DERs & Microgrids at Risk: How Adversaries Exploit Distributed Energy

Distributed Energy Resources (DERs) and microgrids are transforming how power is generated and consumed across industries. Electric utilities are integrating solar, wind, and storage at scale. Manufacturers, oil and gas operators, and data centers are adopting on-site microgrids to cut costs and ensure uptime. This shift expands resilience, but it also expands the cyber attack surface.

Adversary groups from VOLTZITE to botnet and ransomware operators are already targeting DER and microgrid assets. Common weaknesses, such as internet-exposed controllers, insecure vendor remote access, and unmonitored industrial protocols, provide multiple paths for disruption.

The consequence: DER and microgrids are now part of the threat landscape, and business disruption is the outcome when they are compromised. Defenders need OT-specific visibility, threat detection, and response readiness. Dragos brings these capabilities together in the Dragos Platform, operationalized WorldView threat intelligence, and OT security services to help organizations secure the distributed energy future.

Microgrids, often composed of solar panels, wind turbines, battery storage, and smart inverters, are designed to operate independently or in coordination with the main grid. Their modular design and ability to balance local energy needs make them ideal for remote sites, critical infrastructure, and renewable integration.

But DER and microgrids are not just an electric sector challenge. Their adoption is accelerating across industries:

• Manufacturing plants use on-site renewables to stabilize power costs. A compromise of DER controllers could halt production or damage equipment.
• Oil and gas operators deploy microgrids to power upstream and midstream operations. Disruption can immediately affect supply.
• Data centers rely on storage-backed microgrids for uptime. A compromised controller could cascade into widespread outages for customers.

As adoption expands, more industries inherit the same risks utilities already face. The interconnectedness that makes DER and microgrids valuable, such as remote access, real-time data, and automation, also makes them vulnerable. These features broaden the attack surface and create new opportunities for adversaries.

Several recurring conditions make DER and microgrids attractive targets:

• Geographic distribution. Renewable assets are widely dispersed, often with limited physical or cyber protection.
• Remote access. Vendor and OEM portals provide essential support but create third-party risk when unsecured.
• Firmware vulnerabilities. Malicious firmware updates can disable devices or embed persistent threats, with few mechanisms in place to verify firmware integrity.
• Legacy configurations. Many DER devices ship with default credentials or outdated firmware, including plaintext credential transmission and unencrypted communications.
• Protocol dependence. Standards such as IEC 61850, DNP3, and Modbus enable integration but can be misused for unauthorized shutdowns or misconfigurations.
• Shared ownership. Residential and commercial DERs may sit outside utility control but still affect grid stability, which may complicate management operations during increased periods of demand.

These weaknesses map directly to adversary tactics observed in the wild. When exploited, they enable persistence, disruption, and data theft.

The threat is not speculative. Dragos Intelligence has observed adversary groups probing DER and microgrid environments.

• VOLTZITE has exploited exposed firewalls and VPN appliances to steal engineering files and persist inside energy networks.
• KAMACITE continues phishing campaigns that harvest credentials, often acting as a staging point for more destructive groups.
• Ransomware operators such as Akira and RansomHub increasingly target energy and manufacturing organizations, leveraging downtime for extortion.
• Hacktivists scan for internet-facing inverters and controllers, posting screenshots of interfaces to exaggerate disruption and amplify propaganda.
• Low-barrier attacks, including techniques like device reconnaissance, denial-of-service (DoS), and packet replay require varying levels of skill but can cause cascading failures across the grid.

These campaigns show that distributed assets are not out of scope. They are now part of the active threat landscape.

Securing DER and microgrids requires a different lens than securing IT systems. Traditional approaches alone cannot answer questions like: Which DER assets do we actually have, and where are they located? Are our controllers communicating over secure channels, or are they exposed? Can we detect an abnormal command to an inverter before it takes effect?

This is where defenders need operational technology (OT) visibility and intelligence. Organizations must move beyond knowing that they are at risk to understanding how adversaries exploit DER environments, and what defenses make the most difference.
For example, Dragos has seen operators strengthen cyber resilience by:

• Using the Dragos Platform to build inventories of DER controllers and gateways and to monitor traffic for IEC 61850 and DNP3 misuse.
• Relying on Dragos WorldView threat intelligence operationalized inside the Platform, which provides continuous updates of detections, indicators, vulnerabilities, and protocol coverage tied to campaigns like VOLTZITE or ransomware intrusions.
• Leveraging OT Watch Complete for continuous monitoring and proactive threat hunting, giving defenders early warning of adversary behaviors in DER and microgrid environments.
• Working with Dragos experts to test incident response playbooks that include DER and microgrids, ensuring escalation paths with vendors and utilities are validated before a crisis.

These are practical steps organizations are already taking to reduce cyber risk and strengthen resilience as DER and microgrids become more central to operations.

Organizations across sectors should treat DER and microgrids as core OT assets. That means:

• Building defensible architectures that minimize internet exposure.
• Securing remote access with multi-factor authentication.
• Maintaining visibility into DER protocols and detecting abnormal commands.
• Prioritizing vulnerabilities based on operational impact.
• Testing incident response with DER in scope.

These steps align directly with the SANS 5 Critical Controls for ICS Cybersecurity. They also align with how Dragos customers are protecting distributed energy systems today.

DERs and microgrids are essential to the modern energy future, but they also expand the cyber perimeter. Adversaries from state-aligned groups to ransomware operators are already probing these environments. The exposures are known. The tactics are observed. The consequences are tangible.

Securing DER and microgrids requires OT visibility, threat-informed detection, and tested response. That is where Dragos makes the difference.

Download the full “Global Electric: Distributed Energy Resources (DER) & Microgrids” Threat Perspective to see how adversaries are targeting distributed assets and how organizations can best defend them.

Download Report