Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/1178848
14 | 25TH - 31ST OCTOBER 2019 | UTILITY WEEK Operations & Assets Market view As the UK moves to a clean energy future, it is even more crucial to address the physical and cyber-security challenges of renewable energy infrastructure, says Andrea Carcano. R enewable energy technologies play a signi cant role in the UK's energy mix, producing more than 20 per cent of its electricity. As the UK looks towards diversifying energy supplies, the traditional geopolitics associated with securing oil and gas imports could become a thing of the past. However, diversi cation creates new problems and just like fossil fuels, renewable energy sources are vulnerable to disruption. As the UK moves towards a clean energy future, these new energy infrastructures will be vulnerable to hackers or nation state actors. Whether attackers are nancially moti- vated, intend to cripple a country's electricity supply or focused on intelligence gathering, there is no doubt that the threat to critical infrastructure is real. Hacking groups such as Dragon€ y have already turned their attention to Europe's renewable energy companies. Scottish Power became the rst major UK energy rm to completely drop fossil fuels in favour of wind power. In addition, in the rst six months of 2019, wind power in Scotland generated close to double the nation's power requirements. Our growing dependency on renewables is an exceptional step forward for creating a clean energy future. However, as cities and countries increase their dependency on renewable energy sources to power homes, oŠ ces and infrastructure, renewable energy assets have only become more attractive targets to cyber-criminals. What makes renewables vulnerable? Renewables depend on industrial control systems (ICS) and distribution networks to operate, and these systems were o' en built with eŠ ciency rather than security in mind. The convergence of IT/OT (operational technology) environments alongside digital transformation, the expansion of the indus- trial Internet of Things (IIoT) and increased connectivity has expanded the attack sur- face, making renewable energy assets even more vulnerable to hackers. Securing renewable assets Further, the distributed and remote nature of many renewable energy assets, such as wind farms, creates physical security along- side cyber-security challenges. Researchers at the University of Tulsa, Oklahoma, in a cyber-attack stimulation on a US onshore wind farm, were able to bypass the physical security of one of the wind turbines and use a Raspberry Pi minicomputer to access the ICS network switch. E• ectively, this allowed them to turn all the wind turbines on and o• . The researchers were also able to install so' ware that allowed the attack to take place without detection. Physical security, such as fences, CCTV, alarms and locking devices, should be considered the rst line of defence against attempted sabotage. The growing importance of renewable energy technologies in securing the UK's power supplies means that it is vital that appropriate security controls are imple- mented. Energy companies within the renewable sector need to recognise the real- ity of their vulnerability and begin investing in adequate cyber-defence. Defending our energy supply The rst step is to develop an inventory of all the assets within systems. Understanding this provides security teams with the knowl- edge of what assets are on their network and how they can e• ectively protect them. Furthermore, known and suspected con- trol system vulnerabilities should be docu- mented and prioritised. This can be achieved through implementing a vulnerability man- agement programme, which helps security teams identify vulnerabilities that need to be patched and mitigated before any damage is done. ICS visibility is a critical component of protecting renewable energy assets from cyber-threats. ICS should be continuously monitored in real time, allowing security teams to visualise the entire industrial net- work and identify anomalous behaviour that could pose a threat to power supplies. Cyber-security is just as important for a wind farm or hydroelectric plant as it is for an oil re nery or gas pipeline. Therefore, with today's attackers showing no sign of slowing down it is critical that renewable energy companies prepare themselves and instigate strategies that place cyber-security at the forefront. Implementing policies for physical security, so' ware and hardware security, remote management and employee training will help to secure the infrastructure that will play a major role in our energy mix. Andrea Carcano, chief privacy o cer and co-founder, Nozomi Networks