The renewable energy industry is becoming increasingly important as countries attempt to move away from fossil fuels, but the continued growth of the sector must be managed with cybersecurity in mind, or else there is a danger that vulnerabilities in everything from power plants to smart meters can leave energy suppliers and their customers exposed to risk.
The energy industry is already a prime target for hackers, including those looking to deploy espionage campaigns, ransomware and even attacks in an attempt to sabotage systems to cut power – and the rapid transition to renewables could open up new avenues for cyber criminals to exploit.
A new report from defense and security think tank, the Royal United Services Institute (RUSI), has outlined some of the key cyber risks when transitioning to renewable energy from fossil fuels.
“Renewables offer huge opportunities for the UK to become more self-sufficient in energy generation while mitigating the effects of climate change. This transition must be made with cybersecurity in mind, taking into account future cyber threats to society due to the massive digitalization of the sector,” said Sneha Dawda, Cybersecurity Researcher at RUSI.
One of the main targets of cyber attackers is supervisory control and data acquisition (SCADA) systems responsible for managing industrial networks.
There are two key security issues in SCADA systems – the first is that many of these networks are old, sometimes to the extent that they cannot receive security updates, which means that if they are linked to areas of the network facing the Internet, they can potentially be infiltrated by cybercriminals.
The security of SCADA systems can also be at risk if they can be accessed remotely, via cloud services and VPNs. Newer systems may rely heavily on remote access, but if login credentials or patch management are not properly handled, this can provide another avenue for cyberattacks, particularly if automated systems that might not be carefully monitored are involved.
Some of the most common cybersecurity advice is to patch systems with security updates to protect against attacks. But the reality is that for many energy providers the grid is based on legacy systems – and in many cases updating or replacing these systems could potentially affect services or involve completely rebuilding them.
According to RUSI’s paper, another of the main concerns facing the renewable energy sector is cybersecurity risks in the supply chain.
“If one supplier within the supply chain is compromised, it can have far-reaching consequences for all connected organizations,” the report warns, citing attacks like Kaseya and SolarWinds as examples of how cyber attackers can massively disrupt the software supply chain.
In order to combat this, some of those consulted by the researchers suggest that energy suppliers should take a more cautious approach with supply chains, asking suppliers questions and even helping them improve their security in certain cases.
But it’s not just energy providers themselves who could be directly affected by cybersecurity vulnerabilities – products and devices used in homes and businesses are also potentially at risk.
One threat the report warns of is lithium-ion batteries, which use a battery management system (BMS) to monitor safety and reliability – and can be connected to grids. However, the document warns that weaknesses in encryption, authorization and remote access to these connected devices could be exploited by attackers.
Moreover, these are not the only connected devices that potentially contain cybersecurity risks that need to be examined. The document suggests that home car chargers are “a single point of intrusion because they serve a very specific purpose.”
Home chargers are becoming more common as hybrid and electric vehicles gain popularity – but there are already examples of connected chargers with firmware vulnerabilities that attackers can exploit, either to gain access to networks or to connect devices to a botnet.
“While these vulnerabilities have been patched, they provide good examples of how this technology falls short of industry standards,” the document says.
The final renewable energy cybersecurity risk the paper examines relates to IoT devices in smart homes and buildings.
Energy companies are increasingly encouraging their customers to install smart meters and other sensors. However, smart meters and IoT devices can be vulnerable to cyberattacks, giving cybercriminals access to networks and the ability to create botnets. It can also be difficult for users to patch IoT devices – if they can be patched at all.
The paper suggests that initiatives such as the UK government’s ‘Secure by Design’ legislation could help improve the cybersecurity situation – and concludes that further research into risk mitigation strategies and policy-oriented recommendations are necessary.