Cyber Resilience Spurs Reassurance for Renewables

"Have you identified any efforts by known or suspected nation-states to test exploitation capabilities, develop new malware or otherwise prepare for cyber operations?" The FBI posed this question in a communiqué sent to U.S. companies in spring 2022 that was shared with CNN.

Think this sounds like something out of an international spy novel? It’s not. More inquiries — like this SHIELDS UP advisory from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) — are finding their way into the inboxes of employees tasked with handling cybersecurity for critical infrastructure owners and operators in the United States.

Tens of millions of dollars each year are spent paying ransomware and repairing damage from cyberattacks. Especially at risk is the energy industry, including renewable energy suppliers. This sector is a high-profile target for intruders looking to deploy malware, ransomware and attacks with the intent of affecting power supplies.

While the motive for attacks can vary, financial gain through ransomware is the most common reason. Ransomware abusers leverage weaknesses in email and endpoint controls, relying heavily on email recipients to click on links without second guessing the content and/or sender. Other adversaries, such as corrupt countries, prefer to lay low and remain undiscovered until a geopolitical event occurs that they believe warrants an attack. Then they leverage a payload that’s been lying dormant in a network.

Disrupting, delaying or destroying key services to customers provides a big incentive for individuals with malicious intent. An attack can cost utility operators not only financially in ransomware payouts but also in direct and intangible ways such as downtime and liability costs, loss of data, revenue, talent and reputation.

The monumental shift from analog toward digitalization and the growing number of renewable energy sources and new vulnerabilities is outpacing the cyber resilience needed to protect utility assets. As a result, cybersecurity professionals are being stretched too thin, allowing more room for exploitation.

Renewable energy sources have gained a tremendous amount of momentum from both a legislative perspective as well as customers’ willingness to embrace and support the shift to clean energy. This shift — and demand, really — has led to the rapid design and construction of renewable energy facilities. More hydrogen production plants, wind turbines, solar farms and the like are popping up across the country. Like their coal- and gas-fired plant brethren, these facilities are mostly controlled from a centralized system and face a high risk of cyberattacks.

Given this, cybersecurity must be a priority and considered early when designing new systems and infrastructure or updating existing ones. Otherwise, electric utilities and companies that generate renewable power could risk exposure that results in vulnerabilities in everything from wind turbines and solar farms to battery storage facilities, smart home systems, electric vehicle charging stations and even electric vehicles themselves.

Across industries, cybersecurity consulting professionals at 1898 & Co., a part of Burns & McDonnell, have seen it all. “The methods of cyberattacks are constantly evolving, and the threats are growing in frequency and sophistication,” says Ali Elnaamani, a managing director at 1898 & Co. “Staying a few steps ahead of potential attackers so that they don’t disrupt an entire system is possible if proper planning is done.”

For industry insiders like Elnaamani, one of the biggest fears has been that energy providers aren’t aware of how vulnerable they can be to cyberattacks. In the case of the Colonial Pipeline attack in 2021, it became clear how easily a single compromised password could disrupt the energy infrastructure of a nation. Following this attack, there were major fuel shortages, long lines at gas stations across the country, and authorities declared a state of emergency in 17 U.S. states. Also in 2021, several Russian government employees were indicted for conducting computer intrusions against companies in the global energy sector. The attacks targeted thousands of computers and hundreds of companies in 135 countries — including several Midwestern utilities. The result was at least two major emergency shutdowns.

The level of awareness and degree of cybersecurity preparation is changing as more attacks like these occur. Key things a company can do to secure their systems include:

1. Identify the assets needing protection. Secure them through advanced technology, training and monitoring.
2. Share information. Collaboration with others can turn out to be the best defense. Become a member of groups like the Information Technology-Information Sharing and Analysis Center.
3. Have operations in place so attacks can be detected when they begin.
4. Respond with a predetermined strategy and tools that can stop or slow attacks.

A key component for staying ahead of cyberattacks is threat intelligence and information sharing. What’s important to keep in mind is that cyber bad actors aren’t just going after major utilities. They are going after smaller, rural targets as well. Intruders who target smaller renewable energy generators may find gateway access to larger energy suppliers who own these smaller renewable assets. This could lead to a nationwide negative impact on the grid.

As power operations expand and modernize, utilities are using more intelligent electronic devices in the field and incorporating more Internet of Things (IoT) sensors in their systems. These include IoT devices on transmission and distribution lines, in generators to monitor vibrations, and on equipment such as solar arrays and wind turbines so engineers can remotely collect data to make informed maintenance decisions.

As the number of digital monitoring components grow, so does the potential attack surface. Operators must physically and logically secure these devices and networks, as well as the supervisory control and data acquisition (SCADA) systems that manage operations overall. If not properly secured, the potential increases for attacks that result in unplanned outages, operational challenges that threaten demand and the loss of public confidence.

“Due to how fast clean energy sources are coming online, the remoteness of power sources, the age of some systems and the desire to handle operations in a centralized way, renewable energy providers need to be hyper-diligent and focused on developing cyber-resilient systems. One way to do this is through thorough threat assessments,” Elnaamani says.

To evaluate their level of security, companies are using outside cybersecurity professionals, internal engineering and IT staff and third-party equipment vendors to run penetration tests and other evaluations to find weaknesses in their systems and repair them.

Renewable energy producers, at this time, aren’t required to operate under any mandatory or enforceable cybersecurity standards. Yet many operate under the same Critical Infrastructure Protection (CIP) standards — established by the North American Electric Reliability Corp. and approved by the Federal Electric Regulatory Commission — as electric utilities do.

Across sectors, entities often need to be incentivized to take proactive steps in securing their critical infrastructure, whether that’s through direct funding made available to public utilities or cost recovery mechanisms that make it possible to recoup a portion of cybersecurity investments.

“Renewable energy providers that think about security at the beginning of a project will find themselves more protected at a lesser cost,” says Eric Ervin, a director at 1898 & Co. “We know where the crown jewels are for renewable producers and so do adversaries, which are often nation-states that have similar assets.”

According to Ervin, securing a system should never be an afterthought done in the eleventh hour. It’s much cheaper and more efficient if security is built into a project’s design earlier rather than later, when budgets are tight and resources constrained. This allows for security to be coordinated between the security and engineering teams.

“In addition to incorporating security into rather than around operations, having a playbook in case of an attack is an absolute necessity,” Ervin says. “Winging it is not acceptable. An attack can affect all aspects of a business; however, with the right controls in place, the impact can be mitigated.”

A predefined plan, with roles and responsibilities clearly outlined, can help alleviate chaos in times of stress during an attack. Additionally, having preexisting relationships with the intelligence community, including the Department of Homeland Security, Department of Energy and the Federal Bureau of Investigation, is instrumental in a company’s ability to recover quickly with minimal damage to critical operations. These pre-established connections can help companies gain quick access to the full resources of the government.

The goal of an effective cybersecurity plan is to leverage secure design principles and solutions to minimize risks to acceptable levels. 1898 & Co. is helping to launch a patent-pending program designed to do just that.

The program is the result of a partnership established in 2021 between 1898 & Co. and Idaho National Laboratory (INL), part of the U.S. Department of Energy. The consequence-driven, cyber-informed engineering (CCE) methodology was developed by INL. It is designed to protect the most critical aspects of utilities and manufacturing companies.

The CCE methodology provides a level of resilience uncommon in today's cybersecurity environments. 1898 & Co. is one of only five cybersecurity consulting firms in the U.S. partnering with INL to provide this level of protection. And while nothing is guaranteed, utilities that implement CCE for their most critical assets will have additional safeguards in the form of engineering changes and process improvements that can limit the damage an attacker can do. Simply put, CCE has the ability to temper the size and scale of sabotage by providing a high level of security that’s sorely needed across industries.

As part of its CCE programming, 1898 & Co. has multiple engagements in the pipeline that kick off in 2022. The work includes projects for entities in the oil, gas and utility sectors.

While cybersecurity technology specific to the decarbonization industry has yet to be developed, major events such as the Colonial Pipeline attack have led to a boost in government investment for cybersecurity protection in energy and other sectors.

Recent cybersecurity funding specifically for utilities set forth in the Infrastructure Investment and Jobs Act includes $250 million for the creation of the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program. The program is designed to help improve utilities’ ability to detect, respond to and recover from cyber attacks. Additionally, another $250 million is available to develop advanced cybersecurity applications and technologies for the energy sector. This includes a program that provides operational support to electric utilities in the form of threat intelligence, enhanced monitoring tools and other technical assistance. Both sources of funding should be available to renewable energy providers.

“While funding is helpful, further investment, regulations and potentially fines will be needed to raise the bar above that of pure compliance for renewable energy providers,” Ervin says. “Additional government oversight in the way of stringent mandatory regulations is likely just one major cyber event away.”