With the new incoming US government and other international countries looking seriously at renewable energy sources; so are hackers, who are no fools and are researching ways to compromise the future of energy. The ‘rush’ to renewable energy technology may open multiple cybersecurity threats and vulnerabilities if caution is not placed on cyber security and these energy source developments.
Quick developing solar and wind technologies present new risks to power grid security, especially as smaller renewable energy companies often lack resources to fight against hackers. These new sources only multiply the avenues for cyber intrusions. A recent hacking campaign targeting US federal agencies and potentially hundreds of energy companies only emphasizes the scale of these challenges.[1]
The incoming US President Biden's push to zero out electricity-sector carbon emissions by 2035 could force the administration to contend with a rising cybersecurity threat from nation-states and criminal hackers while protecting new technologies in the grid that are heavily reliant on internet-connected devices. While hacking clean energy networks currently pose little risk of a blackout, that could change as thousands of megawatts of new wind, solar and battery storage resources link up to electric grids. Both cyber and energy experts agree that the challenges of protecting grid-edge technologies from hackers are increased by the distributed nature of renewables, lax or nonexistent cybersecurity standards, and an industry that may be more focused on building first and leaving cybersecurity as an afterthought.
The lack of attention is not limited to new or smaller companies. Established energy providers swinging toward renewables seem to be repeating past mistakes of adding cybersecurity as an afterthought — even as they make strides in cybersecurity in other areas. Researchers are saying that wind or solar companies are not engaged in this topic, so many are forcing the cyber security matter on them.
The more renewable resources enter the energy sector, the more cyber security impact is placed on electric grid stability and reliability. But clean energy's rapid rise (wind technology has alone risen from 2.3% of the US electricity source 10 years ago, to around 7% currently[2]) could also present a positive opportunity to implement a security-by-design framework, where defensive measures are built in alongside the technologies. In the case of the US government, that would provide buy-in from device manufacturers all the way up high levels of government that would craft cybersecurity priorities at agencies including the standards-setting National Institute of Standards and Technology (NIST and the Energy Department (DOE).[3] Researchers at DOE's National Renewable Energy Laboratory are already exploring security fixes in hardware and software associated with technologies like electric vehicles, battery storage and energy-efficient buildings that interface directly with the wider power grid, as well as wind and solar generators.
The renewable electricity sector has already seen its fair share of cyberattacks. In March 2019, a Utah renewable energy developer was hit with a "denial of service" attack that temporarily left grid operators blind to solar power sites. While the incident did not cause any blackouts, it was the first officially known disruptive cyberattack to occur anywhere on the US power grid. A ransomware attack this past February hit an unnamed renewable energy facility in Sterling County, Texas – US. While the attack also did not cut electric service, it highlighted ransomware threats that have broken US hospital and school networks this year and will likely continue to haunt critical infrastructure in the near future. Additionally, investigators and experts are continuing to assess the fallout from the far-reaching breach of information technology service provider SolarWinds, which counts most Fortune 500 companies as well as global renewable energy developers and manufacturers in its customer base. Companies or agencies that downloaded a hacked version of a SolarWinds software update, one that has been circulating since at least March 2020, could be vulnerable.
Economic Espionage - As with any new technology, espionage remains a key concern for clean energy developers. The renewable industry is a prime target for other nations hoping to steal US intellectual property. In an October analysis, the Department of Homeland Security warned that hostile nations like China and Russia continue to target the US energy sector. The threat posed by China, given its background in industrial espionage, is especially concerning, report US authorities.
Nation-backed (APT) and criminal hackers are constantly looking for the weakest link in the energy sector, said Marty Edwards, vice president of operational technology security at Tenable Inc. and a former DHS cybersecurity official. "If the weakest link happens to be renewables because we've deployed them in a nonsecure manner," there could be an increased interest in attacking those technologies, he said. DOE said that cyberattacks "are outpacing cybersecurity capabilities, posture, and expertise" in a road map for wind cybersecurity released earlier this year.
DOE warns that an individual wind turbine is not likely to threaten the grid if a cyberattack disables it, but because generators typically connect to each other via "smart grid" communications, there are many more attack paths for hackers. If a turbine is breached, the hackers could use that foothold to gain access to more networks and perhaps find their way into the bulk electric system.
Supply Chain worries - Wind energy also has supply chain cybersecurity concerns, the DOE report noted. Much of the renewable industry's equipment is built overseas, bringing a risk of embedded malware or other hidden vulnerabilities. Cybersecurity experts and government officials have raised the same worries about solar power gear. Supply chain security has been a key focus of the current US administration. The US issued a 1 May executive order (EO) aimed at protecting the bulk power system from supply chain threats from nations that pose a national security risk, including China. In a course direction for the new incoming administration, the American Wind Energy Association (AWEA) recommended that the new president should revoke this EO. AWEA said that the resulting DOE rulemaking could lead to "unnecessary restrictions on transactions involving non-US bulk-power system electric equipment." AWEA said ambiguous wording in Trump's order could set back or even halt ongoing projects. "There are pervasive industry fears that contracts deep into development or construction or operations are no longer economic, and this has created uncertainty over whether to proceed with current supply orders with equipment that might be impacted for new projects," AWEA wrote. AWEA said the new administration should instead "leverage existing industry standards in its development to mitigate major threats." The senior director of standards and asset management for AWEA, added in a statement that "standards development, if done correctly, encourages growth while setting a predictable, level playing field across the renewable energy industry." "While renewable energy remains a relatively low cybersecurity risk, AWEA supports efforts from the federal agencies to protect our nation by looking ahead to potential cybersecurity issues that could arise and address them in a comprehensive and transparent manner."
Unfortunately, existing cybersecurity standards for renewable energy are weak. The Federal Energy Regulatory Commission (FERC) and the nonprofit North American Electric Reliability Corp. (NERC) set and enforce cybersecurity requirements for any networks interacting with the bulk power system, but there are no wind-specific rules, DOE said in its policies. "The wind industry largely depends on standards developed for other energy systems and technologies, meaning that the specific cybersecurity needs of wind energy technologies are not well understood," DOE said.
However, developing cyber standards for wind is not easy. Standards are not the end-all, be-all for defense against hackers, as cybersecurity experts agree, and mandatory requirements drafted by NERC and FERC can take up to four years to come into effect. A recent FERC white paper concluded that current critical infrastructure protection standards are not enough to protect the grid from hackers.
Solar technology is even more widely distributed than wind turbines and could pose bigger challenges as sales of rooftop panels rise. A solar installation at a home or small business could be a lucrative target for criminal hackers looking to make money from a ransomware attack. Like wind energy, solar has few cybersecurity regulations and standards in place, though some guidance exists in California and Hawaii, and through the SunSpec Alliance of solar manufacturers and service providers.
More robust standards are currently being developed by organizations like the Institute of Electrical and Electronics Engineers and the International Electrotechnical Commission, alongside US national labs and industry.
Red Sky Alliance has been has analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Specifically, our analysts are currently collecting and analyzing the supply chains inside the energy sector. For many years we have believed the supply chain is the Achilles Heel to the over-all cyber network.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Comments