Energy threats have risen among cybersecurity priorities. Last year, U.S. officials reported that a Chinese government-backed hacking group called Volt Typhoon installed malware on certain energy utilities. Volt Typhoon returned to the spotlight again this month, as the joint cybersecurity advisory warned that the group now appeared to be seeking purchase on IT networks to set up disruptive attacks against U.S. critical infrastructure, should the two countries get into a major crisis or conflict.
Some legislators have also raised concerns over utilities’ use of energy storage batteries made in China. They suggest the Chinese government could hypothetically influence battery companies to install malware, per CSO Online. And some cyber experts also say battery energy storage systems must be defended against manipulations that could overcharge batteries to cause fires or a blackout, per the outlet.
Energy system cybersecurity is also a moving target. This is all to say that as the U.S. shifts to use more renewable energy, officials are thinking about how cybersecurity approaches may need to adjust.
Fossil fuel-based energy might rely on one major coal or gas-powered plant that has to be secured, whereas a renewable energy grid gets energy from a variety of smaller players, each with its own connection to the system that must be secured, said Mara Winn, deputy director of preparedness, policy and risk analysis at the federal Office of Cybersecurity, Energy Security and Emergency Response (CESER).
Many of these new players in the energy space may be unused to thinking of themselves as part of a large infrastructure, but they need to realize that attackers are likely to view each one as a potential entry point to compromising the grid, Winn said. Efforts to educate these organizations about relevant cyber risks can help, as can efforts to work with energy sector trade associations to train up everyone from attorneys to developers on cybersecurity.
New energy organizations need to prepare for resilience, in part by considering hypothetical disaster scenarios. These can help them understand factors at play and develop playbooks for how to respond and rebound. Established utilities often already go through such exercises, and new entrants to the scene can learn a lot by following suit, Winn said. How entities should respond to a situation will differ by factors such as their state, customer type, system type and integration into the system.
“What is true in California is not going to be the same as [what’s] true in Virginia,” Winn said. “And so that's why you have to work through these playbooks with all of your stakeholders at the table.”
And entities need to be aware that as they transition to providing a greater portion of the grid’s energy, their cyber postures will need to change, too, Winn said.
More modern setups also tend to involve remote access controls and connected tools, like smart grids and smart home meters — all of which must be secured, Winn said. Entities must be especially careful about protecting distributed energy resource management systems (DERMS); supervisory control and data acquisition (SCADA) systems; and any other systems for aggregating or controlling assets, Elaine Ulrich, senior adviser for CESER's Preparedness, Policy and Risk Analysis Division, said.
Moving toward zero-trust security will be helpful, as will keeping a close eye on managing software and hardware security. Much of traditional energy infrastructure was built to last 10 to 30 years, but newer tech may only have a five-year shelf life, at best, and entities need to plan for how they’ll update systems, Winn said. They also need to ensure they know the origins of their hardware and software components, as well as how their software was developed and will be kept updated.
On the bright side, the distributed nature of the renewable energy grid has security advantages. Using microgrids and grid segmentation could mean that if one part is offlined, it disrupts a small portion of the overall energy generation or distribution, said Ulrich.
The development of new energy tech and systems also provides an opportunity to see them designed with security and resiliency, Winn added. CESER recognizes that the right tools aren’t always out there yet and so has been looking to provide funding opportunities for research and development to support energy sector cybersecurity, too, Ulrich noted.
State government may also need to change how they think about the utilities they oversee, but states may get help with this work: CESER and the National Association of Regulatory Utility Commissioners recently announced guidance on minimum cybersecurity baselines for electric distribution systems and distributed energy resources — like solar and wind or energy storage systems. This could help states adopt a common set of core cybersecurity requirements, rather than ones that vary by jurisdiction.
