Cyber attacks: The ever-changing and evolving threats facing renewables


Contributed by Auke Huistra, Industrial & OT Cyber Security Director, DNV Cyber

As the energy transition continues to ramp up in pace, companies are busy upgrading and connecting their legacy technology and infrastructure to improve safety, increase efficiency, and accelerate decarbonization.  

In our survey of 601 energy professionals, of whom 115 work in power and renewables, some 89% believe cyber security to be a prerequisite for the digital transformation initiatives that are making the future of the energy industry possible. This is according to DNV’s Cyber Priority research, which explores the state of cyber security in industrial sectors.

As part of this evolution, an increasingly urgent challenge is securing operational technology (OT), the control systems that manage, monitor, automate, and control industrial operations. This was particularly true after the Russian invasion of Ukraine, which highlighted the vulnerabilities of such infrastructure. At a global level, the digitalized and interconnected technology linking thousands of renewable assets to our energy grids represents a rich opportunity for cybercriminals.  




Without robust cyber security, the energy sector cannot reap the benefits of digital transformation and increased electrification. The opportunities are there, but building resilience to ensure they are embraced carefully is key.  

Supply chain vulnerabilities  

With new energies largely still in the early stages of maturity, there has not been the exposure to cyber risks which perhaps the oil and gas industry has experienced. While 63% of oil and gas professionals say their organization has good oversight of the cyber security vulnerabilities in their supply chain, that number drops to 54% for those working in electric power, renewables, and grid infrastructure. However, many of these challenges aren’t new, and history often repeats itself, especially when companies move too quickly.  

According to our research, the supply chain is considered by energy professionals to be one of the top five challenges for cyber security. In other words, it is all well and good having your own house in order, but steps must be taken to ensure that suppliers also adhere to strict protocols. New companies, technologies, and systems appear every single day, and that can present a risk. The appetite to drive our energy future must be accompanied by caution and diligence to ensure it is delivered safely.

Suppliers and manufacturers of technology across the supply chain often lack the people, processes, and technologies needed to guarantee the cyber security of their products and services. A study of OT and IT practitioners across industries by Applied Risk, a DNV company, found that just 27% of companies do due diligence on new suppliers, despite this being a major potential area of vulnerability – possibly providing an easy ‘back door’ to cyber threats.  

Issues remain, though, and it is worth highlighting that assumptions made by vendors about the code in their systems and devices can mean risks for clients. Extreme caution is necessary: code that may be perceived as coming from an entirely sound source may have been pulled from internet hosting services, some of which are potentially developed in hostile countries. Therefore, it is strongly suggested that a proper check on these products be done to ensure that industry best practices for coding and architectural design have been used while creating these new technologies.

The risk to renewables companies is ongoing. Software can be hacked and leave you vulnerable, so obtaining assurances when purchasing it is a critical step worth taking.

The perspective from the sector 

It is fair to ask whether enough is being done to ensure mitigations against cyber threats have been put in place. There is some optimism among energy professionals that action is being taken, with 36% stating cyber security is treated as a top risk by their organization. It is placed fourth, behind operational and technical, safety, and financial. However, cyber security risks can also impact the first three.  

Generally, investment is lagging. Less than half (42%) of those surveyed think their organization’s current level of investment is sufficient to ensure the resilience of their assets. Just one in three expressed confidence in their company’s investment in OT cyber security.  

A significant challenge is the skills shortage. Of course, this applies to the broader energy transition, but power and renewables professionals rate a lack of in-house cyber skills as the single most intractable barrier to maturity in the industry.  

Training can also be difficult, with contributors to the Cyber Priority research highlighting how overlong and unengaging sessions can prove ineffective.  

Despite these challenges, there is recognition that cyber security is an ever-growing threat that must be taken seriously. Indeed, 71% of respondents said that their organization takes cyber security as seriously as it takes physical health and safety.  

But this is not grounds for relaxation. If an engineer walked onto the site without the right PPE, we’d expect a very quick intervention. Can we be so sure we’d see the same speed if a business identified a vulnerable application or inappropriate digital behavior? That is the standard of awareness, or even better, human behavior and action that the sector must aspire to.  

What should renewables companies do? 

Cyber security breaches are a case of when, not if. Incidents in the industry in recent years have shown that. As threat actors evolve and become more creative in their ways of attack, evolving and staying at the forefront of defensive practices is essential for renewables companies.

One positive outcome is that 73% of power and renewables professionals say that cyber security is incorporated in the early phases of new energy infrastructure projects in their companies. Compare that with just 55% in the oil and gas industry, and it would suggest that a new culture is taking shape.  

However, while our research suggests that there is an increasing awareness of the risks across the energy sector, continued and increased efforts must be made to build and maintain cyber resilience and develop cyber maturity. It is not a one-time effort. 

Renewables companies must embrace a culture where their staff are encouraged to question whether confidence in their cyber security practices is justified and how they are measuring the strength of their defenses and protocols. It is good practice to ask where improvements can be made. At the same time, working on the expected cyber behavior is key, just like in safety.  

New regulation is also coming; as an example, less than one year remains until European Union (EU) countries must transpose NIS2 guidelines into law. For organizations providing essential services – such as energy – across the bloc, it will be the toughest cyber security regulation they have ever faced. Similar regulations loom in other regions. At the same time, there are also other regulations on the horizon: the Cyber Resilience Act will apply to products with digital elements, while the EU Machinery Regulation encourages manufacturers to produce high-quality machinery and specifically addresses the cybersecurity of safety control systems and conformity-related software. In the renewables sector, this translates to, for example, safeguarding critical components such as wind turbine control systems, solar inverters, and grid integration software against cyber threats.

Renewables companies, and their suppliers, have an opportunity to be on the front foot with their cyber security investments and not wait until such regulation comes into force. They must do so now, not only to ensure compliance but also to go beyond what is expected. For the energy transition to continue to accelerate at pace and avoid the potentially severe repercussions of cyber-attacks, proactive, thorough investment in cyber security is vital.


About the author

An international specialist in the field of Industrial Control Systems security, Auke has over 25 years’ experience in critical infrastructure protection, working for government, multinational and critical infrastructure companies, national research organisations and consultancies. He has been involved in various national and international cyber security initiatives, in various functions. Auke co-authored the Dutch government’s first National Cyber Security Strategy and led the Dutch Cyber Security Information Sharing and Analysis Centres (ISACs), before it was integrated into the National Cyber Security Centre (NCSC) in early 2012. Auke holds a degree in Chemistry from the University of Groningen.