Securing Your Solar Investment

Energy businesses are deploying advanced digital solutions to upgrade and connect their legacy technology and infrastructure. From A.I. to automation, a new suite of complex and connected digital platforms is enabling businesses to improve safety, increase efficiency and decarbonize faster. 

forecast of the world’s energy system up to 2050 estimates that Solar PV & Storage capacities will total 15.3 TW, a 13-fold increase from 2022. We expect total installed wind capacity to grow from 950 GW in 2022 to 6,400 GW by 2050. To meet this demand on the overall grid, annual investments through 2050 are expected to reach the US$1 trillion threshold. A trillion dollars buys a lot of digitally connected infrastructure – an investment that is needed if the industry is to reach its net-zero ambitions. 

With the rapid increase of distributed energy resources, energy companies can no longer rely on the relative ease of defending single physical generation sites. We now have distributed solar generation sites, wind farms with large numbers of turbines on and offshore, and energy storage systems all interconnected as independent generating sites. This greatly expands the boundary which cyber defenders must protect.  

As Swantje Westpfahl, Director of the Institute for Security & Safety GMBH, states, “Clean energy has created a much larger attack surface because we have new energy generation run by small computers – solar parks and wind farms – as well as smart meters expanding the grid into houses and cars. There is more risk that the whole system can get rocked if there’s a successful attack.” 

Several defense-in-depth practices are recommended to create an effective cybersecurity posture that will reduce the likelihood and severity of attacks against distributed energy resources:

Securing remote access

As distributed energy resources are geographically separate from the primary business locations, remote connections are necessary to reduce maintenance and management costs. 

Establishing encrypted Virtual Private Network (VPN) connections by using encryption standards such as AES-256 is vital to the end-to-end security of the connection. 

This helps prevent a malicious actor from hijacking the communications session or intercepting the data transfer between the two locations. 

Further, Jump Hosts are recommended to provide authentication of remote users as they access the operational network. Jump Hosts can be configured to grant or deny access to certain systems or network segments based on the user’s profile. They can also act as part of the network’s auditing infrastructure – they can be configured to log and audit all access attempts and report that information to a centralized security monitoring infrastructure.  
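
The profile-based grant/deny decision and the audit trail described above can be sketched as follows. This is an added example, not code from the article or from DNV; the user names, profiles, subnets and the deny threshold are constructed assumptions.

```python
import ipaddress
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed profiles: which operational segments each role may reach.
PROFILES = {
    "operator": ["10.10.10.0/24", "10.10.20.0/24"],  # SCADA + inverter segments
    "vendor-inverter": ["10.10.20.0/24"],            # inverter segment only
}
USERS = {"alice": "operator", "acme-tech": "vendor-inverter"}  # constructed

AUDIT_LOG = []  # stand-in for forwarding to central security monitoring


def authorize(user, target_ip, now=None):
    """Grant or deny a session and record the attempt either way."""
    profile = USERS.get(user)  # None for unknown users, who reach nothing
    target = ipaddress.ip_address(target_ip)
    allowed = any(
        target in ipaddress.ip_network(net) for net in PROFILES.get(profile, [])
    )
    AUDIT_LOG.append(json.dumps({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "profile": profile,
        "target": target_ip,
        "decision": "grant" if allowed else "deny",
    }))
    return allowed


def users_over_deny_threshold(log_lines, threshold=3):
    """Users with at least `threshold` denied attempts, for alerting."""
    denies = Counter(
        rec["user"] for rec in map(json.loads, log_lines)
        if rec["decision"] == "deny"
    )
    return sorted(u for u, n in denies.items() if n >= threshold)
```

Granted sessions are logged as well as denied ones, so the central monitoring side sees every access attempt rather than only failures.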

Network awareness

Many organizations don’t understand the cyber-nature of the specific systems and components that enable their business function. Network mapping helps operators discover and categorize all elements that connect to the network. 

This is typically conducted in a combined automated and manual fashion to discern what components are connected and their respective relationships to other interconnected devices. Network mapping can aid an organization in optimizing its network performance as well as identifying areas where security can be improved. 

Vulnerability assessments form the second part of the network-understanding equation. These assessments evaluate the security of the system or network by identifying weaknesses that can be exploited by malicious actors, enabling operators to identify vulnerabilities that can be present in the hardware or software configurations of interconnected devices and network components (e.g., firewalls, routers, switches). 

The severity of identified vulnerabilities can be mapped against a business process to provide an objective assessment of risk that the organization can prioritize for remediation. Implementing an event detection and alerting infrastructure will greatly reduce the time, effort, and cost required to respond to suspicious activity.

Segmenting the network

This security strategy involves dividing elements of the system or network into smaller limited enclaves that have protection measures specific to the devices within the segmented area. 

These segments are often controlled by firewalls, and can limit the types of traffic between the segments at large or how individual components communicate outside of the segment. 

An example would be to prohibit any network traffic to a device that only needs to send data to another segment. Additionally, segmentation can be achieved at the protocol level – only allowing necessary protocols such as MODBUS to pass through the firewall. This limits the impact of vulnerabilities on specific devices in the event they can’t be patched (defense in depth), and limits lateral traversal in the event of a successful network breach. 
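
The two rules in this paragraph (no inbound traffic to a send-only device, and only Modbus across the segment boundary) can be modelled as an ordered, default-deny rule set and checked against sample flows. This is an added example, not from the article; the addressing plan, the sensor and historian hosts and port 8443 are constructed assumptions.

```python
import ipaddress

MODBUS_TCP = 502  # registered Modbus/TCP port

# Constructed addressing plan (assumption, not from the article).
SCADA = "10.10.10.0/24"
INVERTERS = "10.10.20.0/24"
MET_SENSOR = "10.10.30.5/32"   # device that only pushes readings out
HISTORIAN = "10.10.10.50/32"
ANY = "0.0.0.0/0"

# Ordered rules, first match wins: (action, src, dst, proto, dport).
# None in proto/dport means "any".
RULES = [
    ("allow", MET_SENSOR, HISTORIAN, "tcp", 8443),   # sensor's outbound push
    ("deny",  ANY, MET_SENSOR, None, None),          # nothing may reach the sensor
    ("allow", SCADA, INVERTERS, "tcp", MODBUS_TCP),  # only Modbus crosses
]


def in_net(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(src, dst, proto, dport):
    """Return 'allow' or 'deny' for one flow; unmatched traffic is denied."""
    for action, r_src, r_dst, r_proto, r_port in RULES:
        if (in_net(r_src, src) and in_net(r_dst, dst)
                and r_proto in (None, proto) and r_port in (None, dport)):
            return action
    return "deny"


def denied(flows):
    """Subset of observed flows the rule set would block."""
    return [f for f in flows if evaluate(*f) == "deny"]
```

Matching on port 502 identifies Modbus/TCP by port only and does not inspect the payload, so this models the allow-list, not protocol validation.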

Controlling dataflows & access

Given the advent of high-speed cellular and WiFi access, non-homogenous ownership and maintenance relationships have exploded in the renewable energy sector. 

Operations and maintenance of many distributed generation facilities can easily be subcontracted to third-party integrators and support vendors. They want to reduce onsite costs and look to the same remote access that we previously described. 

This presents a new security dynamic as vendor processes and employees are outside of your control. We can reduce the risk of system exposure through vendor actions by mandating specific cybersecurity access and data protection controls within the support contract. While this may be seen as a passive approach, it can be augmented with active efforts such as limiting network segments to which each vendor has access. 

Similarly, the owner/operator can implement a data mapping strategy that identifies and reduces the data to which a vendor may have access. Not only will this reduce the likelihood of data spillage but will also facilitate quicker response in the event of a third-party data breach. 

Essentially, you’ll know which contractors have access to the data that has been affected. 
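
A data map of this kind can be kept as two small tables and queried in both directions: what a given vendor can reach, and which vendors can reach a given data set. This is an added example, not from the article; the vendor names, segments, data sets and contract scopes are constructed assumptions.

```python
# Constructed data map (assumption): segment -> data sets reachable there.
SEGMENT_DATA = {
    "inverters": {"inverter-telemetry", "firmware-images"},
    "scada": {"setpoints", "inverter-telemetry", "operator-accounts"},
    "metering": {"revenue-meter-reads"},
}
# Segments each vendor can currently reach, and what its contract requires.
VENDOR_ACCESS = {
    "acme-om": {"inverters", "scada"},
    "gridmeter-co": {"metering"},
}
CONTRACT_SCOPE = {
    "acme-om": {"inverters"},
    "gridmeter-co": {"metering"},
}


def data_in(segments):
    """Union of the data sets reachable in the given segments."""
    return set().union(*(SEGMENT_DATA[s] for s in segments))


def exposed_data(vendor):
    """Data sets to treat as exposed if this vendor is breached."""
    return data_in(VENDOR_ACCESS.get(vendor, ()))


def vendors_with_access(data_set):
    """Contractors whose access reaches a given affected data set."""
    return sorted(v for v in VENDOR_ACCESS if data_set in exposed_data(v))


def excess_access():
    """Per vendor: segments beyond contract scope and the data that
    removing them would take out of the vendor's reach."""
    report = {}
    for vendor, segs in VENDOR_ACCESS.items():
        extra = segs - CONTRACT_SCOPE.get(vendor, set())
        if extra:
            removed = data_in(extra) - data_in(segs - extra)
            report[vendor] = {"segments": sorted(extra),
                              "data": sorted(removed)}
    return report
```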

Educate your workforce 

Cybersecurity awareness is paramount across your organization, from expert cyber defenders to system operators and maintainers. 

Everyone plays an essential role in safeguarding systems, so it is critical that they have the right skills to understand, recognize and respond to suspicious behavior. 

This can range from identifying phishing attempts to understanding cyber threat prevention techniques to implementing initial triage actions. Knowing how to act, who to call, and when to do it can be critical in the case of a cyber incident. DNV recommends a formal training program that includes cybersecurity concepts combined with scenario-driven simulations to reinforce how to secure your OT systems and respond during an incident.

No singular cybersecurity concept will make your systems and networks completely secure. Effective cybersecurity is a constantly evolving effort that is performed by well-educated and cohesive teams. Implementing the security controls mentioned above will enhance your ability to protect your investment in distributed energy resources. 

 

Adam DiPetrillo is a Senior Cybersecurity Consultant with DNV Energy Insights. With over 500 global cybersecurity experts, DNV provides tailored cybersecurity services such as Risk & Vulnerability Assessments, Governance Compliance Assessments, 24/7 Managed Detection & Response Services, Owner’s Engineering, Cybersecurity Training and Strategy & Program Development for clients in the Electricity, Oil & Gas, Renewables, Maritime and Manufacturing industries. Contact the author at [email protected] to discuss how DNV can assist with your cyber concerns. 

DNV Energy Insights | www.dnv.com

 

 


Author: Adam DiPetrillo
Volume: 2024 March/April