As the electrical grid is becoming more and more digitized, the United States is undergoing a nationwide transition towards renewable energy. Critical energy infrastructure has always been an appealing target for American adversaries, and the latest threat is cyber attacks.
Critical energy infrastructure defense has undergone significant development, which makes it more efficient but more susceptible to cyber-attacks. This development is the blurring of operational technology and informational technology. Renewable infrastructure incorporates both.
For example, distributed energy resources are electricity generators that are often connected to the Internet to communicate with the power grid. If communications are not encrypted, attackers can obstruct energy production. Other kinds of attacks include ransomware, in which a user is unable to access the system without paying an often monetary ransom to the hacker.
A unique issue with cyber threats compared to traditional physical disruption is that since these systems are interconnected, having even one system be compromised could result in many other systems becoming infected. In a similar vein, an insecure supply chain can have drastic impacts even if the grid itself is secure. As a result, renewable energy companies need to be on the same page about their cybersecurity priorities.
One of the most critical mindset changes that needs to occur concerns the cost of developing cyber-secure technologies. Naturally, these processes will make for a higher upfront cost, and that may turn renewable energy companies off.
However, the financial cost of a cyber attack can be enormous, and in almost every case it is worth the investment to keep systems secure from the outset. Even basic practices like frequently updating software, using multi-factor authorization (e.g., multiple passwords or third-party security applications) and continually re-authenticating users can have a real impact.
Moreover, renewable infrastructure needs to be constructed with cybersecurity in mind. Energy providers may be using networks based on legacy systems that are far too old to support modern software updates. If security is not an inherent aspect of design, it becomes difficult to simply add updates as threats evolve.
The government has an important role to play in coordinating efforts across renewable energy sectors because there are so many different operators and consumers involved in the process. In fact, the U.S. Department of Energy recently released a National Cyber-informed Engineering strategy that includes five sections: Awareness, Education, Development, Current Infrastructure and Future Infrastructure.
Having the government and the private sector collaborate on engineering solutions is critical, but it only solves a part of the problem. Any system is only as secure as its weakest link, and humans are always the weakest link when it comes to cybersecurity. Even seemingly obvious procedures like logging out of the network when done accessing a system remotely need to be reinforced because all of the engineering in the world cannot compensate for poor cyber governance.
Since renewable energy and cybersecurity will be intertwined for the foreseeable future, it is crucial that the government and the private sector cooperate to ensure energy security in the United States.
Sources
“Securing Our Solar Future: How Clean Energy Can Be the Most Cybersecure, Reliable Technology on the Grid.” SEIA, 10 Dec. 2021, https://www.seia.org/blog/securing-our-solar-future-how-clean-energy-can-be-most-cybersecure-reliable-technology-grid.
“Doe Releases Strategy for Building Cyber-Resilient Energy Systems.” Energy.gov, https://www.energy.gov/articles/doe-releases-strategy-building-cyber-resilient-energy-systems.
“Solar Cybersecurity Basics.” Energy.gov, https://www.energy.gov/eere/solar/solar-cybersecurity-basics.