Cybersecurity Deployment Process for Renewable Installations – Part 1

Design & Development

The United States Cybersecurity & Infrastructure Security Agency (CISA) identifies 16 critical infrastructure sectors “whose assets, networks, and systems, whether virtual or physical, are considered so vital to the United States that their destruction or incapacitation would have a debilitating effect on national economic security, national public safety and health, or any combination thereof.” Energy is one of those sectors.

Renewable energy facilities operate in a largely distributed environment, and such facilities face many risks—both targeted and indiscriminate. It is the responsibility of these renewable energy facilities to meet these challenges by holding themselves accountable and implementing critical cybersecurity measures.

In 2022 alone, there were numerous incidents, including cyber attacks on three German wind-energy companies by players hoping to benefit Russian oil and gas companies. As these cyber risks increase, many companies are focusing more efforts on prevention. At the same time, more and more businesses in this sector are falling under the umbrella of NERC-CIP standards.

Every successful cybersecurity deployment involves a comprehensive plan. The specific details of your program will depend on your unique business operations, technology environment, and risks.

This is the first post in a three-part series that will discuss the cybersecurity deployment process for renewable installations. In this post, we will discuss some of the major factors and potential pitfalls associated with the design and development phase for renewable installations.

Standards

There are many reputable standards to choose from, such as NIST and ISO. You can choose not to select a standard, but it’s beneficial to choose one that fits your environment and solutions, recognizing that there is a significant gap with regard to standards within the renewable energy space compared to more mature industries like healthcare and even fintech.

Defense in Depth

This is the concept of creating security in multiple layers. For example, you have a door on your home, but you also have a lock on that door, giving you two layers. You can add even more layers by having a camera next to the door and an alarm. Within a cybersecurity context, you also need multiple layers applied during the design phase. 

Segmentation

To protect a renewable installation from cyber threats, there should be a defined separation of critical functions from non-critical functions. For example, if you’re in the office of a renewable installation and need to access the internet, this should not be done from a network that is also part of the control system.

This type of segmentation requires careful analysis during the design phase. Creating a “secure by design” system is much less costly than having to analyze and fix security issues after the fact.
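The design-phase analysis described above can be expressed as a reachability check over the planned inter-zone flows. The following is an added example, not part of the original post; the zone names and flow rules are constructed for illustration. It flags any allowed path, direct or multi-hop, between a non-critical zone and the control network.

```python
from collections import deque

def shortest_path(flows, src, dst):
    """Breadth-first search over allowed flows; returns a zone list or None."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in flows.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def segmentation_violations(flows, critical, non_critical):
    """Every allowed path, in either direction, between a non-critical and a critical zone."""
    found = []
    for c in sorted(critical):
        for n in sorted(non_critical):
            for src, dst in ((n, c), (c, n)):
                path = shortest_path(flows, src, dst)
                if path:
                    found.append(path)
    return found

# Constructed design: each key is a source zone, each value the zones it may open connections to.
WEAK_FLOWS = {
    "internet": ["dmz"],
    "office": ["internet", "dmz"],
    "dmz": ["historian"],
    "historian": ["control"],   # historian polls the control network: a multi-hop way in
    "control": ["historian"],
}
# Corrected design: the control network pushes data out one way; nothing may connect into it.
FIXED_FLOWS = dict(WEAK_FLOWS, historian=[])

CRITICAL = {"control"}
NON_CRITICAL = {"internet", "office"}

if __name__ == "__main__":
    for name, flows in (("weak", WEAK_FLOWS), ("fixed", FIXED_FLOWS)):
        paths = segmentation_violations(flows, CRITICAL, NON_CRITICAL)
        print(name, [" -> ".join(p) for p in paths] or "no paths into or out of control")
```

No single rule in the weak design connects the office or the internet to the control network; the exposure only appears when the rules are chained, which is why the check follows multi-hop paths.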

Physical Access

Renewable businesses are often remote facilities, so owners and operators must be mindful of how these properties are physically accessed. Specifically, control features should be in a locked room, perhaps with a keypad and another lock on the server cabinet. Additionally, a limited number of people should be given access to the facility and equipment. 

Electronic Access

Similar to physical access, there must be a means and hierarchy in place to restrict electronic access to the operations equipment and systems. 

Pitfalls

Few plans come without some pitfalls and potential minefields. Here are some of the common ones we see as a cybersecurity design takes shape.

  • Change Orders — If you don’t plan carefully and think things through, you’re going to have a lot of change orders, which can be costly. 
  • Not a Scalable/Robust Design — Your original design might be perfect for your current needs, but if your requirements change, is the design scalable and changeable without significant expense? Things to consider include physical space, power, ventilation, and cooling, among a variety of other factors. 
  • Incomplete Documentation — Again, your system may be well-designed, but no one will be able to manage it effectively if you don’t tell anyone what you’re doing and document everything thoroughly.

Core Principles

Moving through the design and development phase, here are some of the core principles we adhere to with our clients.

  • Interconnectivity — There isn’t just one party that designs and implements these facilities. Instead, there are many parties and hundreds of stakeholders, all contributing together to realize the installation. This interconnected dependency also informs the cybersecurity posture, which is determined by the aggregation of all stakeholders and efforts.
  • Defined Expectations — All parties must know and understand what the others are doing because this is a collaborative process that impacts everyone. 
  • Cyber-Informed Engineering — Every party involved needs to make value-based decisions as early in the process as possible. This doesn’t mean choosing low-cost options, but rather making decisions that will provide the most value to the organization and its customers. 
  • Understanding Risks and Consequences — Prudent engineering requires that leadership and stakeholders fully understand the risks and consequences of each decision in this process. 
  • Physics Don’t Lie — If there are no penetration spots on the network, then there is less risk.

In the second post in our three-part series discussing the cybersecurity deployment process for renewable installations, we will talk about significant factors and challenges associated with the implementation and construction phase.

Complying with NERC standards is a significant undertaking for renewable facilities that fall into the established threshold. Failure to comply with NERC-CIP standards can lead to severe penalties for your business. Radian Generation can help you manage your renewable energy assets and ensure that your business complies with NERC requirements. NERC’s thresholds are changing, and your business could be affected. If you’re unsure of whether or not your business will fall into the expanding umbrella, reach out to us. We can help.