16 September 2022
Digitalisation and Sustainability: Convergence or Divergence?
Cyber security has become one of the top preoccupations for energy and power – the cyber attack on the US Colonial pipeline in particular raised both sectors’ awareness of the potential of cyber threats and the financial impact of an attack. In 2020, more than 94% of respondents in an Accenture survey of the renewables sector said they spent more than 20% of cyber security budgets on advanced technologies, and this figure is only set to rise. But how is cyber risk evolving in the renewables space? And how can firms ensure their risk strategy keeps pace?
The increasing necessity of cyber security in renewables is partly the consequence of a broader trend of convergence, and at times divergence, between sustainability and digitalisation. It is also partly the result of an increasing trend towards a malign weaponisation of the digital networks which operationalise renewables production and therefore critical infrastructure, which makes the risks to renewable asset operation, and the need for specialist cyber risk management, more significant.
Convergence
Convergence is particularly evident in the EU’s combined approach of sustainability and digitalisation as the pillars of its post-COVID-19 Next Generation EU Recovery Strategy to build back better, implying its intention to become greener, more digital (and more inclusive). To access its Recovery and Resilience Facility, EU members must allocate at least 37% of funding to climate investments in sustainable projects, and at least 20% to digital ones. Furthermore, there is a direct overlap between the two areas, as the achievement of climate goals requires innovative solutions which are increasingly digital and which also need to be future-proof technologies. New digital technologies improve sustainable innovation, and allow companies to use digital tools to map their environmental footprint or assess the impact of environmental shifts on their business. However, they also create vulnerabilities such as exposure to cyber crime and loss of privacy, which some view as grounds for a divergence between sustainability and digitalisation.
Divergence
Cyber security concerns are particularly pronounced in the renewables sector for multiple reasons. Renewables are heavily dependent on original equipment manufacturers (OEMs) and third-party operators, all of which have access to renewable assets and networks, increasing the likelihood of a leak through an indirect attack on weak links in the supply chain. The power system is also transforming to accommodate more variable generation, with plants that are fleets of intelligent, connected, rotating and static equipment, while operators are incorporating automation, robotics and hyperconnectivity in the construction and operation of wind and solar farms. Both aspects of this power system transformation raise the risk of cyber attacks.
The fact that renewables assets are geographically dispersed and are mostly left unmanned aggravates the threat and results in gaps in technical, people and process security. Damage to assets and infrastructure can ensue, as can data leaks and even health and safety issues.
More specifically, energy companies (including renewables firms) have traditionally classified cyber threats as risks affecting information technology (IT) or operational technology (OT). Now the two have converged through the Internet of Things (IoT) and digitalisation, meaning that they are considered as one risk, and therefore managed in a much more holistic fashion, and by accountable stakeholders across multiple business functions. Furthermore, the attack surface available to malicious actors is growing, as there is a talent shortage of OT security experts and significant disparity in maturity levels of IT security and OT security.
As renewables are becoming increasingly critical infrastructure, they are also affected by a variety of regulations, which on the whole merely require cyber threat detection and demonstration of remediation capabilities. Yet companies need to add a layer of cyber security measures specific to their business model.
Accenture highlights the need for three measures to improve cyber security in renewables:
- Bridge the maturity gap between IT and OT security, as IT security extends from the cloud to connected IT devices and is more mature than OT security. OT security must be tackled first and then extended to maintenance and operations. Key steps in implementation should include security patching of operating systems, disabling removable media drives (USB sticks and the like), disabling unauthenticated access, and installation of a company-wide antivirus system.
- Bridge the security gap between renewables operators, their supply chains and their interfaces with third-party providers.
- Reconcile the objective of creating value through the production of renewables with that of improving the provision of security.
As noted elsewhere, there is a rationale for improved cyber security systems both for a renewables company at the beginning of its digital journey and for a more established firm with pre-existing systems in place. Companies running out-of-date and vulnerable IT systems, which is often the case in the water, electricity, nuclear and transport sectors, are particularly at risk.
What does it take to be a cyber security leader in renewables?
- The outperformers tend to prioritise speed of breach detection, recovery and response and measure resilience
- They have more efficient communication channels with internal and external actors to scale cyber security more effectively
- They focus more on data-centric security and their own core capabilities
- They also have a clear protocol for disclosing the nature and scope of a breach to customers and stakeholders
- They have ensured that the rest of the team, which is not the direct attack source, has received proper security training
- They therefore make their staff their top barrier to attackers, and they demonstrate that cyber security is a core business objective as opposed to a one-off, intangible and unlikely risk, touched upon merely in a workshop at the point of onboarding.
However, the menu of cyber security options available to different companies varies. One issue to consider is the size of the company. In general, while small and medium enterprises have been seen as hotbeds of innovation from a Silicon Valley perspective, they often lack the economies of scale and budgets to create effective systems for digitalisation and even more so for cyber security. Effectively, that makes these businesses the low-hanging fruit for cyber criminals.
Many also lack cyber security knowledge, and they can suffer from a dearth of technical continuity, often using mobiles in their technological systems, which are more vulnerable. Most of all, they tend to be unprepared for cyber attacks. Their challenges are very different from those of the four clean energy supermajors, Enel, Iberdrola, NextEra Energy and Orsted, which prioritised the building or buying of clean-power plants when those assets were still alternative and expensive and are now leading the race to electrify the global economy. While these companies have the budgets for expensive cyber security systems, which are critical for them given the major assets at risk, they are also more likely to be a prized target of more sophisticated cyber attackers because of their greater scale and media visibility.
Above all, cyber security systems must be constantly revised, in line with changing threats. While systems should already differ based on whether a new plant is being constructed, an existing plant is being updated, or a renewables company is undergoing M&A, all systems must always be dynamic and specific to the firm. Hence a cyber security governance and risk management framework unique to each company is central to a well-functioning system. That is arguably the strongest guarantee that a security breach will not occur, as specificity and a lack of predictability make it much harder for a cyber threat to be effective.
The 'Big' Risk
The criticality of effective cyber risk management in ensuring a renewables asset can operate safely, efficiently, and profitably remains the predominant concern of investors and operators at this point in time. However, the longer-term outcome of greater digitalisation converging with renewables assets and becoming increasingly important to national infrastructure is worth considering.
The 2020s will likely see technologically advanced infrastructure that collects data through the IoT providing the foundations for smart cities and connected buildings. Alongside the expected and bountiful benefits of gained efficiency, sustainability, and improvements to quality of life, these developments could also offer an opportunity for malicious actors to conduct bigger, more impactful cyber attacks.
Cyber attacks have already evolved from immediate process disruption to shutting down a plant, and compromising the integrity of industrial production with an intent to create physical harm, as in the Colonial Pipeline event. Renewables firms have not been immune to this threat. Back in 2019 the attack on sPower – one of the largest private owners of operating solar assets in the US – was seen as one of the earliest known cyber hacks on a renewables firm. Since then, there have been numerous examples of global renewables firms’ infrastructure and data being compromised, but the sPower attack is noteworthy; though there was no loss of generation, the attack did temporarily prevent the company from controlling 500MW of wind and PV assets across California, Utah and Wyoming. If the attack had been sustained, this could have had a significant impact.
Looking ahead, management consultancy Gartner has warned that by 2025, cyber attackers could reach a point where they could even have the capabilities to weaponise OT environments to inflict human casualties.
In this context, an evolving risk approach is required to address more systemic cyber risks. We would argue in favour of diverse security controls for private companies, systemically important state-owned companies and governmental institutions, which should include the following:
- Specific roles and responsibilities with respect to cyber threats, with an OT security manager for each facility
- Rigorous training
- A clear incident response protocol
- Rigorous backup and data restoration systems
- Portable media screening, with USB sticks and other portable devices and computers being scanned, even when they belong to internal employees
- Frequent asset inventory of all OT equipment and software
- Network segmentation to limit the scope of an attack
- Log collection and detection to identify anomalies
- A secure configuration for all applicable systems like endpoints, servers, network devices and field devices.
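Several of the controls listed above (asset inventory, network segmentation, portable media screening, and log collection with anomaly detection) can be checked mechanically once an OT gateway's logs are collected centrally. The following is an added example, not code from the original article or from Gallagher or Accenture: a small detector that runs those checks over a handful of constructed syslog-style lines. The log format, host names, subnets, maintenance window and asset inventory are all assumptions made for the example.

```python
"""
Added example (not from the original article): run segmentation, inventory,
portable-media and change-control checks over constructed OT gateway log lines.
Every name, address and format below is an assumption made for this example.
"""
import ipaddress
import re
from datetime import datetime, time

# Assumed asset inventory of OT equipment (hypothetical names and addresses).
ASSET_INVENTORY = {
    "10.20.1.10": "wind-turbine-plc-01",
    "10.20.1.11": "wind-turbine-plc-02",
    "10.20.1.20": "pv-inverter-ctl-01",
}

# Assumed segmentation policy: only the engineering workstation subnet may
# open sessions to the field-device subnet.
FIELD_SUBNET = ipaddress.ip_network("10.20.1.0/24")
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]

# Assumed maintenance window (22:00 to 04:00) in which configuration changes
# on field devices are expected; changes outside it are flagged.
MAINT_START, MAINT_END = time(22, 0), time(4, 0)

# Assumed line format: "<iso-timestamp> <host> <EVENT> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) (?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "event": m["event"], **fields}


def in_maintenance_window(ts):
    """True if the timestamp falls inside the (midnight-crossing) window."""
    t = ts.time()
    return t >= MAINT_START or t <= MAINT_END


def check(rec):
    """Apply the control checks to one parsed record; return a list of findings."""
    findings = []
    if rec["event"] == "SESSION_OPEN":
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        # Network segmentation: field devices reachable only from the allowed subnet.
        if dst in FIELD_SUBNET and not any(src in net for net in ALLOWED_SOURCES):
            findings.append(f"segmentation: {src} -> {dst} from outside the engineering subnet")
        # Asset inventory: a session to an address nobody has inventoried.
        if dst in FIELD_SUBNET and str(dst) not in ASSET_INVENTORY:
            findings.append(f"inventory: {dst} is not in the OT asset inventory")
    elif rec["event"] == "USB_MOUNT":
        # Portable media screening: every mount is a finding for review.
        findings.append(f"portable media: {rec.get('device')} mounted on {rec['host']} by {rec.get('user')}")
    elif rec["event"] == "CONFIG_CHANGE" and not in_maintenance_window(rec["ts"]):
        # Change control: configuration changes outside the maintenance window.
        findings.append(f"change control: config change on {rec['host']} outside the maintenance window")
    return findings


def detect(lines):
    """Return (timestamp, finding) pairs for every anomaly in the given lines."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # unparseable lines are skipped, not treated as findings
            continue
        for finding in check(rec):
            out.append((rec["ts"].isoformat(), finding))
    return out


# Constructed sample log lines for the example (not real data).
SAMPLE_LOG = [
    "2022-09-16T10:15:02 ot-gw-01 SESSION_OPEN src=10.10.5.23 dst=10.20.1.10 proto=modbus",
    "2022-09-16T10:17:44 ot-gw-01 SESSION_OPEN src=192.168.50.7 dst=10.20.1.11 proto=modbus",
    "2022-09-16T10:20:09 ot-gw-01 SESSION_OPEN src=10.10.5.23 dst=10.20.1.99 proto=modbus",
    "2022-09-16T11:02:30 hmi-02 USB_MOUNT device=sda1 user=contractor",
    "2022-09-16T14:30:00 wind-turbine-plc-01 CONFIG_CHANGE user=eng01 item=setpoint",
    "2022-09-16T23:10:00 wind-turbine-plc-01 CONFIG_CHANGE user=eng01 item=firmware",
    "garbage",
]

if __name__ == "__main__":
    for ts, finding in detect(SAMPLE_LOG):
        print(ts, finding)
```

Run as a script, it reports four findings from the sample: one segmentation violation, one session to an un-inventoried address, one USB mount on an HMI, and one configuration change outside the maintenance window; the first session and the firmware change at 23:10 pass. In practice the inventory and segmentation policy would be loaded from the asset register and firewall configuration rather than hard-coded, and findings would be routed to the incident response protocol described above.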
Finally, it is worth noting that power and energy assets at various sites around the world were already being targeted by cyber attackers even before the events of 2022 made energy supply a major political issue and a weapon of war.
In fact, beyond energy, over the last five years, cyber operations have become a more central part of regional conflict and great power competition. State-backed hackers have mapped critical infrastructure, disrupted democratic systems with disinformation campaigns, held information hostage, and stolen personal data, proprietary information, and state secrets. The international rules governing these actions have failed to keep pace, and the risks to international stability are further heightened with the rapid emergence of technologies that could change the strategic landscape, such as artificial intelligence and quantum information sciences. More than ever, it is time to take cyber security seriously, both at the corporate and systemic levels.
Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.