
Renewable Energy, Microgrids Face Growing Cyber Threats: FBI

Brief description of the dive:

  • The Federal Bureau of Investigation warned private industry on Monday that the expansion of U.S. renewable energy capacity increases the risk of falling victim to hackers seeking to disrupt power systems, steal intellectual property or hold critical information ransom.
  • Attacks on home solar systems “have been rare,” the FBI said, but hackers looking to make a bigger impact could target microgrids or inverters in larger solar farms. “However, researchers are working to counter this potential risk with a passive sensing device that can detect unusual activity in the electrical current,” the federal law enforcement agency said.
  • The problem with implementing new security measures into existing infrastructure, however, is that hackers have a window of opportunity where renewable energy sources may not be adequately protected. A “secure by design” approach, where monitoring and security are built in from the start, could solve that problem, “but the reality is that most companies aren’t doing it yet,” said Avishai Avivi, chief information security officer at SafeBreach, a California-based cybersecurity firm.

Diving Insight:

Most of the FBI’s recommendations for protecting renewable energy sources from hackers are general best practices, but Avivi said they are necessary because many people simply don’t follow good security practices.

“It’s amazing how many people don’t follow basic cyber hygiene,” he said, comparing malware to the COVID pandemic. “It’s like washing your hands. … It’s a very simple, primitive solution, but it’s very effective at preventing infection. Not using passwords, separating functional areas, all kinds of very basic concepts that can help, at the very least, minimize the potential impact of a malicious incident.”

Unpatched systems may lead to threat actors gaining access to critical systems, said Tom Marsland, vice president of technology and technical services for the Cloud Range security training group. But the FBI warning contained little specific advice, he said.

“Nothing is special here. People just have to do the basics, and companies have to invest in the basics,” he said.

The FBI warning recommends:

  • Renewable energy industry stakeholders should regularly monitor network activity for unusual or suspicious traffic;
  • Corporate networks should be updated to eliminate security holes, and firewalls and antivirus software should be used;
  • Data should be backed up offline and all backup data should be encrypted;
  • The security level of third-party providers should be investigated;
  • All passwords shall comply with the National Institute of Standards and Technology standards for developing and managing password policies;
  • Networks should be segmented to prevent the spread of ransomware.

“The FBI encourages current and former employees of renewable energy companies to report cyberattacks targeting them or their organization, as well as suspected attempts to induce action by foreign nationals outside the organization,” the FBI said in a statement.

The FBI’s recommendations are a good start, “but they are really the minimum baseline of security controls necessary to mitigate the specific threats they describe: power inverter tampering and targeting ‘microgrids,’” Mike Hamilton, a former Seattle chief information security officer and now chief information security officer and founder of cybersecurity firm Critical Insight, said in an email.

Developing and implementing specific power monitoring technology to detect tampering attempts “may take some time for existing implementations, but could be included in future projects without significant delays,” Hamilton said. He added, however, that a recent U.S. Supreme Court decision destroying the Chevron doctrine and limiting federal agencies’ authority means that “the FBI’s implementation of these recommendations is likely to be spotty without an enforcement mechanism.”

Malachi Walker, a security adviser at DomainTools, said it is “technically correct” to say that the expansion of the U.S. renewable energy industry could increase the risk of becoming a target for malicious cybercriminals. But most of the threats described by the FBI “appear to apply to any industry that is growing in size and scope or that uses devices connected to the Internet of Things.”

“The timeline for development and implementation of a standard passive sensor is uncertain,” Walker said, but combined with more general defensive approaches, it would likely serve to protect renewable resources. However, these solutions “should not be excluded from renewable energy projects.”

“The problem facing renewables is not much different than the problem facing the rest of the power sector,” Gregory Pollmann, chief industrial search officer at Dragos, said in an email.

The evolving nature of inverter-based assets means they are highly dependent on vendors and third-party organizations for service and installation, he said. “These connections can add an attack surface to industrial networks and be very difficult to monitor without solid visibility. With all that in mind, the FBI’s recommendations … are what the OT cybersecurity industry has been advocating for years.”