Cyber resilience in the renewable energy sector

/in


In April 2022, a few months after the start of the Russia-Ukraine war, three wind-energy companies in Germany were hit with cyber-attacks that disabled thousands of digitally managed wind turbines. In one case, the company wasn’t even the target but “collateral damage” after attackers took down the Ukrainian satellite system ViaSat. This is just one example of the cyber-risks now facing digital renewable energy systems.

It is estimated that by 2050, global power systems will be 70% reliant on renewable energy – derived mainly from solar, wind, tidal, rain, and geothermal sources. These energy sources are generally distributed, geographically remote, and relatively small scale. They are often managed and operated using under-secured digital technologies that plug directly into the legacy infrastructure of national power grids. This creates a broad cyber-attack surface for threat actors to target.

From risk to resilience

To build robust cyber-resilience into digital renewable energy systems we first need to understand the areas of risk. These include, but are not limited to:

  1. Code vulnerabilities and misconfigurations in embedded software. The demand for renewable energy means that supporting technologies and applications are often developed and implemented at speed, with little time to include or test security controls. The vendors and their developers will be experts in electrical engineering and may not have the relevant security skills to do this anyway. The risk is compounded if software isn’t regularly patched and updated as bugs are reported. 
  2. Unsecured APIs. Another software-related risk, application programme interface (API) based applications can communicate and share data and functionality with other applications, including third party apps. They are a common feature of connected or public-facing systems. Web application security and firewalls are essential to prevent attackers from leveraging APIs to steal data, infect devices and build botnets.
  3. Management, control, reporting and analysis systems. Software-related risk No 3 – Management and control software, such as supervisory control and data acquisition (SCADA) systems, and other systems that import, analyse and…

Source…