
Contributed by Roman Arutyunov, Co-Founder, SVP Product at Xage Security
Adopting clean energy has emerged as a significant priority in the U.S. and worldwide. Huge strides have already been made, and demand for clean and renewable energy shows no sign of slowing. However, one barrier to accelerating clean energy still plagues both the public and private sectors: cybersecurity.
The modern electrical grid faces increasing cyberattacks on both real-world operational technology (OT) and information technology (IT) systems. Notably, the coordinated attack on over a dozen Danish power utilities in May 2023 serves as a stark illustration of the escalating frequency and sophistication of these attacks, which have dramatically increased in the past few years. These attacks coincide with increased IT/OT convergence and interconnectedness between suppliers and operators.
Cyberattacks on energy systems can have far-reaching consequences, affecting the everyday lives of citizens. Power disruptions have become plausible scenarios in homes, workplaces, and even transportation networks. Actionable measures are required to improve the security of these critical energy systems. In this article, I’ll be diving into the industry’s challenges and the viable solutions to address cybersecurity within clean and renewable energy.
The challenges
The surge in renewable Distributed Energy Resources (DERs) has introduced significant cybersecurity challenges. DERs are small-scale power generation sources located near where electricity is used and provide an alternative to the traditional electric power grid. However, due to their decentralized structure and the many stakeholders involved, DER sites create an extensive cyberattack surface. Too many sites, such as solar and wind farms, rely on security models that are slow to innovate and vulnerable to compromises, as renewable energy deployments are often more distributed and fragmented than traditional infrastructure systems. The absence of adequate cyber-hardening measures hinders innovation and creates vulnerabilities that set these energy systems up as prime targets for cyberattacks, particularly ransomware attacks.
DERs are dispersed throughout vast areas linked by multiple networks and are managed by various local operators. The DER workforce frequently rotates across numerous stakeholders, including owners, operators, asset managers, vendors, and manufacturers. Each party requires different on-site and remote access levels depending on their roles and responsibilities. Traditional security strategies rely on a broad trust-based system, granting more comprehensive access than necessary and burdening operators with complex configurations. To enable multi-party remote access, operators must manage various products for every site, such as VPN software, identity access management (IAM), privileged access control, password vaults, scripts, firewalls, and physical servers. There is a real challenge in developing an approach to enable multi-party cooperation easily and securely across these distributed networks without slowing down service.
Operators face regulatory pressure to meet security guidelines due to the rising threats of ransomware and DDoS attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has established cross-sector performance goals that serve as a benchmark for critical infrastructure operators to measure and improve their cybersecurity posture and reduce risk. As renewable energy scales up, the pressure intensifies from the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC-CIP) standards, which regulate, enforce, monitor, and manage the security of the Bulk Electric System (BES) in North America. Simultaneously, owners exert increased pressure on operators by demanding compliance with IEC 62443, a series of standards setting out requirements and processes for implementing and maintaining industrial automation and control systems.
Complying with evolving cybersecurity guidelines quickly and seamlessly is no easy task and can leave operations teams stretched thin. Operators frequently rely on IT-centric tools to meet demands for secure access to the distributed infrastructure. However, these IT-centric tools cannot secure Industrial Control Systems (ICS), leading to significant security gaps and incomplete coverage.
Strengthening clean energy systems’ security
The challenges the industry faces, however, are manageable. Remote or onsite DER operations can minimize their attack surfaces and mitigate threats by embracing zero trust principles, end-to-end orchestration, centralized policy management, and distributed policy enforcement. Zero trust uses identity to create and enforce security policies, granting specific permissions at each layer, from the enterprise to the demilitarized zone (DMZ), through operational site networks, and down to the devices monitoring clean energy sources.
A robust access control solution is essential for streamlined management of granular access. While zero trust principles play a pivotal role, traditional security frameworks lack efficacy in DERs because they are distributed, highly multi-party, and operate in intermittently connected environments. A distributed architecture can operate autonomously even when disconnected and supports multiple identity sources with a consistent access policy.
Tools are readily available to smooth the transition and enhance security and operations simultaneously. A defense-in-depth approach assumes a network breach will occur and places authentication and authorization mechanisms inside critical operational sites. Identity-based access control with multi-factor authentication (MFA) at every layer of the operational environment, not only at the perimeter, is essential to hardening your overall system against attacks. Understanding cyber attack techniques is equally crucial. For example, lateral movement allows adversaries to spread across a network and move closer to valuable assets.
Curtailing lateral movement attacks involves preventing attackers from using stolen or compromised credentials, preventing opportunities for vulnerabilities to be exploited, and reducing the attack surface. One way to limit an attacker’s ability to move laterally is via microsegmentation, which works by isolating individual workloads within each segment. So, even if an attacker gains access to a particular workload, they won’t be able to move beyond it.
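As an added illustration (not code from the author or from Xage Security), the sketch below shows the pattern described above: a centrally authored policy is integrity-checked and cached at the site, then enforced locally at every layer with default deny and per-layer MFA, so it keeps working while the site is disconnected. The shared HMAC key, the role and asset names, the 15-minute MFA window and the sample policy are assumptions made for the example.

```python
import hashlib
import hmac
import json

LAYERS = ["enterprise", "dmz", "site", "device"]  # layer order as listed in the article
MFA_MAX_AGE = 900  # seconds; assumed freshness window for an MFA proof

def sign_policy(policy, key):
    """Central policy manager: serialize the bundle and authenticate it."""
    blob = json.dumps(policy, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()

class SiteEnforcer:
    """Site-local enforcement point; decides from a verified, cached policy."""

    def __init__(self, blob, tag, key):
        expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("policy bundle failed integrity check")
        self.grants = json.loads(blob)["grants"]

    def allowed_at(self, layer, role, asset, action, mfa_at, now):
        """One layer's decision: fresh MFA at this layer plus an explicit grant."""
        if mfa_at is None or not 0 <= now - mfa_at <= MFA_MAX_AGE:
            return False
        return any(g["role"] == role and g["layer"] == layer
                   and g["asset"] in (asset, "*") and action in g["actions"]
                   for g in self.grants)  # no matching grant means deny

    def authorize(self, role, asset, action, mfa, now):
        """Check every layer down to the device; return (allowed, denying layer)."""
        for layer in LAYERS:
            if not self.allowed_at(layer, role, asset, action, mfa.get(layer), now):
                return False, layer
        return True, None

# Constructed sample policy: a vendor may transit the upper layers but can
# only read one device, so a compromised vendor session cannot reach others.
SAMPLE_POLICY = {"grants": [
    {"role": "vendor", "layer": "enterprise", "asset": "*", "actions": ["read"]},
    {"role": "vendor", "layer": "dmz", "asset": "*", "actions": ["read"]},
    {"role": "vendor", "layer": "site", "asset": "*", "actions": ["read"]},
    {"role": "vendor", "layer": "device", "asset": "inverter-7", "actions": ["read"]},
]}
```

The `mfa` argument maps each layer to the time the identity last passed MFA there, which is why a session that authenticated only at the perimeter is stopped at the next layer. A production deployment would normally use asymmetric signatures so that sites hold no signing key.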
Relying solely on detection proves insufficient, as demonstrated by the surge in successful attacks on critical infrastructure. Prioritizing the prevention of intrusion and lateral movement strengthens overall security and bolsters detection capabilities by reducing the volume of successful threats. By emphasizing prevention, critical operators have a greater chance of success in their operations, leading to improved detection capabilities and a fortified security posture.
Looking ahead: the advancements in the clean energy industry
The trajectory of the clean energy industry suggests that investments in renewable and clean energy will continue to grow. The increasing emphasis on clean energy adoption has become a key aspect of public policy, underscored by President Biden’s cybersecurity strategy, which specifically emphasizes renewables. This is an encouraging path toward a future where clean energy adoption is central to our national agenda.
A noticeable shift in the clean energy industry involves implementing stronger cybersecurity safeguards. Critical infrastructure sectors, like solar farms, oil and gas pipelines, and manufacturing facilities, are increasingly adopting zero-trust approaches. This proactive stance significantly reduces cyber risks and supports innovative business initiatives. This shift reflects a growing industry recognition of the critical need to enhance cybersecurity measures for safeguarding clean energy infrastructure and promoting widespread adoption.
In the journey towards making clean energy a cornerstone of our future, fortifying energy systems against cyber threats is crucial. The modern world hinges on the dependable supply of energy, and as we transition to renewable and clean energy sources, the stakes have never been higher. The progress in the clean energy industry is promising. However, achieving a sustainable and secure energy future depends on a collective commitment to addressing cybersecurity challenges during this transition.
It’s within our reach to pave the way for a future where energy security aligns seamlessly with our commitment to cleaner sources. Through proactive measures, collaborative efforts, adherence to zero trust principles, and a distributed architecture, we can ensure that our clean energy systems power our future and are protected from cyber threats. The journey to a clean and secure energy landscape is well underway, and it is a journey worth every effort and investment.
About the author
Co-founder and SVP Products, Roman holds a Bachelor’s in Applied Mathematics with an emphasis in Computer Science from the University of California, Berkeley, and an MBA from Columbia University.