Cybersecurity: the growing threat to renewables

IN DEPTH | Recent high-profile cyber-attacks have put the issue centre-stage and the energy sector is worryingly vulnerable, writes Christopher Hopson

The global energy transition is putting the health and safety of millions of people at risk by making it easier for state-sponsored hackers to shut down the power networks that society depends upon, according to cybersecurity experts.

Energy providers — including renewables developers and technology suppliers — need to fight back, they warn.

“It’s not a question of if you are going to be attacked, but when,” says Jason Haward-Grau, chief information security officer at Houston-based PAS, a cybersecurity adviser specialising in the energy sector. “For companies, the state-sponsored threat is very difficult to handle.

“We should hope for the best, but prepare for the worst.”

Such predictions came true last month, when a global ransomware attack (see panel) locked up more than 230,000 computers in more than 150 countries. Microsoft described the attack as a “wake-up call”, blaming governments and companies for using outdated software or not taking advantage of the latest security patches.

The energy sector’s vulnerability first came to the fore in 2015 and 2016, when state-sponsored Russian hackers allegedly caused blackouts in Ukraine amid the ongoing crisis between the two countries.


Ransomware is the latest scourge of the internet, “extorting millions of dollars from people and organisations after infecting and encrypting their systems,” according to US communications and technology giant Verizon’s 2017 Data Breach Investigations report.

A ransomware attacker uses malware for “data kidnapping” — encrypting a victim’s data and then demanding payment in return for the decryption key. “It has moved from the 22nd most common variety of malware in 2014 to the fifth most common in this year’s data,” the report states. “We have seen a 35-fold increase in ransomware attacks in the last 12 months, so assume it’s going to happen,” says Jason Haward-Grau of US cybersecurity firm PAS, speaking before last month’s WannaCry ransomware attack that paralysed more than 230,000 computers worldwide.

And after last November’s US presidential election — which was apparently influenced by Russian hackers revealing sensitive internal Democratic Party communications — the Land of the Free is under no illusions about its vulnerability. Early this year, the US Department of Energy (DOE) warned that the country’s electricity system “faces imminent danger” from cyber attacks, which are growing more frequent and sophisticated.

The DOE’s landmark Quadrennial Energy Review (QER) spelled out the threat, warning that a widespread power outage caused by a cyber attack could undermine “critical defence infrastructure” as well as much of the economy, while placing at risk the health and safety of millions of people.

David Batz, senior director of cyber & infrastructure security at the Washington-based Edison Electric Institute, says state-sponsored attacks are growing in sophistication, with an increasing number of hits. But he believes there has been a cultural shift within the energy industry, away from the “old days when companies used to think nobody would attack us”.

“Today, the US power sector has recognised it has the most critical infrastructure, which needs protection,” he says. “[But] we need higher standards and more effective information sharing on the growing cyber risk.” Indeed, one of the QER’s recommendations is to increase the collection from utilities of online data breaches.

And in Europe, the threat was acknowledged last year, when the European Parliament began work on its cybersecurity strategy for the energy sector, for which it is now consulting stakeholders. A plan of action is expected to be proposed by the end of this year.

The reason for this growing threat is that the energy system is becoming increasingly complex and sophisticated — and more reliant on digitalised, internet-based networks.

The transition to a renewables-led network based on wind turbines and solar panels is introducing thousands of potential entry points into the energy system for hackers. Similarly, the roll-out of smart grids and meters — and the expected widespread growth of demand-side response — is also introducing countless new entry points.

“Nothing is secure and everything can be hacked,” says Omer Shech, a customer solutions engineer with Israel-headquartered Waterfall Security. “The big question for companies is, ‘How high do you set the bar on security?’”

Shech believes that interconnectivity is currently the biggest problem for network security, as almost any connection to the internet can be a source of a malware attack. “We put up firewalls to keep us safe — but they don’t provide sufficient perimeter protection for industrial sites,” he points out.

There are also concerns about the security of unmanned, remotely operated wind and solar installations, Batz tells Recharge.

GE locks up $13m cybersecurity deal for Invenergy fleet

Read more

“We have observed that many such facilities may directly connect to the internet, with little or no security controls implemented,” he says. “This could lead to an opportunity for adversaries to remotely connect to such facilities, and potentially disrupt operations.”

Sean McCue, technical sales engineering manager at Swiss cyber-security firm Nozomi Networks, agrees. “The problem of attacks is real and getting worse,” he says. “It’s quite possible to envisage a problem involving solar panel owners who are selling power back to the grid.”

In Europe, which is leading the global energy transition, a new energy market design is being planned to allow greater and more effective use of interconnections between countries, self-generation, battery storage, smart grids, demand-side response and electric vehicles.

“The landscape is getting increasingly dangerous, with ever more active threat actors,” explains Michael John, director of consulting services at the European Network for Cyber Security. “We need new cyber standards as we have more interconnectivity, and we need to ensure this happens in a secure way.

“If we are to tackle this problem head-on, we need to manage risk and vulnerabilities; and we need security validation and to future-proof deployments; [to] carry out functional separation [of systems]; and introduce enhanced life-cycle management.

“We need to get [new] technology under control and we need to get newly developed devices secured.”

One argument cited by many cybersecurity experts is that even though a decentralised grid is more vulnerable than a centralised one, the potential impact of a security breach would be smaller. In simple terms, a decentralised grid contains more layers of energy systems that can be isolated from each other, therefore limiting the severity of an attack.

Shech argues that energy companies can ensure that minor security breaches do not become major incidents by utilising unidirectional security gateways — hardware that can physically only transport information in one direction.

“Unidirectional gateways — widely used across the energy sector on offshore platforms and nuclear plants — allow industrial networks and critical assets to be physically inaccessible from corporate networks and [therefore] totally secure from any online attacks,” he says.

"The landscape is getting increasingly dangerous, with ever more active threat actors"

In other words, the risks can be managed if energy companies act now.

Grid operators in the US say they are already tackling the problem. “[US] asset owners and operators understand that the effects of a co-ordinated cyber and physical attack on a utility’s operations would threaten electric system reliability and potentially result in large-scale power outages,” the Idaho National Laboratory wrote in a report last year entitled The Cyber Threat and Vulnerability Analysis of the US Electric Sector. “Utilities are routinely faced with new challenges for dealing with these cyber threats to the grids and consequently maintain a set of best practices to keep systems secure and up to date.”

Europe, meanwhile, quickly needs to develop more security capacity, says John, who points out that “lots of [European] utilities have built security operational centres [with] laboratories and training facilities”.

Europe: taking energy cybersecurity seriously

A 2016 European Commission (EC) study declared that there was an urgent requirement for a co-ordinated energy cybersecurity strategy across the EU. “We see that more than 90% of renewables will be connected to the distribution grid, so decentralisation is happening and it’s a big issue,” says Mark Van Stiphout, deputy head of research and innovation at the commission’s energy department. “So the way the distribution grid is going to be operated in the future is going to change, and this has big implication when you consider cyber security.”

The commission report, Cyber Security Strategy for the Energy Sector, warns that threats to energy cybersecurity in one member state could have the potential to disrupt infrastructure across the EU, possibly inflicting significant financial and physical damage, including loss of life.

The EC has adopted a whole raft of policy measures to deal with cybersecurity in general, but none specifically for energy. “The key issue at the moment is the implementation of the network and information system directive of last year, which identifies essential infrastructures and obliges member states to identify essential operations that have to meet certain cybersecurity requirements,” says Van Stiphout.

“At a European level — and globally — the legislative framework for cybersecurity is being set up, so we have a directive and have asked member states to define the operators and their requirements. We then need to make sure these requirements are consistent across the EU and you will likely see a convergence in the application of how things are handled.”

An EC energy cybersecurity report produced earlier this year recommends that EU states work together to analyse cyber threats and also establish best practice as to how to manage the system if threatened. It also calls for a build-up of capacity and competencies across the bloc to tackle the problem.

“We are currently thinking about investing in a few projects [through the EU’s Horizon 2020 research and innovation programme] where we support cybersecurity — in particular in electricity systems — to ensure that the already existing systems, like SCADA [ supervisory control and data acquisition], are much better protected at a time when more remotely located energy sources will be attached to the system,” says Van Stiphout.

“We will also look, for example, at how we can certify components or systems, or maybe even suppliers, because all these things are linked to the vulnerabilities of the energy system.”