In this brave new world of energy, cyberthreats abound. The digital transformation of the energy sector, the rise of clean energy and distributed energy resources, the advent of smart meters and other connected devices—all these advancements are also creating a vastly larger potential attack surface for cybercriminals, rogue nation-states and other bad actors to exploit.
Efforts at every level
“The White House Office of the National Cyber Director (ONCD) provides a special focus on key critical infrastructure sectors that underpin systems we rely on every day. That includes healthcare, water, education infrastructure, and certainly the energy sector as well,” said Brian Scott, deputy assistant national cyber director for cyber policy and programs at the White House Office of the National Cyber Director, Washington, D.C.
Brian Scott, deputy assistant national cyber director for cyber policy and programs at the White House Office of the National Cyber Director
Electric utilities, solar and wind installations are attractive targets for hostile nation-states and cybercriminals, because the owners are typically large enterprises with deep pockets that are willing to pay to protect their operations and reputation.
In response, regulators are mandating that the interfaces between distributed energy resources and the grid be routinely tested by utilities in charge so that if something happens, the interfaces can be quickly disconnected.
Utilities are sending auditors to any operation feeding into the grid to determine if it is abiding by security requirements. Many distributed operations are also directly seeking the guidance of third-party consultants on their own, to obtain a much sharper view about their current risk profile.
“Incidents can always happen, so you must have the capabilities and readiness to respond to it in a timely manner,” said Jalal Bouhdada, global segment director for cybersecurity at DNV, a Norwegian company that provides assurance and risk management services to the energy industry worldwide. “It’s about raising awareness with the end-users and collaborating with governments, suppliers and with the whole broad ecosystem, because we are all in this together.”
Jalal Bouhdada, global segment director for cybersecurity at DNV, Hovik, Norway
In the United States, “energy-related cybersecurity issues are much broader than a particular electric generation source or fuel,” said David Terry, president of the National Association of State Energy Officials (NASEO), Arlington, Va.
“It’s our entire energy system—electric grid, generating, transmission, distribution, fuels, pipelines, critical facilities—and our general way of life where digitization of all kinds of products—dishwashers, washing machines, vehicles, lighting—require some level of cybersecurity,” he said.
David Terry, president of the National Association of State Energy Officials, Arlington, Va.
Unfortunately, the number of cyberthreats, hacks and attacks grows, whether it’s on the country’s electric utility system—a large and substantial target—a small device or something in between that may not be directly energy-related, but affects the energy sector, he said.
“Because cybersecurity is broad, so too are state perspectives on how to approach this threat,” Terry said. “We have to think about resilience along with cybersecurity, and then consider the steps needed to take to make sure the system is restored and running again quickly as possible.”
Private sector energy providers are well aware of the threat, and most state energy offices communicate regularly with utilities and other energy providers to improve prevention, preparedness and response. State officials and energy providers are attempting to consider all the risks, both cyber and physical, and then determine those that may have the greatest effect on lives and livelihoods.
Mitigating risks
With that risk assessment in mind, the challenge is to determine what steps are most practical and necessary to mitigate or avoid those risks, Terry said. State energy offices across the nation are in the process of updating security plans, which include addressing these issues.
“We can’t prevent every energy disruption, but we can attempt to protect against the most damaging cyber and physical threats,” he said. “For lower-priority risks, we can also work to improve energy system resilience so that restoration of service can happen more rapidly. Many states and utilities have made great progress in this area.”
Investor- and consumer-owned utilities have spent a “tremendous amount” of money and attention to defend energy operations against cyber and physical threats, as well as potential natural disasters, he said. State energy officials are extremely involved in the process of assessing risk and collaborating with energy providers to improve resilience.
It is often more difficult for smaller utilities and energy providers because, while they are aware of and committed to addressing these threats, the level of resources and staffing is limited.
“For example, if a nation hostile to the United States is attempting to ‘hack’ a small U.S. energy provider, that provider is clearly being put in a very challenging position that will likely require state and federal assistance. We need to get in front of this challenge,” Terry said. “For this reason, the states and the Department of Energy, as well as the organizations that represent utilities, are increasing efforts to ensure more access to cyber-related assistance.”
Workforce gap
“Across every industry, there’s a need for cybersecurity talent, so ONCD is leading the effort to build a cyber workforce that can protect the nation in every critical infrastructure sector. We promote skill-based hiring to build the talent pipeline, and ultimately the workforce we need to protect the critical infrastructure on which every American depends,” Scott said.
The cybersecurity workforce gap is a global issue, said Swantje Westpfahl, director of the Institute for Security and Safety in Ettlingen, Germany. She said that many security professionals are working with legacy systems “that are very sensitive. Legacy machines might falter and switch off. But for some of those old machines, there simply are no patches, nor are there any updates,” she said.
Swantje Westpfahl, director of the Institute for Security and Safety, Ettlingen, Germany
Energy companies must also make sure newer technologies can interface smoothly with legacy systems, and that every part of the ecosystem can be adequately monitored to pinpoint exactly where an intrusion attack may have occurred so it can be immediately segregated, she said.
Smart meters may present another area of cyber weakness. For example, bad actors posing as energy company techs might manipulate the devices so they can remotely send information from to the energy production facility, requesting that more energy be generated and distributed.
“But if in the next instant, the attackers use the smart meters to say that households don’t need energy anymore, there will be too much energy in the grid,” Westpfahl said. “This is extremely dangerous—triggering a massive production of energy, and then at the same time stopping the facilities from using it. If too much energy is in the grid, then transformers cannot handle the energy.”
Bad actors could also introduce malware into smart meters for other nefarious purposes, she said. Moreover, homeowners might find ways to manipulate their smart meters to hack into their utilities’ servers.
‘Insecure by design’
“Now that we’re connected with so many touch points—our smartphones, smart grids, smart cars—with some of those linked to critical infrastructures, all of us need to understand that we ourselves play a role in the cybersecurity of our society. It’s not like there’s some person somewhere solely responsible for cybersecurity—each and every one of us really needs to step up a little,” Westpfahl said.
Grid technologies develop quickly, and not all manufacturers are able to cope with the speed. This means that with innovation, comes vulnerability.
“That’s what we call ‘insecure by design,’” Bouhdada said. “If they are not tested and validated, there is a big chance that the technologies will be implemented with those issues. That opens an attack venue for cybercriminals or nation-states that are on reconnaissance missions to find out if there are anomalies and vulnerabilities to the infrastructure that can be used—or to also keep secret that they could use in future conflicts.”
Energy companies have been doing their best to thwart potential threats by onboarding more secure technology, redesigning infrastructure and testing the security of their systems through third-party assessments, he said. They’re trying to harden the infrastructure, and they’re also investing in capabilities in terms of incident response and forensics—all of which are increasingly being mandated by energy regulators.
“While awareness is increasing, it’s really about the execution,” Bouhdada said. “Given the nature of this environment, it’s not always very easy to have this speed of execution. But energy companies are really trying to make sure they can handle an incident when it arises.”
Beyond private sector energy providers and utilities, thousands of other devices interact with the electric grid and other energy-related systems, Terry said.
These devices range from commercial building energy controls to distributed energy systems and utility-scale energy storage, and “manufacturers of these devices and systems—and end-users—need to think about cybersecurity and how it may impact not only their operations, but [they should also] consider potential grid implications,” he said.
With support from the DOE’s Solar Energy Technologies Office, NASEO launched the Cybersecurity Advisory Team for State Solar to examine ways to mitigate cybersecurity risks and consequences in solar energy developments. The project identified model solar-cybersecurity programs and actions for states to take in partnership with utilities and the solar industry.
“From a state perspective, we are most focused on elevating awareness of cyberthreats, making sure businesses and consumers realize that while we can’t protect every part of our energy system from every threat, we can assess risk and protect those vulnerable systems that present the greatest threat to lives and livelihoods,” Terry said.
At the federal level, ONCD’s Scott added, “We are focused on strengthening Sector Risk Management Agencies, those agencies charged with primary risk management for sectors, such as the Department of Energy, bolstering its capabilities to ensure cybersecurity priorities are clear, and that it has the needed resources to perform its mission,” he said.
About The Author
KUEHNER-HEBERT is a freelance writer based in Running Springs, Calif. She has more than three decades of journalism experience. Reach her at [email protected].