In Aesop’s fables an eagle is shot by arrow that had been feathered with one of its own plumes, in its dying breath the eagle bemoans the fact that we often give our enemies the means of our own destruction. Whilst Aesop was no specialist in cybersecurity the nature of his dilemma will be familiar to those that are. In 2019 a solar and wind business Utah became the first US power grid operator to be disconnected from its power generation station. The cause was an unpatched firewall, a 21st century equivalent of a discarded eagle’s feather.
The benefits of smart grids are largely derived from their connectivity, giving the traditionally creaking energy grid significant flexibility. The ability of a smart grid to use data flows also contributes to their vulnerability, unethical or malicious actors could launch an attack on the IoT infrastructure that makes up the grid, which in turn could unbalance the load in unpredictable ways. Increasing use of microgrids makes the impact of these attacks more local in nature, which is an improvement on the centralised infrastructure of the past, however it is not enough to merely limit the damage of a potential attack and the tech sector is coming up with some innovative ways to help improve grid security.
A smart grid offers plenty of avenues of attack for those with malicious intent. A smart grid is an ecosystem of operational technologies including power line communication devices, supervisory control, intelligent electronic devices, and data acquisition (SCADA) and energy management systems. Alongside these specific technologies are generic problems for cybersecurity including organisational communication systems and electronic information, from a security perspective a smart grid has a large attack surface. The key challenge historically for the cybersecurity sector has been the lack of standard reference architecture and a lack of release mechanisms have hampered the growth of the sector.
A positive step towards common standards has occurred this August (2020) with US’ Smart Electric Power Alliance (SEPA) adding standards governing distributed energy resources (DER), smart energy, and data exchange to its Catalog of Standards for the first time. Given the centrality of the US to the global cybersecurity industry these new standards may lay the groundwork for improved interoperability in the sector; the standard includes requirements for interconnection & interoperability, information exchange between networks and a very focused smart energy profile application protocol.
Hopefully more common ground will help the industry develop a more robust response against would be attackers.
The sophistication of smart grids represents another challenge for security, there is also an issue from a security perspective of having too much data. This means that any effective cybersecurity solution for smart grids needs to embrace automation and the benefits of AI and machine learning. AI can be deployed to help resist malware, ransomware attacks and social engineering attacks, whilst machine learning is critical to threat intelligence, identifying new cyber-attacks, drawing statistical inferences, and getting that information to endpoint security systems. The value of detecting anomalies in the data of smart grids will see increased deployment of AI and machine learning in the sector.
In the EU, AI, Cyber Security and Renewable Energy are among three of the technologies being targeted in €750bn pan-EU support package agreed in May 2020 as part of the coronavirus recovery plan. The grouping of these technologies together in the stimulus package hopefully bodes well for the future of this approach.
Another technology that received EU funding was 5G. There seems to be a growing belief that 5G will be an Important part of the cybersecurity landscape for utilities. However, it is early days, the sector is largely split between those using fibre or 3G and 4G solutions (utilities were big adopters of 4G). The cost aspect of helping to develop 5G resources for the grid may be less appealing to those who have already invested in other technologies, but it is certainly a space to watch.
The modern sector of clean energy may benefit from the attentions of an older sector. The first rule of business is to protect your investment. As renewable energy developers and providers globally adjust to a post-subsidy world, the role of sustainable impact funds and green finance becomes increasingly large. Finance is very good at understanding and managing risk, it is likely that this will provide increased impetus to improve the cybersecurity profile of projects if they want to be attractive to investors.