Power to protect: Cyber resilience in the renewables sector

The success of the global renewable energy sector over the past decade has made it an attractive target for hackers.

While financial gain remains the primary driver for attacks, now that renewable power is essential to global energy security the industry is also becoming a magnet for geopolitically motivated actors seeking to destabilise national infrastructure.

The clear trend is that cyberattacks on renewable energy assets are increasing in frequency and scale.

Recent high-profile attacks on companies such as Vestas, Enercon and Hydro-Quebec have increased awareness of the threats facing the sector; however, the extent of the disruption caused by these incidents indicates that the industry is not yet sufficiently resilient to the sophisticated threats it faces.

Thanks to their size, complexity and innate connectivity, most commercial renewable power assets provide hackers with a large 'attack surface' – from wireless networks that engineers use to connect their devices onsite, to the SCADA (Supervisory Control And Data Acquisition) systems used to control assets remotely.

SCADA systems are an interesting case study. When working effectively, they offer project owners full remote control and supervision of the entire asset – whether a wind park or a solar PV farm or other types of generating asset – right down to the operation of individual turbines or solar panels.

But while these systems were originally designed to run on computers in the control rooms of solar and wind parks, advances in connectivity mean they can now be run on any internet-connected device using the asset's TCP/IP (Transmission Control Protocol/Internet Protocol – i.e., the suite of communication protocols used to interconnect network devices via the internet).

This offers project owners and managers greater flexibility and more options to respond in the event of an emergency; however, it also gives bad actors additional opportunities to attack the asset control systems.

The impact of Infratech

The SCADA example is illustrative of a broader trend in the infrastructure sector generally, known as Infratech.

The Global Infrastructure Hub describes Infratech as "the integration of material, machine, and digital technologies across the infrastructure life cycle". In its broadest sense, the Hub notes that Infratech "can be considered any technology that impacts the development, delivery, and ongoing operation of infrastructure".

Technology is now part of every sizeable infrastructure environment, with use cases ranging from electric vehicle (EV) charging points, to battery storage, to renewable energy control systems.

Infrastructure has traditionally been behind the curve when it comes to technology integration, but this is changing fast.

Nowhere is this truer than in the context of renewables, which is less reliant on legacy infrastructure than other types of energy generation, meaning technology can be more easily integrated into the design process of generating assets.

Companies operating in the sector have begun to realise technology's huge potential to, for example, drive greater efficiency in the assets, deliver continuous feedback from those assets that can transform their performance, and help businesses comply with regulatory requirements – all whilst offering more flexibility.

Data generated by digitally-connected assets also presents significant commercial opportunities for project owners, if harnessed in the right way.

These opportunities are of course all premised on increased connectivity. The flip-side of that opportunity is the "cost" of becoming a tempting, and exposed, target for hackers.

Increasing regulation

For various geo-political reasons, governments around the world are becoming more acutely focused on the security of their critical infrastructure.

Given the increased threat presented by cyberattacks, and the extent to which companies are maximising the opportunities presented by Infratech, it is no surprise that governments are prioritising the cyber resilience of those assets. 

The outcome has been a swathe of new regulation globally, imposing strict new requirements on asset owners and operations with respect to cybersecurity, with multiple overlapping laws often applying to any given entity – especially where that entity operates in multiple jurisdictions.

Penalties for failing to comply with these rules are tough and getting tougher, as regulators see the havoc that can be wrought by data breaches and seek to deter organisations from leaving avoidable chinks in their cybersecurity armour.

In the UK, for example, the Network and Information Systems Regulations 2018 apply to renewable energy companies involved in the supply or generation of electricity, subject to certain thresholds, which may be lowered to bring more companies and potentially service providers within scope as part of proposed reforms to the regulation. 

Under the regime, entities are required to take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential services rely, and prevent and minimise the impact of incidents affecting the security of these networks or systems, with a view to ensuring continuity of services.

They also have a duty to notify incidents that have a significant impact on the continuity of their essential service. The notification must be provided to the competent authority without undue delay and in any event no later than 72 hours after the operator is aware that an incident has occurred.

The UK regulations set out a sliding scale of maximum financial penalties, with the highest being £17 million (and the lowest being up to £1 million).

In the EU meanwhile, the obligations are even more onerous. The NIS 2 Directive, which became law in January this year and which will come into effect in October 2024, brings a number of new sectors and entities within scope compared to the existing European regime.

One notable addition is hydrogen, with the Directive identifying “operators of hydrogen production, storage and transmission” as working in a sector of “high criticality”.

For electricity more generally, the Directive continues along the path trodden by the existing European regime, in covering undertakings involved in the supply of electricity, distribution systems and transmission system operators, but also captures “producers” (i.e. generators) of electricity in general, as well as “market participants” providing “aggregation, demand response or energy storage services”.

Under the forthcoming European regime, entities will be required to put in place cyber risk management measures that are "appropriate" and "proportionate".

Management will be directly responsible, and liable, for the organisation's compliance with the cyber security requirements, and organisations are expected to review their supply chain contracts/supplier relationships, to ensure security at all levels in the chain.

Incident need to be notified within 24 hours, with a more detailed follow up in 72 hours, and sanctions for non-compliance have been increased, with potential fines reaching the higher of €10 million or 2% of total worldwide annual turnover.

In the face of these much more onerous regulations, organisations that have not already done so should immediately begin assessing their compliance with the requirements.

Practical steps to achieving cyber resilience

In addition to complying with their obligations under law, there are various practical steps organisations can take to minimise the risks associated with cyberattacks.

Security should be built deep into supply chains, with the familiar adage that an organisation’s cybersecurity is only as strong as the weakest link in the chain in mind.

Given how complex the supplier landscape can be in infrastructure environments, there will always be a risk that a compromised supplier can cause issues for an asset owner's business.

A good first step is to conduct security due diligence of direct suppliers or service providers to assess and take into account:

• Vulnerabilities specific to the supplier/service provider;
• The overall quality of their products and cybersecurity practices (including their secure development procedures); and
• Results from “coordinated security risk assessments”.

Organisations should also start thinking about incorporating cybersecurity risk-management measures into their contractual arrangements with suppliers (which is one of the requirements under NIS 2 in any event).

In addition, organisations should think critically about whether all of their assets need to be connected, and ask whether there are any assets that can be segregated from the network and kept logically separate, especially safety systems or other mission-critical systems.

The overwhelming reliance on third parties to provide cybersecurity protection should also be reviewed.

Outsiders may not always be aware of all the assets and systems that need protecting, particularly if OEMs have not passed on all the relevant documentation following the construction of a project. In that context, companies should consider whether it is appropriate to take more responsibility in-house.

Another way of protecting a business commercially might be to take out cyber insurance. It is worth noting, however, that the market for cyber insurance is notoriously volatile – with policies often being extremely narrow and the thresholds to claim high. Organisations may also want to look at whether cyber risk is covered in other policies they or their suppliers may hold, such as professional indemnity.

Ultimately, there is no substitute for investing in governance, people and skills, ensuring you have the right knowledge, experience and structures in house ready to respond when the worst happens.

This article was authored by Fieldfisher cybersecurity experts, Partner James Walsh and Director Nikhil Shah. It was based on an event co-hosted by Fieldfisher and RenewableUK, featuring insights from Ronan O’Meara, Managing Director, EnergyPro Asset Management Ltd; Jasjeet Singh, Team Leader, Principal Consultant, Risk Management Consulting, Energy Systems, DNV; Brijesh Suryawanshi, Lead Data Engineer, ORE Catapult; Paul Jenkinson, Cyber Security, IT Strategy and Architecture Director, RES; and Philip Tonkin, Senior Director of Strategy, Dragos.