanded use of DR company-equipment connection systems that do not use gateways and of IoT devices. Also, cyberthreats caused by the vulnerability of IoT devices have been on the increase, leading to progressive reviews of device security assessment systems and guidelines. In light of this situation, the Study Group on Next-Generation Distributed Power Systems carried out a review to revise the guidelines and compiled a draft for the Cybersecurity Guidelines for ERAB Version 3.0. Subsequently, public opinions were solicited for the draft during the period from Wednesday, December 25, 2024, to Friday, January 31, 2025.

Based on the opinions collected, a report on the Cybersecurity Guidelines for ERAB Version 3.0 (draft) was presented at the 12th meeting of the Study Group on Next-Generation Power Systems held on Monday, March 3, 2025, and the draft was finalized to become the Cybersecurity Guidelines for ERAB Version 3.0. Major revisions from the previous version are as follows.

Major revisions

• DR service provided without using a physical gateway
  While the previous version of the guidelines had assumed that DR devices were controlled mainly through physical gateways, measures were examined for cases in which devices are controlled through a cloud gateway or not through a gateway, and the results were incorporated into the new version.
• Threats caused by the vulnerability of terminal IoT devices
  Due to a dramatic increase in the number of IoT products connected to the Internet, cyberthreats caused by the vulnerability of IoT devices have also been on the rise. Accordingly, response measures were examined based on the IoT Product Security Conformity Assessment Scheme, and the results were incorporated into the new version.
• Risks posed by the information that aggregators obtain from devices
  There are concerns regarding the security risks caused by the diversification of information about the controlled devices and other related information, such as on how devices are utilized, based on which it can be guessed whether the user is present at the site or not. In response to these concerns, measures against these risks were examined, and the results were incorporated into the new version.

Related Materials (in Japanese)

• Cybersecurity Guidelines for Energy Resource Aggregation Business Ver 3.0

Related Links (in Japanese)

• Webpage that provides a link to the Cybersecurity Guidelines for Energy Resource Aggregation Business Ver 3.0
• Results about the process to solicit public opinions for the Cybersecurity Guidelines for Energy Resource Aggregation Business Ver. 3.0 (draft)
• Study Group on Next-Generation Distributed Power Systems

Division in Charge

Advanced Energy Systems and Structure Division, Energy Efficiency and Renewable Energy Department, Agency for Natural Resources and Energy