The renewable energy industry is becoming more important as countries attempt to move away from fossil fuels, but the continued growth of the sector must be managed with cybersecurity in mind, or there’s the danger that vulnerabilities in everything from power plants down to smart meters could leave energy providers and their customers open to risk.
The energy industry is already a high-profile target for hackers, including those looking to deploy espionage campaigns, ransomware and even attacks with the intent to sabotage systems to cut off power – and the rapid transition towards renewable energy could lead to additional avenues for cyber criminals to exploit.
A new report by defence and security think tank the Royal United Services Institute (RUSI) has outlined some of the top cyber risks during the transition towards renewable energy from fossil fuels.
“Renewables offer huge opportunities for the UK to become more self-sufficient in energy production whilst mitigating effects of climate change. This transition has to be taken with cybersecurity in mind, cognisant of future cyber threats to society due to the massive digitalisation of the sector,” said Sneha Dawda, research fellow in cybersecurity at RUSI.
One of the main targets for cyber attackers is the supervisory control and data acquisition (SCADA) systems responsible for managing industrial networks.
There are two key security issues in SCADA systems – the first is that many of these networks are old, sometimes to the extent they can’t receive security updates, which means that if they’re linked to internet-facing areas of the network, they can potentially be infiltrated by cyber criminals.
SCADA systems’ security can also be threatened if there’s a remote element to access, via cloud services and VPNs. Newer systems can lean heavily on remote access, but if login credentials aren’t kept secure or patch management isn’t handled properly, this can provide another avenue for cyberattacks, particularly if automated systems that might not be closely monitored are involved.
Some of the most common cybersecurity advice is to patch systems with security updates to protect against attacks. But the reality is that for many energy providers, the network is based on legacy systems – and in many cases, updating or replacing those systems could potentially affect services or involve rebuilding them completely.
According to the RUSI paper, another of the key concerns facing the renewable energy sector is cybersecurity risks in the supply chain.
“If one vendor within the supply chain is compromised, this can have widespread consequences for all connected organisations,” the report warns, citing the likes of the Kaseya and SolarWinds attacks as examples of how cyber attackers can cause massive disruption through the software supply chain.
In order to combat this, some of those consulted by researchers suggest that energy providers should take a more careful approach with supply chains, asking questions of suppliers and even helping them improve their security in some cases.
But it isn’t just energy providers themselves that could be affected directly by cybersecurity vulnerabilities – products and devices used in homes and businesses are also potentially at risk.
One threat that the report warns about involves lithium-ion batteries, which use a battery management system (BMS) to monitor safety and reliability – and can be connected to networks. However, the paper warns that weaknesses in encryption, authorisation and remote access into these connected devices could be exploited by attackers.
What’s more, these aren’t the only connected devices that potentially contain cybersecurity risks that need to be examined. The paper suggests that home car chargers are “a unique point of intrusion because they serve a very specific purpose”.
Home chargers are becoming more common as hybrid and electric vehicles increase in popularity – but there are already examples of connected chargers being found to have firmware vulnerabilities that attackers can exploit, either to gain access to networks or to rope the devices into a botnet.
“While these vulnerabilities have been patched, they provide good examples of how this technology is lacking in industry standards,” says the paper.
The final cybersecurity risk relating to renewable energy examined by the paper is IoT devices in smart homes and buildings.
Energy companies are increasingly encouraging customers to install smart meters and other sensors. However, smart meters and IoT devices can be vulnerable to cyberattacks, providing cyber criminals with a route into networks and the ability to build botnets. It can also be difficult for users to patch IoT devices – if they can be patched at all.
The paper suggests initiatives like the UK government’s ‘Secure by Design’ legislation could help improve the cybersecurity situation – and concludes that further research into risk-mitigation strategies and policy-focused recommendations are required.