It has recently been reported that a renewable energy provider in Utah was hit by a cyber attack. This is the first instance of a power grid operator in the US losing connection with its power generation installations as a result of a cyber attack. The root of the problem was traced to an unpatched firewall: the attacker used a vulnerability in a Cisco firewall to crash the device and break the connection between sPower’s wind and solar power generation installations and the company’s main command centre. sPower said it mitigated the intrusion by patching outdated devices.
A Utah renewable energy developer was hit by a first-of-its-kind cyberattack that briefly cut contact to a dozen wind and solar farms this spring https://t.co/6FphwGM679
— Citizens For Responsible Solar (@ForGoodSolar) November 2, 2019
Following the developments of this story, below are several comments from industry experts about the situation at hand.
With attackers breaching and disrupting left and right, to say that another “wake up call” has come is stating the obvious. Let’s get specific. The cyber-attack on sPower, the Utah-based solar and wind power utility, is specifically a lesson in anti-fragility and resilience. There’s very little public information here, so attribution isn’t really possible and the motivation of the attacker is unclear. However, it’s clear that a single piece of equipment was the single point of failure between the command center and the power generation machinery and mechanisms. If this had been step one in a more serious attack: followed up with sabotage, coordinated with other organisations being attacked or a number of other activities, the damage and impact could have been much worse. This isn’t a message for just sPower: everyone in the massively interconnected SmartGrid has to pursue being healthy in three key places:
1. Prevent “left of boom” and hunt opponents long before the “boom” of a breach.
2. Ensure that single points of failure are reduced and removed; redundancy is a virtue in business continuity and disaster recovery.
3. Work “right of boom” since with an active human opponent someone will always get through at some point to maintain availability and command and control. If you can weather the storm and preserve ownership of an environment, the public will be much, much safer. This is as true in SmartGrid as in any other part of critical infrastructure.
As the world moves towards a clean energy future, renewable energy infrastructures will likely become an increasingly attractive target for hackers or nation-state actors. The attack against sPower is likely not going to be a unique incident and demonstrates the growing threat to the renewable energy sector.
Cybersecurity is just as important for a wind farm or hydroelectric plant as it is for an oil refinery or gas pipeline. Therefore, energy companies within this sector need to recognise the reality of these vulnerabilities and begin investing in adequate cyber defences. This includes implementing physical security measures, software and hardware security, remote management and employee cybersecurity training.
Well, smartgrid and IoT and so on are rather similar in their basic setup and proper maintenance. They belong more on M2M networks than on the open internet, and they clearly need proper maintenance and automated patch distributions. There are excellent guidelines such as the GSMA IoT guidelines covering everything from protection of communication to good design of update mechanisms. In essence this is where they pay the price of the chosen design for their setup. It has advantages and drawbacks.