Cybersecurity challenges and solutions for large-scale green energy infrastructure

TL;DR

• Green energy companies increasingly rely on digital technology to manage plants, grids, and general operations, which leave them vulnerable to cybersecurity attacks.

• 90% of the world’s largest energy companies had their cybersecurity breached in 2023.

• The relationship between renewable energy companies and the smart grid, remote operations, outdated technology, and a lack of cybersecurity talent are all challenges facing the industry.

• Governments are taking steps to address this risk, implementing legislation that requires energy companies to achieve certain standards in cybersecurity and earmarking investment to address the shortfalls.

• Companies can also take a proactive approach to their cybersecurity, implementing best practices such as robust authentication, firewalls, detection software, and constant reporting to protect their operations and their customers.

The detail

As the energy transition gains pace and renewable energy sources start to replace fossil fuels, the myriad benefits of this shift don’t mean it’s free from risk.

The renewable energy sector relies on a complex flow of electrical data to operate effectively in every part of the supply chain, from generation and transmission to distribution. All energy companies, but especially green energy providers, increasingly rely on digital technology to manage their plants, grids and general operations. Unfortunately, this also means they are vulnerable to cybersecurity attacks.

The statistics paint an alarming picture; one in three firms have suffered a cyber breach in the past year and 90% of the world’s largest energy companies had their cybersecurity setups breached in 2023. The International Energy Agency (IEA) has reported that attacks on utilities in general have been increasing since 2018, reaching worrying levels in 2022 following Russia’s invasion of Ukraine.

In 2022 alone, the average cost of data breaches in the energy sector was $4.72 million and co-ordinated cyber-attacks were directed at critical infrastructure across Europe. According to an IBM Security Report, the energy sector is the UK’s top target for cyber threats and accounted for 24% of the country’s attacks.

In recent years, incidents have disabled wind farms remotely, disrupted prepaid meters and led to data breaches, with Vestas and Enercon both becoming high profile victims. The impact of these attacks can be incredibly disruptive; a Dutch white hat hacker, known as Jelle Ursem, was able to access 40,000 homes in the Netherlands via their rooftop solar systems that were controlled by a remote monitoring tool, for example. Further, another incident in 2022 led to nearly 6,000 wind turbines in Germany malfunctioning, affecting thousands of companies across Europe.

An ideal target

There are several challenges related to cybersecurity that directly impact the renewable energy industry. One notable concern is the relationship between the industry and the smart grid, which revolves around gathering data. Wind farms, for example, use mechanical gears that support multiple sensors. The information from each sensor is then sent through the grid to alert the asset owner to any issues. All this crucial data is vulnerable to hackers.

Each digital system, piece of telecommunication equipment, and sensor throughout the smart grid offers an additional entry point to potential cyber criminals. Smaller renewable installations in Europe are similarly at risk due to their reliance on third-party systems. These are typically connected to the grid digitally and sit below the power generation monitoring threshold set by safety authorities.

The remote nature of many renewable power plants has also proved problematic. Many energy sources are located in isolated places, necessitating some form of remote access capability to share data and receive instructions via the cloud or a VPN. These systems are notoriously vulnerable to cyber-attacks.

Further, such vulnerabilities are compounded by the global shortage in cybersecurity experts. In 2022, the shortfall was estimated at 2.4 million people. The energy sector is especially affected by this limited workforce as they need employees with specific cybersecurity skills that are adapted to regulated technical and operational activities. Unfortunately, it seems unlikely that this shortage will be addressed with the urgency required as salaries offered within the energy industry are among the lowest for this type of role.

The age of many renewable energy farms is also a cybersecurity risk. The first wave of wind farms, for example, was installed in the 2000s and is now reaching retirement age. As a result, the systems that support them aren’t equipped with adequate cybersecurity defences capable of combatting modern cyber threats. This is notable, given that the lifespans of many of these farms are being extended as new plants await approval and investment, continuing to operate for another three to five years without appropriate protection.

Policies and procedures

Happily, there are solutions available that address many of these concerns. With the benefit of hindsight, renewable energy producers should have designed their operations with cybersecurity concerns top of mind, but it’s not too late for them to invest in robust security measures.

At the moment, they are sorely lacking; in the UK’s wind sector only 1% of approximately 11,000 sites has any kind of cyber solution in place. Ideally, the sector should adopt a strategic approach to their cybersecurity to safeguard the security and resilience of its operations.

The government certainly has a role to play, both in raising awareness within the renewable energy industry and in legislating to ensure cybersecurity is adequately considered.

The Network and Information Systems Regulations 2018 is one step forward; it applies to all electricity suppliers with more than 250,000 customers, electricity generators producing more than 2GW, and transmission systems operators. These companies must take appropriate and proportionate technical and organisational measures to manage risks and minimise the impact of incidents affecting their network and information systems. Failing to take these steps could incur a penalty of between £1 and £17 million.

The UK also recently introduced the PSTI cybersecurity standard, setting a global precedent. This new legislation requires all manufactures of connected consumer devices, including solar inverters, to comply with set standards regarding password strength, support periods, and technical documentation.

Further afield, the Cyber Resilience Act, led by the European Commission, is expected to introduce cybersecurity mandates from 2027 onwards. This legislation, and others like it, not only ensures a basic level of cyber security is adopted throughout the sector, but also raise awareness of the potential risks.

The future is secure

Artificial Intelligence (AI) occupies a unique position as both a cybersecurity challenge and a solution. It is expected that AI will increase the volume and heighten the impact of cyber-attacks over the coming years. However, implementing AI-based monitoring and detection platforms could mitigate this risk. AI has the capacity to spot and decipher the signals that serve as precursors to a cyber-attack far more efficiently than a human could.

Even so, AI isn’t the only technological solution companies can adopt to combat cyber-attacks. There are several standard practices that, when implemented strategically, can greatly diminish the renewable energy sector’s vulnerability.

Cybersecurity best practice including adopting multifactor authentication, encryption, and other tools that can secure devices can protect systems from hacking attempts from outside – and within – organisations. It is only with robust authentication measures and restricted access rights in place that companies can be sure that only those with the right permissions can gain access to their systems. Further, these procedures can be supported and strengthened by the introduction of firewalls, intrusion detection systems, encryption protocols and regular vulnerability assessments.

Data exchange is one of the biggest risks associated with the renewable energy industry, but it’s an essential process. To facilitate an energy system that can accelerate, automate, plan and anticipate processes better, data must be shared securely. That’s why Supervisory, Control and Data Acquisition (SCADA) systems are preferred targets for cyber-attacks. Taking a zero-trust approach to verifying commands related to data can improve cyber resilience, while it’s also important that all data moving across the network is monitored and encrypted.

Collaboration between the clean energy and cybersecurity communities, supported by investment, can build resilience throughout the supply chain. The US government, for example, has pledged $45 million to enhance the cybersecurity of clean energy technologies and the energy supply chain.

This type of targeted external investment can also contribute to the adoption of cybersecurity measures throughout the supply chain: equipment manufacturers, engineering procurement, construction, generation, transmission, distribution and end-users.

A fight worth winning

In 2021, there were an average of 736 cyber-attacks a week; a figure that has grown exponentially since. The green or renewable energy sector is especially vulnerable, not only due to the way it operates, but also the potential large-scale impact attacks can have.

Cyber criminals looking to impact a country’s infrastructure will look to the energy sector as a high priority target. However, acknowledging this vulnerability is the first step in the sector addressing its gaps in cybersecurity and taking proactive steps to plug them.

From implementing cybersecurity best practices, robust protocols, and constant monitoring to encouraging the government to implement new cyber security regulations and investing in talented experts, the renewable energy sector has many potential pathways to pursue.

Cyber-attacks will always be a threat, but the industry does not have to operate without defences.

— Lew 👋

As ever your feedback is important to me. Please help by letting me know what you love or what you think can improve.

The Transition’s work is provided for informational purposes only and should not be construed as advice in any capacity. Always do your own research.