search.noResults

search.searching

saml.title
dataCollection.invalidEmail
note.createNoteMessage

search.noResults

search.searching

orderForm.title

orderForm.productCode
orderForm.description
orderForm.quantity
orderForm.itemPrice
orderForm.price
orderForm.totalPrice
orderForm.deliveryDetails.billingAddress
orderForm.deliveryDetails.deliveryAddress
orderForm.noItems
Digital transformation and cyber security |


Cyber security: the key to ensuring a renewable future


Why the renewable energy sector lacks sufficient cyber security protection, how technical and behavioural aspects of operations expose critical assets to malicious attacks, and what can be done about it


Rafael Narezzi, Chief Technology Officer, Cyber Energia


Despite the variability of renewable power sources, they all have in common a number of distinguishing factors – including, being widely distributed, often geographically remote and relatively small scale, yet rapidly growing. Critically, they are often managed and operated using under-secured digital technologies that plug directly into the legacy infrastructure of national power grids, exposing big security gaps. With almost half of the world’s electricity sources currently susceptible to cyber attacks from hostile actors, this vulnerability is likely to increase considerably once energy sources are almost fully renewable, by 2050. As such, defence against system violations has never been so mission critical.


Smart grid technology and increased exposure to cyber threats


Grid technology and advanced operating procedures have revolutionised the way renewable energy suppliers deliver cleaner, sustainable electric power.


The latest smart grid technology is enabling the efficient management and distribution of renewable energy sources by connecting a variety of distributed energy resource assets to the power grid – yet this connectivity can be the Achilles heel of renewable energy generation. The relationship between the smart grid and renewable energy revolves around gathering data. For example, wind farms use mechanical gears that require each link to support multiple sensors. Information from each sensor is sent though the grid to alert the asset owner to any issues, which improves the quality of service. At the same time, such advancements have exposed firms to greater potential security breaches. Cyber Energia’s own analysis indicates that there are as many as 880 million cyber risks across the renewables sector, with over 300 attempted security breaches at any one moment and up to 1000 attacks per day. To provide an indication of the serious exposure faced by renewable energy firms, Cyber Energia’s analysis shows that in the UK wind sector alone, only 1% of around 11 000 sites have any type of cyber solution.


Consequences of shut-downs caused by cyber attack can range from significant inconvenience to devastating operational impact. Such attacks can result in loss of production and revenue,


Renewable energy data for the grid involves intelligent data gathering. Image credit: Cyber Energia


damage to assets and infrastructure, leakage of sensitive commercial information, health and safety risks, as well as reputational damage. And, renewable energy firms which are not sufficiently protected against


cyber breaches are increasingly at risk of financial penalties from legislation.


Understanding the exposure risks To build strong cyber resilience into digital renewable energy systems, we need to look at the areas of risk – both from a technical and behavioural point of view.


One of the key areas of vulnerability lies with the commercial pressure to rapidly develop and implement software – at times, with less than optimal testing of security controls and a lack of specialists in cyber security. While some software developers are undoubtedly experts in coding, they may not have the relevant security experience to deliver a robust system against cyber attacks. Incomplete security controls will not only lead to constant cyber security threats, but will result in the company dealing with intrusive patching, downtime or service interruption.


Renewable energy sources are dispersed and often located in isolated locations, necessitating some form of remote access capability to share data and receive instructions and reports – for example, via cloud services or VPNs. Remote access services are notoriously vulnerable to cyber attack, so robust authentication and access measures are vital.


Another significant risk is the vast numbers of devices and systems on the network and the degree to which they are secured in relation to how they communicate with each other and the application programmes they help enable. Renewable energy facilities often provide employees with devices that are manufactured on an industrial scale, without


28 | May 2024| www.modernpowersystems.com


the benefit of product development and not incorporating cyber security qualities or values. As such, additional safeguards such as network segmentation should be considered. Traditional power plants are typically not directly connected to the internet and have, what is known as “air-gapped” infrastructure, essentially allowing them to act like an island – safe, secure and isolated from other networks. This massively reduces the risk of a cyber attack. However, the connected nature of renewable energy facilities means that they generally don’t have this protection.


All data that moves across the network should be monitored and encrypted. In connected power systems, the traffic between a device and the central application is often unencrypted and vulnerable to manipulation. Data can be intercepted by attackers, or the traffic systems overwhelmed in “denial of service” (DoS) attacks. API, or “application programme interface”- based applications, communicate and share data and functionality with other applications – both within the organisation, but also with third party apps developed externally. Therefore, web application security and firewalls are critical to prevent hackers from attempting to leverage APIs to steal data and infect devices.


There is also significant exposure from limited capabilities for monitoring access to and from devices by authorised people and applications. Supervisory, control and data acquisition (SCADA) systems – and other systems that import, analyse and visualise data from power sources – are top targets for cyberattacks as they allow bad actors to access the whole system, manipulate data, send instructions and more. Robust, multifactor


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41