Enhancing The Grid Security: An Interview With John Franzino
Origis Services • Dec 07, 2021

Intensifying weather events are not the only threats to reliable power delivery; recent high-profile cyberattacks on energy and food infrastructure have exposed the vulnerability of critical networked systems. Following a recent string of cyberattacks, the member nations of the G7 Summit this summer declared a joint effort to address the ransomware crisis and hold member nations accountable. But in the meantime, what can the energy industry do now to protect grid security?

As part of the ongoing Power Players by Origis® podcast series, GridSME CEO John Franzino joined Origis Services Managing Director Michael Eyman to discuss how solar owners and operators can better understand the global security threats facing energy companies, implement fundamental security controls for existing facilities, and incorporate consistent design practices and compliance costs when planning new facilities.

THE THREE BAD ACTORS
During their discussion, Franzino and Eyman addressed three basic categories of cyberattackers. First, individual hackers who disrupt internet-connected resources out of curiosity or fun. Second, criminal organizations that monetize data theft and that may be passively or actively supported by governments. Third, nation-state hackers who monitor, expose, and exploit vulnerabilities for geopolitical reasons.

While this third group performs the most sophisticated campaigns of surveillance, espionage, and terrorism, it is in the second category where we are experiencing the largest uptick in cyberattacks. “It’s another business entity,” stressed Franzino. Groups like DarkSide, the hackers responsible for the Colonial Pipeline attack, use sophisticated marketing, research, technology, and customer service to increase profit. “This is called ransomware as a service. . . They have a webpage, or at least they did. . . They have an ethics section about who they’re targeting, who they will not target. What their rules of engagement are.”


The threat doesn’t end there. According to Franzino, energy companies may have to scramble to protect themselves against these agile and innovating groups. “My opinion, we’re 5-10 years behind healthcare and finance industries when it comes to cybersecurity, because, until the advent of ransomware, we weren’t being targeted and beat over the head by the criminal hackers.”

PROTECTING ASSETS AND ACHIEVING NERC CIP COMPLIANCE
“So, as a company in this space, who is managing all these assets [4GW and growing], and for other people out there who are doing the same or who are worried about this, what do you do?” asks Eyman. Franzino has a clear response: “Start with the fundamentals.” For existing facilities, this includes taking an inventory of all internet-accessible resources, no matter how small. Hackers constantly use bots to crawl the internet looking for vulnerabilities, so they’ll find your weaknesses if you don’t find them first.

Once you’re aware of and tracking all internet-connected resources across an organization, you can apply security best practices such as inventory management, access management, vulnerability management, and patch management. Responsibility for these fundamental controls is shared with operations. All technology needs care and maintenance. Cleaning, repairing, updating, and replacing resources not only boosts operational efficiency but also protects against cyberattacks.

In addition to these suggested best practices, there are also actions that must be taken to be NERC CIP compliant. No matter what kind of company you are (big, small, operator, owner), you have a compliance responsibility when your assets meet certain criteria. As a general rule of thumb, inverter-based resources must register with NERC when their facility has a nameplate rating of 75 MVA and interconnects at 100 kV or higher. It’s also crucial to understand that each company must meet compliance for the assets it owns: generator owners are responsible for solar facilities, and generator operators are responsible for control centers.

REDUCE DESIGN COMPLEXITY
Facilities also have different levels of NERC CIP compliance (low, medium, and high impact) based on size, complexity, and grid context. Franzino explains: “Just to put that in context, in the CIP low impact requirements, there’s about 15 requirements/sub-requirements total, about things that needed to be done, checked off the list, controls implemented. When you go to medium impact, there’s about 190-plus requirements.” That’s a huge jump!

One way that companies can reduce the complexity and cost of both compliance and security is to consider them during planning. Define design criteria upfront, use design templates across facilities, and implement consistent networking. Incorporate consistency into planning, and it will be much easier and faster to inventory, maintain, patch, and secure facilities in the future.

Each company should have in-house security capabilities, but that doesn’t mean you have to go it alone. Michael Eyman, for example, has built both in-house resources at Origis Services and relationships with third-party experts such as GridSME. As Eyman underscored: “Make sure you get the right people in, early in the process, and incorporate those costs into your model.”

CONCLUSION
Security threats, whether from individuals, criminal groups, or nation-state hackers, are not going anywhere. To protect profitability and the nation’s grid infrastructure, energy companies must adopt certain practices that will allow them to secure resources from known threats and to respond quickly to emerging attacks. It starts by understanding the types of cyberattackers active in the industry, protecting existing facilities, and incorporating consistent design in project pipelines. To read, watch, or listen to Franzino and Eyman’s full discussion, visit episode #2 of Power Players by Origis “Solar Asset Grid Security in an Increasingly Insecure World.”
