With the world shifting rapidly towards an ever-increasing connectivity, cyberattacks are gaining pace in both frequency and severity. Escalating threats due to highly evolved malicious software, and inflicted financial losses and damaged assets are particularly noteworthy in the energy industry.
The significance of the cyberthreat not only lies in its calamity but also in its unpredictability. As the countries around the world strive to install a greater volume of renewable energy in their energy mix in tandem with increasing dependence on renewable energy, cybersecurity has become of paramount importance.
Renewable energy technologies are more vulnerable to cyberattacks that could easily be exploited unless necessary measures are taken. Security threats for renewable energy can basically be divided into two: physical and cybersecurity.
A well-planned cyberattack with the aim of creating a large-scale grid blackout could damage the project’s physical assets through maloperation and disruption of project financing.
The 2012 cyberattack on Saudi Aramco and another one on the Ukrainian power system in 2015 provide pertinent examples of how cyberattacks could become catastrophic.
In 2012, Saudi Aramco’s IT infrastructure suffered a highly malicious attack through an infected web link, which resulted in the destruction of over 30,000 computers and the termination of company e-mails and phone system.
Following the devastating attack, the company was forced to use typewriters and fax machines having disconnected all electronic devices from the Internet. Although several groups have claimed responsibility for the attack, no one has been arrested so far.
Another example, where over a quarter million of people were left without power for over six hours with the shutdown of six power stations, shows how unpredictable and catastrophic cyberattacks could be.
The Ukrainian power grids were taken offline both in 2015 and 2016. The Black Energy group, who are related to Russian secret security forces, were widely suspected of behing behind this calamity. While cloned control software was used in the 2015 attack, the attackers changed their tactics in the following year, and took charge of the electrical control room, forcing a shutdown of all the computers inside.
The malware used to attack Ukraine’s power grid system has also been found in other cyberattacks targeting Poland and the U.S. All renewable energy generation connected to the national grid could therefore come under attack using the same tactics.
To better measure the true impact of a cyberattack, the U.S.-based University of Tulsa carried out a mock cyberattack on an onshore wind farm in 2017. The attack was carried out with permission from the company, whose staff members were involved in the process. The result has shown the extent and devastating impact of a well-planned cyberattack.
The researchers taking part in the mock attack managed to gain access to the control system, and they repeatedly started and stopped the system for over a period of time. This incident proved that a real attack could easily degrade the gearbox, clutch and brake system, resulting in the total loss of a wind turbine.
Furthermore, the researchers were also able to successfully install a software that would transmit false signals to the system.
All of the three incidences mentioned above reveal the true magnitude of a cyberattack and its social and financial implications.
In order to maintain a secure environment for greater functionality of renewable energy, IT managers and cybersecurity analysts across the globe have started to see the need for an advanced level of Internet connectivity, continuous improvement of hardware and software applications, and appropriate personnel training.
Only by increasing awareness against such attacks, and adequately trained personnel could it possible to prevent or at least minimize risks associated with cyberattacks.
Due to the unprecedented growth of cyberattacks around the globe, the most vital mitigation measure that any company can implement would be a regular update of its IT infrastructure. Current security measures could easily become useless since the most current technologies could easily be superseded and become inadequate and obsolete over time with the introduction of newly introduced capacities and features.
Over 2,000GW of electrical energy capacity was installed across the globe in 2016, according to the Renewable Energy Statistics 2017 published by the International Renewable Energy Agency. This data signifies the potential renewable growth level in the years and decades to come.
Given the vulnerability of renewable energy infrastructure and software applications to devastating cyberattacks, the critical infrastructure and computer systems have to be protected from any malicious cyberintrusion to ensure the continuity of the operation.
In conclusion, significant challenges await policymakers and IT managers in terms of protecting energy infrastructures in case of a cyberattack, which could result in financial loss, degradation of assets and national security risks. Only through a comprehensive assessment of their cybersecurity posture, can the major cyberattack risks be mitigated.