In April 2022, a few months after the Russian attack on Ukraine began, three wind energy companies in Germany were hit by cybercriminals. The attacks disabled thousands of digitally controlled wind turbines.
It is estimated that by 2050, the world's power systems will depend on 70 percent renewable energy, primarily from solar, wind, tidal, rain and geothermal sources. These energy sources are typically decentralized, geographically remote and relatively small. They are often managed and operated using insufficiently secured digital technologies that are directly connected to the aging infrastructure of the national electricity grid. A situation that opens the door to cyber attacks.
From risk to resilience
To implement robust cyber resilience into digital renewable energy systems, it is first important to understand the risk areas. The 10 most important are as follows:
1. Code vulnerabilities and misconfigurations in embedded software. The demand for renewable energy means that supporting technologies and applications are often developed and implemented quickly, leaving little time to incorporate or test security controls. The providers and their developers are experts in electrical engineering and may not have the appropriate security knowledge to do this. The risk is increased if the software is not regularly patched and updated following error reports.
2. Unsecured APIs. Another software-related risk is that API-based applications can communicate and share data and functionality with other applications, including third-party applications. They are a common feature of networked or publicly accessible systems. Web application security and firewalls are essential to prevent attackers from using APIs to steal data, infect devices, and build botnets.
3. Management, control, reporting and analysis systems. Management and control software such as SCADA (Supervisory Control and Data Acquisition) systems and other systems that import, analyze and visualize data from energy sources are top targets for cyberattacks because they allow criminals to access the entire system, manipulate data , enable sending instructions and more. Systems that integrate data from third-party sources, such as weather towers, offer another opportunity for compromise. Robust authentication measures, at least multi-level but ideally based on zero trust, coupled with limited access rights are crucial to ensure that only those who have authorization can access the system.
4. Automation. Distributed and decentralized renewable energy systems, particularly on a large scale, require XNUMX/XNUMX monitoring and management, which is increasingly done automatically. The risk is that these systems are not monitored carefully enough for anomalous or suspicious traffic that could indicate the presence of an intruder. Security solutions that offer advanced detection and response as well as specialized IoT security features can help here.
5. Remote Access Services. Renewable energy sources are widely dispersed and often located in isolated locations. This means they need some form of remote access to share data and receive instructions and reports, for example via cloud services or VPNs. Remote access services are notoriously vulnerable to cyberattacks and robust authentication and access measures are essential.
6. Physical Location. Another geographic risk is that location can slow response and recovery times after an incident. The logistics of traveling to and from an offshore wind farm, for example to repair or reimage sensors, can be complex, time-consuming and expensive. The people traveling to the remote locations are typically not IT professionals, so a security solution that is easy to install and replace by a non-security professional is essential. An electrician must be able to replace a broken appliance on a Sunday evening.
7. Network Traffic. All data passing over the network should be monitored and encrypted. In connected power systems, data traffic between a device and the central application is often unencrypted and vulnerable to tampering. Attackers can intercept data at rest and in motion. Or DoS attacks overload the traffic systems.
8. Internet Connection. Traditional power plants, such as gas-fired power plants, are typically not connected to the internet and have so-called “air-gapped” infrastructure, which reduces the risk of a cyberattack. However, because renewable energy sources are connected to the internet, they generally do not have this protection. All systems connected to the Internet must be secured.
9. Outdated power grid infrastructure. In most countries, a significant portion of the power grid will be outdated and therefore unable to receive security updates. The best way to protect these systems is to incorporate secure authentication and access measures into them.
10. Lack of regulation and safety coordination. For long-term security, laws and regulations – such as NIS 2.0 in Europe – must ensure that there are strict standards for renewable energy installations, no matter how small. Additionally, renewable energy technology is evolving rapidly and supply chains are complex – this can lead to confusion about who is responsible for safety. The “shared responsibility” model that applies to cloud providers could also help here.
Sustainable security
In some ways, renewable energy systems are not that different from other IoT systems. Attackers can scan for and attack vulnerable components, unpatched software, insecure default settings, and unprotected connections. A sustainable, connected renewable energy industry must be built with security and cyber resilience from the start - and then maintained continuously, step by step.
Securing a complex environment doesn't have to be complicated. It's worth considering SASE (Secure Access Service Edge), an integrated solution that securely connects people, devices and things to their applications, no matter where they are. Add network segmentation and user training to the mix, and organizations have a solid cyber-resilient foundation - not only to prevent an attack, but also to mitigate the impact if an attack occurs.
Comment from Stefan Schachinger, Senior Product Manager, Network Security at Barracuda Networks
Via Barracuda Networks Striving to make the world a safer place, Barracuda believes that every business should have access to cloud-enabled, enterprise-wide security solutions that are easy to purchase, implement and use. Barracuda protects email, networks, data and applications with innovative solutions that grow and adapt as the customer journey progresses. More than 150.000 companies worldwide trust Barracuda to help them focus on growing their business. For more information, visit www.barracuda.com.
Matching articles on the topic