Skip to main content

Does a lack of industrial cybersecurity practices put a renewable future at risk?

With every new wind turbine, solar panel, and hydro-electric facility put into service, comes an increased risk of industrial cyber attacks.

By Ian Bramson, Global Head of Industrial Cybersecurity at ABS Group

The only things growing faster than the renewable energy sector are the hopes and expectations of the companies, governments, and people who are betting on its success. However, with every new wind turbine, solar panel, and hydro-electric facility put into service, comes an increased risk of industrial cyber attacks.

These attacks can have devastating impacts on operations, safety, finances, and reputations. To win the race to reshape energy markets, renewable energy companies need to understand how to protect themselves from industrial cyber attacks and mitigate the damage should one occur.

Cyber attackers hit where it hurts: operations

Cyber attackers adapt quickly. They know how to target the places that will have the greatest impact. As such, they’re shifting their focus from the information technology (IT) networks that run business systems to operational technology (OT) that control the networks and devices vital to operations. Industrial cybersecurity is now an operational and safety risk.

OT is a new kind of prize. Rather than stealing and manipulating data, cyber attackers targeting OT environments can take direct control of critical infrastructure equipment. These bad actors can even shut down, speed up, overload, and disrupt how a business generates, stores, and transfers energy. If these attackers gain entry into any aspect of an OT network, the threat can easily spread to other devices, become entrenched in the grid, and spiral out of control.


Subscribe today to the all-new Factor This! podcast from Renewable Energy World. This podcast is designed specifically for the solar industry and is available wherever you get your podcasts.

Listen to the most recent episode on building out the U.S. solar supply chain, featuring interviews with Rhone Resch, Martin Pochtaruk, and Michael Parr.


Rapid growth means wider attack surfaces

As operations expand, so do opportunities for cyber threat actors to access critical systems. The rush to grow has too often left cybersecurity as an afterthought, despite companies’ widening “attack surfaces” (the points on a system where an attacker can try to enter). Cyber attackers look for vulnerabilities, and when there is rapid expansion there are likely to be visibility gaps due to the manual asset inventory processes on which most OT environments rely. All too often, these enterprises have very little insight into the breadth or depth of their attack surfaces — and cyber attackers count on this lack of insight into expanding brownfield environments.

Rapid growth of renewables also has implications for the security of greenfield projects. If companies don’t make cybersecurity an integral part of new construction, they run the risk of exposing new builds before they even begin to take shape. Concepts such as security-by-design and supply chain cyber risk management must become core to all new development within OT environments because renewable energy companies’ greenfield projects are also cyber attackers’ greenfield projects. Businesses that fail to prioritize security from day one are all but inviting attacks on new projects and through their supply chains.  

Cyber attackers feed off new technology

The renewable market is built on digitalization. The competitive advantage within the market comes from equal parts progress, data leverage, and automation. But these factors also lead to two fundamental cyber risks: increased connectivity and rapid innovation.

First, as connectivity increases so do attack surfaces. Consider the sensors, devices, and IoT equipment needed to facilitate connected OT environments. Each additional device creates another potential door for attackers to exploit. Many renewable energy solutions — like wind and solar farms — depend on remote asset monitoring and management. Remote capabilities offer a lot of advantages, but their multiple points of connection and complex ecosystems also open operations to attack. Without good cyber hygiene, companies are serving opportunities to take control of operations to attackers on a silver platter.

Second, the overwhelming pressure to push the limits of what’s possible and beat competitors to market often means that cybersecurity is an afterthought. Companies that take this approach are setting themselves up for trouble as their operations grow and expand.

The solution

Basic cyber hygiene can go a long way toward reducing industrial cyber risk. To mitigate risk and shrink attack surfaces, renewables companies should:

  • Take industrial cyber seriously. Industrial cybersecurity should be a business imperative. It can be as important to your growth as any other strategic investment. Make sure to have the program, investment, and capabilities in place to minimize your OT cyber risk.    
  • Learn what to protect. Make sure to have a robust and automated asset inventory and management system. This will let companies know what they need to protect and which components are connected.
  • Manage vulnerabilities. Once a business knows what to protect, it can begin to assess the holes in its defenses, prioritize those holes, and close them.
  • Consider cyber from the beginning. Cybersecurity should begin in the concept phase. Companies should make sure security-by-design and supply chain risk management are a core part of their new construction and expansion.
  • Maintain visibility and control. Companies should invest in robust monitoring and response programs. Without these programs, cybersecurity teams might as well be flying blind.
  • Find the right partner. Industrial cyber is a challenge. It takes domain expertise and a solution built specifically for OT environments. It’s unlikely that OT cyber is within a renewable company’s core business functions. That’s OK. Finding a partner with experience and expertise in OT cyber can minimize risk.

The cyber risk equation is straightforward: more devices + automation + light security = big risk.
At present, renewables companies are accepting “big risk” as unavoidable. However, companies that build good cyber hygiene into operations from day one can change the outcome and keep power out of the hands of bad actors.


About the author

Ian Bramson heads the global industrial cybersecurity organization at ABS Group, where he works closely with senior executives across the energy, industrial, and maritime sectors to help minimize their cybersecurity risks. For over 20 years, Bramson has helped organizations adapt to their digital environments and solve business challenges related to industrial cybersecurity, risk management, and digital transformation. He has built successful companies, global sales organizations, and cybersecurity programs across multiple industries. Bramson is a recognized thought leader and market developer in the emerging threat landscape of attacks on industrial operations and critical infrastructure. He has a bachelor’s degree in Economics and English from Cornell University.

Data & News supplied by www.cloudquote.io
Stock quotes supplied by Barchart
Quotes delayed at least 20 minutes.
By accessing this page, you agree to the following
Privacy Policy and Terms and Conditions.