From Cold War to Code War – the Cyberwar on Renewables
Cybersecurity of Renewables, 2 February 2024
In our latest blog, Claudia MacKenzie dives into the risk of cyberattacks on renewable energy infrastructure, notable past incidents, and what preventative measures can be taken to help deal with this growing threat.
I don’t think a day goes by, at the moment, where my phone doesn’t get a news notification about another missile being sent, even more innocent lives lost, or new conflicts and tensions rising. Whilst I would like to offer this blog as a more uplifting and lighter read, I do think that it is worth shedding light on another, more silent, form of warfare that is ongoing and will increasingly impact the renewable energy industry.
I read a book last year called “This is How They Tell Me the World Ends” which, despite its cheerful title, I found very interesting. Nicole Perlroth, the author, takes a deep dive into the ongoing cyberweapons arms race, explaining the origins of this unregulated market, how countries buy and use such weapons, and why they represent a substantial threat to our near future.
The first chapter, spoiler alert, explains the concept of “zero-days”, which are basically flaws in a piece of software or hardware which, when exploited, allow undetected access to a system. The name stems from the fact that such flaws are unknown to system owners or operators, so there have been zero days for the company to fix the fault. For example, if a hacker had a zero-day for the web browser you were using, they could invisibly hack into your browser, download your data or record your keystrokes, giving them the ability to access your emails, passwords and credit card details (not nice stuff). These attacks can be both dangerous and costly. According to the World Economic Forum, in 2021 a ransomware attack (essentially stealing, locking, and encrypting a target’s data until a ransom is paid to the hacker) occurred every 11 seconds, and antivirus software provider Emsisoft estimates costs connected to ransomware hacks stood at USD 7.5 billion for 2019 alone [1].
An interesting fact about zero-days is that there is a whole marketplace for them, and among the main customers are governments around the world. Most will remember the Edward Snowden case, where his leaks helped give a pretty good insight into just how extensive the US National Security Agency’s catalogue of zero-days was. Whilst this famous example helped raise public awareness of cyber-intrusions, it was largely focused on the data and privacy aspects of cyberattacks. As daunting as such consequences are, the impact of cyberattacks on critical infrastructure may be even scarier.
One of the first main incidents was the Stuxnet worm, discovered in 2010. Stuxnet took out thousands of centrifuges at Iran’s nuclear weapon facilities, and although its origins are uncertain, many believe it was a joint US-Israeli creation. Another famous attack was Triton, which occurred in 2017 and targeted a petrochemical plant in Saudi Arabia. This one was particularly notable because it was designed to manipulate or disable the plant’s safety systems, posing a serious threat to both the industrial processes and the safety of personnel. This was the first time the cybersecurity world had seen code used to deliberately put lives at risk.
In 2017, one of Russia’s most famous cyberattacks on Ukraine, named NotPetya, unintentionally spread beyond Ukraine’s borders by attacking all connected systems indiscriminately. All sorts of international corporations were infected globally, resulting in more than USD 10 billion in damages.
There are other terrifying examples, such as a hacker attacking a treatment plant for drinking water in the US and altering the chemical composition used to purify the water. Thankfully the amount of sodium hydroxide in the water was only briefly increased before a worker spotted it and reversed the action. Needless to say, though, had it gone unnoticed, this could have led to poisonings, an unusable water supply and water scarcity.
Without scaring you too much and veering back towards the intended focus of this blog, these cyberattacks evidently pose a threat to energy systems. There have already been multiple attacks on the oil and gas industry. A few months after the 2017 Triton incident in Saudi Arabia, hackers shut down monitoring systems for oil and gas pipelines across the US. The US and Russia have apparently been fighting over remote control of each other’s energy infrastructure for years, and news headlines in the past days have claimed Chinese hackers are continuously attempting to infiltrate US critical infrastructure, which includes its power grids. In 2018 a cybercriminal gained access to the UK’s whole electricity grid. In 2015, 2016 and 2017, major sections of Ukraine’s power grid were shut down by hackers (believed to be Russian), with further recent attacks in April 2022. One survey found that nearly 75% of energy companies surveyed in the US had experienced some sort of hacker network intrusion in the past year [2]. Long story short, it’s a very real problem.
As is evident from these examples, monetary gain is not the only motivating factor for cyberattacks, with political interests driving cyber-warfare between nations. Another motive for cyberattacks, though, is apparently just respect and recognition within the hacking community, while the NotPetya attack mentioned earlier shows that you don’t even have to be the target to be affected.
To date, the majority of cyberattacks on energy infrastructure have targeted traditional assets; however, renewables are unfortunately not safe either. Supervisory Control and Data Acquisition (SCADA) systems are used to monitor and control renewable energy facilities. If these systems are not adequately secured, they are vulnerable to cyberattacks. Attackers could potentially manipulate control systems, disrupt operations, or even cause permanent damage to the infrastructure. As renewable projects become increasingly advanced and digitalised, enabling remote monitoring and improving efficiency, they are unfortunately becoming more vulnerable to cyberattacks. In 2022, 5800 Enercon onshore wind turbines in Ukraine, equivalent to ~11 GW total capacity, were inoperable for months due to a cyberattack (assumed to be Russian) on satellite communication. In 2019, a renewables company based in Utah had their wind and solar generation across 3 states affected by a hacker entering through a vulnerability in their firewall and breaking the connections between the generation assets and the main command centre. Such incidents can cause enormous losses, which insurance companies are increasingly attempting to reduce their exposure to. Some insurance companies have already started introducing exclusionary clauses and buyback options specifically for cyberattack losses.
How can renewable energy companies help protect themselves from this impending threat? Well, although some attacks, such as Triton, consist of complex algorithmic weapons, the most common mode of entry for an attack is actually still via means such as phishing emails designed to extract employees’ passwords in order to gain access to the network. It is also important to note that as AI develops, phishing techniques can be dramatically improved, making it harder to spot the difference between genuine and fake messages. Therefore, if your IT team is like ours and enjoys sending out fake phishing emails (amongst other security measures taken) to help train us not to fall for attacks, then that’s a great start. As joked by my colleague, “I was promised Christmas presents if I followed the link, and all I got was a 2-hour training session on IT security”. Other good industry practices for increased cybersecurity include ensuring software updates are installed promptly (these updates often include fixes to known system vulnerabilities), monitoring the network for any unusual activity, access controls, layered defences and segmenting the network. In order to implement the required security measures and keep up with ever-advancing cyberattacks, it is increasingly important to hire employees with cyber defence expertise. Many companies are already doing so; for example, EnBW is expanding its 200-strong cyber security team to protect their renewable operations [3].
As hackers become more and more sophisticated, it is essential for energy companies to ensure they are taking sufficient measures to protect their assets and the citizens and companies that depend on the energy they are producing. As quoted on AP News yesterday, cybersecurity expert Amit Yoran, CEO of Tenable, said “Continuing to turn a blind eye to the risk sitting inside our critical infrastructure is the definition of negligence” [4].
1. How common are ransomware attacks? | World Economic Forum (weforum.org)
2. Why Energy and SCADA Meters for Utility, Industrial and Commercial Applications Need Cyber Secure Encryption (automation.com)
3. Insight: Cyberattacks on renewables: Europe power sector’s dread in chaos of war | Reuters