Introduction
The world is going through a radical shift in respect of power generation. Over a third of global electricity supply now comes from renewables[1], and McKinsey forecasts that renewable energy sources (RES) are expected to account for 45 to 50 percent of the global power supply by 2030.[2]
This will also lead to a transition to a smarter, distributed grid; in contrast to a traditional energy grid which involves a one-way flow of power from centralized sources. The grid of the future will allow energy supply and demand to be managed faster, more efficiently, and with more resilience.
The smart grid will, however, require an advanced level of distributed control to be deployed to manage and optimize the highly distributed intermittent loads introduced. RES may also utilize the public internet for communications, and often involve smart inverters as the interconnection between distributed renewable sources and the power system.[3]
The upshot of this is that we will be increasingly relying on IT/OT systems in the energy sector in a way which has not been done before, and this exposes potential for cybersecurity threats. The purpose of this excerpt is to briefly shed some light on why cybersecurity is essential in the energy transition and propose some proactive measures for actors to take. This will be done through reflections on standards implemented by SMA Solar, a leading renewables manufacturer.
Increasingly Important Consideration
As mentioned above, smart inverters (SI) and digital communication networks are being leveraged by households, businesses, and power utilities worldwide in a growing fashion. With digital technologies inextricably intertwined with critical infrastructure, electricity grids are targets. The energy sector’s importance makes it an inviting target for states or private actors seeking to disrupt society for political, military, or economic advantages.
Examples of this risk can be seen in recent events. Towards the end of 2023, hackers compromised 22 energy organizations in a coordinated attack against Denmark’s critical infrastructure. As part of the attacks, hackers exploited firewall vulnerabilities to gain control over the impacted systems.[4]
A similar attack started in December 2015 in Ukraine which experienced the first-ever known blackout caused by malicious code (malware) designed to autonomously attack the power grid. Further attacks took place after Russia’s invasion of Ukraine in 2022.[5]Attacks like these are ramping up. Reports indicate that 39% of cyberattacks on critical infrastructure are targeted at the energy sector.[6]
The threat to private persons outside of public utilities is also severe. The average cost of a data breach for a South African organisation sits at a hefty R49.45 million (€2.49m) according to an IBM Security publication.[7] Even residential rooftop solar operators are stewards of a tremendous amount of private customer data. As cyber threats evolve and become more sophisticated, private & public sector agents in the energy sector should prioritise making proactive efforts to implement resilient cybersecurity infrastructure & practices.
Strengthening Cybersecurity in your Organisation
Stakeholders in the renewable energy space can consider a variety of measures when seeking to reduce their exposure to cyber threats. This includes technological, organizational and supply chain measures. All of them benefit from an overarching risk management evaluation by locating potential threats, evaluating their impacts, and putting controls in place to reduce risk.[8]
Technological
- Upgrading Legacy Systems
- Renewables companies need to progress from legacy systems to modern, tiered-security systems. This involves implementing firewalls, intrusion detection systems, encryption, access controls, and routine security audits.
- Continuous Monitoring:
- Prompt detection and response to security incidents depend on continual monitoring of user actions, system logs, and network traffic.
- Good security practices for RES [9]
Organisational
From an organisation perspective, executives can look to prioritise the below. It is worth thinking about where artificial intelligence can be applied in each use case as this will play an important role in security in the coming years.
- User Education & Awareness:
- Humans are the target in most breaches. Best practices include implementing privilege control in your organization, improving password management, and avoiding phishing efforts.
- Incident Response and Recovery:
- It is important to quickly contain, investigate, and lessen the effects of breaches. In the event of a successful assault, putting strong data backup and recovery protocols in place can help mitigate downtime and data loss.[10]
Supply Chain
In terms of supply chain risks, operators in the renewables space generally rely on a host of third-party suppliers. Implementing supply chain risk management practices such as vetting vendors, conducting security assessments, diversifying suppliers, and implementing contractual security requirements can help mitigate supply chain risks.[11]
When selecting equipment providers, it is worth taking the time to evaluate the track-record and cybersecurity practices of the manufacturer. Look into the standards the supplier is implementing and whether they prioritize cybersecurity and have leaders in charge of driving cybersecurity standards.
In respect of utility scale grid-tied energy projects, the consideration may need to go even further. As is evidenced above, cyber attacks executed in national interests are a growing consideration. Certain jurisdictions mandate local entities to make certain information available if needed, and in some cases actively support national interests dictated by government. [12] This blending of state and private sector interests has implications on the confidentiality of information, but also about integrity and availability of the data and systems of critical infrastructure from where these products are supplied.
Whilst this can be taken with a grain of salt, grid planners and operators, IPPs, and other relevant actors should nonetheless take this point into account when considering their operational exposure to cyber threats.
SMA Solar as a Leader in Cybersecurity
SMA Solar, a leading global specialist in photovoltaic and storage system technology, has long been recognized for its commitment to cybersecurity. With a strong emphasis on product reliability, safety, and data protection. The German company has developed advanced cybersecurity features to safeguard its inverters against potential threats.
One of the key strengths of SMA Solar’s cybersecurity strategy lies in its comprehensive approach to risk management. The company conducts thorough risk assessments to identify potential vulnerabilities in its products and employs encryption techniques and secure communication protocols to protect against unauthorized access and data manipulation. The company not only complies with internationally recognized standards, but also shapes them.
Conclusion
In conclusion, the energy transition instils a bright vision of a cleaner and smarter power grid. As the energy sector continues to digitize, the importance of cybersecurity cannot be overstated. By understanding potential threats and implementing effective countermeasures, participants in the energy industry can protect their critical infrastructure and ensure reliable energy supply for all.
Please check SMA’s cybersecurity approach and contact information here: Cybersecurity | SMA Solar
Authors: Marek Seeger- Information Security Manager, Claudius Link- Cybersecurity Specialist and Jason Bruce-Brand, Key Account Manager- Project Sales Southern & East Africa for SMA.
References
[1] ember-climate.org/app/uploads/2024/05/Report-Global-Electricity-Review-2024.pdf
[2] Global Energy Perspective 2023 | McKinsey
[3] Taha Selim Ustun; “Cybersecurity Vulnerabilities of Smart Inverters and Their Impacts on Power System Operation”
[4] 22 Energy Firms Hacked in Largest Coordinated Attack on Denmark’s Critical Infrastructure – SecurityWeek
[5] Brin Humphreys; Attacks on Ukraine’s Electric Grid: Insights for U.S. Infrastructure Security and Resilience
[6] Energy sector faces 39% of critical infrastructure attacks | Security Magazine
[7] Cost of data breaches for companies in South Africa – BusinessTech
[8] a Ogunleye; “Improving resilience and efficiency in the energy sector: A perspective on cybersecurity and renewable energy storage”.
[9] SMA Guidelines for a Secure PV System Communication
[10] Yaacob, Idrus, Idris; “Managing Cybersecurity Risks in Emerging Technologies”
[11] Boyens, Smith; “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”.
[12] Falk, Brown; “Power Out? Solar Inverter and the Silent Cyber Threat”.
