The transition to a green economy based on sustainable power is steadily reducing society’s dependence on fossil fuels, but it is also ratcheting up cybersecurity risks for the renewable energy sector. As more wind turbines and solar arrays get connected to the energy grid, they, unfortunately, introduce new attack surfaces for cyber criminals and foreign adversaries to take advantage of.
Modern systems for wind and solar power rely on network connections for command and control, along with remote monitoring and maintenance. As a result, all those devices and connections are creating new entry points for hackers to infiltrate networks and disrupt operations or launch ransomware attacks. To compound this problem, the sustainable energy sector remains immature, making it difficult to estimate the costs and overall impacts of such cyber risks on sustainable energy companies.
Sustainable Energy Networks Pose New Cybersecurity Threats
About 80% of the world population lives in countries that are net energy importers, according to the International Renewable Energy Agency (IRENA). That percentage could be greatly reduced based on the abundance of potential renewable energy sources yet to be tapped. Such a shift would greatly reduce human dependence on imported fuels while increasing the adoption of sustainable energy sources.
Yet many obstacles remain on the path to sustainability. For unsecured IoT devices such as windmills, solar panels, and battery storage systems, attackers can hide backdoors inside the equipment to later install malware that compromises energy systems, or even shuts down operations. In 2022, three European wind energy companies suffered an attack that turned off remote-control systems for 7,800 wind turbines for a full day.
Power grids in the U.S. are becoming more vulnerable to such cyberattacks as more software and hardware gets connected to the system, according to the North American Electric Reliability Corporation (NERC). Distributed energy resource aggregators control fleets of hundreds of thousands of devices, and such organizations are not subject to the same cybersecurity standards as the bulk electric system, including NERC’s Critical Infrastructure Protection standards.
Cyber threats have only escalated in the U.S. amid the current global geopolitical conflicts in Ukraine and Gaza. NERC regulators say that they expect this country’s presidential election to further escalate the likelihood of attacks on the grid from adversarial nation-states. The virtual and physical weak spots within the software and hardware that make up the U.S. grid grew to a range of 23,000 to 24,000 vulnerable points last year. That figure was up from 21,000 to 22,000 vulnerable points at the end of 2022, according to NERC.
Applying Financial Metrics to Translate Risk Levels to Business Leaders
The assets contained in a smart grid present new targets that are ripe for attack because energy distributors create two-way flows of energy and data between the renewable power generators and storage batteries they install. The very strengths of renewable energy environments can haunt their operators due to the vulnerabilities they introduce through end-to-end connectivity, automated asset management, and continuous data feedback loops. In this treacherous environment, every user, device, and connection point present a potential threat that should be continuously monitored and validated.
To protect the critical physical infrastructure of an energy center from cyberattacks, companies will need to adopt better cyber risk quantification tools as part of their overall security posture. Cyber risk quantification and management (CRQM) provides a comprehensive approach for companies to assess their greatest vulnerabilities, and plan their cybersecurity budget and resources using evidence-based analysis to balance the effectiveness and costs of pursuing mitigation versus transferring the risk to cyber insurance, or even enduring an attack.
In order for these threats to be taken seriously by leadership, it is important for executives who lack security backgrounds to understand what’s really at stake. That requires communicating risk levels in the clearest terms, including the dollar amount of losses stemming from damages, lost business, and reputational harm. By quantifying these risks in a way that is simple for CISOs, CFOs, and other business leaders to grasp, organizations in the renewable energy sector can create greater buy-in to protect against the growing likelihood of attacks.
Cyber risk management practices should recognize an organization’s current level of cybersecurity, while also calculating how much that business is targeted based on its industry, size, location, customer base, and other relevant parameters. Only in this way can organizations proactively manage their cyber risk portfolio to adequately assess risk mitigation projects and prioritize their cybersecurity investment decisions.
Jose M. Seara is the founder and CEO ofDeNexus, a leader in cyber risk quantification and management for operational technology (OT) and industrial control systems (ICS). Jose was previously the President & CEO of NaturEner USA (now BHE Montana) & NaturEner Canada from November 2006 to January 2018. During his time at NaturEner, Seara led the company through a leadership transition, working to ensure a smooth transition for the new team.
Prior to his time at NaturEner, Seara was a founding partner and member of the board of directors at DeWind Co from June 1999 to September 2002. Jose was also a founding partner and principal at PROYDECO Ingenieria y Servicios SL from January 2003 to December 2006, and a partner and director at Proyectos de Cogeneración SL from January 1999 to December 2003.
He holds an Executive Program degree from Singularity University in the field of Exponential Technologies. Jose also holds a Masters of Science in Naval & Marine Engineering from Universidad Politécnica de Madrid.
Oil and gas operations are commonly found in remote locations far from company headquarters. Now, it's possible to monitor pump operations, collate and analyze seismic data, and track employees around the world from almost anywhere. Whether employees are in the office or in the field, the internet and related applications enable a greater multidirectional flow of information – and control – than ever before.