Big Picture:

Energy systems across the country are becoming increasingly digitized. As the U.S. switches to renewable energy, solar energy in particular, this infrastructure has become a target for our cyber adversaries. Whether these adversaries are opportunistic hackers or nation-states, enhanced cyber-resilience is required in the solar energy space.

Operative Definitions:

1. Operational Technology: The control and operation of physical devices, such as an industrial control system.
2. Information Technology: The processing, storage and communication of data.
3. Ransomware: Malicious software that blocks a user’s access to an electronic system until a ransom is paid.
4. Distributed Energy Resources: Smaller-scale electricity sources that are linked to the electric grid. 
5. Inverters: Devices that convert direct current into alternating current which is used in the home. These are increasingly becoming connected to the internet. 
6. Supervisory Control and Data Acquisition (SCADA): A system comprising both software and hardware that permits industrial organizations to regulate and control industrial processes; garner, monitor and interpret real time data; directly correspond with their devices and infrastructure (e.g. sensors); and document events. 

Important Facts and Statistics:

1. The average annual growth rate of solar energy from 2010-2020 is 33 percent.
2. Fifty-four percent of critical infrastructure suppliers (out of 500 surveyed) reported previous cyber attacks attempting to take control of a system. 
3. The total cost to the U.S. of cybercrime in 2021 was $6 trillion.

Four-Point Plan:

(1) Design new renewable assets with cybersecurity in mind. Currently, energy industrial networks are managed by cheap supervisory control and data acquisition systems (SCADA). These SCADA systems were not analyzed for cybersecurity and are extremely vulnerable as a result. In some cases, they can be so old that they are unable to receive security updates. SCADA systems are particularly vulnerable to attacks that take control of devices via remote access, especially since appropriate authentication and authorization measures haven’t been followed. Modern renewable infrastructure needs to phase these systems out because cybersecurity is a major concern moving forward.

(2) Perform frequent threat intelligence and develop industry-wide incident response plans. With the poor security functions of current renewable energy systems, utility providers will nearly always be on the defensive. However, staying ahead of the threat landscape will allow energy providers to anticipate certain attacks and deploy appropriate measures to mitigate those effects. Moreover, developing incident response plans based on the type and severity of the incident is critical so that there is an industry-wide consensus on how to approach issues. Since vulnerabilities are more and more interconnected, it is vital that information sharing become the norm.

(3) Document all electronic systems currently on the network and include information about how they operate, who they communicate with and how they can be accessed. Building robust security apparatus will take years, and in the meantime the demand for renewable energy will not decrease. Since cybersecurity is a relatively new concern, many energy providers don’t even know what systems are on their network and who has access to them. Maintaining a database of all such information and continually authenticating users who request access to a particular device is the bare minimum needed to prevent a cyber attack.

(4) Implement cybersecurity training programs for all staff members. Regardless of the sophistication of technology used, the weakest link in a security system is always human beings. Energy providers and government officials should collaborate to develop training materials for employees on how to improve their cyber safety practices. This includes seemingly obvious behaviors such as logging out of systems once work has been completed, refusing to grant access to others without appropriate credentials and refraining from clicking links in phishing emails. Employees should be aware of their particular roles in regards to security so that there are no operational gaps. 

Why This Initiative Is Important:

Societies rise and fall with their technology. Solar energy is becoming prominent in the United States, but its cybersecurity is falling behind. We have to protect our country from malicious actors who'd jump at the chance to cause energy disaster. 

Acknowledgements:

The following student(s) worked on this nonpartisan proposal: Vedant Vamshidhar, University of Southern California.

Sources:

IEA. “Renewable Electricity Generation Increase by Technology, 2019-2020 and 2020-2021 – Charts – Data & Statistics.” IEA, 19 Apr. 2021, https://www.iea.org/data-and-statistics/charts/renewable-electricity-generation-increase-by-technology-2019-2020-and-2020-2021. 

“Cyber Attacks on Critical Infrastructure.” AGCS Global, June 2016, https://www.agcs.allianz.com/news-and-insights/expert-risk-articles/cyber-attacks-on-critical-infrastructure.html. 

Bailey, Tucker, et al. “The Energy-Sector Threat: How to Address Cybersecurity Vulnerabilities.” McKinsey & Company, McKinsey & Company, 5 Nov. 2020, https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/the-energy-sector-threat-how-to-address-cybersecurity-vulnerabilities. 

“Building Greater Cyber Resilience in Renewables | Accenture.” Accenture, 2020, https://www.accenture.com/_acnmedia/PDF-125/Accenture-Cybersecurity-Renewables-Services.pdf. 

Palmer, Danny. “The Race towards Renewable Energy Is Creating New Cybersecurity Risks.” ZDNet, 14 Jan. 2022, https://www.zdnet.com/article/the-race-towards-renewable-energy-is-creating-new-cybersecurity-risks/. 

“What is SCADA? Supervisory Control and Data Acquisition.” Inductive Automation, 12 September 2018, https://inductiveautomation.com/resources/article/what-is-scada.