Power in the Wrong Hands: The rising threat to renewables

Cyberattackers love renewables. This is because they meet many of the key characteristics that make them prime targets. First, renewables pioneer and employ new technology. Threat actors feed off new technology because it allows them to target vulnerabilities that have not yet been discovered. Second, renewable operations are spread out over large distances, often in remote locations. This drives a dependency on renewables for remote connectivity and control, providing more ways cyberattackers could have a large impact.  Lastly, renewables are high profile. Increasing investment and renewables’ criticality to national infrastructure makes them a high-impact target for cyberthreats.

Rise in cyberattacks

Geopolitical tensions are a stark reality in today's world. The aftermath of Russia's invasion of Ukraine saw Europe's attempt to reduce its reliance on Russian oil, leading to retaliatory cyberattacks on renewables; three wind turbine companies in Germany bore the brunt of these attacks, temporarily losing control of a staggering 7,800 turbines. These real-world examples underscore the urgent need for enhanced cybersecurity measures in the renewable energy sector.  

In the United States, the frequency of cyberattacks against renewables has seen a sharp rise. Ransomware attacks against utilities and manufacturers increased by 50 percent in 2023. Administration officials have been sounding the alarm, warning that many of these attacks are orchestrated by nation-states and aimed at critical U.S. infrastructure. A separate report identified 21 “threat groups” specifically targeting industrial/OT networks, including electric power generation facilities, transmission and distribution networks, renewable facilities, satellite services, and telecommunications networks.

Start with the basics

When enhancing your cybersecurity posture, begin by asking these four fundamental questions:  

• Do you know what you need to protect, especially after drilling into the components? (This is your asset inventory/management)
• Do you know where your gaps are? (This is your vulnerability management and prioritization)
• Can you see if someone is inside your system? (This is your monitoring program)
• If someone is inside your system, can you get them out? (This is your response and remediation plan)

Addressing these questions is a solid place to begin for both existing facilities and new project builds. If you aren’t able to confidently answer “Yes” to each one, your OT cyber program needs work.

Know your supply chain  

The time has certainly come for renewables to step up their fight against cyberattacks, especially on the OT side. One of the most important protective actions is to know your supply chain – and know it thoroughly, end to end. It is not enough to know where a piece of equipment was assembled or from where it was imported. Do you know where the sub-assemblies or motherboards were built? What about the software? Organizations need to have a supply chain map that digs deep into all digital equipment, components, and subcomponents to ensure better control of all equipment entering the facility. 

It is also vital to know your suppliers' cyber “hygiene” practices. What measures do they take to protect, validate, and check equipment and components before shipping to you?  

A second key step involves acceptance testing of all equipment (big and small) against any malware before installation. Acceptance testing is common practice, but generally we’re not looking at it from a security standpoint; we’re checking to make sure the equipment works, but, all too often, that’s where it ends. We need to take it much further.

Proper security acceptance testing includes virus and malware detections, penetration tests for vulnerabilities, segmentation, and other types of system hardening. The amount of time and money organizations spend on these two steps now could be pennies on the dollar compared to the millions a typical successful cyberattack would cost. 

Designing cybersecurity in each new project

Building in cybersecurity is better than bolting it on later. Ideally, you want to be thinking about how your organization is going to protect your facilities at the point of the design, not afterward — and certainly not after you’ve been the target of a cyberattack. Building in cyber from the beginning is less expensive, offers better protection, more efficiency, and provides a higher understanding of what you have and what you need to protect. 

Keep an eye on Artificial Intelligence (AI) 

Generative AI is being applied rapidly in the cyber world, as it can see patterns humans may overlook. Organizations now have the capabilities to reproduce malware and test it on their own systems. If the bad guys have AI to attack systems (which they do in increasing numbers), then the good guys need AI to protect them. 

Many organizations are still taking a “wait-and-see” attitude on AI. In this instance, however, renewable facilities cannot afford to get left behind this wave – there’s too much at risk. 

Renewable energy is rapidly becoming a critical part of our infrastructures, economies, and national security. Organizations must understand that the chance of a potential cyberattack is almost a certainty, as today’s bad actors use sophisticated scanners to find vector points (openings) to get into any system. The size or location of the facility is irrelevant. 

Investing in solutions to address the fundamentals of strong security is crucial in reducing the cybersecurity risk renewable utilities face. With the increasing threats, it is vital to take protective measures to ensure a safer and more secure environment for your renewable energy infrastructure and operations. Without the right protections, we run the risk of letting our power fall into the wrong hands.

Ian Bramson is Vice President – Global Industrial Cybersecurity at Black & Veatch. He is a highly experienced leader in the fields of cybersecurity, risk management, and digital transformation, with a career spanning over 25 years. As the head of the global industrial cybersecurity practice at Black & Veatch, Ian works closely with top-level executives in critical infrastructure industries to provide innovative solutions that minimize cybersecurity risks. He has successfully built two cybersecurity consulting services over the past decade, both of which were supported by global sales organizations and implemented in multiple industries. Ian is a respected thought leader and market developer in the emerging threat landscape of attacks on industrial operations and critical infrastructure. He holds a bachelor's degree in Economics and English from Cornell University.

Black & Veatch | www.bv.com