The European Union (EU) is warning of cyber risks facing the global energy transition and is asking governments to be aware.
The EU plans to boost its wind and solar power generation capacity by orders of magnitude in order to hit decarbonisation goals. That capacity is heavily reliant on software, and that software can be hacked.
“Cyber risks to renewable energy assets are extremely acute. Many of these generation facilities will be directly connected to a regional or national grid and most now rely on smart systems, allowing their owners and operators to manage them digitally – all of which creates cyber risk interfaces.” This is what law firm Fieldfisher partner and cybersecurity specialist James Walsh told Oil Price back in 2021. Since then, things have not changed for the better.
“I am not sure I want to comment on how often we find holes in our system. But what I can say is that we have found holes in our system,” Henriette Borgund, an “ethical hacker” who works for Norwegian Hydro, told Reuters this week.
That wind parks and solar farms can be hacked was established years ago. But it seems that little can be done about it. And this means that energy security in a wind and solar-heavy grid has an additional layer of risk. Especially with war on Europe’s doorstep. And especially with a war involving Russia, which has something of a reputation in cyberwarfare.
“As cyberattacks against the energy sector increase in both frequency and destructiveness, renewables are likely to become a regular target. To build up their defenses, energy companies banking on renewables will have to face the reality of their vulnerabilities and acknowledge the importance of investing in cyber defence.” This is according to two experts from the energy security section of NATO’s Emerging Security Challenges Division.
In an article for Politico, Michael Ruhle and Lukas Trakimavicius pointed to previous cyberattacks targeting the energy infrastructure of certain countries and noted the increase in wind and solar generation capacity, which has gone up as a portion of the total from 19 per cent in 2006 to 24 per cent in 2016.
The increase, they noted, is particularly marked in the European Union. That’s why people like Henriette Borgund have every right to be concerned about cyberattacks. And Hydro, for one, is preparing. Company officials told Reuters that there has been a ramp-up of cyber defenses after the start of the war in Ukraine.
The same has been happening at German power utility EnBW. It has expanded its cybersecurity team and has been paying close attention to Russia’s cyberattacks on Ukrainian infrastructure. The sophistication of these attacks, EnBW officials said, according to Reuters, is concerning in the context of highly digitalised grids.
Indeed, the situation is highly concerning, and it would have been concerning even without a hot war, because the very nature of wind and solar-heavy grids makes them tempting for hackers.
“The new energy world is decentralized. This means that we have many small units – such as wind and solar plants but also smart meters – which are connected in a digital way. This networking increases the risks because there are significantly more possible entry points for attacks, with much greater potential impact.” This is the state of affairs, plain and simple, as explained by the director of the German Institute for Security and Safety, Swantje Westpfahl, again per Reuters. This is what makes a low-carbon grid so vulnerable, and this is what cannot change about it.
The distributed nature of wind and solar has been hailed as a major convenience. Indeed, a rooftop solar installation that powers the home does create a nice sense of independence and energy security.
Until the software running the system gets hacked along with a few hundred others managed by the company that installed them. Hypothetically, of course.
Mainstream reporting about wind and solar does not often involve information about any of their drawbacks or inherent problems. When mentioned, these are only mentioned in passing, such as the intermittency of these two energy sources or their land requirements.
Yet their cyber vulnerability is no less of a problem in a world where they are planned to be the dominant sources of energy. Of course, this has to happen first before the cybersecurity problem becomes a pressing one, but even now, when wind and solar make up a smaller part of the energy mix, even in Europe, the threat is real, and not only from state actors.
There are plenty of hacker groups that run ransom businesses. Two years ago, one such group hacked the Colonial Pipeline, which carries some 45 per cent of the gasoline and diesel fuel the East Coast of the U.S. consumes. The company operating it eventually had to pay close to $5 million to have it restarted.
But here’s the thing: a pipeline is managed centrally, and so is its cybersecurity, not that it did much good to Colonial Pipeline Co. With solar farms, for example, you have a field with a thousand panels and several dozen inverters, necessary to convert the DC electricity the panels produce into AC electricity that runs through the grid. These inverters can be hacked easily.