As the UK moves towards a clean energy future, these new energy infrastructures will be vulnerable to hackers or nation state actors. Whether attackers are financially motivated, intend to cripple a country’s electricity supply or focused on intelligence gathering, there is no doubt that the threat to critical infrastructure is real. Hacking groups such as Dragonfly have already turned their attention to Europe’s renewable energy companies.
Scottish Power became the first major UK energy firm to completely drop fossil fuels in favour of wind power. In addition, in the first six months of 2019, wind power in Scotland generated close to double the nation’s power requirements. Our growing dependency on renewables is an exceptional step forward for creating a clean energy future. However, as cities and countries increase their dependency on renewable energy sources to power homes, offices and infrastructure, renewable energy assets have only become more attractive targets to cyber-criminals.
What makes renewables vulnerable?
Renewables depend on industrial control systems (ICS) and distribution networks to operate, and these systems were often built with efficiency rather than security in mind. The convergence of IT/OT (operational technology) environments alongside digital transformation, the expansion of the industrial Internet of Things (IIoT) and increased connectivity has expanded the attack surface, making renewable energy assets even more vulnerable to hackers.
Further, the distributed and remote nature of many renewable energy assets, such as wind farms, creates physical security alongside cyber-security challenges. Researchers at the University of Tulsa, Oklahoma, in a cyber-attack stimulation on a US onshore wind farm, were able to bypass the physical security of one of the wind turbines and use a Raspberry Pi minicomputer to access the ICS network switch. Effectively, this allowed them to turn all the wind turbines on and off. The researchers were also able to install software that allowed the attack to take place without detection. Physical security, such as fences, CCTV, alarms and locking devices, should be considered the first line of defence against attempted sabotage.
The growing importance of renewable energy technologies in securing the UK’s power supplies means that it is vital that appropriate security controls are implemented. Energy companies within the renewable sector need to recognise the reality of their vulnerability and begin investing in adequate cyber-defence.
Defending our energy supply
The first step is to develop an inventory of all the assets within systems. Understanding this provides security teams with the knowledge of what assets are on their network and how they can effectively protect them. Furthermore, known and suspected control system vulnerabilities should be documented and prioritised. This can be achieved through implementing a vulnerability management programme, which helps security teams identify vulnerabilities that need to be patched and mitigated before any damage is done.
ICS visibility is a critical component of protecting renewable energy assets from cyber-threats. ICS should be continuously monitored in real time, allowing security teams to visualise the entire industrial network and identify anomalous behaviour that could pose a threat to power supplies.
Cyber-security is just as important for a wind farm or hydroelectric plant as it is for an oil refinery or gas pipeline. Therefore, with today’s attackers showing no sign of slowing down it is critical that renewable energy companies prepare themselves and instigate strategies that place cyber-security at the forefront. Implementing policies for physical security, software and hardware security, remote management and employee training will help to secure the infrastructure that will play a major role in our energy mix.