Dive Brief:
- The Federal Bureau of Investigation on Monday warned private industry that expansion of U.S. renewable energy capacity increases the risk of being targeted by hackers who may want to disrupt power generation, steal intellectual property, or ransom critical information.
- Attacks on residential solar systems “have been rare,” the FBI said, but hackers looking to make a bigger impact could target microgrids, or inverters at larger solar farms. “However, researchers are working to counter this potential risk through a passive sensor device that can detect unusual activity in the electrical current,” the federal law enforcement agency said.
- The problem with rolling out new defenses to existing infrastructure, however, is that it leaves windows of time during which renewables may not be properly guarded. A “secure by design” approach, where monitoring and defenses are built in from the beginning, can address the issue, “but the reality of it is, most companies don't do that yet,” said Avishai Avivi, chief information security officer of SafeBreach, a California-based cybersecurity firm.
Dive Insight:
Most of the FBI’s recommendations to protect renewable resources from hackers are general best practices, but Avivi said they are necessary because many people’s security practices simply aren’t very good.
“It's amazing how many people don't practice basic cyber hygiene,” he said, comparing malware to the COVID pandemic. “It’s like washing your hands. ... It's a very simple, primitive solution, but it's very effective in staving off the infection. Not reusing passwords, segregating between functional areas, all kinds of very basic concepts that can help you, at the very least, minimize the potential impact of a malicious incident.”
Unpatched systems can lead to threat actors gaining access to critical systems, said Tom Marsland, vice president of technology and technical service for security training group Cloud Range. But the FBI’s warning contained little specific advice, he said.
“Nothing here is special. People just need to do the basics, and companies need to invest in the basics,” he said.
The FBI’s warning recommended:
- Renewable industry stakeholders should routinely monitor network activity for unusual or suspicious traffic;
- Company networks should be updated to patch security vulnerabilities, along with the use of firewalls and antivirus software;
- Offline backups of data should be maintained and all backup data should be encrypted;
- The security posture of third-party vendors should be examined;
- All passwords should comply with the National Institute of Standards and Technology’s standards for developing and managing password policies;
- Networks should be segmented to prevent the spread of ransomware.
“The FBI encourages current and former employees of companies within the renewable industry to report cyber intrusions targeting either themselves or their organization, as well as suspected elicitation attempts by foreign nationals outside of the organization,” the FBI said.
The FBI’s recommendations are a good start, “but really constitute a minimum baseline of security controls necessary to mitigate the specific threats they outline: manipulating power inverters and targeting microgrids,” Mike Hamilton, former chief information security officer for the city of Seattle and now chief information security officer and founder of cybersecurity firm Critical Insight, said in an email.
Developing and deploying specific power monitoring technology to detect attempts at compromise “may take time in existing deployments, however might be included in projects going forward without much delay,” Hamilton said. But he added that the recent decision by the U.S. Supreme Court to strike down the Chevron doctrine and limit federal agency authority means “uptake of these FBI recommendations is likely to be spotty without an enforcement mechanism.”
It may be “technically correct” that expansion of the U.S. renewable energy industry could increase the risk of targeting by malicious cyber actors, said Malachi Walker, security advisor at DomainTools. But the majority of risks outlined by the FBI “seem to be applicable to any industry that grows in size and scope or leverages IoT connected devices.”
“The development and deployment timelines of a standardized passive sensor are uncertain,” Walker said, but when combined with more general defense approaches, such a sensor would likely serve to protect renewable resources. However, those solutions “should not be excluded to only renewable energy projects.”
“The problem facing renewable energy isn't unlike the problem facing the rest of the electric sector,” Gregory Pollmann, principal industrial hunter at Dragos, said in an email.
The developing nature of inverter-based resources means they rely heavily on vendors and third-party organizations for operation and installation, he said. “Those connections can add attack surface to industrial networks and be very difficult to monitor without robust visibility. With all of that said, the FBI's recommendations ... is what the OT cybersecurity industry has been advocating for years.”