With the increase of interconnected renewable energy forms and high-tech nature of green power generation, multiple federal government-backed efforts are underway to give owners and operators tools to thwart cyberattacks.
Central to the development and end use of renewable energy are computer systems with inherent cyber vulnerabilities. Complicating the issue in the march to decarbonize the power sector are rapid technical leaps occurring in a myriad of energy forms—solar, wind, hydropower, geothermal and hydrogen—as policymakers set ambitious deadlines for consumers to use more and more renewable energy.
Consequently, government organizations tasked with public safety want to ensure cybersecurity measures are included in this green power race.
One key national government stakeholder is the Federal Bureau of Investigation. In July, it issued a six-page private industry notice about “malicious cyber actors” having a wider variety of renewable energy targets due to growth within the green power industry fueled by federal and local governmental policies.
The FBI warned of possible attacks “to disrupt power generating operations, steal intellectual property, or ransom information critical for normal functionality to advance geopolitical motives or financial gain within the U.S. renewable energy industry.”
To underscore vulnerabilities, the FBI outlined how residential or commercial solar panel systems could be targeted by bad actors seeking to control inverters (which determine electrical currents) to cause sabotage by overheating solar panels. The agency then listed multiple preventative recommendations. It also encouraged companies and organizations to establish relationships with regional FBI field offices for assistance identifying renewable energy system vulnerabilities and mitigating risks.
A second leading federal player in the green movement is the U.S. Department of Energy. DOE’s Office of Cybersecurity, Energy Security and Emergency Response provides news, resources, training and even a cyber challenge for college students to compete with cyber security pros in thwarting fake attacks.
Also the DOE is working on an EV consortium project for cyber physical security involving EV charging systems. The objective is to identify and manage risks to power system operations using computer simulations, threat models and penetration tests on EV supply equipment.
To illustrate the complexity of safeguarding EV supply equipment, DOE created a graphic depicting three important cybersecurity junctures (represented by locks) in EV charging infrastructure.
1. An electrical grid must securely connect to an internet cloud system.
2. That cloud system then needs a secure link to an EV charging station.
3. Finally, the EV charging station must be able to securely connect to the EV.
A hacker could invade any of those entry points unless cybersecurity measures are taken at each of the charging process areas.
A third important federal source to improve renewable energy security is the Cybersecurity and Infrastructure Security Agency based in Washington, D.C. CISA provides constant cyber alerts, best practices and other resources easily tailored to meet different business needs.
CISA’s mandate as the nation’s coordinator for critical infrastructure security and resilience means the agency collaborates with public and private sectors to manage risk and promote best cyber security practices. Recently CISA released an 18-page guide called “Ten Steps of Resilient Power” for critical infrastructure facilities and sites. The guide contains a cybersecurity section recommending a “zero trust security” policy be created to merge cybersecurity in both IT and industrial controls instead of each having its own cybersecurity mechanism. CISA says this guide can help organizations develop action plans that not only enhance resilience to deter power outages, but also build better defenses and faster recovery times after attacks.
Another key government source offering useful information is the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology in Maryland.
“Today, we connect cyber-physical systems that run the power grid, oil and natural gas pipelines, and other energy systems to business networks, billing systems, and monitoring systems. While this offers efficiencies in grid operations and real-time system awareness, it could make our energy infrastructure vulnerable to cyberattacks,” the NIST Cybersecurity Center explains.
Its drill-down approach categorizes security guidance into 16 technologies, such as applied cryptography, artificial intelligence, critical cybersecurity hygiene, data security, digital identities, internet of things, mobile device security, supply chain assurance and zero trust architecture.
Within these technologies are different types of guides, fact sheets, security guidance and lists of collaborating corporate vendors. NIST also cites ongoing projects while inviting stakeholders to collaborate and provide comments.
NIST’s Cybersecurity Center offers another way to find helpful material by grouping it into sectors, some of which are relevant to renewable energy:
- Consumer data protection
- Energy
- Financial services
- Healthcare
- Manufacturing
- Public safety/first responder
- Water/wastewater
The fifth federal government resource is one of the DOE’s national laboratories called the National Renewable Energy Laboratory in Golden, Colo. It focuses squarely on renewable energy and has a group exploring countermeasures against hacking electricity grids.
To match the latest scientific cyber applications to renewable energy innovations from industry, NREL is inviting companies and utilities to validate their latest technologies prior to launch. NREL can offer companies virtual tests on their systems to identify cybersecurity risks.
Despite some of these five arms of the federal government having different roles in cybersecurity and renewable energy, they are all united in providing public assistance and resources to thwart hacking to boost resilience of the U.S. energy supply chain.
