Perhaps you have heard about the cyberattacks hitting German renewable companies in the spring of 2022. Attacks, that disabled thousands of digitally managed wind turbines of some of the biggest operators in the German wind industry.
Whether we are prepared for it or not, cyber threats will be part of our renewable, digital future. And as the digital landscape evolves, so do the tactics of cyber attackers. Due to the complex digital infrastructure of power production and distribution, companies can easily become collateral damage in times of cyber warfare, putting everybody, including consumers and critical infrastructure, at risk.
The attacks and risks have increased overall awareness and brought greater attention to the vulnerabilities within the sector. At the same time, however, the recorded incidents also reveal that the renewable industry is not yet adequately resilient to current and future threats.
The new and profound awareness must be translated into actions.
In this blog post, we explore three of the fundamental principles that can help you safeguard your renewable software systems and protect your mission-critical data. We do so together with Andreas Nitsch, Senior Sales Engineer at SCADA International and specialist in SCADA, OT, and cybersecurity setups.
1 Make sure your systems are up to date
One of the basics in building secure, cyber-resilient software is to ensure that the systems are maintained and updated regularly with the latest security measurements. Legacy systems and unpatched software are at higher risk of security breaches because they often are outdated and neglected, living their own life.
This is a complex requirement, as renewables use OT setups and not IT setups, meaning their focus is on machine availability without human interaction with much slower product lifecycle times compared to classical IT. Due to this, other security measures around the OT components might be necessary.
However, many renewable power plants operate with legacy systems or even unsupported SCADA systems that have reached end of life in view of support by the manufacturer. And this puts the entire power plant at risk, as SCADA systems, if gained access to, allow attackers to retrieve and manipulate data, issue control commands, and perform other unauthorized actions.
Andreas Nitsch also emphasizes that in securing safe operations, the entire infrastructure must be maintained, too:
“I have seen a lot of cases where you have a plant infrastructure with routers, computers, and servers that are never getting software updates without firewalls around it. Once installed and commissioned, it is never touched again. And that is a huge vulnerability.”
Thus, recognizing the importance of security throughout the entire lifecycle of a renewable energy plant is equally crucial as ensuring security during the initial installation phase.
2 Eliminate loopholes and backdoor access
Just like any other software system, renewable software systems are exposed to unauthorized access threats. Especially because gaining digital access to renewable power plants means you can manage them and potentially manipulate the entire power production.
So, it is key to protect all access points, including restricting who has access, who has access to what, and who has the authority to give access.
However, with the rapid expansion of renewables and hybrid power plants, cybersecurity is still not the number one priority. Asset managers today deal with multiple renewable parks, often with diversified SCADA systems, and various stakeholders, each with their functionality.
Andreas Nitsch explains why this might cause problems:
“One of the biggest challenges is that owners might reduce or even remove existing security measures to make third-party access a little bit easier. The more digitalized and complex the renewable power plants get, the more people need access, meaning more doors might be opened.”
For this reason, software vendors must, at a minimum, ensure that their systems are tamperproof and set up requirements like two-factor authentication and password protection rules.
Asset owners can also accommodate this by implementing specific VPN architectures around their plants to restrict and supervise all access.
3 Monitor and modify from remote
Similar to guaranteeing regular software updates of all plant equipment, remote and reliable monitoring is just as important.
“Digitalization in renewable energy is two-sided. It can create more risks but at the same time, create fewer risks. It is all up to how you utilize and protect that connection to power plant devices.”
Andreas Nitsch points to that plant owners should take advantage of the internet connectivity and remotely monitor the data traffic in their portfolio to ensure that everything is running and on track. By monitoring, you can detect abnormal activities, traffic from unknown or suspicious sources, or even control commands sent in your systems, and in that way, react and act in time.
In product development, it’s important to remotely create a test environment where all modifications to the software systems can be tested and verified before being installed and configured at the substations on site. Likewise, you can integrate third-party API connections securely and reliably.
By deploying a test environment, you avoid opening the door to intruders during the test phase and stop them from leveraging the APIs to steal data and install malware.
3 steps to go from cyber risk to cyber resilience
To sum up, power plant owners, asset managers, and site managers can perform the following three steps to enhance the cyber security of their renewable software systems.
-
Acquire a future-proofed SCADA system
Ensure you have a SCADA solution that is updated with the latest security features, regularly maintained, and fits the existing plant OT and IT equipment. Access to 24/7 service support is key in security maintenance.
-
Manage access to your power plant
Whenever you virtually invite new stakeholders into your power plant, remember to restrict access and control different user groups according to their tasks. This can be configured remotely in a modern SCADA solution.
-
Utilize the remote connection to monitor your plants
SCADA systems are extremely useful for remote monitoring, analysis, and control. Make sure your system is up-to-date and running by surveilling all plant equipment in a control room SCADA solution that connects to your entire portfolio.