Outdated software leaves developers 'vulnerable' to cyber attacks

Renewable energy developers are "very unprepared" for cyber security attacks, a senior analyst for underwriter GCube told Windpower Monthly, after an attack victim was named in government documents.

Last month, sPower was named as the victim of a cyber attack in March (pic: Pixabay)

The denial of service (DoS) attack suffered by US wind and solar PV operator sPower in March, but only made public through a Freedom of Information (FOI) Act request in October, is also more common than media coverage suggests, Geoffrey Taunton-Collins said.

Most cyber attack stories only make the news because of third-party data being affected and victims being legally obliged to inform customers, he added. 

Utilities excluded, most renewables developers do not hold this data about customers, and so there is no obligation to go public about the attack.

"Victims in the renewables sector are very reluctant to make this public," Taunton-Collins told Windpower Monthly.

"It’s quite telling that it had to come from an FOI request. We’re aware of lots of people who’ve been hit. It’s reasonably common." 

'Known vulnerability'

AES-subsidiary sPower suffered a series of brief, intermittent communication outages between their control centre and their remote sites over a 12-hour period on 5 March, according to US Department of Energy documents released to media outlet E&E News under the Freedom of Information Act.

The outages were caused by a cyber attack "exploding a known vulnerability" causing the developer’s firewall to reboot, an email from the department’s office of cybersecurity, energy security and emergency response revealed.

However, sPower did not find any evidence that its logged files were breached, and the attack had no impact on operations, according to the e-mail. 

In more severe attacks, the attack could interrupt operations, Taunton-Collins said.

"Wind turbines or solar panels would just stop working. That can have huge ramifications for individual projects in terms of their revenue, and for power supply in places where a large proportion of their energy supply is from renewables."

'Very unprepared'

While developers are generally well-covered and prepared for physical damage to their assets — for example, through severe weather conditions — they are not well-equipped to handle cyber attacks which cause non-physical damage, Taunton-Collins said.

"What causes vulnerability with renewables is that, to a large degree, the industry still uses legacy technology, which doesn’t offer protection from attacks," he told Windpower Monthly.

"They are very unprepared."

Other steps developers can take to protect their assets include habitually backing up data on a daily basis, training their employees in best practices, and restricting privileged access to assets appropriately, Taunton-Collins suggested.

However, even these steps might not be enough to protect wind farms and solar arrays from criminal attacks or administrative errors caused by "someone pressing the wrong button", or "migrating to a new computer system", he said.

Criminals might launch ransomware attacks — and demand a ransom in return for returning the asset to normal operations — or so-called ‘hacktivists’ might carry out ideologically driven attacks to "cause as much disruption as possible", he suggested.

"If someone with basic knowledge of how to do it wants to attack your wind farm, they can," he warned.

Craig Richard recommends

Keeping the hackers at bay

Read more