“Cybersecurity in Renewable Energy Assets – A key policy energy asset owners cannot afford to ignore!” first appeared on Cleantech Geek

By Ypatios Moysidis

We are fortunate that we live in the Renewable Energy Renaissance. The penetration of Renewable Energy Assets is increasing exponentially even with the COVID Restrictions and distributed energy generation will be the new norm.

As we are coming to terms with this new reality, we will need to be aware of the risks associated with managing multiple generating assets. Information and data are key within this environment, as the industry evolves into unsubsidized full merchant mode.

Before we venture deeper into the importance of Cybersecurity, we should perhaps define it. What is Cybersecurity?

“Cyber security refers to technologies, processes and controls that are designed to protect systems, networks, devices and data from attacks and unauthorised access.”

So, how does this apply to Renewable Energy Assets?

With respect to renewable energy assets, each control with physical or digital access presents an intrusion point.  Access must be controlled, and data integrity must be maintained at each accessible point. Many renewable systems use advanced controls, digital sensors, network architectures near generation sources which should, under normal circumstances, adequately secure. Examples of components and systems that require close consideration and could potentially be intrusion points are:

  • Inverter control and monitoring
  • CCTV
  • Alarm systems (IDS and environmental)
  • Communications
  • Substation control system
  • Field sensors
  • Wind control stations
  • Field weather and environmental data sensors
  • Networking architecture and routers

Give me an example, how could a bad scenario  become a reality…

Imagine you are the asset manager of multiple solar and wind parks. You have tight corporate PPA contracts that you will need to serve, with strong associated penalties. As you work on your assets, you suddenly lose visibility, and you are held “hostage” by a hacker. What would that do to your corporate reputation? How would that impact your relationship with your clients? What would be the real monetary losses you would incur? How serious would the disruption to your operations be? What would be the time, effort, and resources you would require to rectify things?

That’s Terrible! What’s the current state of our Industry? Are we adopting adequate policies?

The reality is that Cyber security maturity across the renewable industry is low. As a sector we are just tweaking into the security risks associated with Cybercrime. As a result, the majority of asset owners today, do not have a cybersecurity policy and don’t really know where their generation data is stored, who has remote access to their systems, or how secure are their connections.

If we could outline some key points regarding the current state of the industry, we could say that:

  • Cybersecurity has not been under consideration during the design phase of the vast majority of renewable assets operating today throughout the world. Cheap, off-the-shelf SCADA and CCTV systems have been for the last decade an industry norm.
  • Key components were being selected without consideration for cyber security, driven only by cost and availability.
  • Untrained EPC or O&M engineers were doing the majority of the on-site installations with limited hardware and software knowledge and no idea of Systems Architecture.
  • There were no clear policies, standards or regulations to follow.
  • Buyers and their Technical Advisers were not scrutinising cyber security, neither during transactions, nor upon completion, commissioning and acceptance of the projects.

Are Cyber-attacks a real threat?

If you think that such treats and such attacks only happen at government level or within the IT industry you are mistaken. Cyberattacks are not hypothetical. Cyberattacks are happening, BUT not necessarily publicised or communicated in the wider market.

Amongst the first cyberattack on renewable projects reported, was in 2019 in the United States, where sPower, a major solar and wind assets owner in the state of Utah, suffered  a series of lost connections between its main control centre and remote power-generation sites. The intruders capitalized on a known weakness in its Cisco Firewalls which triggered multiple communication outages over a total period of 12 hours. The brief, intermittent periods of downtime were determined to be the result of a denial-of-service (DoS) attack.

Further attacks mainly on the transmission grids or major utility companies happened over the last 5 years. Notably, Ukraine’s Power Grid suffered a transmission-level substation outage in 2016 and Suadi Arabia’s state agencies and private companies were hit by a virus in 2017.

In the EU, there are general and energy specific pieces of legislation. In general, there is the Cybersecurity Strategy 2013, the NIS Directive 2016, the Cybersecurity Package 2017 and the Cybersecurity Act 2019. Regarding more energy specific legislation, not necessarily just for Renewables, you should look at the Regulation of the Security of Gas Supply 2017 and the Clean Energy for All Europeans 2019.

What are the potential Consequences of Cyber-Attacks to my assets?

  • Loss of Visibility and Data / Grid Balancing Issues – In time sensitive contracts where total and live management of the plants is required. Loss of visibility and data can seriously impact the generator. Furthermore, an additional important risk is that cyber-attacks can cause grid balancing issues.
  • Financial Loss & Increase in Costs – Financial loss comes in the form of lost production, rectification measures, component replacement. Additionally, is it also possible to result in increased rectification, management, and insurance premiums costs.
  • Reputational Damage – When Cybersecurity attacks becomes public, asset owners / managers might occur seriously reputational damage, even more when lack of diligent management of risk is identified. This might be even more damaging on publicly listed and utility companies.
  • Loss of Opportunity – New models that are emerging, as the virtual power plants, require high cyber security standards, potential buyers may require demonstratable high level of cyber security risk management measures before they buy in.

I understand the threat is real and I need to act. Where do I begin?

Being aware of the situated risks is the first major step. If you are aware you act. Based on your current and future portfolio outlook the first step is to formulate a Cybersecurity Strategy and roll out a program to formulate policies and adopt procedures.

When formulating your Cybersecurity Strategy as an owner / operator you should consider:

  1. The cost of recovery (should your assets become a target of a cyberattack) against the cost of implementing additional security measures.
  2. Adopting measures that are relatively inexpensive and easy to implement, such as putting in place policies and assuring that software and hardware you are using have been updated to the latest versions and with the latest firmware.
  3. Regulation of remote access to your systems, as you would regulate physical access, should be implemented you need to know who, when and why accessed your systems.

Be mindful that, due to the complex and highly specialised nature of cyber security, ad hoc solutions may not be sufficient.

When deciding on formulating your cyber security strategy you should start with a comprehensive assessment of the current state of cyber security across your portfolio. Such audits should assess current policies, processes, practices in place, systems, infrastructure, suppliers and provide recommendations for further actions.

From experience, I would recommend a 5-step adoption approach, after you have a sound Cybersecurity Strategy in place.

  1. CyberSecurity Policy Creation – Every company in the sector from Developers, EPCs, Operators and Service providers should create and implement a Cyber Security Policy. It should be as mandatory as having a HSE policy. Remember that CyberSecurity starts at planning and site design. Be Cyber aware next time you negotiate your EPC contract.
  2. Risk Assessment, Site and Equipment Inspections / Replacement – Assess the risk at site and portfolio level. Inspections and test / probe attacks should be scheduled in an annual basis. You can optimize inspection planning by coordinating to perform security as you perform other inspections and assessments. Each site should have its security manual which would include your cybersecurity prevention and rectification measures.
  3. Human Resources Management and Training on Cyber Security Issues – A large aspect of CyberSecurity is the management of physical human behaviour. Negligence or lack of clear instructions to your teams are increasing the risks within your organization. Adequate procedure adoption and regular training is needed.
  4. Risk Mitigation Strategy – Once risks have been identified, risk mitigation strategies and actions should be implemented, both on digital and physical level. This does not just include site level, but organization level planning which affects the complete supply chain.
  5. Annual Security Reviews – Annual reviews and updates with the latest regulatory standards and requirements should be compulsory. Industry best practices must be adopted. Equipment and system update programs should be considered especially when you repower your assets. Its not just about generation but your communication and SCADA systems should be up to date as well.

If you have further questions and you need help on how you can assess the level of threat, your current state and you want to adopt and implement CyberSecurity policies and procedures throughout your organization and renewable energy assets, then get in touch today and a team of specialists will be able to assist and guide you.