The wider renewables industry is realising the criticality of cybersecurity in holistic asset resilience. Since many of the systems currently in use were built prioritising efficiency over security, cybersecurity now poses a serious challenge for renewables operators.
As such, incident response and threat-hunting capabilities are being developed to safeguard business readiness for potential security events, and companies without in-house capabilities are taking on managed security services to run their cybersecurity operations.
The question is: why the piqued interest in building cyber resilience in the renewables industry, and what can be done to ensure these efforts are successful?
Risky gaps in the ecosystem
Many renewables operators have significant technical, people, and process security gaps. Security gaps can be exploited across the entire renewables value chain by a variety of malicious actors, from nation states to hacktivists to disgruntled employees.
These threats are constantly evolving and have potentially severe consequences such as loss of production and revenue, damage to assets and infrastructure, leakage of sensitive commercial information and reputational damage, regulatory non-compliance and fines, and health, safety, and environmental (HSE) risk.
To alleviate these risks, renewables operators need to develop a clear understanding of their cybersecurity gaps, apply mitigation steps, and evolve their approach to cybersecurity along with the cyber threat landscape.
Devices and systems cannot be easily or fully secured without visibility into what is on the network and how each one communicates and operates. Renewables plants often include devices not designed for increased connectivity, so additional safeguards such as network segmentation should be considered.
There is significant threat exposure from three technical gaps: limited or no capability to monitor access to and from devices by authorised people and applications; a lack of automation to produce utilisation reports, lifetime patch status, recall and other important capabilities; and incomplete security controls to support inline, real-time prevention of cybersecurity threats without intrusive patching, downtime or service interruption.
With people, the problem lies in accountability as roles and responsibilities are often unclear. Governance is rarely well established in areas of identity access management (IAM), change management, and patch management, and does not often involve security.
There are often generational succession issues, coupled with staff that lack security expertise. Industrial device manufacturers’ product development processes often do not address or incorporate cybersecurity qualities or values.
Lastly, response plans do not address cyber events as the focus is on maintenance and repair operations (MRO), and security is not directly addressed.
Benefits of being a cyber secure operator
Research conducted by our Security shows that, on average, utilities companies are improving on cybersecurity basics.
The companies surveyed had an 11% reduction in direct attacks and a 27% reduction in security breaches over the past year. There has also been significant innovation investment, with 94% of respondents spending more than 20% of their cybersecurity budgets on advanced technologies.
Common areas of investment include governance and management, asset management and inventory, network segmentation, remote access, backup and restore, cloud security and security monitoring.
There are strong incentives to improve cybersecurity, both for operators early in their digital transformation journey and those further along. Our most recent Annual State of Cyber Resilience Report for Utilities identified an elite group of organisations outperforming in cybersecurity.
These leaders are 4X better than the rest of the industry at stopping attacks, finding and fixing breaches quickly, and reducing breach impact.
Three key differentiators set them above the competition and guide renewables operators on what they should do to develop greater cyber resilience:
- Invest for operational speed: Leaders prioritise speed of breach detection, recovery and response, and measure the success of their resiliency. They invest in advanced technologies such as a next-generation firewall, artificial intelligence (AI), and Security Orchestration, Automation and Response (SOAR). These technologies can help reduce the number of successful attacks and the impact and cost of breaches.
- Drive value from new investments: Leaders scale their security technology investments: they are better at training their personnel and they collaborate more with internal and external ecosystem stakeholders. Consequently, they are better at discovering and defending against attacks and aligning with regulatory requirements.
- Sustain what they have: Leaders focus more budget on sustaining their existing core capabilities while the rest of the pack place a greater emphasis on piloting and scaling new capabilities. Leaders perform better on fundamental data protection practices, with a greater emphasis on data-centric security.
Where to begin
Building up cyber resilience requires direct action from renewables operators and collaboration with their ecosystem stakeholders.
To effect change, two main approaches can be employed, but a simultaneous combination of both could yield the best results.
Firstly, security must be assessed and prioritised at every stage of the project lifecycle and in all initiatives or business solutions. From the construction and commissioning of new plants to the adoption of emerging technologies like AI, machine learning and advanced analytics, security should be embedded in all of the processes.
Secondly, improving cyber resilience requires a program with an evolving playbook of people, process and technology initiatives coupled with constant vigilance. The considerations and approach to setting up a cybersecurity program will vary depending on the project scenario.
Cybersecurity should be considered as vital as data quality processes in plant design or health, safety and environment (HSE) and fault monitoring and analysis in operations. Operators will need to be proactive in creating their tailored cybersecurity roadmaps. The resiliency of renewables is more important than ever, and cybersecurity is at the core.