Green energy is on the rise. According to the International Energy Agency (IEA), global dependence on renewable energy sources has increased steadily over the last few years. But as existing power producers and new players make the switch to solar-, wind- and water-powered alternatives, what happens to existing network borders? Are renewable resources the harbingers of new cybersecurity best practices?
Powering Up
Current power providers face a host of challenges when it comes to defending critical — and often national — assets. As noted by a recent PwC white paper, for example, energy companies are under threat from nation-states, malicious insiders, hacktivists and run-of-the-mill cybercriminals alike. Some are looking to steal data and make a profit, some want to destroy information and others are hoping to expose corporate secrets.
Making these attacks more worrisome is the triple threat of strict energy regulations, high-value intellectual property (IP) and aging technology concerns. No other industry faces the same level of compliance demands from federal agencies combined with the risk of devastating loss if the location of oil and gas fields are leaked or new specs for clean energy generation are made public. And specialized technology — now long in the tooth but still an integral part of energy systems — often contains multiple backdoors for attackers to open.
There are efforts under way to increase the cybersecurity of traditional and green energy providers. According to the Data Protection Report, the House Subcommittee on Energy and Power recently approved a proposed energy reform bill aimed at providing increased digital security for energy companies. Among the highlights is the creation of a voluntary Cyber Sense program, which would encourage the use of vetted and effective cybersecurity products.
There’s also the Energy Policy Modernization Act of 2015, which includes guidelines for the Secretary of Energy to carry out programs targeting “cyber-resilience component testing and operational support.” Real need already exists for this kind of reform: As reported by The Hill, the Department of Energy had its computer systems hacked more than 150 times over the past five years.
Going Green
The addition of green energy sources has the potential to muddy these waters even more. Adding solar cells or wind turbines to existing energy grids requires either significant changes to existing software controls or the addition of new, often cloud-based control protocols able to handle multiple energy inputs.
The problem? With energy companies and the federal government struggling to keep cybercriminals at bay, adding new devices to existing networks simply increases the total attack size. The issue is made more worrisome as companies turn to the use of Internet of Things (IoT)-enabled devices to help monitor energy performance. As noted by CSO Online, recent digital crime waves will spur IoT security spending to the tune of almost $29 billion by 2020 in an effort to lock down these new devices.
Green Energy Best Practices
So where does this leave CISOs and CSOs of energy companies looking to move beyond fossil fuels and take advantage of new clean energy initiatives? In some cases, at odds with federal best practices. While government proposals are now taking steps to encourage the use of cybersecurity products and regular testing, experts know this is just the beginning. Simply put, federal lawmakers have it backward: It’s always better to test first and implement later rather than rolling out new technologies and then playing catch-up with security.
For CISOs and CSOs, green energy cybersecurity best practices center around detection and isolation rather than defense and elimination. Just like retail companies and financial institutions, attacks on energy companies are a matter of when, not if. And as a result, companies must plan to fail in order to succeed: What’s the order of operations after an attack occurs? How quickly can designated teams respond, find the intruder, patch the vulnerability and isolate the damage? This kind of disaster planning forms foundational best practice in a world that’s going green — one that assumes breaches are an inevitable part of the energy production cycle but aren’t beyond the purview of IT professionals to manage and defeat.
Green energy offers the possibility of clean power. Cybercriminals, meanwhile, want to dirty corporate systems with data destruction, thefts and misdirection. Best bet? Design new best practices to suit emerging renewable resources.