‘There’s a gap’: A cybersecurity expert’s advice for renewable energy

Last month, President Biden met with energy executives to discuss his administration’s cybersecurity initiatives and ongoing threats facing critical infrastructure in the U.S.

Attention on cybersecurity in the energy sector has been heightened by attacks against SolarWinds and the Colonial Pipeline. In an executive order signed on May 12, Biden called on the private sector to lead on advances in information technology (IT) and operational technology (OT), arguing government regulation isn’t enough to thwart the attempts of bad actors.

Ian Bramson, the global head of industrial cybersecurity at ABS Group, and a risk management adviser to the energy sector, said renewable energy providers, developers, and asset owners face an increased risk of attacks because of gaps in cybersecurity plans.

“There’s a lot more new technology in renewables than in many of the other sectors. Well, attackers feed off technology,” Bramson told Renewable Energy World in an interview. “When things are growing rapidly, it’s very hard to manage the cybersecurity risk.”

Most organizations have IT nailed down, Bramson said, but are severely lacking in OT protections.

“The OT side, there’s a giant lag behind the IT side,” he said. “Most companies on the OT side can’t answer my first question: do you know what assets you need to protect?”

Bramson outlined 4 key pieces to a renewable energy cybersecurity plan:

Asset inventory“You need to figure out an automated way (to inventory assets that need cybersecurity protection). When you’re expanding and growing, even that basic step is a challenge — it’s not always done.”

Vulnerability management“Where are my holes? Any time you connect with anything, there’s a point of attack– both ways. What are you connected to?”

Configuration management or management of change“If a bad guy wants to change something, he’s going to change a configuration of how something works in that system and so you’re going to have to know if there’s an unauthorized change going on.”

Monitoring“You need to understand if something (bad) is happening.”

“Sometimes, people skip to the monitoring piece but all of those pieces fit together,” Bramson said. “If an attack happens and I have a great asset inventory and I know what they’re going to attack next, I’m a lot faster in my response than if I just have one piece of that equation.”

Watch the full interview with ABS Group’s Ian Bramson and Renewable Energy World’s John Engel.