The cyber threat – keeping renewable assets secure

The World Economic Forum recently stated that climate change and cyber-attacks targeting the renewables industry continue to increase in number and sophistication, with cyber driven failure of critical infrastructure and services being among the top global threats in terms of likelihood and impact. Despite these two risks being the biggest threat to the modern world, maturity across the renewable industry is low, leaving many asset owners vulnerable to attack.

The recent IPCC report, Climate Change 2022: Mitigation of Climate Change, published on 4 April 2022, made it clear that limiting warming to 1.5C requires global greenhouse gas emissions to peak before 2025. The move to renewable sources of energy plays a key part in this transition and this is evidenced by a rapid increase in the demand by consumers for sources of renewable energy and the desire by organisations, as well as private households, to transition to a ‘greener’ environment. 

Cyber threats

The threat of cyber-attacks is not hypothetical. We have already seen the renewable sector effected by cyber risks. An example which demonstrates the risks posed to renewable energy suppliers and the technologies employed by them is in relation to a cyber-attack which took place earlier this year, which affected Viasat, a satellite communications company. The incident resulted in nearly 6,000 Enercon wind turbines in Germany being left inaccessible by remote communications and disrupted thousands of organisations across Europe. Another example includes one of the largest turbine manufacturers, Vestas, being hit with a ransomware attack. This resulted in data being compromised and internal systems being impacted. Whist there was no clear indications that the incident impacted customer and supply chain operations, it was a reminder that the renewables industry is clearly a target for cyber threat actors.   

Even though there are risks, these are outweighed by the surge in demand for renewables which has put pressure on renewable technologies to speed up their entry to market and bring innovation forward as a priority. What cannot be overlooked under this pressure is the critical aspect of renewable energy tech – cyber resilience.

The devastating invasion of Ukraine and Russia’s track record of launching cyberattacks means that governments around the world are issuing advice to review and bolster cyber defences. With renewables now accounting for at least 28% of the world’s electricity generation, and this number set to continue growing, it’s increasingly important to adapt our cyber measures to combat the threats and vulnerabilities arising from the interconnected and digital world our businesses operate in today.   

From business email compromise, leading to significant intellectual property theft, to ransomware attacks sabotaging critical operations, cyber-attacks are a reality of doing business. Organisations are therefore focusing on their response and recovery measures to compliment more protective and traditional cyber hygiene controls to prevent financial loss and more importantly, reputational damage.  

Regulatory action

Governments and regulators are starting to place sterner obligations on Asset Owners. Legislators and regulators in the US, UK, Europe and Australia are all either uplifting or augmenting the cyber obligations applying to asset owners and operators, often requiring adherence or formal accreditation to common standards and frameworks such as ISO27001 and NIST CSF.  

One of the biggest risk areas for renewable asset managers and owners is the SCADA systems used to manage assets. Many of these systems are old and no longer provide security updates, and are typically accessed through internet-facing assets, meaning they are more exposed to a cyber-attack. In addition, many of the newer SCADA systems are designed to operate and be used remotely e.g., via the cloud or VPN’s. As with anything that relies on remote access there is a higher risk of cyber attackers infiltrating these systems, especially if they use automated systems that aren’t actively monitored, or log-in credentials and patch management aren’t properly managed.  

Taking responsibility

Adopting good practice cyber measures can make a real difference, like proactive monitoring and targeted remediation of weaknesses hackers could exploit, raising cyber vigilance of phishing attacks amongst key staff and systematically applying multi-factor authentication on remote access. Staying ahead of these cyber risks requires a continual improvement approach to adapt cyber capabilities and protections to address an ever-evolving threat landscape.

We understand the role we play in ensuring that our clients assets continue to deliver green energy in a reliable, efficient, and resilient manner.  We also understand that the cyber security threat is constantly changing and sometimes escalating.  Our highly experienced Operational Technology team is working with many of our clients to assess and enhance the cyber resilience of operational assets. Ultimately, a well-planned and managed Cyber Security strategy will help to decrease your vulnerabilities and the risk of a cyber-attack.

To find out more please contact [email protected].