Cybersecurity isn’t easy when you’re trying to be green

Renewable energy companies lag behind their more traditional peers when it comes to the cybersecurity readiness of their infrastructure, raising concerns that attackers targeting critical infrastructure could find easier prey among “green” energy firms.

In a study of 250 energy companies worldwide, oil and natural-gas firms scored the highest — with the average company scoring a 94, or “A” — while the lowest scores belonged to renewable energy companies, which scored a median of 85, or a “B.” Green energy firms tend to have distributed generation infrastructure (such as rooftop solar or wind turbines) and are usually more Internet-connected than traditional energy companies — both attributes that can undermine their defensive posture, says Ryan Sherstobitoff, senior vice president for threat research at SecurityScorecard, the cybersecurity risk firm that conducted the study.

Overall, the attack surfaces between traditional energy infrastructure and renewable energy infrastructure can be quite different, he says.

“Oil and gas have legacy technologies, but these legacy technologies are most likely not Internet-facing,” Sherstobitoff says. “Whereas the cybersecurity posture of renewable energy may not necessarily be [to the level of other] critical infrastructure itself … but nonetheless has public-facing portals and other public-facing issues.”

The concerns come as the US and other countries invest in green energy infrastructure and scramble to put in place more cybersecurity defenses to protect their critical infrastructure. Nation-state groups have targeted the critical infrastructure of the US and its allies, and while the distributed nature of green energy generation could mitigate widespread outages, their Internet connections represent a weak point, according to the SecurityScorecard report, which was in collaboration with consultancy KPMG.

Distributed Green Systems Harder to Defend

Overall, the energy sector did quite well in the survey of firms. Of the 250 organizations on which data was collected, 81% either scored an A or B. Only 8% of energy firms showed signs of compromise in their external infrastructure, but two-thirds of the breaches were connected to third-party partners, SecurityScorecard reported.

Attacks could prevent renewable energy companies from managing their generation sites to disrupting consumers’ power, Sherstobitoff says.

“You could imagine disrupting the ability for these renewable energy devices to connect back and phone home, then you have chaos, because then they can’t check in, can’t get their status,” he says. “If [the infrastructure] depends on getting a status code in order to function, it needs to connect back … that’s another breaking function.”

To read the complete article, visit Dark Reading.