Enquire about or register for Enlit Europe 2026 in Vienna
More info
Home
/
Renewable energy’s hidden risk: Cybersecurity gaps we can’t ignore

Renewable energy’s hidden risk: Cybersecurity gaps we can’t ignore

Guest/partner contributor
Posted on: 8 September 2025

Without urgent action, the next big renewables story may not be about progress to net zero - but about the fallout from a preventable cybersecurity attack, writes Martyn Williams of COPA-DATA UK.

Martyn Williams. Image credit: COPA-DATA UK

Cybersecurity in renewables is still treated as an afterthought. Without urgent action, the next big energy story may not be about progress to net zero - but about the fallout from a preventable cyber attack.

By Martyn Williams, managing director, COPA-DATA UK

It’s widely acknowledged in the sector that some renewable energy assets are still running on systems with known cybersecurity weaknesses. It’s not a comfortable truth, and it’s not always discussed openly, but it reflects the reality of where the industry is today.

That silence is dangerous. Because it’s not a question of if a serious cyber incident hits our renewables sector, it’s a question of when. And when it does, the fallout won’t just be technical. It will be reputational. Public trust in renewable energy, the very backbone of our net-zero ambitions, could take years to rebuild.

I’ve spoken to dozens of energy businesses over the last year, and what strikes me is how circular the conversation remains. Cybersecurity is a headline topic at conferences, it’s written into policy discussions in Westminster and Brussels, but on the ground progress is patchy. Too often, meaningful action only follows a crisis. That’s a cycle we cannot afford to repeat in energy.

Have you read?
Onshore wind sector ramps up AI investment to reduce risk
Modern day power outages: A wake-up call for modernising critical infrastructure

The legacy burden

From my perspective, one of the biggest challenges is legacy technology. At COPA-DATA, we see this issue come up repeatedly in our work with operators. Many control systems were never designed with cybersecurity in mind.

I’ve seen organisations hesitate to upgrade for fear of disrupting operations. Ironically, the perceived risk of modernisation often outweighs the much bigger risk of leaving known vulnerabilities in place.

This mindset isn’t limited to technology, it’s embedded deep into its culture. In some organisations, IT teams push hard for updates, but operational technology (OT) teams push back, worried that downtime or instability could hit production.

I’ve been in conversations where leaders acknowledge the risks but feel pressure to keep projects moving and delay security changes until after the next milestone. It’s understandable given the commercial pressures they face, but it leaves a gap that attackers are quick to exploit.

Many of these concerns aren’t just things I’ve observed personally. We heard the same message in interviews for our recent report on UK offshore wind. One industry contributor summed it up bluntly: “Cyber security has been overlooked for many, many years.”

That sense of playing catch-up came through consistently, and it underlines how overdue real action is.

Read more: Europe Energy Briefs | Status of cybersecurity in Europe’s electricity sector

A shortage of cyber-OT skills

Then there’s the skills gap. Government data shows almost half of UK businesses lack basic cybersecurity expertise. In energy, the problem is even sharper because OT security is not the same as IT security. The threats, systems, and standards are different.

This shortage feeds into human error, which still accounts for the vast majority of breaches. I’ve seen highly skilled engineers struggle with patching policies simply because they weren’t trained to think about cybersecurity. We’re asking people to bridge a gap without giving them the tools to do it.

Until we build a workforce fluent in both OT and cyber, that vulnerability will remain.

NIS2 and regulatory pressure

The good news is that regulation is starting to catch up. The NIS2 directive, which tightens rules around network and information security, is designed to push essential service operators (including energy) into raising their game.

I, of course, welcome this, but legislation alone won’t solve the problem. Compliance can too easily become a box-ticking exercise, and I worry that some businesses will approach NIS2 as exactly that. It needs to be seen as a baseline, not a ceiling - cyber resilience must be embedded into daily operations, not treated as a separate compliance project.

When geopolitics meets cyber risk

Cybersecurity is no longer just a technical issue; it’s a geopolitical one. The debate around whether Chinese companies should be allowed into the UK’s renewable supply chain illustrates this perfectly.

Only recently, the FT reported that the Trump administration had warned the UK government about allowing Chinese wind turbine maker Mingyang to build a turbine factory in Scotland. The concern isn’t just about market competition, it’s about national security. Who supplies the software and hardware that underpins your energy grid is no longer a neutral question.

The UK is grappling with this dilemma. We have ambitious targets: 43-50GW of offshore wind by 2030. But if in our rush to scale we embed suppliers that cannot demonstrate stringent cybersecurity standards, we are building long-term risk into critical infrastructure.

Once those assets are deployed, they’ll be part of the system for decades. Replacing or securing them later is vastly harder than getting it right at the start.

Also of interest:
Octopus Energy and BYD join forces to scale up V2G in UK
NATO cyber advisor ready to work with energy sector to bolster security

A disconnect at the top

In many of the companies I speak to, there’s a worrying disconnect between executive-level rhetoric and operational-level action. Leaders will talk confidently about cyber resilience at events or in strategy documents, but the same commitment doesn’t always translate into investment, training, or time spent hardening systems.

Part of this comes down to the pressure the sector is under. Developers are under enormous strain to deliver projects at speed, with costs rising and timelines squeezed. Cybersecurity is often framed as a cost centre rather than a strategic enabler. Until we change that mindset, the disconnect will persist.

Where do we go from here?

I don’t believe the situation is hopeless. But I do believe the sector needs a wake-up call before the wake-up call comes in the form of a successful attack.

There are some very clear steps energy operators can take:

  • Embed OT-first standards such as IEC 62443. These frameworks are designed for industrial environments and encourage defence-in-depth rather than bolt-on fixes.
  • Phase out insecure protocols. If a communication method cannot be encrypted or authenticated, it has no place in critical infrastructure.
  • Invest in skills as urgently as you invest in steel. Building turbines is pointless if the systems running them are porous. A cyber-skilled workforce is as vital as engineers offshore.
  • Treat NIS2 as a floor, not a ceiling. The directive is useful, but real resilience comes from going further.
  • Scrutinise the supply chain geopolitically, not just commercially. Cost should never be the only criterion for who gets into our critical energy systems.

I spend a lot of time with companies who want to get renewable energy projects built at pace, and I get it - speed matters. But if we cut corners on security, we’re creating bigger problems down the line.

Cybersecurity isn’t an IT side issue. It’s central to resilience and to keeping public confidence in renewables. A preventable attack could set the whole transition back just when it needs to move forward fastest.

We’ve had enough warning signs. The time to act is before the headlines, not after them.

ABOUT THE AUTHOR

Martyn Williams has over 20 years of experience in industrial automation and is passionate about sharing information and helping companies with digitalisation, innovation and sustainability within the UK’s manufacturing, engineering, and energy sectors.

Related tags

Share:
Join the community for freeAnd get access to all content

Latest content

Latest in Digitalisation

All articles