Water powers energy. Energy powers water. Cybersecurity protects the energy powered by water – but not very well. Paper beats rock.

It may seem complicated, but water is part and parcel of the energy industry – specifically the renewable energy industry. Renewable energy is power generated from water, wind, solar and geothermal energy, and until 2019, hydropower was the largest source of renewable energy in the US. This is all great, except for the fact that the renewable energy sector is falling short in cyber awareness. “Cybersecurity poses a serious challenge for renewables operators,” reads one industry report, and when water and renewable energy are so interconnectedly entwined, that poses a risk for both industries. We’ll dig into the cybersecurity problems facing renewable energy, how water and energy are connected, and how cybersecurity guidelines from the American Water Works Association (AWWA) can protect the entire chain.

Cybersecurity challenges for renewable energy

“In 2019, the renewable energy sector recorded its largest ever increase in installed capacity, with more than 200 GW added, outpacing net installations in fossil fuels and nuclear power combined,” the Accenture report states. That’s great for business – bad for cybersecurity. Renewable energy systems were born before the days of good cybersecurity; according to the report, “many of the systems currently in use were built prioritizing efficiency over security.”

This is like the early days of DevOps when hot apps were being delivered fast, but not safe. In came SecOps. In addition to lacking the natural security controls now built into the architecture, there’s also the problem of too many hands in the pie. Accenture states, “risk factors include the ecosystem of original equipment manufacturers and third-party operations and maintenance providers with access to their assets and networks.” In other words, a lot of the manufacturing and ops guys that did work for these renewable energy plants still have access to their networks. Oops. And if that didn’t double risk enough, the plants themselves used manual processes to onboard and permit these guys in the first place, so tracking them down will be – manual.

These archaic measures create obvious technical gaps, which in turn leave the system more cyber-vulnerable. Some security factors to consider are:

  • Within these systems, you’ll be facing a lack of visibility into what devices and applications are on the network
  • Legacy technologies are commonly used (most without security-by-design), so safeguards like network segmentation are key to preventing pivoting and lateral attacks
  • Many renewables plants have limited to no monitoring capabilities, so you don’t know who is accessing which device. This network blindness leaves you open to obvious threats.
  • Basic security functions are not automated. If you’re left to pull utilization reports by hand, can you imagine what you’d do for threat monitoring?
  • Security governance may not be well established, especially regarding IAM and patch management, and renewables plants may simply lack the resources needed to put better security controls in place.

In addition to the problems inherited by legacy systems and processes, renewables face other threats from the outside. These threats are made even more dangerous by the fact that the sector is so ill-equipped to meet them. These threats include:

  • The growing Industrial Internet of Things (IIoT) increases the number of connected devices (and therefore exposed endpoints) within renewable energy facilities – and up the supply chain, to water. Now, there are two sectors (and their connected devices) to deal with, growing the attack surface while making cyber visibility more complex.
  • Geographically dispersed resources among the renewables industry, with many contributors working remotely or as distanced third parties. This leads to difficulties in alignment, communication, and speed of response.
  • Non-agile security tools are also a part of the problem and lead to lengthy, expensive installation processes, extensive training, and ultimately difficulty integrating with other tools that become necessary in a quickly evolving cyber climate. SaaS tools can help.
  • The IT/OT mix is sifting out those who are prepared, and those who aren’t. Industries with legacy OT (much like local utilities) bring the most insecure operational technology, making those vulnerabilities doubly dangerous as they all now connect to IT architecture.
  • A global cyber worker shortage is hitting the industry hard, and municipal agencies are struggling to keep up. “Think of the criticality of what your local government does: water purification, waste treatment…public safety,” said Mike Hamilton, the chief information security officer at Critical Insight. “But Amazon is out there waving around bags of cash to protect their retail operation.” Means: critical national infrastructure (CNI) agencies need cyber talent the most but can afford it the least.

The renewable energy industry differs from typical utilities in cybersecurity, as they combine industries to get the job done, whereas typical sectors are siloed: water, coal, gas. Renewable energy sources combine water and electricity, wind and electricity, solar rays and electricity – and double their liabilities in the process. There are twice as many upstream attacks, supply-chain encounters, and potential threats lurking when you combine two systems as opposed to one. It’s kind of like IT/OT – if one isn’t properly cybersecure, it’s twice as much trouble for both. Which brings us to our next point.

Water, renewable energy, and cybersecurity
Since water is a key part of the renewable energy industry, it’s important to secure our “liquid assets” so no cyber liabilities travel upstream. The good news: “cybersecurity is now a mission-critical function for water utilities,” according to the AWWA, and to prove it, they released a set of cybersecurity guidelines and tools centered largely around the electronic and automated systems within their water sector, and their security and network monitoring.

The American Water Works Association has approximately 51,000 members and is the largest “nonprofit, scientific and educational association dedicated to managing and treating water” (or, as they aptly put it, “the world’s most important resource”). In line with this vision, their recommended cybersecurity guidelines for water cover:

  • Governance and Risk Management
  • Business Continuity and Disaster Recovery
  • Server and Workstation Hardening
  • Access Control
  • Application Security
  • Encryption
  • Data Security
  • Telecommunications, Network Security, and Architecture
  • Physical security of PCS equipment
  • Service Level Agreements (SLA)
  • Operations Security (OPSEC)
  • Education
  • Personnel Security
  • Cyber-Informed Engineering

Along with the above, the AWWA provides an assessment tool to see if you are using the most effective security controls for your technology stack, and small systems guidance to help rural communities improve their cybersecurity posture. And, these industry protections stretch far beyond making the water sector safe for renewables: maintaining a bullet-proof cyber status will enable water to be usable for industries such as manufacturing, agriculture, and healthcare.

Similar in intent to the guidelines released by WaterISAC, the AWWA framework seeks to provide the knowledge, guidance, and expertise needed to shore up water sector defenses to be at a safe operational standard – and give these pillars of critical national infrastructure the cybersecurity needed to fend off today’s threats and support their energy partners in the renewables sector upstream.

Essential water industry frameworks such as AWWA and ISAC provide crucial guidance for creating a solid security posture. ITEGRITI has the right people to get you up to par in the industry – and beyond – if you are looking for support.