Stefan Schachinger, senior product manager, network security at Barracuda explains ways in which cybersecurity resilience can be built
In the first months of the Russia-Ukraine war, between late February and April 2022, three wind-energy companies in Germany were hit by cyber-attacks that cut off remote monitoring and control of thousands of digitally managed wind turbines. In one case the company wasn’t even the target but “collateral damage”: its turbines lost their satellite link when attackers took down the KA-SAT network of the satellite operator Viasat, which served Ukraine. This is just one example of the cyber-risks now facing digital renewable energy systems.
It is estimated that by 2050, global power systems will be 70% reliant on renewable energy, derived mainly from solar, wind, tidal, hydro and geothermal sources. These energy sources are generally distributed, geographically remote and relatively small in scale. They are often managed and operated through under-secured digital technologies that plug directly into the legacy infrastructure of national power grids, which gives threat actors a broad attack surface to target. To build robust cyber-resilience into digital renewable energy systems we first need to understand the areas of risk.
Code vulnerabilities and misconfigurations in embedded software
The demand for renewable energy means that supporting technologies and applications are often developed and deployed at speed, with little time to include or test security controls. The vendors’ developers are typically electrical engineers first and may not have the security skills to do this anyway. The risk is compounded if software isn’t regularly patched and updated as bugs are reported, which in embedded devices often depends on the vendor shipping a firmware update at all.
Another software-related risk is APIs (application programming interfaces), through which applications share data and functionality with other applications, including third-party apps. They are a common feature of connected or public-facing systems. Web application security, including web application firewalls and proper authentication and rate limiting on every API endpoint, is essential to prevent attackers from leveraging APIs to steal data, infect devices and build botnets.
Management, control, reporting and analysis systems
Management and control software, such as SCADA (supervisory control and data acquisition) systems, and the other systems that import, analyse and visualise data from power sources, are top targets for cyber-attack because they give an attacker reach into the whole system: reading and manipulating data, sending control instructions and more. Systems that integrate data from third-party sources, such as meteorological towers, offer another route for compromise. Robust authentication, multi-factor at a minimum and ideally within a zero-trust model where every access request is verified, combined with least-privilege access rights, is vital to ensure that only those with permission can reach the system.
Dispersed and distributed renewable energy systems, particularly at scale, need 24/7 monitoring and management, and this is increasingly automated. The risk is that the monitoring focuses on turbine health and output, and nobody is watching for anomalous or suspicious traffic that could indicate an intruder, for example a host that has never spoken to a controller suddenly issuing write commands. Security solutions that offer extended detection and response and specialist Internet-of-Things (IoT) security functionality can help here.
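The kind of anomaly check the previous two sections describe, as an added example rather than code from the article or from Barracuda: it learns a baseline of which hosts normally talk to which controllers, and which of them are allowed to issue Modbus write commands, then flags deviations in a later window. The flow-record format, the IP addresses and the log lines are all constructed for illustration; a real deployment would feed records from a network sensor or a SCADA firewall.

```python
from collections import defaultdict
from dataclasses import dataclass

# Modbus function codes that change controller state (coil and register writes).
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# Function codes normally only an engineering station issues
# (diagnostics, encapsulated interface / device identification).
MODBUS_ENGINEERING_FUNCTIONS = {8, 43}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    func: int  # Modbus function code carried in the request


def parse_flows(text):
    """Parse constructed records of the form: ts src dst dport function_code."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, func = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(func)))
    return flows


def learn_baseline(flows):
    """Record every (src, dst, port) peer seen and which hosts wrote to which controller."""
    peers = set()
    writers = defaultdict(set)
    for f in flows:
        peers.add((f.src, f.dst, f.dport))
        if f.func in MODBUS_WRITE_FUNCTIONS:
            writers[f.dst].add(f.src)
    return {"peers": peers, "writers": dict(writers)}


def detect(flows, baseline):
    """Return (alert_kind, flow) pairs for traffic that departs from the baseline."""
    alerts = []
    for f in flows:
        if (f.src, f.dst, f.dport) not in baseline["peers"]:
            alerts.append(("NEW_PEER", f))
        if f.func in MODBUS_WRITE_FUNCTIONS and f.src not in baseline["writers"].get(f.dst, set()):
            alerts.append(("UNEXPECTED_WRITER", f))
        if f.func in MODBUS_ENGINEERING_FUNCTIONS:
            alerts.append(("ENGINEERING_FUNCTION", f))
    return alerts


# Constructed sample: a normal period used to learn the baseline.
# 10.10.1.5 is the SCADA server (reads and writes), 10.10.1.9 a historian (reads only),
# 10.20.0.11 and 10.20.0.12 are turbine controllers on Modbus/TCP port 502.
BASELINE_LOG = """
# ts                   src        dst         dport func
2024-03-01T02:00:00Z 10.10.1.5  10.20.0.11  502  3
2024-03-01T02:00:01Z 10.10.1.5  10.20.0.12  502  3
2024-03-01T02:05:00Z 10.10.1.5  10.20.0.11  502  16
2024-03-01T02:05:01Z 10.10.1.5  10.20.0.12  502  16
2024-03-01T02:10:00Z 10.10.1.9  10.20.0.11  502  4
2024-03-01T02:10:01Z 10.10.1.9  10.20.0.12  502  4
"""

# Constructed sample: the window being monitored. The historian issues a write,
# an unknown host appears, and the SCADA server sends a diagnostic function.
WINDOW_LOG = """
2024-03-02T03:00:00Z 10.10.1.5  10.20.0.11  502  3
2024-03-02T03:00:05Z 10.10.1.9  10.20.0.11  502  16
2024-03-02T03:01:10Z 10.10.1.77 10.20.0.12  502  3
2024-03-02T03:02:00Z 10.10.1.5  10.20.0.11  502  8
"""


def run_example():
    baseline = learn_baseline(parse_flows(BASELINE_LOG))
    return detect(parse_flows(WINDOW_LOG), baseline)


if __name__ == "__main__":
    for kind, f in run_example():
        print(f"{f.ts} {kind}: {f.src} -> {f.dst}:{f.dport} function {f.func}")
```

Run against the constructed window, the first read from the SCADA server is silent, the historian’s write is flagged as an unexpected writer, the unknown host as a new peer, and the diagnostic request as engineering activity. The baseline is deliberately simple (no time-of-day or rate modelling); its value is that the allowed-writer set makes the least-privilege expectation explicit, so a compromised read-only host cannot issue a write without tripping an alert.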
Remote access services
Renewable energy sources are dispersed and often in isolated locations, so they need some form of remote access capability to share data and receive instructions and reports, for example via cloud services or VPNs. Exposed remote access services, such as VPN gateways and remote-management ports, are among the most frequently targeted entry points in any network, so robust authentication and access controls, and a minimal set of services actually reachable from the internet, are vital.
Another risk linked to geography is that location can slow down response and recovery time after an incident. The logistics of getting to and from an offshore wind farm to repair or re-image sensors, for example, can be complex, time consuming and expensive. The people travelling to remote sites are unlikely to be IT professionals, so a security solution that is easy to deploy and replace by a non-security expert is essential. An electrician needs to be able to replace a broken unit on a Sunday night.
All data that moves across the network should be monitored and encrypted. In connected power systems, the traffic between a device and the central application is often unencrypted and unauthenticated (classic industrial protocols such as Modbus/TCP carry neither), so it can be read or manipulated by anyone who reaches the network path. Data at rest and in motion can be intercepted by attackers, or the communication channels flooded in a denial-of-service attack.
Traditional power plants, such as gas-fired stations, have historically kept their control systems off the internet in a so-called “air-gapped” infrastructure, which reduces (though never eliminates) the risk of a cyber-attack. The connected nature of renewable energy sources means they generally don’t have this protection, so every internet-facing asset needs to be secured.
Legacy infrastructure of electricity grids
In most countries, a significant proportion of the electricity grid will be old and outdated and unable to receive security updates. The best way to protect those systems is to wrap them in secure authentication and access measures.
Lack of regulation and security co-ordination
For long-term security, legislation and regulation, such as the NIS2 directive in Europe, need to ensure there are strong standards for renewable energy installations, however small in scale. Further, the technology for renewables is developing rapidly and supply chains are complex, which can lead to confusion about who is responsible for security. The “shared responsibility” model applied to cloud providers, which spells out what the provider secures and what the customer must secure, could be a good way to approach this.
In some ways, renewable energy systems are not that different from other IoT systems. Attackers can scan for and target vulnerable components, unpatched software, insecure default settings, and under-protected connections. A sustainable connected renewables industry will need security and cyber-resilience built in from the start – and then maintained continuously every step of the way.
Securing a complex environment needn’t be complex. It’s worth considering SASE (Secure Access Service Edge), an integrated solution that securely connects people, devices and things with their applications, wherever they are. If you add network segmentation and user education, you’ll have a solid foundation for cyber-resilience: not just to prevent an attack, but to contain the impact of an incident if you do get hit.