There's no doubt that renewable energy is growing rapidly. With 178 GW of new renewable generating capacity added in 2017, renewables now account for roughly a third of the world's installed electricity generating capacity. And with governments and environmental agencies pushing hard, renewables' share of electricity generation could rise to 85 percent by 2050.
Renewables are also becoming more digital. A wave of asset modernization and digital asset development projects is strengthening the digital linkage between renewables capacity and their owners, operators and operations and maintenance (O&M) providers. The result? Renewables are now digitally connected not only to each other, but also to the larger electricity system.
While this is positive for the transition to a lower-carbon energy mix, there is also a downside. Remote electronic monitoring and control of utility-scale renewables, combined with a relative lack of cybersecurity in the sensors and wind turbine controllers themselves, leaves renewables operators exposed to a higher risk of cyber attack. What's more, because renewables assets are usually unmanned and sited in remote locations, an intrusion can go unnoticed for a long time.
As renewables' share of overall generation grows, so does the threat that these cyber risks pose to the entire grid, and thereby to companies and wider society. Regulators around the world are recognizing the need to protect renewables assets as part of critical infrastructure. And they're responding with regulations such as the EU's NIS Directive, industrial control system (ICS) security standards, and leading practices ranging from ISO 27001 to NERC CIP.
To comply with these emerging security requirements, renewables operators need a clear understanding of the gaps in their current security practices, and a commitment to addressing these weaknesses across their people, processes and industrial control systems (ICS), building their own “system of trust.” But cybersecurity investments shouldn’t be targeted solely at achieving regulatory compliance. Instead, they should also look to harness leading practices and build resilience against attacks, as well as adding cybersecurity requirements in specifications for new renewable assets development.
Most executives will be aware of the types of cyber attack that could threaten renewables generation: hijacking of physical control, ransom attacks (ransomware), "hard stop" attacks aimed at triggering emergency shutdowns, and more. But whatever form an attack takes, the key for operators is to prevent breaches proactively and to respond effectively if a breach does occur, as the NIS Directive requires.
To achieve this level of resilience, a renewables operator needs to understand its current capabilities and level of responsiveness to potential attacks. In our view, the best starting point is to perform a security risk assessment composed of two parts: resilience diagnostics and a capability assessment.
What do these involve? First, resilience diagnostics. These aim to identify the weak spots and the attack paths an adversary is likely to follow, and to provide detailed technical recommendations for improving defensive capabilities. The diagnostics themselves range from basic penetration testing that simulates attacks by organized criminals to larger exercises that simulate nation-state attacks and advanced persistent threats mounted by industrial espionage experts.
By contrast, a capability assessment examines the operator's actual cyber defense capabilities across every dimension: organizational roles, governance, processes, operating model, key performance indicators, and the methodologies and tools used both to conduct security risk assessments and to prevent, detect, respond to and recover from attacks.
In combination, the outputs from the resilience diagnostics and the capability assessment enable a renewables operator to produce a security transformation roadmap setting out the steps required to achieve two things: first, compliance with regulatory and industry standards on cybersecurity; and second, a more cyber-resilient business in a world of ever-increasing cyber threats.
In a future blog post, I’ll drill down in more detail into what a cyber security risk assessment involves, and what it can deliver.