Green Protection: Two Perspectives on How to Effectively Plan and Implement a Security Strategy for Renewable Energy Sources
Whether it’s solar, geothermal, wind or hydro, utilities are implementing more renewable energy generation sources than ever before. But with their rapid march toward these green energy sources come some new and distinct security challenges.
To learn about what risks to consider and strategies to implement, I had a conversation with Idaho National Laboratory’s Emma Mary Stewart, an expert in renewable energy and security, and Courtney Samp from Avangrid, a security strategy expert who helped coordinate a strategy for the third-largest renewables operator in the nation.
Along the way, they shared why we need to better assess vulnerabilities, why building strong relationships matters, how to address the threats of cyberattacks and much more.
Utility Security Magazine:
As the industry continues to move rapidly toward reaching net-zero targets, there are massive investments in renewable energy. What security concerns do you see as this rapid expansion moves on?
Emma Mary Stewart:
Rapid expansion is both good and bad. Our supply chain, in particular for digital infrastructure, is really only now starting to see the investment in U.S. manufacturing come to fruition. Without the rapid expansion in renewable energy, we wouldn’t have a demand signal for that investment, so it’s been a chicken-and-egg problem. The burden of securing the infrastructure—or verifying its security—has been on asset owners, but the asset owner model is also shifting to third parties and nontraditional suppliers. We have a Venn diagram of risk here that must be addressed. It’s a global issue, not local. The world does need to shift toward a cleaner energy paradigm, but the localized aspects of cyber protection—which differ from the safety aspects—make the challenge a bit less clear.
Utility Security Magazine:
Courtney, Avangrid has been very active in implementing renewable energy generation. Can you talk about some of the biggest security challenges that have come with that initiative?
Courtney Samp:
As the third-largest U.S. renewables operator, Avangrid is leading the way for U.S. renewable energy generation, with wind—offshore and onshore—and solar farms in 25 states. The company is also building the first large-scale offshore wind farm in the U.S.
Anytime you’re the first to accomplish these ambitious goals, the national attention makes security even more vital. One security challenge with renewable energy is the convergence of physical and cybersecurity, and that includes third-party vendors.
From a physical security perspective, renewable energy faces similar challenges and threats as nonrenewable sources. However, there are also organizations specifically opposed to renewable energy–which, in part, is because of the increase of misinformation and disinformation disseminated on social media about renewable energy.
From the cyber side, renewable energy has more IT and OT equipment, especially when it comes to wind farms, which means more access points for threat actors. We assess offshore wind farms to be at higher risk given the additional connection points needed due to their remote nature. We’ve also seen an increase in cyber-threat actors exploiting global conflicts to advance cyberattacks on IT and OT equipment prior to conducting attacks against U.S.-based companies using the same equipment. The water facility cyberattacks late last year are a good example of this.
It’s also getting harder to disentangle physical and cyber as physical attacks could have numerous knock-on cyber implications and vice versa. The convergence of physical security and cybersecurity will not decrease over time but is expected to increase as the country becomes more reliant on renewable energy sources.
Utility Security Magazine:
Emma, what considerations must be factored in when building a cybersecurity plan to protect these new technologies?
Emma Mary Stewart:
There are many solutions to protect the devices we install, but because of their digital nature, we also need to consider some of the features common in their design. For example, the communications to install updates in these devices are both a blessing and a curse. Without those, devices would likely remain unpatched. With them, we have an increased attack surface. At the most basic level, the guideline of no hardcoded passwords, and improving the access controls, would make a huge difference. We also need to consider how to better assess the vulnerabilities in the existing and future supply chain base as only around 15 percent of the companies on the market have a product security team.
Utility Security Magazine:
Courtney, what best practices has your team at Avangrid discovered when planning security for renewable energy?
Courtney Samp:
Partnerships are key. Internally and at the local, state and federal level, partnerships are incredibly important. Security doesn’t work in a vacuum, so building not just partnerships but relationships remains vital to anticipating and mitigating risks.
Maintaining internal relationships is essential to effectively and immediately communicating and mitigating emerging risks. The physical-threat landscape is never static, and the cyber-threat landscape changes rapidly, so having that constant open communication with physical security and cybersecurity ensures we’re all moving in the same direction.
We also have strong external relationships at the local, state and federal levels. Avangrid operates in 25 states, and the threat landscape is in constant flux and changes state to state. So, having those strong relationships with the Federal Bureau of Investigation, the U.S. Coast Guard, the Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency—as well as state intelligence centers—means we have specific names and numbers to call to ensure we are anticipating the right risks at the right time and implementing the right mitigation strategies.
Having these relationships also means we are communicating back what’s important to us. Critical infrastructure has the same threats and adversaries. If we’re seeing it, someone else is too—but they might have the resources to know it—which puts us all at risk.
Utility Security Magazine:
To follow up on that, what sort of aspects in your renewable energy security planning process do you feel have been the most surprising?
Courtney Samp:
This process has shown me that the transition to renewable energy sources in the U.S. is happening at an interesting time. There’s a significant amount of money being directed toward advancements and improvements for the renewable energy transition, from how solar panels and wind turbines are manufactured to making parts last longer, disposing of old parts, and even how renewable energy is connected to the existing grid. This equates to more technology, which opens the door to more vulnerabilities, making cybersecurity more important than ever.
Additionally, the ways artificial intelligence is and will be used for renewable energy in the future are exciting and scary. For example, AI has the power to streamline business processes to ensure more accurate data and predictions for grid planning. However, I cannot emphasize enough the importance of having strong cybersecurity policies and training for any employee using AI. It’s also vital to have a full understanding of how all contracted third-party vendors are employing AI as that could affect your business too.
Utility Security Magazine:
One layer of complexity is that electric customers are buying their own renewable energy equipment and installing it in ways that connect to the grid. What security challenges come with that, and what strategies should security professionals be considering in relation to this?
Emma Mary Stewart:
Reliance on people to perform cybersecurity assessments of their home generation solutions is a challenge. In the end, the devices themselves need to be designed in a cyber-informed manner for this shift to be successful, or have a degree of automated and secure configuration by default. I don’t believe we are there yet, but it is a shift the country will need to make as we shouldn’t rely on average customers or employees to be the first line of defense against sophisticated actors.
Courtney Samp:
All distributed energy resources (DERs) have an impact on security strategy. As we continue to move forward in the renewable energy transition, I think the bigger focus is that DER policies pave the way for accessibility and connectivity to ensure continued sustainability.
Utility Security Magazine:
One concern I often hear about is that the renewable energy technology and equipment being installed in homes and utilities is, for the most part, sourced from adversarial nations. How does sourcing components from overseas impact your security approach?
Courtney Samp:
This question is one of my favorite topics. Creating and delivering more clean, reliable power is our mission, which makes third-party sourcing vital. The energy sector relies on third-party vendors the same as every other critical infrastructure sector, and this affects our security approach from business to cyber risks. Working in security, everything can seem doom and gloom all the time, but at the end of the day, we need to enable the business to make the best decisions possible to mitigate risks, which means providing timely, actionable business intelligence and risk mitigation recommendations to decision makers.
Ensuring infrastructure is safe from nation-state cyber threat actors, cyber criminals and hacktivists remains a top priority. We already know these threat actor groups are using ongoing global conflicts and kinetic regions to refine tactics, techniques and procedures to conduct attacks on third-party vendors in the United States.
Simultaneously, we know adversarial nations, such as China, are conducting cyber-espionage campaigns against U.S. critical infrastructure via third-party suppliers. China has also been implementing legal frameworks around national security designed to ensure their continued dominance of manufacturing, knowledge of cyber vulnerabilities and control of critical minerals required for the renewable energy transition. This is where those internal and external relationships become key as they help us anticipate risks and implement mitigation strategies to ensure we continue to meet our mission.
As the U.S. continues its transition to renewable energy, this topic is going to continue to dominate security spaces. The easy answer from security is always no, but where security and intelligence can lead and provide business value is by digging deeper to provide realistic alternatives that ensure business continuity while protecting the business and infrastructure long term.
Emma Mary Stewart:
Resilience and reliability are layered, and we have many security solutions that will assist us in operating through such a challenge. One key challenge, though, is how we address and detect vulnerabilities in design as there is no reporting of common vulnerabilities and exposures (CVEs) on any of the Chinese-manufactured power electronic components, and our structure for integration doesn’t allow for the analysis to take place. That needs to change. The manufacturing base will evolve, but that will take time.
Utility Security Magazine:
We have seen cyberattacks on renewable energy around the globe. Can you talk about the lessons learned from those events?
Emma Mary Stewart:
While there have been cyberattacks, most of these were primarily ransomware-style events. Of the events that had any impact on operations, loss of visibility was the only real effect, and much of that was caused by external events such as the wind sites in northern Europe experiencing a satellite communications loss during the initial Ukraine invasion.
That is a consequence, but it’s not loss of generation or load, and that’s good. There are lots of lessons learned that can be derived from other industries also, but having a response plan that accounts for millions of end points potentially needing a manual reset is something that I think the renewable energy sector and, in particular, aggregators will need to consider.
Courtney Samp:
I cannot overstate the importance of relationships, both public and private. Avangrid’s Corporate Security & Resilience Department encompasses physical security, cybersecurity, resilience, policy, insider risk, incident response, third party, travel security and intelligence. Basically, it’s a one-stop shop for risk management.
Possessing a strong and comprehensive security posture remains vital to Avangrid’s mission. Having these groups under one organizational roof, communicating daily, helps accomplish that mission. Avangrid’s intelligence program monitors domestic and international events to anticipate risks and provides recommendations and best practices to inform business decisions and offer mitigation recommendations.