Solar power shines light on security for the renewable energy industry

Solar power plants have massive numbers of vulnerable internet-connected devices. Its recent focus on cybersecurity is awakening the rest of the renewable energy industry to the threat.

A hand holds a lightbulb swathed in leaves and surrounded by symbols of renewable energy.
ipopba / Getty Images

Cyberattacks on energy companies are becoming more common. State-sponsored groups such as Hexane or DragonFly target them routinely to sabotage operations and steal intellectual property (IP) while criminal groups try to extort money with the ransomware attacks like the one that hit Portugal’s Energias de Portugal (EDP) recently.

Renewables such as solar are a small part of the energy industry but has its own large and largely unaddressed cybersecurity issues. “In the past, I don’t think the developers that built the solar plants didn't really have security on their radar,” says Rafael Narezzi, CIO/CISO at renewable asset management firm WiseEnergy, which manages solar assets totaling around to 1.2 gigawatts with plans to reach 4 gigawatts in two years. “Their focus was on developing and building the assets, rather than the risks that need to be managed for operating assets. They didn’t look sufficiently on the security cyber-hygiene of the aspects [of connecting assets to the internet].”

Narezzi says that some of the first cybersecurity pen test results he saw exposed a broad set of issues, including “CCTV that had been hijacked with cryptojacking malware, passwords left in the communications room, weak passwords on the routers, and routers already compromised and used as proxies -- even malware that was getting distributed by one of the assets.”

The distributed nature of the assets along with the lack of vertically integrated manufacturers are some of the reasons behind the cybersecurity challenges within the renewables space, says Christopher Blauvelt, director of operational technology, eastern region, at Fortinet. “Usually, you’ll have one supplier for the panels, another supplier to the support structures, another supplier for the solar tracking, and another supplier for the inverters,” he says. “All these third parties don’t always share the same knowledge or understanding of cybersecurity best practices.”

“To combat any risks associated with a lack of vertically integrated manufacturers, you need to look at the control protocols,” adds Blauvelt. “These are often chosen based on what is the least expensive to implement and integrate, which leads to the adoption of older control protocols with little to no security.”

To continue reading this article register now

Subscribe today! Get the best in cybersecurity, delivered to your inbox.