Renewable energy sources have gained a tremendous amount of momentum from both a legislative perspective as well as customers’ willingness to embrace and support the shift to clean energy. This shift — and demand, really — has led to the rapid design and construction of renewable energy facilities. More hydrogen production plants, wind turbines, solar farms and the like are popping up across the country. Like their coal- and gas-fired plant brethren, these facilities are mostly controlled from a centralized system and face a high risk of cyberattacks.
Given this, cybersecurity must be a priority and considered early when designing new systems and infrastructure or updating existing ones. Otherwise, electric utilities and companies that generate renewable power could risk exposure that results in vulnerabilities in everything from wind turbines and solar farms to battery storage facilities, smart home systems, electric vehicle charging stations and even electric vehicles themselves.
Across industries, cybersecurity consulting professionals at 1898 & Co., a part of Burns & McDonnell, have seen it all. “The methods of cyberattacks are constantly evolving, and the threats are growing in frequency and sophistication,” says Ali Elnaamani, a managing director at 1898 & Co. “Staying a few steps ahead of potential attackers so that they don’t disrupt an entire system is possible if proper planning is done.”
For industry insiders like Elnaamani, one of the biggest fears has been that energy providers aren’t aware of how vulnerable they can be to cyberattacks. In the case of the Colonial Pipeline attack in 2021, it became clear how easily a single compromised password could disrupt the energy infrastructure of a nation. Following this attack, there were major fuel shortages, long lines at gas stations across the country, and authorities declared a state of emergency in 17 U.S. states. Also in 2021, several Russian government employees were indicted for conducting computer intrusions against companies in the global energy sector. The attacks targeted thousands of computers and hundreds of companies in 135 countries — including several Midwestern utilities. The result was at least two major emergency shutdowns.
The level of awareness and degree of cybersecurity preparation is changing as more attacks like these occur. Key things a company can do to secure their systems include:
- Identify the assets needing protection. Secure them through advanced technology, training and monitoring.
- Share information. Collaboration with others can turn out to be the best defense. Become a member of groups like the Information Technology-Information Sharing and Analysis Center.
- Have operations in place so attacks can be detected when they begin.
- Respond with a predetermined strategy and tools that can stop or slow attacks.
A key component for staying ahead of cyberattacks is threat intelligence and information sharing. What’s important to keep in mind is that cyber bad actors aren’t just going after major utilities. They are going after smaller, rural targets as well. Intruders who target smaller renewable energy generators may find gateway access to larger energy suppliers who own these smaller renewable assets. This could lead to a nationwide negative impact on the grid.
As power operations expand and modernize, utilities are using more intelligent electronic devices in the field and incorporating more Internet of Things (IoT) sensors in their systems. These include IoT devices on transmission and distribution lines, in generators to monitor vibrations, and on equipment such as solar arrays and wind turbines so engineers can remotely collect data to make informed maintenance decisions.
As the number of digital monitoring components grow, so does the potential attack surface. Operators must physically and logically secure these devices and networks, as well as the supervisory control and data acquisition (SCADA) systems that manage operations overall. If not properly secured, the potential increases for attacks that result in unplanned outages, operational challenges that threaten demand and the loss of public confidence.
Increase Defense With a Solid Plan
“Due to how fast clean energy sources are coming online, the remoteness of power sources, the age of some systems and the desire to handle operations in a centralized way, renewable energy providers need to be hyper-diligent and focused on developing cyber-resilient systems. One way to do this is through thorough threat assessments,” Elnaamani says.
To evaluate their level of security, companies are using outside cybersecurity professionals, internal engineering and IT staff and third-party equipment vendors to run penetration tests and other evaluations to find weaknesses in their systems and repair them.