Post - Blog

Ian Bramson

By Ian Bramson , Global Head of Cybersecurity at ABS Consulting

Hitachi Energy
More info

Hitachi Energy

The future of energy will run on wind, solar and renewable energy. The only thing growing faster than the renewable sector are the hopes and expectations of the companies, governments and people who are betting heavily on its success. However, with every new wind turbine, solar panel, and hydro-electric facility put into service, comes an increasing risk of an industrial cyber attack.

These attacks can have devastating impacts on operations, safety, finances and brands. To win the race to reshape energy markets, you will need to understand how to prevent, protect, detect and respond to industrial cyber threats.

Hitting where it hurts most

Cyber attackers adapt quickly and target the places where they can have the greatest effect. They are shifting focus from the Information Technology (IT) networks that run business systems to Operational Technology (OT) that control the systems, networks and devices vital to your operations.

OT is a new kind of prize. Instead of stealing and manipulating data, cyber attackers now want to take direct control of your operations. This includes shutting down, over-speeding, overloading and disrupting how you generate, store and transfer energy. When exploits occur at any point on the OT network, threats can easily spread to other devices, become entrenched in the grid and escalate risks quickly. Industrial cybersecurity is now an operational and safety risk.

Rapid growth inflates the attack surface

As your operations expand, so do all the ways cyber threats can get into your systems. This is called your attack surface, and the rush to grow has too often left cybersecurity as an afterthought. Cyber attackers look for vulnerabilities, and when there is rapid expansion, they are trained to look for the cracks. The fact is most expanding renewable companies don’t even know what they need to protect. In OT, asset inventories are too often manual, outdated or non-existent. Put another way, if you don’t know what you need to protect, how can you protect it?

Cybersecurity needs to be an integral part of new construction. Concepts such as security-by-design and supply chain cyber risk management must become core to new development. Unfortunately, this is often not the case, leaving new construction vulnerable to attacks on and through the supply chain. Remember that your greenfield projects are also cyber attackers’ greenfield projects.

Attackers feed off new technology

The renewable market is built on digitalization. Innovation, data leverage and automation equal competitive advantage in this market. This causes two fundamental cyber risks. First, connectivity increases as more sensors, devices and IoT are added to the operational network. This expands the above-mentioned attack surface, allowing more points-of-exploitation for attackers. Second, the push of the technology envelope and the pressure to beat competitors to market often means that cybersecurity is left out. The cyber risk equation is clear; more devices + more automation + little security = big risk.

You depend on remote capabilities – so do cyber attackers

Many renewable energy solutions depend on remote monitoring and management of assets. Wind farms and solar energy fall into this model. However, the centralization of operations is also popular with other renewable markets. Remote capabilities offer a lot of advantages, but they also open your operations to attack. Remote systems offer more ways to penetrate your defences, more connection points and more ways to remotely take control of your operations. Remember the more remote visibility and control you have, the more that you could potentially surrender to a cyber attacker.

What you can do

Basic cyber hygiene can go a long way to reduce your industrial cyber risk. Here are some cyber basics to keep in mind:

  • Take industrial cyber seriously – Industrial cybersecurity is a business imperative. It is as important to your growth as any strategic investment. Make sure you have the program, investment and capabilities in place to minimize your OT cyber risk.
  • Know what to protect – Make sure you have a robust and automated asset inventory and management system. This will let you know what you need to protect, and what is connected to what.
  • Manage your vulnerabilities – Once you know what to protect, know the holes in your defenses. Prioritize those holes and close them.
  • Cyber starts from the beginning – Cyber begins from the concept phase. Make sure security-by-design and supply chain risk management is a core part of your new construction and expansion.
  • It’s about visibility and control – Make sure you have a robust monitoring and response program. Without these, you’re flying blind.
  • Find the right partner – Industrial cyber is a challenge. It takes domain expertise and a solution built specifically for the OT environment. OT cyber is likely not you’re core business. Find a partner who has the experience and expertise in OT cyber to minimize your risk.

The future of power is in renewables. Just make sure that power doesn’t end up in the wrong hands.