By Stefan Schachinger, Senior Product Manager, Network Security at Barracuda Networks.
In April 2022, a few months after the Russian attack on Ukraine began, three wind energy companies1 in Germany were hit by cybercriminals. The attacks crippled thousands of digitally controlled wind turbines. In one case, the company was not even the explicit target, but a victim of “collateral damage” after the attackers took down the Ukrainian ViaSat satellite system. This is just one example of the cyber risks to which digital renewable energy systems are exposed. It is estimated2 that by 2050, 70 per cent of the world’s electricity systems will depend on renewable energy, mainly from solar, wind, tidal, rain and geothermal sources. These energy sources tend to be decentralised, geographically remote and relatively small. They are often managed and operated with inadequately secured digital technologies that are directly connected to the outdated infrastructure of national power grids. A situation that opens the door to cyber attacks. From risk to resilience To implement robust cyber resilience in digital renewable energy systems, it is first necessary to understand the areas of risk. The top 10 are as follows: 1. Code vulnerabilities and misconfigurations in embedded software. The demand for renewable energy means that supporting technologies and applications are often developed and implemented quickly, leaving little time to incorporate or test security controls. Vendors and their developers are experts in electrical engineering and may not have the security knowledge to do so. The risk is compounded if the software is not regularly patched and updated after error messages.
2. Unsecured APIs. Another software-related risk is that API-based applications can communicate with other applications, including third-party applications, and share data and functionality. They are a common feature of networked or publicly accessible systems. Web application security and firewalls are essential to prevent attackers from using APIs to steal data, infect devices and create botnets.
3. management, control, reporting and analysis systems. Management and control software such as supervisory control and data acquisition (SCADA) systems and other systems that import, analyse and visualise data from energy sources are top targets for cyberattacks because they allow criminals to access the entire system, manipulate data, send instructions and more. Systems that integrate data from third-party sources, such as weather towers, provide another avenue for compromise. Robust authentication measures, at least multi-level but ideally based on zero-trust, combined with restricted access rights, are critical to ensure that only those with authorisation can access the system.
4. automation. Distributed and decentralised renewable energy systems, especially on a large scale, need to be monitored and managed 24/7, which is increasingly done automatically. The risk is that these systems are not monitored carefully enough for anomalous or suspicious traffic that could indicate the presence of an intruder. Security solutions that offer advanced detection and response, as well as specific IoT security features, can help.
5. remote access services. Renewable energy sources are widely dispersed and often located in isolated locations. This means they need some form of remote access to share data and receive instructions and reports, for example via cloud services or VPNs. Remote access services are notoriously vulnerable to cyber-attacks and robust authentication and access measures are essential.
6. physical location. Another geographical risk is that location can slow down response and recovery time after an incident. The logistics of travelling to and from an offshore wind farm, for example to repair or re-image sensors, can be complex, time-consuming and expensive. The people travelling to the remote sites are usually not IT professionals, so a security solution that can be easily installed and replaced by a non-security expert is essential. An electrician must be able to replace a faulty unit on a Sunday evening.
7. network traffic. All data passing over the network should be monitored and encrypted. In connected power systems, data traffic between a device and the central application is often unencrypted and vulnerable to tampering. Attackers can intercept data at rest and in motion. Or DoS attacks overload traffic systems.
8. internet connectivity. Conventional power plants, such as gas-fired power plants, are usually not connected to the internet and have a so-called “air-gapped” infrastructure that reduces the risk of a cyber-attack. However, as renewable energy sources are connected to the internet, they generally do not have this protection. All facilities connected to the internet need to be secured.
9. outdated power grid infrastructure. In most countries, a significant portion of the power grid will be outdated and therefore unable to receive security updates. The best way to protect these systems is to include them in secure authentication and access measures.
10. Lack of regulation and security coordination. For long-term security, laws and regulations – such as NIS 2.0 in Europe – must ensure that there are strict standards for renewable energy installations, no matter how small. In addition, renewable energy technology is developing rapidly and supply chains are complex – this can lead to confusion about who is responsible for safety. The ‘shared responsibility’ model that applies to cloud providers could also help here. Sustainable security In some ways, renewable energy systems are not so different from other IoT systems. Attackers can look for and attack vulnerable components, unpatched software, insecure default settings and unprotected connections. A sustainable, connected renewable energy industry needs to be equipped with security and cyber resilience from the start – and then continuously maintained, step by step. Securing a complex environment does not have to be complicated. It is worth considering SASE (Secure Access Service Edge), an integrated solution that securely connects people, devices and things to their applications, wherever they are. If network segmentation and user training are then added, companies have a solid cyber-resilient foundation – not only to prevent an attack, but also to contain the impact should it (happen).
*****
Sources:
1 https://www.wsj.com/articles/european-wind-energy-sector-hit-in-wave-of-hacks-11650879000
2 https://www.dnv.com/energy-transition-outlook/rise-of-renewables.html
