“In 2019, the renewable energy sector recorded its largest ever increase in installed capacity, with more than 200 GW added, outpacing net installations in fossil fuels and nuclear power combined,” reads a report from Accenture about the cyber state of renewables. With more surface area comes more attack surface. Luckily, there are measures in place to combine energy and cybersecurity, such as the Federal Energy Management Program (FEMP). And, knowledge is power.
Cybersecurity poses a serious challenge for renewables operators. Many of the systems currently in use were built prioritizing efficiency over security. Other risk factors include an ecosystem of original equipment manufacturers and third-party maintenance providers with lingering access to their assets, and the fact that many are still mired in manual processes. The road to full cybersecurity maturity for the renewable energy sector won’t be easy, but in time it can develop into the security posture seen in traditional power plants. We’ll go over the differences here, and what has to be done to close the gap.
Renewables vs. Traditional Power Plants
Renewable energy facilities and traditional power plants are not the same thing; therefore, cybersecurity works a little differently for them, too. Traditional power plants run off exhaustible supplies like coal or natural gas. Once you use them, they’re gone (sorry, Earth). Renewables are just that – naturally replenishing but flow-limited resources like biomass, hydropower, geothermal, wind, and solar. This means you can’t use them up, but you can also just use what’s available at the time. It takes time to charge a solar panel.
The main cybersecurity challenge between renewables and traditional power lies in environment structure. Renewables rely on more than one industry: water and power, wind and power, sun and power. You’re combining two sectors, each with its own personnel, infrastructure, and security challenges. Think of the cybersecurity difficulties in combining IT/OT: you’re combining often up-to-date IT with often lagging legacy OT resources, especially where much critical national infrastructure is concerned. Now imagine doing that for two different industries (each with its own IT/OT problems). Now you’re starting to see why securing the renewable power sector can be such a difficulty.
Another challenge, ironically, is the expansion of technology. Renewable grides typically feature more IoT technology, and that can be a [security] problem if not handled with care. With every new IoT device, smart water meter, or smart inverter on a solar panel, the attack surface (and risk potential) multiplies. Traditional power supplies – think coal, oil, and natural gas – only have to worry about gadgets infiltrating from one side: energy. Renewables have to deal with potential new technologies being integrated from multiple sectors and funneling into their electric grid. It’s double the trouble.
A third, and perhaps inescapable challenge, is that “going green” is on the rise. That simply means the attack surface is growing with every new solar farm, hydropower plant, and windmill. If the sector’s inherent cybersecurity problems aren’t solved quickly, and at the root, they will just proliferate into each new build. These problems are dynamic, as opposed to those of the oil, coal, and fracking facilities that are increasingly being threatened with shut down as we struggle to transition to clean energy.
And lastly, a lack of regulations for distributed energy resources (DERs) and inverter-based resources (IBRs). Says Kenneth Boyce, senior director for Principal Engineering with UL’s Industrial group, “Currently, there are no cybersecurity certification requirements to which manufacturers and vendors can certify their DER devices and IBRs against an established and widely adopted cybersecurity certification program.” He concludes that developing said requirements will provide a “single unified approach” for testing and certifying DERs before they are deployed in the field.
How to Close the Gaps
Although traditional power plants are streaking ahead in cyber safety, measures can be put in place to close the gap. Michael Sanchez, CEO (CISA, CCSFP) noted 10 essential steps organizations can take today to improve their cybersecurity posture – no matter where they are on the maturity scale. They include:
- A culture of cybersecurity
- Asset inventory
- Minimize attack surface
- Identify business-critical data
- Manage cyber and physical boundaries
- Prepare for real-time events
- The principle of least privilege
- Manage vulnerabilities
- Keep track of baselines
- Balance preventative and protective controls
And, a report from the Renewables Consulting Group (RCG) and cyber specialist Cylance recommends the following cybersecurity suggestions for the renewable power industry specifically:
- “Environment assessment: Renewable energy companies should carry out comprehensive assessments of their current cybersecurity posture.
- Asset update: Updated systems provide a last line of defense when other security measures fail so it is critical IT infrastructure is updated and staff are trained to recognize the threats.
- Access management: Access to sensitive systems and data needs to be properly managed.
- Predictive tools: New tools, including artificial intelligence and machine learning, can help maintain strong security as cyberattacks and operating environments become more complex.”
By implementing the above suggestions, underfunded, legacy-ridden renewables operators can begin to keep up with the rest of the power sector in securing their assets. Managed service providers like ITEGRITI can help establish baselines, track goals and implement solutions.
Managed Security Services
Choosing a Managed Security Service Provider (MSSP) like ITEGRITI can help offload the burden of achieving cyber-stability all on your own. A good MSSP can give you the manpower to get stuff done. No, we’re not a staffing agency. But we do provide you with managed service experts who can make tough calls and provide ongoing advisory through our Virtual Support models. Check out vCISO, vCompliance Team, and Workforce Support.
We can also cut through the jargon and legislation to help your renewables plant achieve cyber compliance. As we state, “Our team members served in operational, management, and auditor roles and have deep experience in regulatory compliance and affairs.” We’ll help you with program implementation (NERC, FERC, NIST), audit prep, and mitigation activities.
And lastly, none of this means anything without resilience. If you can swat off one cyberattack, great. But what happens the next time? Choosing a good MSSP means finding one who not only implements the solutions but measures them on a consistent basis to ensure they’ve still got what it takes to fight off the latest threats.
When the energy sector is facing ever more sophisticated threats, not one weak link can be allowed in the chain. Renewables may well be the future of the energy industry but right now, this industry has yet to mature from a cybersecurity perspective. Choose the managed service provider that can work with your renewable power plant’s unique security challenges and catch you up to the rest of the sector.
If you are looking to bolster your defenses and ensure you are compliant with all current frameworks, contact ITEGRITI today.