Don’t Get Left in the Dark: Leading the charge on solar cybersecurity

More than ever, communities around the globe are rapidly increasing their energy consumption as electrification of modern society increases with each passing year. As that insatiable need for electricity grows, power generators are responding to a global call for more sustainable energy production. In heeding that call, many organizations are turning to solar generation for increased output. 

While solar energy has been available for decades, it only represents a small fraction of energy output around the globe. As a result, its production has frequently been considered less critical than that of fossil generation facilities; most sites have largely escaped cybersecurity regulations, such as the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards.

Today, however, the pace at which solar resources are being built and acquired to supplement energy generation portfolios is at a historic high. With additional production comes increased impact on the grid, and that impact leads directly to a higher level of criticality. Already, regulatory agencies are signaling their recognition of the importance of renewables and the likelihood of increased regulation — including NERC CIP, specifically — around their cybersecure operation. The days of “cybersecurity by obscurity” are nearing their end, and solar energy generators will soon need to regularly demonstrate adequate cybersecurity preparedness (Figure 1).

Figure 1: As regulations continue to increase, solar energy generators will need to improve their cybersecurity readiness.

Forward-thinking organizations know that cybersecurity readiness is not a switch they can flip overnight. When regulations arrive, it will take time to ramp up capabilities to meet those standards, and lead times will only increase as more companies around the globe scramble to meet deadlines. Because there is no penalty for implementing cybersecurity strategies ahead of regulation, many solar generation owners and operators are starting their journey now to stay ahead of the curve, and to ensure they implement the right solutions as strategically as possible for the greatest value across the lifecycle.

Cybersecurity for solar starts with OT

Cybersecurity has long been a staple of the information technology (IT) systems that drive the business world. Unfortunately, the IT cybersecurity roadmap does not often translate directly to operational technology (OT) systems such as those running solar generation facilities. In most cases, solar OT groups are much more focused on uptime, availability, and reliability of operating assets than their IT counterparts. Many cybersecurity technologies, if not applied correctly, could directly conflict with those goals. 

Securing systems is not just about buying the newest technology on the market and installing it across a solar operation. Rather, OT teams need fit-for-purpose solutions in place that not only keep systems cybersecure but also do not disrupt their OT goals.

Many solar organizations are meeting these challenges by optimizing around availability and uptime in parallel with security. Instead of focusing on endpoint cybersecurity solutions, the OT teams seeing the most success in their cybersecurity projects are focused on holistic solutions that include the network as well as endpoint solutions. 

For example, many of today’s teams are focused not just on adding solutions like antivirus and firewalls, but also on implementing redundancy into their control schemas. When teams identify cyber threats, this added redundancy helps them mitigate those threats and get the original system back online without disrupting energy delivery. 

That same redundancy also facilitates easier patching and updating of systems to ensure solutions are always performing at their best, without the need for service outages. It is a different way of thinking about security — not just adding technology to stop bad actors but anticipating an incident and preparing a strategy for the fastest and least disruptive resolution.

Ready, set, go(vernance)

Perhaps the most challenging roadblock many solar photovoltaic owners and operators face when implementing a cybersecurity roadmap is knowing where to start. Cyber attacks can come from many different directions, and OT systems typically have many interconnected devices and controls, dramatically increasing points of entry for attack. Understanding this attack surface is critical to developing a successful strategy.

Most organizations opt to start with a vulnerability assessment from a trusted provider of their automation solutions. Automation solutions providers with decades of experience in the power generation industry understand critical regulations such as NERC CIP, and they also understand the unique needs and limitations of OT teams in renewable energy generation. 

A vulnerability assessment from a trusted third-party explores all the areas where a solar generation operation is vulnerable from a cybersecurity perspective. The partner can provide clear reports on potential threats, with detailed prioritization guidance to help the team make the most impact right from the start. 

However, the vulnerability assessment is only the beginning. Cybersecurity is not a set-and-forget solution, but rather an ongoing process. Teams need to schedule regular checks of their security, monitoring both their endpoint and network security solutions, and monitoring software and protocols to ensure they are up to date. The most experienced automation solution providers can be a single source of support for design, procurement, and management of the solutions that are best fit for an organization’s specific OT technologies, helping the team keep its cybersecurity investment evergreen across its lifecycle (Figure 2).

Figure 2: Automation solution providers with deep expertise in power generation provide cybersecurity solutions that are customized to fit the unique needs of the industry.

Different footprints need different strategies

Many solar owners and operators also struggle with implementing cybersecurity strategies because most — if not all — of their facilities are operated remotely. What many of these organizations do not know is they can be just as creative in their cybersecurity deployment as they are in their control strategies. 

With the technologies available today, including monitoring and software capabilities, it is not only possible but relatively easy to implement a remote security operations center to work in tandem with the standard remote operations centers commonly found in renewable energy systems. For lean teams with limited personnel and IT resources, or even those taking advantage of third-party security management via an automation solutions partner, centralizing cybersecurity can right-size the resource cost of cyber protection.

Start securing systems

Cybersecurity regulations are coming to solar generation operations. Whether that happens in 5 or 10 years, the organizations waiting for regulation before implementing cybersecurity strategies and technologies will already be behind the curve. Building a foundation for cybersecure operation does not have to be a massive undertaking. 

Even the first step — a cybersecurity vulnerability assessment — will put most organizations ahead of their competition. Implementing at least some of the recommendations from the assessment will make them a less desirable target, while simultaneously building a foundation for a long-term cybersecurity journey that will help ensure the uptime, availability, and reliability necessary to drive successful, productive operations for years to come.

Emily Thomas is Director, Shared Services at Emerson. She is responsible for the management of the cybersecurity solutions, educational services, and global product support services organizations for Emerson's power and water solutions business, delivering value across the full customer lifecycle through customer success strategies and people development strategies. She has over eight years of experience with Emerson working across different divisions in strategic planning, marketing, and operations.

Emerson | www.emerson.com