As cyber attacks on critical national infrastructure increase, Polly Curtin and Campbell Hayden highlight the need for clean tech and infrastructure to be secure by design to ensure a resilient energy system today and tomorrow.
Decarbonisation is big business: the UK Renewable Energy Market is predicted to grow by more than 10% between 2022 and 2027; the government’s Build Back Greener strategy committing £1.5 billion of funding to support net zero innovation projects; offshore wind capacity alone will increase five-fold to meet ambitious targets of 50GW by 2030.
However, the pace and scale of renewable and clean tech expansion required to meet the UK’s decarbonised power system agenda also exposes the need to safeguard the UK’s energy by prioritising cyber securities. While developers and operators need to keep up with technological developments to avoid losing competitive edge, system innovations, together with growing interconnectedness, are increasing the opportunity to introduce cyber vulnerabilities.
Innovation is abounding across the energy sector, particularly within start-ups, as individuals and groups collaborate to create solutions that will help address the challenge society faces to reduce its emissions. But with every innovation comes risk. As new organisations join the industry, developing technologies to help us become more sustainable and achieve our critical net zero emission goals, they become a target for cyber-attack. No matter how laudable a business’s goals, attackers will capitalise upon any opportunity to access and damage their systems – for financial gain, or as part of state-sponsored activities designed to destabilise and disrupt countries’ critical national infrastructure (CNI).
Attacks on the rise
Both CNI organisations and the renewable sector have already been subject to cyber-attack and continue to be at risk. One key method of attack is ransomware – where companies’ systems are compromised, and not released until a financial ‘ransom’ is paid. In 2021, the National Cyber Security Centre suggested that ransomware is the most significant cyber threat facing the UK, while Jeremy Fleming, the director of UK intelligence and security organisation GCHQ, said that the number of ransomware attacks on British institutions had doubled in the past year. Of particular concern is the threat of ransomware to Operational Technology (OT), which is likely to grow significantly in the next one to two years.
The renewable sector is also under attack – particularly the wind industry. Two separate wind turbine manufacturers had to switch off multiple IT systems recently following cyber incidents last year, while a cyber-attack on the KA-SAT satellite cause huge disruption to a German manufacturer’s turbines. In September 2022, a Canadian manufacturer of solar PV modules, was reportedly hit by a ransomware attack, and, earlier this year, electric vehicle charging stations in the Isle of Wight were accessed and forced to display the hacker’s chosen content on screen.
Legislating for resilience
A key factor in ensuring that current and future infrastructure is safeguarded the requirement for mandatory security legislation and regulations to be imposed. However, at present, much of the new infrastructure – from EV charging networks to offshore wind farms – are not legally mandated to protect their networks and systems; consequently, there is no guarantee that new infrastructure is secure by design or being managed in a secure way.
The Energy Security Strategy, released earlier this year, describes the government’s aim to have up to 5GW of floating offshore wind operating by 2030, backed up by up to £160 million in ports and supply chains, and £31 million in research and development. But the strategy fails to mention the need to embed cyber security, and its importance in protecting this increasingly critical national infrastructure.
In the UK, government has implemented the NIS Regulations (NIS-R), which centre on providing legal measures to improve the overall security posture of network and information systems that support the delivery of essential and digital services to the public. The NIS-R, however, were developed with a traditional energy ecosystem in mind rather than the progressive and demanding energy transitions needed to underpin a Net Zero society. This is reflected within the regulations’ restricted definitions – as they stand, for example, many wind farms do not currently meet the power output thresholds to be deemed an ‘essential service’. Despite this, however, good practice frameworks such as the NCSC Cyber Assessment Framework exist, which provide guidance on risks, while maturity assessments and compliance assessments can highlight gaps in cyber security, allowing a roadmap to be developed to prioritise cyber risk mitigation activities.
Secure by design
Whilst legislation would provide developers with a clear mandate with which to comply, cyber security must also be embedded from the outset.
Core to protecting both an individual organisation or asset’s digital and physical systems – and the UK’s future energy infrastructure as a whole – is ‘baking in’ security to the design, through identifying and mitigating these risks.
Security of supply has shifted front and centre of the energy debate in recent months: a resilient and reliable energy system is the backbone of society and, as new technology scales and becomes part of our Critical National Infrastructure (CNI), its reliability and safety will need to be assured. Recognising both the risks and the importance of protecting interconnected, vital energy infrastructure from attack means prioritising the issue is vital to secure the route to net zero.
Campbell Hayden is Managing Consultant at Atkins, and Polly Curtin is Cyber Security Consultant. More information about the cyber security risk towards Critical National Infrastructure and how to bolster resilience from these risks is available here.