Managing Cybersecurity for Renewable Energy Resources

February 3, 2021

President Biden declared January 27, 2021, to be Climate Day and released a set of Executive Actions to address the Climate Crisis. The strategic goal of these policies is to “lead a clean energy revolution that achieves a carbon pollution-free power sector by 2035 and puts the United States on an irreversible path to a net-zero economy by 2050.” The actions also direct federal agencies to procure carbon pollution-free electricity and require the government to “identify steps that can be taken to double renewable energy production from offshore wind by 2030.”

Cybersecurity Challenges Facing Renewable Energy Projects

The renewables revolution poses new risks to power grid security. Renewable energy systems are connected to the wider energy grid, which greatly expands the attack surface and makes it more complex. A recent story in EE News highlights how expanding renewable energy resources will lead to increased cybersecurity risks. One of the issues this article cites is that the smaller, decentralized entities who are managing these projects often lack the appropriate resources to protect themselves from hackers. And it’s not just the smaller companies who aren’t taking cybersecurity seriously enough. The article also states that “established energy giants pivoting to renewables seem to be repeating past mistakes of adding cybersecurity as an afterthought — even as they make strides in cybersecurity in other areas.”

Unfortunately, there are few current cybersecurity requirements for renewable energy. The Federal Energy Regulatory Commission (FERC) and the nonprofit North American Electric Reliability Corp. (NERC) only create and enforce cybersecurity requirements for the bulk power system, and there are no specific rules for renewable energy assets. While major utilities conform to these NERC CIP requirements, there are no current guidelines for expanding coverage into renewable energy.

Although there are no regulatory requirements just yet, federal agencies are beginning to signal that they understand the importance of cybersecurity for this new frontier. In July 2020, the Department of Energy (DOE) released its “Roadmap for Wind Cybersecurity” plan, and in November 2020, it released its plan for improving cybersecurity in Energy Efficiency and Renewable Energy (EERE). As noted in the article, “Advances in the connectedness and interoperability of EERE technologies require an increased focus on cybersecurity,” said Alex Fitzsimmons, Deputy Assistant Secretary for Energy Efficiency. “Cyber threats targeting EERE technologies present an immediate risk to the integrity and availability of energy infrastructure and other systems critical to the nation’s economy, security, and well-being. New technologies must be designed with cybersecurity as a requirement.”

A Cybersecurity Solution for the Renewables Revolution

Integrating cybersecurity into new renewables projects from the start, rather than applying it as an afterthought, is going to be critical for the stability of the electric grid moving forward. Investing in tools that provide comprehensive OT asset management capabilities to automate asset inventory data collection will be essential to achieving this. With the increased emphasis on renewable power by the Biden Administration, there are likely to be many new vendors creating products to support this expanding market.

Industrial Defender has been used by some of the world’s largest utility companies for decades and is an ideal fit for monitoring renewable energy resources. Using agent, agentless and passive methods, Industrial Defender can identify and monitor any new hardware and software added to a network, including products that manage and report on wind energy or solar power. Depending upon the asset, there is a wide variety of device configuration information that Industrial Defender can collect, including any changes to configurations, which are a possible indication of a cyberattack.

A key differentiator of Industrial Defender is that we have a team dedicated to adding new products to our supported device list as they become more widely available and used by customers. Our new IT-OT Integration Lab is designed to allow us to react quickly when new devices come to market to ensure that there are minimal gaps in security coverage.

At some point, industry regulations such as NERC CIP will be expanded to include smaller, distributed renewable energy assets. Industrial Defender already includes reporting for major standards, including NERC CIP, NIST, the NIS Directive and ISA/IEC standards. So, when customers add those renewable assets to their network, compliance reporting is already built in and ready to go from day one.

Since 2006, we’ve been solving the challenge of safely collecting, monitoring, and managing OT asset data at scale, while providing cross-functional teams with a unified view of security. Many of our long-time customers are now using Industrial Defender to monitor their solar and wind assets. To learn more about how we’re helping customers secure their renewable energy projects, check out our Clean Power Generation and Smart Grids case studies.