11: the key to safeguarding a renewable future

Rafael Narezzi, chief technology officer at renewable energy cybersecurity company, Cyber Energia, looks at how and why the renewable energy sector lacks sufficient cybersecurity protection and how technical and behavioural aspects of operations expose critical assets to malicious attacks.

In 2020, renewable energy comprised almost a third (29%) of global electricity generation. In only three years, a further 3,700GW of new renewable capacity is due to come online, accounting for over 42% of the world’s electric power. Looking further forward, it is estimated that by mid-century, 70% of global power systems will be dependent on renewable energy – derived mainly from solar, wind, tidal and geothermal sources.

Despite the variation in renewable power sources, they all have in common a number of distinguishing factors – from being widely distributed, often geographically remote and relatively small scale, yet rapidly growing. Critically, they are often managed and operated using under-secured digital technologies that plug directly into the legacy infrastructure of national power grids, exposing big security gaps.

Have you read?
Harnessing AI in renewables, power and nuclear
Hydropower cybersecurity training course launches at Texas university

With almost half of the world’s electricity sources currently susceptible to cyberattacks from hostile actors, this is likely to rise considerably once energy sources are almost fully renewable by 2050. As such, defence against system violations has never been so mission-critical.

Smart grid technology and increased exposure to cyber threats

Grid technology and advanced operating procedures have revolutionised how renewable energy firms deliver cleaner, sustainable electric power.

The latest smart grid technology is enabling the efficient management and distribution of renewable energy sources by connecting a variety of distributed energy resource assets to the power grid - yet this connectivity can be the Achilles heel in renewable energy operations.

The relationship between the smart grid and renewable energy revolves around gathering data. For example, wind farms use mechanical gears that require each link to support multiple sensors. Each sensor is able to note current climate and environmental conditions. This information is then quickly sent though the grid to alert the asset owner of any issues, which improves the quality of service. At the same time, such advancements have exposed firms to greater potential security breaches.

Cyber Energia’s analysis indicates that there are as many as 880 million cyber risks across the renewables sector, with over 300 attempted security breaches at any one moment and up to 1,000 attacks per day.

To provide an indication of the serious exposure to UK renewable firms, Cyber Energia’s analysis also shows that in the wind sector alone, only 1% out of around 11,000 sites have any type of cyber solution.

Consequences of shutdowns caused by cyberattack can range from significant inconvenience to devastating operational impact. Such attacks can result in loss of production and revenue; damage to assets and infrastructure; leakage of sensitive commercial information; health and safety risks, as well as reputational damage.

And, renewable energy firms that are not sufficiently protected against cyber breaches are increasingly at risk of financial penalties from legislation.

Understanding the exposure risks

To build strong cyber-resilience into digital renewable energy systems, we need to look at the areas of risk – both from a technical and behavioural point of view.

One of the key areas of vulnerability lies with the commercial pressure to rapidly develop and implement software – at times, with less than optimal testing of security controls and a lack of specialists in cybersecurity. While some software developers are undoubtedly experts in coding, they may not have the relevant security experience to deliver a robust system against cyberattacks. Incomplete security controls will not only lead to constant cybersecurity threats, but will result in the company dealing with intrusive patching, downtime or service interruption.

Renewable energy sources are dispersed and often located in isolated locations, necessitating some form of remote access capability to share data and receive instructions and reports - for example, via cloud services or VPNs. Remote access services are notoriously vulnerable to cyberattack, so robust authentication and access measures are vital.

Another significant risk is the vast number of devices and systems on the network and the degree to which they are secured in relation to how they communicate with each other and the application programmes they help enable. Renewable energy facilities often provide employees with devices that are manufactured on an industrial scale and whose product development does not address or incorporate cybersecurity qualities or values. As such, additional safeguards such as network segmentation should be considered.

Traditional power plants are typically not connected to the internet and have, what is known as “air-gapped” infrastructure, essentially allowing them to act like an island – safe, secure and isolated from other networks. This massively reduces the risk of a cyberattack.

However, the connected nature of renewable energy facilities means that they generally don’t have this protection. All data that moves across the network should be monitored and encrypted. In connected power systems, the traffic between a device and the central application is often unencrypted and vulnerable to manipulation. Data can be intercepted by attackers, or the traffic systems overwhelmed in Denial of Service (DoS) attacks. 

Also of interest
US DOE $10m grant to support nation’s first regional cybersecurity center for grids
Keeping sensitive content locked within

API, or Application Programme Interface-based applications communicate and share data and functionality with other applications – both within the organisation, but also with third party apps developed externally. Therefore, web application security and firewalls are critical to prevent hackers from attempting to leverage APIs to steal data and infect devices.

There is also significant exposure from limited capabilities to monitor access to and from devices by authorised people and applications. Supervisory control and data acquisition (SCADA) systems - and other systems that import, analyse and visualise data from power sources - are top targets for cyberattacks as they allow bad actors to access the whole system, manipulate data, send instructions and more. Robust, multifactor authentication measures - combined with restricted access rights - are vital to ensuring only those with permission can gain access to the system. Authentication and restricted access rights also come into play when third party experts and contractors are needed onsite.

Dispersed and distributed renewable energy systems, particularly at scale, need constant monitoring and management to produce utilisation reports, lifetime patch status, recalls and other essential capabilities. Either a lack of automation, or automated systems that are not strongly monitored for suspicious traffic can also present threats. Security solutions that offer extended detection and response and specialist Internet-of-Things (IoT) security functionality can provide protection.

While there are multiple vulnerabilities to cyberattack from the technical viewpoint, there are also several “softer” behavioural factors that can equally put systems at risk.

Governance is rarely well established, especially in identity access management (IAM), change management and patch management - and often does not consider security properly. It is vital that there is full accountability and that roles and responsibilities in relation to cybersecurity are clearly defined. The importance of knowledge sharing and a well thought out generational succession plan will also avoid issues around a potentially limited pool of employees with inadequate security experience leading IT systems.

Additionally, response plans often do not address cyber events, with the focus more on maintenance and repair (MRO) operations.

Risks to your bottom line

For those renewable energy companies that have not only found themselves inconvenienced from cyberattack, but where the infiltration has had a serious knock-on effect to the electricity grid - and it can be demonstrated that this is due to a lack of cybersecurity protection - these firms can receive significant financial penalties.

In the UK, for example, operators come under both the NIS Regulations 2018 and the National Security and Investment Act 2021, which not only have powers of inspection, but carry monetary penalties up to £17 million ($21.3 million) for those contravening regulations. 

Organisations providing essential services in the European Union (EU) will also soon face considerably tougher cybersecurity regulation (NIS2.0) for failure for non-compliance, with punitive actions including higher fines, bans on management positions and even a withdrawal of the company’s license to operate.

In the US, there are several nationwide regulation bodies, including the Federal Trade Commission (FTC), which is responsible for enforcing cybersecurity regulations at the federal level, and the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) also have important roles.

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of standards aimed at regulating, enforcing, monitoring and managing the security of the Bulk Electric System (BES) in North America. In 2021, President Biden also signed an executive order to improve the nation’s cybersecurity. 

What’s next?

The renewable energy industry is predicated on high-tech competencies and connectivity, but these operational advances, combined with the inherent risks that a high-growth cycle can bring increased risks of cyberattacks.

The EU has classified the renewables industry as a “critical sector”, yet companies operating in this space are having to ward off new cybersecurity risks daily. Robust cybersecurity now needs to be built into the core business strategy, with management teams – including those at board level - ensuring they understand the risks and how to take the vital steps to mitigate the threats.