Digitalization and the internet of things have increased productivity and improved energy companies' safety and environmental performance, particularly in the power generation sector. (While in college, I worked at a municipal utility that converted its power plant's pneumatic controls to digital versions. I now am a dinosaur, or at least I am old enough to have seen them roam the earth.) Today's power plants are controlled by complex digital systems that monitor and adjust using algorithms and predictive routines. More of our electricity is generated by large solar and wind farms, often not supported by on-site personnel.

Meanwhile, as a society, we crucially depend on a reliable electric system. With this dependency, we have become vulnerable to any disturbance in the availability of electric power. As we rely more on the electric grid, the power plants that anchor this critical network have increasingly come under attack by bad actors seeking to wreak havoc and extort payments in exchange for returning the affected plant to service. While the importance of our electrical grid has increased, cyber-attacks have become less sophisticated and less costly to perpetrate, all the while exploiting ever larger attack surfaces. In response to this situation, the Department of Energy asked Congress for a $201 million budget request to address digital vulnerabilities after multiple cyber-attacks this year.

A Tale of Two Networks and Renewable Generation Risks:

The two types of networks that support today's power plants are classified as either business or operations. Business networks are where everyday productivity and collaboration applications run – your MS Office, email, internet, etc. These networks are directly connected to the external environment – the world wide web. On the other hand, operations networks are internal networks where control systems, for example those that directly affect the power plant, are managed and run. Ideally, these two systems should be "air-gapped," meaning there are no physical connections between the two. This separation is designed to ensure that any malware or bad actors on the business network can't worm-hole their way into the critical control networks. While these two systems are distinct, they both utilize digital networks and are both vulnerable to attack.

Why Bad Actors Attack:

The following are some of the reasons and motivations behind attempts to attack our electric grid:

State-Sponsored Terrorism – Anti-American nations seek to attack the power grid to debilitate the US economy. In our electrically dependent world, any widespread and prolonged power outage would create catastrophic damage – to lives and to our economy. Given the international attackers' location and the time difference to the US, these attackers are often wide awake implementing their nefarious plans while most of us in the US are asleep. Since the control rooms in most renewable projects are not staffed, no operating personnel are present to detect a potential attack. These attacks can typically occur overnight when U.S. staff is offline.

Ransom – Hackers seek to extort payment from companies in exchange for undoing their cyber-locks or other malicious code that renders the infected network non-operational. Further, thanks to the anonymity of certain crypto-currencies, once a hacked company pays a ransom, it is difficult for law enforcement agencies to investigate and apprehend the offenders.

Internet Activism – Otherwise known as hacktivism: hacker groups use computer-based techniques as a form of civil disobedience, bringing down the power grid to make a political statement. These ideologically motivated "cyber-punks" seek to cause damage in the name of their movement and benefit from any press coverage of the cyber-attack and the resulting aftermath.

Why NERC Compliance Alone Is Not Enough

The North American Electric Reliability Corporation (NERC) is responsible for monitoring, regulating, and implementing the compliance policies of power system operators, ensuring a safe, reliable power supply. In response to major power reliability events, from the infamous power outages in the 1960s to the recent winter event, NERC promulgates compliance policies and programs for electric utilities, independent power producers, and wholesale market participants. NERC can assess steep penalties on firms that do not comply with its requirements. Given the complexity of the power grid, the numerous stakeholders, and the ever-growing threat of cyber-attacks, the agency seeks to anticipate future problems and provide appropriate countermeasures. Still, as long as people are needed to operate and maintain equipment, our networks can be compromised, whether by accident or on purpose. The programs, policies, and procedures are only as secure as the people who use them.

Common Attack Vectors

Despite the complex networks that support a power plant, a key vulnerability to reliability remains people, whether employees or contractors. We are all imperfect, and cyber-hackers seek to exploit this any chance they get.

Employees: In prevalent phishing attacks, criminals send employees official-looking emails requesting information that, once provided, can allow a bad actor to monitor email correspondence, potentially learn more about the organization, and uncover passwords and other credentials. Unfortunately, the employee who has been compromised through the phishing attack is often unaware of the breach until the damage is already done.

Contractors: Renewable power plants are often serviced by contractors providing routine maintenance or inspection. During their time on site they will often have access to both business and operational networks. Further, the makeup of the contractor's personnel who visit a site may change, so the potential risk of infection increases with the number of unique, unsupervised visitors. The possibility of compromised devices being introduced to the plant network also increases.

Recommendations: 3rd Party Audits and Training

Given the business risks and increasingly sophisticated nature of cyber-attacks, it is recommended that firms, particularly those in the renewable power generation space, engage a 3rd party cyber-security firm to review their business practices and assess the security of both their operational and business networks. Hiring an independent firm ensures that a knowledgeable industry expert can identify vulnerabilities during an audit and then develop recommended countermeasures following best practices. Just as an outside auditor is needed to validate a firm's financial health, an independent review is needed to manage any potential cyber-security or NERC compliance risks. On-going employee training should be conducted as well. This training could include a live-fire experience in which employees are purposefully targeted with fake emails to help identify any overly trusting employees and to provide them with specific training on how to deal with subsequent phishing or spamming tactics from the real bad guys.

Julian Kaufmann is responsible for corporate and business development activities across all of CAMS' operations. With nearly 20 years of experience, Mr. Kaufmann is an experienced originator of both power and gas commodity deals, specializing in long-term structured transactions. CAMS provides sustainable, value-added services for owners of infrastructure assets, including some of the largest financial institutions, independent power producers (IPPs), manufacturers, and private equity firms in the world.