Cybersecurity: keeping your assets safe

It is widely acknowledged that we are living in uncertain times due to global geopolitical events and an increasing number of cyber-attacks on business including power and renewable energy companies. 

On 15 May 2024, Anne Keast-Butler, the Director of GCHQ (Government Communications Headquarters – UK) and Harry Coker, the White House’s National Cyber Director, spoke about the clear and present danger of cyber attacks on critical national infrastructure with a number of industry studies supporting this view. 

According to Dragos’ OT Cybersecurity 2023 Year in Review, which gives a comprehensive view of the global OT threat landscape, ransomware attacks against industrial organisations have increased by 50% in the last year.  The report also highlighted the increase in the number of hacktivist groups with a focus on critical national infrastructure, partly fuelled by the wars in Ukraine and Gaza. They are currently tracking 21 threat groups. 

In addition, according to the Waterfall and ICS Strive 2024 Threat Report, in 2023 there were 68 attacks impairing operations at over 500 sites. This is a 19% increase in attacks over the previous year.

Legacy sites

Using the internet to remotely manage and control sites creates vulnerabilities if connections are not properly secured and network equipment is not kept up to date. Equally, often technicians qualified in maintaining wind or solar equipment have access to network equipment and may unintentionally make changes that open doorways to attack.

Sites that are between five and 10 years old, or more, were designed for the risks of the time. However, the risk landscape has dramatically changed in the last 2-3 years. The increased threat to national critical infrastructure, coupled with evolving national regulations and obligations, is starting to incentivise parties to prioritise cybersecurity alongside performance.

Cyber risk management typically involves many different stakeholders, including investment asset owners, asset managers, construction partners, OEMs, energy dispatch operators, energy trading partners, grid owners, operations and maintenance providers, and energy performance solutions. Generation sites are often run by multiple parties, leading to inconsistent and uncoordinated cyber management. Clarity of ownership of the cyber risk in the project is essential to ensure assets, output, reputation, and revenue are protected.

Ongoing digital transformation

Another key consideration is how developers and their sites are progressing on their digital transformation journey.  Data and cybersecurity are critical to successful digital transformation. Developers and owners should urgently consider the objective of delivering reliable data acquisition and data quality whilst ensuring business continuity and security. 

Opportunity to protect and instil good practice

There is now an opportunity to build on emerging information exchanges with industry peers sharing good cyber practices.  Owners and investors are encouraged to contractually mandate consistent cybersecurity obligations between parties (from owner to operator and contractor) and clarify ownership of the OT equipment and therefore cyber risk.

When repowering of a project is considered there will be opportunities to leveraging projects to upgrade IT/OT assets and remove cyber vulnerabilities. Going forward, organising cross party cyber exercising of incident response practices should be encouraged. Governments are recognising more renewable generation capacity as part of Critical National Infrastructure which will lead to more focus on cyber risk management within regulations.

By staying vigilant and fostering a culture of continuous improvement in cybersecurity, the energy sector can navigate the complexities of the modern threat landscape and ensure a resilient and secure future.

To find out more about how we can help you keep your assets safe please contact  [email protected]