Against the omnipresent threat of attack to digital assets and infrastructure, the burgeoning renewable energy industry is urged to establish an effective security culture.
Renewable Energy World heard from Swiss Re and Swiss Re Corporate Solutions about the risks, consequences and solutions as the energy sector becomes ever more interconnected, automated and digitalized.
Jimmy Keime, senior underwriter engineering at reinsurance provider Swiss Re, commented that there are two prominent drivers leading to an increase in cyber risks for the renewable energy sector.
“The first is the rise of connected elements — including smart grids, smart meters and such — controlled by the latest generation of industrial control systems (ICS) and supervisory control and data acquisition (SCADA), which increases the number of potential entry points into energy systems,” Keime said.
A second driver, according to Keime, presents itself with the shift from centralized to distributed energy generation, and the inherent rise in the number of generation sites. The risk here, Keime said, is of a compounding nature: “producing many more potential entry points for cyber attacks.”
Expanding on this, he said: “All levels of renewable energy infrastructure are at risk, and all levels should have proper safeguards in place. The interconnectedness of all infrastructure parts, from the wind turbine itself (wind vanes, anemometers, etc.) to SCADA systems to control centers and general network and IT systems, makes it difficult to ignore the importance of any of these elements.”
Such interconnectedness between system components results in circumstances where, “[a] security breach at one part of the entire renewable energy value chain can potentially put the entire energy system at risk,” he said.
Correspondingly, with vulnerabilities present across a wide range of assets, both tangible and intangible, Keime describes a “diverse” set of dangers threatening both physical and non-physical damage.
“A data loss can lead to market intelligence theft or to energy production interruption,” he said. “Gaining access to the controls can lead to a physical loss, for example, changing the wind vane speed of a wind turbine.”
With the potential consequences varying from physical damage to costly business interruption, and potential vulnerabilities as widespread as they are, the appropriate response is a holistic one.
Fail to Plan…Plan to Fail
So how well prepared are renewable energy developers and operators?
Keime cautions: “I believe the renewable energy industry may not be as well prepared for cyber risk as the rest of the energy sector. Perception exists that consequences from renewable energy infrastructure damages are less severe and have limited impact on public safety.”
However, he’s not without confidence that awareness is growing. In part, he believes this to be due to software companies involved with the renewable energy supply chain fostering a good understanding of the risks at hand.
“They have understood the importance of [risks] for operators – for example, we see more often SCADA providers promoting security features of their software as one of the main selling arguments,” Keime said.
Security comes from sources other than software, however. Keime added that imbuing a clear sense of “security culture” within companies is also key: “The human factor is also extremely important — a company needs to demonstrate the right reflexes and train regularly on how to deal with security breaches.”
Providing additional perspective on how prepared the renewables industry is for cybersecurity, Francesca De Gregorio, underwriter energy onshore at corporate insurance provider Swiss Re Corporate Solutions, commented: “Companies in the energy sector are becoming more vulnerable to cyber risk as they are becoming increasingly reliant on technology. With this, awareness about the risk is increasing and the topic of cyber risk is quickly climbing up on the list of management priorities for many companies.”
De Gregorio added that this has led to many companies taking active steps to manage their cyber risk, with one solution being insurance protection.
Encouragingly, precautionary actions are readily available. Keime highlights: “A proper security framework should include these elements: security modules installed to prevent access to the industrial controls, security compliance of interconnected smart meters and latest generation of SCADA. All these have proven to be efficient measures if implemented.”
Keime added that “the most important measure though is to maintain security of the many different systems: a patching strategy in place together with regular penetration tests is the best way to counter the countless flaws and bugs of the IT systems.”
As a good initiative in this context, Keime highlights the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in the U.S. — the mission of which is to reduce cyber risk to critical infrastructure.
With energy security an issue of national security, De Gregorio noted that the government itself may do well to foster and promote enhanced security within the renewables sector too: “It may require a further push from governments and/or regulators to mandate measures and practices to achieve awareness and preparedness on a broader scale.”
The ideas conveyed here are echoed in the report, The road to resilience: managing cyber risks, published October 2016 by the World Energy Council in collaboration with Swiss Re Corporate Solutions and Marsh & McLennan Companies.
Lead image credit: NREL Cyber-Physical Systems Security and Resilience R&D Center.