Despite the variability of renewable power sources, they all have in common a number of distinguishing factors – including, being widely distributed, often geographically remote and relatively small scale, yet rapidly growing. Critically, they are often managed and operated using under-secured digital technologies that plug directly into the legacy infrastructure of national power grids, exposing big security gaps.
With almost half of the world’s electricity sources currently susceptible to cyber attacks from hostile actors, this vulnerability is likely to increase considerably once energy sources are almost fully renewable, by 2050. As such, defence against system violations has never been so mission-critical.
Smart grid technology and increased exposure to cyber threats
Grid technology and advanced operating procedures have revolutionised the way renewable energy suppliers deliver cleaner, sustainable electric power.
The latest smart grid technology is enabling the efficient management and distribution of renewable energy sources by connecting a variety of distributed energy resource assets to the power grid – yet this connectivity can be the Achilles heel of renewable energy generation.
The relationship between the smart grid and renewable energy revolves around gathering data. For example, wind farms use mechanical gears that require each link to support multiple sensors. Information from each sensor is sent through the grid to alert the asset owner to any issues, which improves the quality of service. At the same time, such advancements have exposed firms to greater potential security breaches.
Cyber Energia’s own analysis indicates that there are as many as 880 million cyber risks across the renewables sector, with over 300 attempted security breaches at any one moment and up to 1000 attacks per day.
To provide an indication of the serious exposure faced by renewable energy firms, Cyber Energia’s analysis shows that in the UK wind sector alone, only 1% of around 11 000 sites have any type of cyber solution.
Consequences of shut-downs caused by cyber attacks can range from significant inconvenience to devastating operational impact. Such attacks can result in loss of production and revenue, damage to assets and infrastructure, leakage of sensitive commercial information, health and safety risks, as well as reputational damage.
And, renewable energy firms which are not sufficiently protected against cyber breaches are increasingly at risk of financial penalties from legislation.
Understanding the exposure risks
To build strong cyber resilience into digital renewable energy systems, we need to look at the areas of risk – both from a technical and behavioural point of view.
One of the key areas of vulnerability lies with the commercial pressure to rapidly develop and implement software – at times, with less than optimal testing of security controls and a lack of specialists in cyber security. While some software developers are undoubtedly experts in coding, they may not have the relevant security experience to deliver a robust system against cyber attacks. Incomplete security controls will not only lead to constant cyber security threats, but will result in the company dealing with intrusive patching, downtime or service interruption.
Renewable energy sources are dispersed and often located in isolated locations, necessitating some form of remote access capability to share data and receive instructions and reports – for example, via cloud services or VPNs. Remote access services are notoriously vulnerable to cyber attack, so robust authentication and access measures are vital.
Another significant risk is the vast numbers of devices and systems on the network and the degree to which they are secured in relation to how they communicate with each other and the application programmes they help enable. Renewable energy facilities often provide employees with devices that are manufactured on an industrial scale, without the benefit of product development and not incorporating cyber security qualities or values. As such, additional safeguards such as network segmentation should be considered.
Traditional power plants are typically not directly connected to the internet and have, what is known as “air-gapped” infrastructure, essentially allowing them to act like an island – safe, secure and isolated from other networks. This massively reduces the risk of a cyber attack. However, the connected nature of renewable energy facilities means that they generally don’t have this protection.
All data that moves across the network should be monitored and encrypted. In connected power systems, the traffic between a device and the central application is often unencrypted and vulnerable to manipulation. Data can be intercepted by attackers, or the traffic systems overwhelmed in “denial of service” (DoS) attacks.
API, or “application programme interface”-based applications, communicate and share data and functionality with other applications – both within the organisation, but also with third-party apps developed externally. Therefore, web application security and firewalls are critical to prevent hackers from attempting to leverage APIs to steal data and infect devices.
There is also significant exposure from limited capabilities for monitoring access to and from devices by authorised people and applications. Supervisory, control and data acquisition (SCADA) systems – and other systems that import, analyse and visualise data from power sources – are top targets for cyberattacks as they allow bad actors to access the whole system, manipulate data, send instructions and more. Robust, multifactor authentication measures – combined with restricted access rights – are vital to ensuring only those with permission can gain access to the system. Authentication and restricted access rights also come into play when third-party experts and contractors are needed onsite.
Dispersed and distributed renewable energy systems, particularly at scale, need constant monitoring and management to produce utilisation reports, lifetime patch status, recalls and other essential capabilities. Either a lack of automation, or automated systems that are themselves not strongly monitored for suspicious traffic can also present threats. Security solutions that offer extended detection and response and specialist Internet-of-Things (IoT) security functionality can provide protection. While there are multiple vulnerabilities to cyber attack from the technical viewpoint, there are also several “softer” behavioural factors which can equally put systems at risk.
Governance is rarely well established, especially in identity access management (IAM), change management and patch management – and often does not consider security properly. It is vital that there is full accountability and that roles and responsibilities in relation to cyber security are clearly defined. The importance of knowledge sharing and a well-thought-out generational succession plan will also avoid issues around a potentially limited pool of employees with inadequate security experience leading IT systems.
Additionally, response plans often do not address cyber events, with the focus more on maintenance and repair (MRO) operations.
Risks to your bottom line
For those renewable energy companies that have not only found themselves inconvenienced from cyberattack, but where the infiltration has also had a serious knock-on effect on the electricity grid – and it can be demonstrated that this is due to a lack of cyber security protection, these firms can receive significant financial penalties. In the UK, for example, operators come under both the NIS Regulations 2018 and the National Security and Investment Act 2021, which not only have powers of inspection, but with monetary penalties up to £17 million for those contravening regulations.
Organisations providing essential services in the European Union (EU) will also soon face considerably tougher cyber security regulation (NIS2.0) for failure and non-compliance, with punitive actions including higher fines, bans on management positions and even a withdrawal of the company’s licence to operate.
In the US, there are several nationwide regulation bodies, including the Federal Trade Commission (FTC), which is responsible for enforcing cybersecurity regulations at the federal level. The Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) also have important roles.
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of standards aimed at regulating, enforcing, monitoring and managing the security of the Bulk Electric System (BES) in North America. In 2021, President Biden also signed an executive order to improve the nation’s cyber security.
What’s next?
Renewables are predicated on high-tech competencies and connectivity, but these operational advances, combined with the inherent risks that a high-growth cycle can bring, means increased risks of cyber attacks. The EU has classified the renewables industry as a “critical sector”, yet companies operating in this space are having to ward off new cyber security risks daily. Robust cyber security now needs to be built into the core business strategy, with management teams – including those at board level – ensuring they understand the risks and how to take the vital steps to mitigate the threats.
Author: Rafael Narezzi, Chief Technology Officer, Cyber Energia
This article first appeared in Modern Power Systems magazine.