Cyber threat actors see an opportunity as African energy companies embrace renewable energy and digital microgrids, writes Bernard Montel at Tenable.
Green energy is a key piece of the puzzle for the future of our planet, and while there is an uphill battle to build sufficient renewable energy capacity across the globe, there is another critical issue decision makers should not lose sight of — cybersecurity. The sad reality is threat actors see the renewable energy sector through the same dollar-sign lenses that they see every other industry through.
Last year, ahead of CS Hub’s Government and Critical Infrastructure Digital Summit, Anuj Sanghvi, Technical Lead at the National Renewable Energy Laboratory, said renewable energy penetration is on the rise and warned that this adoption makes these systems a lucrative target for cyber-attacks, owing to their interconnectedness with the power grid and the potentially catastrophic consequences of a successful attack.
A Google search will reveal that renewable energy players have already fallen prey to cyber-attacks in recent times. Three German wind-energy firms (Deutsche Windtechnik AG, Nordex SE and Enercon GmbH) saw their operations disrupted by cyber-attacks, and in late 2021 wind turbine manufacturer Vestas was targeted by cybercriminals and saw its IT systems and data compromised.
These are just a few examples of cyber-attacks against the renewable energy sector. Threat actors will continue their assault as attack paths and surfaces evolve in sync with the adoption of modern technology and systems. All this points to one thing: the renewable energy sector must up its cybersecurity game.
Interconnected and vulnerable
A variety of drivers have pushed organisations to adopt technology that allows new ways of working, which means the underlying infrastructure is now far different from that of years past.
As an example, enabling remote working and modernising operational systems, including engineering and manufacturing applications, has seen organisations embrace the cloud. A knock-on effect of this is that physical devices and systems of all types are now connected to a network and are programmable. At the same time, new compute platforms and development shifts, including cloud, DevOps, mobile and SaaS, have made it possible to move from concept to capability with ease.
For this to work properly, two systems that traditionally operated in silos have converged: one side comprises IT systems such as servers, routers, notebooks, while the other includes operational technology systems such as human machine interfaces and programmable logic controllers.
And whereas in the past OT systems and environments had restricted or no connectivity and may even have been air-gapped, the deployment of smart technology has made internet-connected assets mandatory across both IT and OT systems, thus dissolving the once clearly defined network perimeter.
Network challenges
In the past, traditional network security focused on fortifying a network’s perimeter, and OT security was rarely given much thought, as those systems were typically seen as protected by an air gap. Both concepts have been rendered invalid since organisations have adopted hybrid infrastructure comprising on-premises systems, private and public cloud, and connected devices.
This significantly increases organisational risk as it effectively expands available attack vectors, while inadvertently making cyber-threats harder to detect, investigate and address. It is also worth remembering that an attack against OT systems can have physical consequences for individuals or company infrastructure on top of the threat to the organisation’s data. Complicating matters further is the fact that cyber breaches that occur on one side of the connected, converged infrastructure can migrate to the other – from OT to IT and vice versa.
A key issue, particularly on the OT side of an organisation – given the business criticality of these systems – is the zero tolerance for downtime. Another challenge is legacy infrastructure; OT environments typically feature legacy technology built for process functionality and safety, along with static devices and a perimeter protective layer.
Considering modern systems increasingly connect devices, machines, sensors, thermostats and more to the internet – which means the number of vulnerable touchpoints keeps increasing – securing OT systems is of the utmost importance.
When looking at IT and OT systems, it is worth recognising the difference between these systems’ lifecycles. Whereas IT infrastructure is designed to be updated on a regular basis, OT systems are designed to operate for years or even decades without updates or upgrades.
In some cases, OT infrastructure could be as old as the physical plant it is installed in, which means a full inventory of assets, along with maintenance and/or change management records, may not be up to date or may not even exist. This makes it difficult for an organisation to protect its industrial operations and should be addressed by maintaining a detailed inventory of all assets and infrastructure.
Exposure management
There has been a marked increase in ransomware attacks, nation-state sponsored threats and zero-day vulnerabilities weaponised within the last 12 months. This has put under-resourced security teams under yet more pressure, and forced them to balance working practices, improvements to security systems and posture, and tight budgets. Though this may seem like an impossible task, going back to the basics with cyber-hygiene can have a dramatic impact on lessening an organisation’s cyber exposure.
The impact of cyber incidents can only truly be understood when business and security leaders combine efforts. Business leaders must ensure that security leaders fully understand the organisation’s mission and take proactive steps to protect the assets, data, staff and tools needed for critical activities.
Determining where weaknesses and vulnerabilities exist is only possible when a holistic view of cloud and on-premises, IT and OT environments, and everything in between including the interdependencies that exist for critical functionality, is available to experts.
With this established, the next critical step is to identify what could cause theoretical versus practical damage. Organisations can safely assume that there is a plethora of hidden OT systems that were temporarily installed, forgotten about and so are under-protected. Keeping this in mind, steps can be taken to address risks where possible or monitor assets that could fall prey to attacks.
Vulnerability management in its most traditional sense focused on addressing flaws in software that could be taken advantage of, using Common Vulnerabilities and Exposures (CVE) catalogues. Exposure management goes beyond this by adding context such as how a system is configured, who is using it and what they have access to. It enables cybersecurity teams to operationalise their preventative security programmes, giving organisations a clearer understanding of the effectiveness of their security controls.
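To make the difference concrete, the following is an added example (not Tenable's product logic or code from the article) that ranks a small, constructed IT/OT asset inventory two ways: by worst CVE score alone, and by an exposure score that weights that CVE score with the configuration and access context the article describes. The assets, weights and field names are illustrative assumptions.

```python
"""Added example: CVE-only ranking versus context-aware exposure ranking."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str                # "it" or "ot"
    max_cvss: float          # worst known CVE severity (0.0 if none)
    internet_exposed: bool   # reachable from outside the perimeter
    privileged_users: int    # accounts with admin or engineering access
    inventoried: bool        # present in the maintained asset register
    reaches_ot: bool = False  # IT asset with a network path into OT


def vulnerability_score(a: Asset) -> float:
    """Traditional vulnerability management: CVE severity only."""
    return a.max_cvss


def exposure_score(a: Asset) -> float:
    """Exposure management: severity adjusted by configuration and access context.
    Weights are assumptions chosen for illustration, not a standard."""
    score = a.max_cvss
    if a.internet_exposed:
        score *= 1.5          # externally reachable flaws are easier to reach
    if a.privileged_users > 5:
        score += 1.0          # wide privileged access widens blast radius
    if a.kind == "ot":
        score += 2.0          # compromise can have physical consequences
    if a.reaches_ot:
        score += 1.5          # IT breach could migrate into OT
    if not a.inventoried:
        score += 1.0          # forgotten systems tend to be under-protected
    return round(score, 1)


def prioritise(assets, scorer):
    """Return asset names ordered from highest to lowest score (stable sort)."""
    return [a.name for a in sorted(assets, key=scorer, reverse=True)]


def hidden_assets(assets):
    """Assets missing from the register: candidates for monitoring first."""
    return [a.name for a in assets if not a.inventoried]


# Constructed sample inventory for a hypothetical renewable-energy operator.
INVENTORY = [
    Asset("hr-fileserver", "it", 9.8, False, 1, True),
    Asset("vpn-gateway", "it", 9.8, True, 10, True, reaches_ot=True),
    Asset("inverter-plc-03", "ot", 7.5, False, 2, False),
    Asset("scada-hmi-01", "ot", 6.0, True, 3, True),
]
```

Ranked by CVE alone, the two IT servers lead; ranked by exposure, the internet-facing VPN gateway with a path into OT and the two OT devices move ahead of the isolated file server.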
The writing is on the wall: renewable energy organisations must step up and stop cybercriminals from infiltrating their infrastructure, and the best way to do this is to anticipate cyber-attacks and communicate those risks to support sound decision-making. Organisations that do this well will be able to defend successfully against existing and emerging threats and will be key players in a future based on renewable energy.