By Irina Slav
- Cybersecurity risks to critical infrastructure came to the forefront this year when hackers took over the Colonial Pipeline.
- The renewable revolution is especially vulnerable to cyber attacks, as well.
- Wind and solar energy infrastructure are in desperate need of a cybersecurity upgrade.
A few years ago, researchers proved that wind turbines could be hacked and manipulated. Solar farms can also be taken hostage by hackers: one Dutch scientist found a way to hack the inverters of solar installations. With more wind parks and solar farms getting built amid the energy transition, these are turning into critical infrastructure that needs to be defended. But can it?
For starters, it needs noting that the cybersecurity management of wind and solar installations is a pretty complex task. Benny Czarny, founder and CEO of OPSWAT, a cybersecurity company with a special focus on critical infrastructure, explains that wind and solar installations are run by industrial control systems and operational security systems, with the latter often isolated from the former. In theory, he says, this is supposed to make the infrastructure more secure. In practice, it adds a layer of complexity to the management of the infrastructure and this, in turn, makes it more vulnerable to attacks.
“Cyber risks to renewable energy assets are extremely acute,” Fieldfisher partner and cybersecurity specialist James Walsh told Oilprice. “Many of these generation facilities will be directly connected to a regional or national grid and most now rely on smart systems, allowing their owners and operators to manage them digitally – all of which creates cyber risk interfaces.”
The cybersecurity risk to critical energy infrastructure came to the fore earlier this year when hackers took over the Colonial Pipeline and forced it to shut down, causing fuel shortages along the East Coast. This certainly drew attention to the protection of energy systems, but not enough.
Wind and solar have historically accounted for a small portion of U.S. power generation capacity, so they have not been given the same priority for protection as conventional power plants, says David White, founder and president of Axio, a cyber risk management software development firm. Yet there are now states that generate almost a third of their power from renewable installations, he adds, so the time to act on better protecting them has come.
Somewhat unfortunately, part of the reason for the increased cyber vulnerability of wind and solar installations is good intentions. As the CTO of Awen Collective, Jules Farrow, explains, connectivity is not always a good thing.
“The efforts to gather and analyse operational data to improve the efficiency and resilience of OT systems is a worthy cause, but one which often results in undermining the only protection traditional OT [operational technology] systems had – a lack of connectivity to other systems and networks,” he told Oilprice.
Awareness of the problem is the beginning of this protection. Then comes the security of devices used in proximity to critical infrastructure systems and continual risk assessment in order to be able to detect vulnerabilities early on.
“The greater connectivity associated with renewable energy assets, versus oil and gas, which are disconnected energy commodities, increases system risks and could potentially pose threats to entire grid networks,” says Fieldfisher’s Walsh.
Possible specific measures include “adequate access controls, strong segmentation from the business network and the internet, strong protection of any third-party connectivity (like some modern fossil-fuel generation, many of these assets have persistent connectivity to third parties for control and monitoring), and monitoring,” according to Axio’s White.
Training a company’s employees to protect themselves against cyberattacks is also crucial in the risk mitigation of energy systems, according to Keatron Evans, principal security researcher at Infosec Institute. Yet risk mitigation is not always possible and companies need to focus on post-attack recovery, too.
Phil Bezanson, energy and cybersecurity expert and partner at law firm Bracewell, agrees. According to him, minimum standards in cybersecurity management should include “comprehensive data mapping, updating software security patches, training employees about user-error contribution to cyber incidents, and having a tested incident response plan.”
The thing to remember is that as wind and solar installations become more complex and more advanced, so do the techniques hackers use to infiltrate any system. This means that operators of wind and solar systems—as of any other critical energy infrastructure—need to advance their management practices as well.
“Newer wind and solar operations must be designed and built with cybersecurity in mind,” says Matt Donahue, compliance and risk analyst at Sentient Digital. “Updating and reinforcing security measures on older systems should be made a priority, since these will be most vulnerable to attack. This includes not only updating their systems, but the physical security of the grids and retraining of personnel.”
All cybersecurity experts agree on the need to focus on connectivity. Per Axio’s White, “Owners and operators of wind and solar farms need to understand the cyber risk exposure of those assets and implement appropriate measures to respond to those risks. In particular, we should take measures to protect any persistent connectivity to third parties to minimize the systemic exposures that could arise from the compromise of one of those third parties.”
The threat of cyberattacks is increasing and will continue to increase in the future. At the same time, wind and solar generation capacity will also increase. “We are at constant risk of a significant cyber attack on the U.S. energy sector,” says Lisa Sotto, head of global privacy and cybersecurity practice at Hunton Andrews Kurth.
The thing to keep in mind is that no energy system is immune to cyberattacks—in fact, energy systems, being critical infrastructure, are a magnet for hackers—and to prepare accordingly before it is too late.