By Jason Grimbeek
Cybersecurity has long been a task left to business IT teams to perform, typically by protecting email, making sure we change our passwords, and doing the odd phishing test to see if we take the bait. In recent years, there has been a shift away from cybersecurity as an afterthought; regulatory standards are forcing the utility industry to apply some control to interconnected systems, largely through the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards. The last 18 months have seen a significant increase in the number of attacks in industrial sectors. Ransomware is now the go-to tool for most attackers, as it brings even the largest organizations to their knees, and it has become a lucrative market for nation states and organized crime alike.
Some rogue nations have been struggling to survive through crippling western sanctions, forcing them to find new means of obtaining valuable foreign currency. The rise in ransomware has been partly attributed to these agents as it is a reliable and relatively easy way of gleaning large sums of money from western companies. The May 2021 Colonial Pipeline cyber attack was achieved by using a simple password compromise; it led to 11 days of fuel shortages across the Southeastern US and impacted seven airports and flights, causing widespread travel delays. The company ultimately paid $4.4 million to the attackers to decrypt their systems. Analysis of the event indicates it was perpetrated by a Russian group calling themselves the DarkSide Group. While not officially state-sponsored, the Russian government has no interest in cooperating with any investigation efforts, leading political analysts to speculate that the DarkSide may be linked to the government or influential Russian leaders. Through an analysis of the bitcoin wallet used, researchers were able to determine that the group had been paid over $90 million in ransom over the last year alone.
The bottom line is that these attacks are profitable - no industry or company is immune. Boards and Executives must understand the impact of these events, not only to their organization, but to the upstream and downstream players as well.
Cybersecurity for solar
One of the key lessons the solar industry can learn from the Colonial Pipeline attack is that the government will react and force change. Within 5 days of the attack, President Biden issued Executive Orders on improving national cybersecurity.
For 15 years, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards have slowly been changing the way the electric utility industry applies cybersecurity to its industrial systems. Solar has largely been able to dodge the heavy requirements, as the thresholds of applicability are generally higher than most single solar installations. However, as demand for renewables has increased, so have the sizes of the arrays, many of which now cross the 75-megawatt threshold for low impact compliance. Additionally, larger organizations are beginning to operate multiple solar power plants across the continent from a central control center, putting them into a potential medium impact category under NERC CIP.
While NERC CIP is designed to secure critical infrastructure for the purpose of reliability, it is by no means a comprehensive cyber program, particularly as most solar power plants would be considered low impact. Low impact under NERC CIP has four key requirements:
Wading through the minefield
Executives need to understand that a cybersecurity incident is now a significant business risk not only to their solar operations, but to the overall grid and any interconnected businesses. Too often, NERC CIP compliance is used as a checkbox to indicate all is well. Organizations committed to cybersecurity have a strong cyber program; CIP compliance is a mere subset of that overall program. Insurance companies are beginning to require that companies demonstrate the health of their overall cyber program before determining insurance rates. Customers and business partners are starting to require assurance from the organizations they connect with that cybersecurity is managed within those entities. A crippling attack on a central control center for multiple solar power plants could have a devastating effect on a region’s power stability.
Too many cybersecurity consultants produce reports on cyber program maturity and control deficiencies that focus on the immeasurable gaps between current state and the final “gold” level of cyber maturity. This tends to leave management feeling helpless in their inability to reach such a high goal. Instead, executives should go for “bronze”: Start with a foundation like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which can easily be tied to NERC CIP, and slowly build each component one by one. Much like building a home with a limited budget, it’s important to start with a plan, then focus on the next block. The key is placing each block in the right place according to that plan and priority. This provides a tool to manage and report on your organization’s cybersecurity health, as well as the ability to demonstrate progress over time.
Future attacks are inevitable. Expect to see the American and Canadian governments working together to increase regulatory control over cybersecurity in the renewable energy sector. The days of solar being under the radar are limited. Organizations must begin building their overall cybersecurity programs now to minimize the cavernous gap to the more stringent regulatory requirements that will be necessary in the future.
Jason Grimbeek is CEO of Iron Spear, a cybersecurity advisory firm for the industrial sector.
Iron Spear | ironspear.ca