Cybersecurity Deployment Process for Renewable Installations – Part 2

Implementation & Construction

This is the second post in a three-part series about the cybersecurity deployment process for renewable installations. In the previous post, we discussed the initial design and development phase. In this post, we will discuss the implementation and construction phase. Here are some of the primary considerations during this phase, including common pitfalls and core principles. 

Asset Management 

It might seem counterintuitive, but asset management begins during the construction phase. As you implement assets into the field during this process, they are built into the asset management system. 

Alignment & Coordination

Similar to the design stage, it’s vital that all parties understand their responsibilities during the implementation phase so that everyone remains on the same page. It’s not uncommon for there to be confusion when things that were planned begin to take form and impact ongoing operations. 

Firewall & ACLs

Firewall and Access Control List (ACL) rules that dictate where your traffic can and can’t go and the ways you’re segmented are implemented during this phase. It’s critical to design and implement these rules in a manner that delivers traffic on as-needed basis and avoid overly general permissions.

Change Freeze/Lock

Once you’ve achieved a meaningful configuration, you need to lock everyone out and “freeze” it. This is the beginning of  the change management program and it ensures that you are protecting your accomplishment and have the ability to roll back to this point in the future.


Here are some of the common pitfalls we encounter with clients as they move through the implementation and construction phase.

  • Backdoors Left Behind — Backdoors are often added during stages of construction so that engineers can go back in quickly to get something done. That doesn’t mean those backdoors can be left behind, but it happens often, and they create a security issue. These backdoors must be documented so that they can be removed. 
  • Temporary, Not Permanent — Any solutions implemented that are not part of the long-term plan must be noted and analyzed because they have the potential to include security weaknesses.

Core Principles

The core principles we follow during this phase of deployment include the following.

  • Must Yield True As-Built — At the end of the implementation and construction phase, the client should receive a drawing that depicts the true “as-built” condition of the system. It should include all changes and modifications made throughout the process. These drawings become the baseline for the future, it’s critical to have accuracy.
  • Acceptance is Key — The owner must sign off on each phase. If they don’t, it isn’t considered “complete.”
  • Avoid Installation of Convenience — Avoid installing quick fixes just to get things done and maintain momentum. Things need to be done right and to standards from beginning to end.

In the third post in our three-part series discussing the cybersecurity deployment process for renewable installations, we will talk about significant factors and challenges associated with the operations phase.

Complying with NERC standards is a significant undertaking for renewable facilities that fall into the established threshold. Failure to comply with NERC-CIP standards can lead to severe penalties for your business.

Radian Generation can help you manage your renewable energy assets and ensure that your business complies with NERC requirements. NERC’s thresholds are changing, and your business could be affected. If you’re unsure of whether or not your business will fall into the expanding umbrella, reach out to us. We will help you figure it out!