Will distributed electricity production increase cybersecurity risks?
With the growing share of solar, wind and other renewable electricity production (for Belgium: ~15% in 2019 to ~18% in 2020), the question arises whether or not we’ll be more resilient to cyberattacks with distributed production facilities.
In the typical scenario, with centralized production, the threats are aimed at the large production plants and the main high-voltage transmission systems. These plants have to invest heavily in a whole array of mitigations to withstand the most relevant threats, and most often also implement a risk management system or Information Security Management System (ISMS). These are expensive to implement and maintain, especially in complex environments. Production plants, depending on their size and whether or not they are crucial to controlling our grid, will also have to comply with legislation and directives such as NIS-D.
With the move to decentralized, distributed generation of electricity, a new threat landscape emerges for renewable energy production. Threats will no longer be aimed at central points, but will be directed at “weak links” in our system: more specifically the grid itself (the high-voltage transmission points and cabins) and the organizations that operate large-scale, geographically spread production plants. These targets have not been leading the class with regard to risk management, as they were not the target of significant cyberattacks until now. Due to their geographically spread setup, they are often thought of as resilient because an attack would need to compromise each location separately. Attacking wind farm managers, solar farm managers or suppliers of hardware that provides monitoring and remote control is now the most efficient way to gain control of a large part of the production capacity. It eliminates the need to compromise each separate location, and these companies are typically less well protected, as their services were “not interesting” to attackers until now.
Looking at the consumer market, we see some efforts being made to protect consumer devices, but these are rudimentary. A large share of home installations have either:
- Vulnerable hardware: firmware is not consistently maintained and/or is exposed to the public internet. The estimated lifecycle of 20+ years makes it economically challenging, from a supplier’s point of view, to keep supporting the systems
- Vulnerable suppliers: no secure development of software, no security by design due to the low risk of “losing” a small home system
- Vulnerable installers: installers that keep “maintenance” lines to their installed systems provide attackers with a simple platform for maliciously controlling all their systems
In summary, distributed production does not increase the risks per se, but will shift them from the traditional centralized production plants to the suppliers that have access to the most production capacity.