Viewpoint: Are our energy systems fit to withstand cyber attacks?

The energy transition is gathering pace. Until 15 years ago, investments were mainly in large assets designed to last 40 years or more. Prolific deployment in recent years of decentralised generation technologies has resulted in a diverse mix of installations, owned and operated by a range of stakeholders.

Google Translate

Energy storage is beginning to add a new dimension, supporting the development of a more dynamic and flexible system, while mass take-up of "smart" electric technologies seems to be just around the corner.

Where does cyber security fit into all of this, and should we be worried? The attack surface for hackers within the energy space is becoming larger and more diverse as the energy transition progresses. There are far more players, assets and entry points - and therefore more ways to cause significant disruption.

Today, a range of renewable technologies contribute to the generation mix. But when it comes to monitoring and control solutions, there is a mix of old and new devices and protocols in use. This introduces possible vulnerabilities and perhaps a lack of assurance when procuring such devices.

As a result, questions arise: could a hacker spoof communications at such installations to change the behaviour of generation assets? Yes, if they were to find a route in and study the protocols used.

Could a hacker manipulate the energy market? Yes, if they have gained access to the former.

How would you know if they had, and how far could they go in an increasingly connected system? Chances are, you won't know until after the event and the true impacts may be hard to quantify.

Could an even more skilled and determined hacker cause physical damage to electricity generation and distribution systems? Yes, and such activity may in the worst case cause harm to people.

Some might say this is scaremongering, but the reality is potentially more severe. Cyber security has featured much in the media recently.

The Wannacry ransomware attack hitting healthcare, government and businesses across the globe in May, and the Industroyer malware that caused a blackout in Ukraine last year are examples of what can happen if systems are not kept up to date and lack the necessary processes and governance.

Organisations of all sizes are vulnerable, and it isn't always just a funding issue. It is time we started to tackle the issue head-on, setting up commensurate checks and balances for decentralised energy infrastructure.

Do all entities installing or operating renewables portfolios pay attention to cyber risk? Perhaps due-diligence activities should consider what security policies are in place; starting from the simple question of whether there is one at all, to a more detailed assessment of the policy's scope and how its implementation is reviewed and assessed.

Data Forum

Does the cyber policy consider or define the attack surface of the assets under review? How are risk assessments carried out, and how often are they updated? How are countermeasures implemented and reviewed?

What independent testing takes place? Is any penetration testing carried out and how are the reports used? How is log data is monitored? How would operators know if there was anomalous behaviour going on?

Compliance assessment

Whose job is it to ensure these processes are happening? The investor, the operator, or does it need to be a critical-infrastructure issue?

Of course, even if there were national standards to cover this space, there is still a need to assess compliance with such standards, and maintain compliance in the face of emerging threats and alongside system developments.

Take, for example, the smart-metering programme in the UK. It has an end-to-end security model designed to protect critical communications, which means devices going into homes and businesses are subject to a detailed, mandatory cyber-security evaluation prior to deployment.

Other elements of the overall smart-metering infrastructure are also subject to security requirements to minimise the risk to the UK's critical national infrastructure, of which energy is a part.

The question is whether in an evolving energy industry with a multitude of decentralised technologies such "assurance" regimes are needed in a much broader sense.

This leads to questions around how we check for vulnerabilities. What does "good enough" look like, what is known about potential attack techniques, and how much is known about possible countermeasures? And perhaps just as crucial, we must look at how a business case be developed to ensure best return on investment from any implementation of countermeasures.

This is not scaremongering. It is simply being prudent and prepared in the face of a rapidly evolving threat picture as the energy transition accelerates.

Matt Freeman is DNV GL's Energy head of operational excellence

Have you registered with us yet?

Register now to enjoy more articles
and free email bulletins.

Sign up now
Already registered?
Sign in