Most organizations have IT nailed down, Bramson said, but are severely lacking in OT protections.
"The OT side, there's a giant lag behind the IT side," he said. "Most companies on the OT side can't answer my first question: do you know what assets you need to protect?"
Bramson outlined 4 key pieces to a renewable energy cybersecurity plan:
- Asset inventory
  - "You need to figure out an automated way (to inventory assets that need cybersecurity protection). When you're expanding and growing, even that basic step is a challenge -- it's not always done."
- Vulnerability management
  - "Where are my holes? Any time you connect with anything, there's a point of attack -- both ways. What are you connected to?"
- Configuration management or management of change
  - "If a bad guy wants to change something, he's going to change a configuration of how something works in that system and so you're going to have to know if there's an unauthorized change going on."
- Monitoring
  - "You need to understand if something (bad) is happening."
"Sometimes, people skip to the monitoring piece but all of those pieces fit together," Bramson said. "If an attack happens and I have a great asset inventory and I know what they're going to attack next, I'm a lot faster in my response than if I just have one piece of that equation."
Watch the full interview with ABS Group's Ian Bramson and Renewable Energy World's John Engel.