Biden is eyeing renewable energy. So are hackers

Source: By Christian Vasquez, E&E News reporter • Posted: Tuesday, December 22, 2020

President-elect Joe Biden’s rush to renewable energy may open up a host of cybersecurity dangers if more isn’t done to secure the technology from hackers.

Fast-evolving solar and wind technologies pose new risks to power grid security, especially as smaller renewable energy companies often lack resources to fight against hackers, experts warn. And a recently discovered hacking campaign targeting federal agencies and potentially hundreds of energy companies only underscores the scale of the challenge (Energywire, Dec. 18).

Biden’s push to zero out electricity-sector carbon emissions by 2035 could force the administration to contend with a rising cybersecurity threat from nation-states and criminal hackers while protecting new technologies in the grid that are heavily reliant on internet-connected devices. While hacking clean energy networks poses little risk of a blackout now, that could change as thousands of megawatts of new wind, solar and battery storage resources link up to the grid.

Experts say that the challenges of protecting grid-edge technologies from hackers are increased by the distributed nature of renewables, lax or nonexistent cybersecurity standards, and an industry that may be more focused on building first and leaving cybersecurity as an afterthought.

“The cybersecurity conversation in the renewable energy engineering and construction business is almost nonexistent today,” Jim Guinn, global managing director for cybersecurity in energy, chemicals, utilities and mining at Accenture, said in a recent interview.

The lack of attention isn’t limited to new or smaller companies, Guinn said: Established energy giants pivoting to renewables seem to be repeating past mistakes of adding cybersecurity as an afterthought — even as they make strides in cybersecurity in other areas.

“Wind or solar, we’re not seeing clients engaged in the conversation, we’re having to take the conversation to them,” Guinn said.

The more renewable resources enter the playing field, the greater the concern of impacts on grid reliability, experts say. But clean energy’s rapid rise — wind energy alone has risen from 2.3% of the U.S. electricity mix a decade ago to around 7% today, according to the U.S. Energy Information Administration — could also present an opportunity to embed a security-by-design framework, where defensive measures are built in alongside the technologies.

That would take buy-in from device manufacturers all the way up to Biden, who could shape cybersecurity priorities at agencies including the standards-setting National Institute of Standards and Technology and the Energy Department.

Researchers at DOE’s National Renewable Energy Laboratory are already exploring security fixes in hardware and software associated with technologies like electric vehicles, battery storage and energy-efficient buildings that interface directly with the wider power grid, as well as wind and solar generators.

“Envisioning that each device and sensor creates a tripwire to detect or stop malicious actors allows for renewables to have hundreds of ways to detect and stop malicious intents,” said Jonathan White, director of NREL’s cybersecurity program office.

The renewable electricity sector has already seen its fair share of cyberattacks. In March 2019, a Utah renewable energy developer was hit with a “denial of service” attack that temporarily left grid operators blind to solar power sites (Energywire, Oct. 31, 2019). While the incident didn’t cause any blackouts, it was the first publicly known disruptive cyberattack to occur anywhere on the U.S. power grid.

More recently, a ransomware attack in February hit an unnamed renewable energy facility in Sterling County, Texas, according to DOE records. While the attack also didn’t disrupt the grid, it showcased that the ransomware threats that have crippled U.S. hospital and school networks this year will continue to plague critical infrastructure in years to come.

And experts are continuing to assess the fallout from the far-reaching breach of information technology service provider SolarWinds, which counts most Fortune 500 companies as well as global renewable energy developers and manufacturers in its customer base. Companies or agencies that downloaded a hacked version of a SolarWinds software update — one that’s circulated since at least March — could be vulnerable.

Speeding past defenses

As with any new technology, espionage remains a key concern for clean energy developers. The renewable space is a prime target for other nations hoping to steal U.S. intellectual property, experts say. In an October analysis, the Department of Homeland Security warned that hostile nations like China and Russia continue to target the U.S. energy sector. The threat posed by China, given its background in industrial espionage, is especially concerning, said DHS.

“China already poses a high cyber espionage threat to the Homeland and Beijing’s cyber-attack capabilities will grow,” the agency concluded in its Homeland Threat Assessment. “Chinese cyber actors almost certainly will continue to engage in wide-ranging cyber espionage to steal intellectual property and personally identifiable information (PII) from U.S. businesses and government agencies to bolster their civil-military industrial development, gain an economic advantage, and support intelligence operations.”

Nation-backed and criminal hackers are constantly looking for the weakest link in the energy sector, said Marty Edwards, vice president of operational technology security at Tenable Inc. and a former DHS cybersecurity official. “If the weakest link happens to be renewables because we’ve deployed them in a nonsecure manner,” there could be an increased interest in attacking those technologies, he said.

DOE said that cyberattacks “are outpacing cybersecurity capabilities, posture, and expertise” in a road map for wind cybersecurity released earlier this year.

An individual wind turbine is not likely to threaten the grid if a cyberattack disables it, DOE said, but because generators typically connect to each other via “smart grid” communications, there are many more attack paths for hackers. If a turbine is breached, the hackers could use that foothold to gain access to more networks and perhaps find their way into the bulk electric system, DOE warned.

“The new energy system depends on renewables and [on] distributed generation, which also depends on connectivity,” said Leo Simonovich, head of industrial cybersecurity at Siemens Energy Inc. “And that connectivity is greatly expanding the attack surface; it also makes it more complex.”

Supply chain fears

Wind energy also has supply chain cybersecurity concerns, the DOE report noted. Much of the industry’s equipment is built overseas, bringing a risk of embedded malware or other hidden vulnerabilities. Cybersecurity experts and government officials have raised the same worries about solar power gear.

“What happens if every single solar inverter that is connected has the same communications [equipment] that’s all made by one vendor, and that vendor has a significant vulnerability?” asked Edwards.

Supply chain security has been a key focus of the Trump administration. President Trump issued a May 1 executive order aimed at protecting the bulk power system from supply chain threats from nations that pose a national security risk, including China.

In a blueprint for the Biden administration, the American Wind Energy Association recommended that the former vice president revoke Trump’s order. AWEA said that the resulting DOE rulemaking could lead to “unnecessary restrictions on transactions involving non-U.S. bulk-power system electric equipment.” AWEA said ambiguous wording in Trump’s order could set back or even halt ongoing projects.

“There are pervasive industry fears that contracts deep into development or construction or operations are no longer economic, and this has created uncertainty over whether to proceed with current supply orders with equipment that might be impacted for new projects,” AWEA wrote.

AWEA said the Biden administration should instead “leverage existing industry standards in its development to mitigate major threats.”

Michele Mihelic, senior director of standards and asset management for AWEA, added in a statement that “standards development, if done correctly, encourages growth while setting a predictable, level playing field across the renewable energy industry.”

“While renewable energy remains a relatively low cybersecurity risk, AWEA supports efforts from the federal agencies to protect our nation by looking ahead to potential cybersecurity issues that could arise and address them in a comprehensive and transparent manner,” she said.

But existing cybersecurity standards for renewable energy are slim to none. The Federal Energy Regulatory Commission and the nonprofit North American Electric Reliability Corp. (NERC) set and enforce cybersecurity requirements for any networks interacting with the bulk power system, but there are no wind-specific rules, DOE said in its road map.

“The wind industry largely depends on standards developed for other energy systems and technologies, meaning that the specific cybersecurity needs of wind energy technologies are not well understood,” DOE said.

However, developing cyber standards for wind isn’t an easy task, DOE warned. For one, standards aren’t the end-all, be-all for defense against hackers, cybersecurity experts agree, and mandatory requirements drafted by NERC and FERC can take up to four years to come into effect. A recent FERC white paper concluded that current critical infrastructure protection standards aren’t enough to protect the grid from hackers.

Solar assets are even more widely distributed than wind turbines and could pose bigger challenges as sales of rooftop panels rise. A solar installation at a home or small business could be a lucrative target for criminal hackers looking to make money from a ransomware attack. Like wind energy, solar has few cybersecurity regulations and standards in place, though some guidance exists in California and Hawaii, and through the SunSpec Alliance of solar manufacturers and service providers.

More robust standards are currently being developed by organizations like the Institute of Electrical and Electronics Engineers and the International Electrotechnical Commission, alongside U.S. national labs and industry, said White of NREL — but time is running out.

“In some areas and seasons, wind and solar provides significant percentages of the overall generation,” White said. “As the penetration of renewable generation and EV charging stations increases in the future, the consequence of a successful attack is likely to be similar in aggregate to those of a successful attack to a natural gas, coal or nuclear plant today.”