Securing the Renewable Infrastructure

The Biden administration is pushing to have one-third of all US energy supplied by renewables by the end of this decade. We must not lose the opportunity to forge a companion renewable energy automation plan that is secure from the start. Implementing cyber security at this stage will enable the maximum possible protection at the lowest implementation and long-term cost for this industry that is so dependent on new technology.

“There’s a lot more new technology in renewables than in many of the other sectors. Well, attackers feed off the technology,” said Ian Bramson, the global head of industrial cybersecurity at ABS Group, and a risk management adviser to the energy sector, in a recent videotaped interview with Renewable Energy World magazine. “When things are growing rapidly, it’s very hard to manage the cybersecurity risk.”

A new report from Accenture highlights other factors contributing to the risk. “The power system is transforming to accommodate more variable generation, with plants that are fleets of intelligent, connected rotating and static equipment. Simultaneously, operators are undergoing a digital transformation, incorporating automation, robotics and hyper-connectivity in the construction and operation of wind and solar farms.” All this expands the attack surface, they say, as does increased use of unmanned remote operations and a growing ecosystem of third-party services providers who may require network access.

The report further found that the security on sensors and wind turbines was weak and those in use are not well-integrated, inflexible, complex, labor-intensive, and quickly outdated. And while there is a growing need to parse high volumes of data for intelligence, there are disparities in the maturity levels of IT security and OT security and an overall lack of qualified experts available to help. It identifies gaps in the following areas:

• Lack of VISIBILITY into which devices and systems are on the network and how they communicate and operate; without this, securing them is difficult
• Minimal NETWORK SEGMENTATION and other safeguards that support increased connectivity
• Limited ACCESS MONITORING that would restrict devices only to authorized people and applications
• Lack of AUTOMATION to produce utilization reports, lifetime patch status, and other data
• Incomplete SECURITY CONTROLS to support inline, real-time prevention of cyber security threats without intrusive patching, downtime or service interruption

The report’s authors believe that cyber security measures are as vital as data quality processes in plant design for health, safety, and environment (HSE). They also believe that fault monitoring and operational analysis should be embedded into renewables activities from design through decommissioning and into contracting with ecosystem partners.

“When constructing a new plant, cyber security needs to be factored into the lifecycle of the project, assets, and infrastructure. This begins with creating a reference model/architecture, security requirements, and a procurement language in the planning phase. It involves security assessments during design, security evaluation during procurement, and testing during construction and commissioning,” they write.

Making the right automation decisions can be critical to both the present and future of a renewable operation. From a cyber security standpoint, this is an opportunity to work with the most current technology available, which means looking at control systems with encryption and authentication and other cyber security built-in. This would ensure that you not only get the most secure solution available, but you would also get the most scalable and most likely, economical solution.

For more discussion on securing renewable operations, see Cyber Security Issues for Renewable Energy.