Small-Scale Generators
The hidden complexity in clean energy's distributed future
The rapid expansion of battery storage systems in states like California and Texas exemplifies how once-marginal energy producers can quickly evolve into critical infrastructure operators. In California, battery storage capacity surged by over 3,000 megawatts in just six months in 2024, reaching 13,391 megawatts, a 30% increase. This growth has allowed the state to store surplus solar energy generated during the day and release it during peak evening demand, effectively transforming intermittent renewable resources into reliable power sources. These batteries are now essential for maintaining grid stability during extreme weather events.
Similarly, Texas nearly tripled its battery storage capacity in 2024, adding over 4,300 megawatts to its grid. These systems have proven essential during periods of peak demand and extreme weather, such as winter storms and hurricanes. By balancing fluctuations in solar and wind energy production, battery storage has helped stabilize the grid and save hundreds of millions of dollars. Once considered supplementary technologies, these battery systems now play a crucial role in ensuring the reliability and resilience of Texas' energy infrastructure.
These examples illustrate a broader trend: As the clean energy transition progresses, we are transforming previously marginal energy producers into critical infrastructure operators overnight. A wave energy startup or agricultural waste processor that successfully scales becomes, by definition, essential to grid stability. This transformation creates new organizational and security challenges that our existing frameworks cannot manage.
The New Critical Infrastructure Operators
Small generators fundamentally differ from traditional utilities in organizational capacity, technical expertise, and business models. Consider CalWave, which harnesses ocean wave energy, or local agricultural waste processors like Anaergia, generating power from agricultural waste. These organizations often begin as technology companies focused on solving engineering challenges in renewable energy generation. Their core competency lies in developing and scaling novel energy production methods, not managing critical infrastructure or implementing comprehensive security programs.
This creates a skills mismatch: while these organizations may succeed in developing innovative clean energy solutions, they suddenly find themselves responsible for critical infrastructure security without the institutional knowledge, resources, or organizational structures typically associated with such responsibility.
Organizational Fault Lines
The security challenges faced by these new operators are not primarily technical—they are organizational. Small generators often cannot maintain dedicated security teams. When they must choose between hiring an additional engineer to improve generation efficiency or a security specialist, the business case frequently favors the former. This leads to systematic underinvestment in security expertise precisely when these organizations become essential to grid stability.
The issue extends beyond resource constraints. Small generators often lack the organizational maturity needed to implement security programs effectively. Security demands systematic thinking about threat models, incident response plans, and ongoing training—activities that may appear disconnected from the immediate challenges of scaling new energy production methods.
The talent market worsens these challenges: Security professionals with experience in operational technology and clean energy are hard to find. The global cybersecurity workforce has a 28% vacancy rate across all sectors, but the shortage is particularly intense in industrial fields. Between 91% and 94% of organizations in construction and manufacturing report security skills gaps. In clean energy, cybersecurity demands a unique mix of IT, OT, and domain-specific knowledge, which is rare and takes years to cultivate. Consequently, smaller generators must compete for this talent against traditional utilities and tech companies that provide higher salaries and clearer career paths… all while the market fails to incentivize these firms to invest in security!
Security Tensions in Energy Markets
Small generators must integrate with legacy grid systems while ensuring real-time market participation. This introduces technical complexity that can elevate security risks. For instance, when a biogas generator engages in real-time energy markets, its control systems must interact with various external systems, each representing a potential attack vector.
The distributed nature of these generators also presents new architectural challenges. Unlike traditional power plants, which function in physically secure locations with dedicated network infrastructure, small generators often depend on standard internet connectivity and might operate in easily accessible places. This broader attack surface necessitates security measures many small generators cannot implement.
Regulatory Misalignment
Current regulatory frameworks assume organizational capacities that small generators generally lack. Take California’s CPUC requirements, for example. While these standards offer valuable security guidance, they are intended for organizations with dedicated compliance teams and established security programs. These requirements can seem disconnected from operational realities when applied to small generators.1
The result is often checkbox compliance instead of effective security. A small generator might technically fulfill regulatory requirements while lacking critical security controls that are not included in compliance checklists. This disconnect between regulatory frameworks and organizational realities creates security gaps that could impact grid stability.
Toward Solutions
Addressing these challenges involves reevaluating how we enhance security in distributed energy systems. Several approaches deserve attention:
Security frameworks tailored for specific industries, considering scale and resource limitations, can assist small generators in prioritizing essential security controls without the need for extensive utility-scale security programs. These frameworks may focus on fundamental controls that deliver the greatest security benefits with the least organizational burden. For example, The National Renewable Energy Laboratory (NREL) has developed the DER-CF, which is specifically designed for distributed energy resources. The National Association of Regulatory Utility Commissioners (NARUC) has also developed cybersecurity baselines for electric distribution systems and distributed energy resources.
Of course, these frameworks still require expertise within generators to implement—solutions will still have to plug the expertise gap. Here, security resources among small generators could help. Regional security operations centers serving multiple small generators could offer economies of scale in security monitoring and incident response. In Texas, RSOCs have been established to address the increasing number of cybersecurity incidents impacting small local governments.
Building on this model, utilities could take on a larger role in providing security support to small generators within their distribution networks. This could utilize existing utility security expertise while ensuring uniform security practices across distributed energy resources. Of course, this approach raises concerns about utility liability and regulatory jurisdiction and would require careful implementation.
Looking Forward
As more small generators become operational, the systemic risks associated with their security practices will increase. We require institutional arrangements that can facilitate security in this distributed future without hindering the innovation that these new operators contribute to the clean energy transition.
This might involve new types of public-private partnerships, possibly regional security cooperatives that offer shared security resources to small generators. Alternatively, it may require rethinking regulatory frameworks to better align with the operational realities of small-scale generation.
We can't just apply traditional utility security models to these new operators. We need solutions that acknowledge small generators' unique challenges while safeguarding the security of our increasingly distributed critical infrastructure.
For example, the CPUC's General Order 167 exempts generating assets smaller than 50 megawatts from many detailed requirements. Still, it mandates that they operate in a “safe, reliable, and efficient manner” and be “reasonably available to meet the demand for electricity.” These broad directives can be challenging for small generators to interpret and implement without specialized resources. The interconnection procedures for small generators (20 megawatts or less) connecting to the California ISO grid have highlighted issues that subsequently required revisions, showcasing a similar mismatch between regulatory expectations and smaller entities’ capacities.