By Cam Sivesind
Tue | Aug 6, 2024 | 10:08 AM PDT

The U.S. renewable energy sector is experiencing unprecedented growth, driven by federal and local legislative efforts to reduce carbon emissions and promote sustainable energy sources. However, as the industry expands, it becomes an increasingly attractive target for cybercriminals. In July, the Federal Bureau of Investigation (FBI) released a Private Industry Notification (PIN) to underscore the heightened cybersecurity risks facing this critical infrastructure.

The notification highlights how malicious cyber actors may aim to disrupt power generation operations, steal intellectual property, or ransom critical information for geopolitical or financial gain.

The FBI's notification emphasizes several key threats that the renewable energy sector must be vigilant about. Cyber actors could potentially cause widespread disruptions by targeting operational technology (OT) systems that control power generation. Such disruptions could lead to significant economic and societal impacts.

The renewable energy sector, rich in proprietary technology and innovative processes, is a prime target for intellectual property theft. Adversaries may seek to gain competitive advantages by stealing trade secrets or technological advancements.

The industry is also vulnerable to ransomware attacks, in which cybercriminals encrypt critical data and demand a ransom for its release. Such attacks can cripple operations and cause substantial financial losses.

"National critical infrastructure has been a target of attack by Axis Powers (China, Russia, Iran, and North Korea) for many years. A decade ago, Iran was thought to have owned much of the U.S. power distribution and transmission network," said Richard Staynings, Chief Security Strategist for IoT security company Cylera and teaching professor for cybersecurity at the University of Denver. "We have seen largely Russian cyberattacks masquerading as ransomware against oil and gas pipelines (Colonial), healthcare (Change, Ascension, Synnovis, etc.), pharma (Merck), communications (Royal Mail, TNT Express), shipping (Maersk), education, and a long list of industries all supposedly considered critical to their nation-states, yet all succumbing to cyberattack by foreign-based adversaries."

Staynings continued: "The fact that these industries continue to be attacked displays a failure of resiliency and segmentation/isolation of systems from the internet and the air-gapping of OT and IT networks. Connecting a nuclear power station to the internet would not be a good idea for obvious reasons; perhaps those same good reasons should be considered for the renewable energy sector."

As governments push for more renewable energy projects, the industry is poised for rapid expansion. This growth, while beneficial for environmental sustainability, also increases the attack surface for cyber threats. New projects often involve the integration of advanced technologies and interconnected systems, which can introduce vulnerabilities if not properly secured.

"Given the increasing interconnectivity of Industrial Control Systems (ICS) and Operational Technology (OT) in the renewable energy sector, the risk landscape has significantly expanded. As highlighted by CISA and the FBI, the potential for cyber threats targeting these systems is profound," said VJ Viswanathan, Founding Partner at CYFORIX, a research-driven strategic risk and technology advisory firm. "These threats can disrupt not only energy production but also the stability and reliability of the broader grid infrastructure. It is imperative for organizations to prioritize robust cybersecurity measures to safeguard against these evolving risks and ensure the continuous delivery of renewable energy. This starts with an SRA (Strategic Risk Assessment) across the critical function set (Connect, Distribute, Manage, and Supply) and systematically decreasing the attack surface."

The FBI's PIN warning provides several recommendations for mitigating the risks associated with these cyber threats.

  1. Implementing Robust Security Frameworks: Companies should adopt industry-standard cybersecurity frameworks such as NIST or ISO/IEC 27001. These frameworks provide guidelines for establishing and maintaining effective cybersecurity practices.

  2. Enhancing Monitoring and Incident Response: Continuous monitoring of systems and having a well-defined incident response plan are critical for detecting and responding to cyber threats promptly.

  3. Securing Supply Chains: Ensuring that all third-party vendors and suppliers adhere to strict cybersecurity standards can help mitigate risks associated with the supply chain.

  4. Investing in Advanced Technologies: Leveraging advanced security technologies, such as AI-driven threat detection and response systems, can provide proactive protection against sophisticated cyber threats.

  5. Employee Training and Awareness: Regular training and awareness programs can equip employees with the knowledge to recognize and respond to cyber threats effectively.

"Ransomware attacks today seem to be less about the prospect of cyber-extortionists receiving a payout, and more about purposely inflicting pain and damage as a result of long outages," Staynings said. "With rising geopolitical tensions, these hybrid warfare attacks are an effective way of inflicting damage while being able to claim plausible deniability, since attacks are orchestrated by proxies kept at arm's length. Ransomware is just a 'cover' for attacks against the availability of critical infrastructure sectors."

The renewable energy sector's growth trajectory indicates that cybersecurity will remain a critical concern. As noted in GlobalData's report on cybersecurity in various industries, sectors experiencing rapid digitalization must be particularly vigilant about protecting their digital assets. The renewable energy industry is no exception, and the stakes are high given its role in the broader effort to combat climate change.

"Much of China's global domination of the photo-voltaic (PV) industry is the result of years of intellectual property and commercial trade secret theft. Its domination of manufacturing in this space is the result of subsidized manufacturing, currency exchange manipulation, and dumping practices designed to kill off non-Chinese manufacturers," Staynings said. "Although many PV panels are finished in other countries to get by restrictions, an examination of their supply chains reveals massive China involvement."

"Whenever there is new technology being envisaged, it's important to design in good cybersecurity and capacity for extensibility for the future so that updates, enhancements and new cyber feature sets can be incorporated as needed, to combat changing vulnerabilities and cyber threats from adversaries," Staynings concluded.

