Rapid growth in environmental, social, and governance (ESG)-driven investment, combined with the ongoing availability of financial credits, continues to fuel consumer demand for renewable energy sources, such as solar, wind, rain, tides and geothermal heat. As a result, the renewables sector has seen consistent growth in recent years, and in 2020, renewables were the only energy source to experience increased demand. Renewables now account for 90% of new power capacity expansion globally.
The growth in demand for renewables has put dizzying speed-to-market and innovation pressure on renewable technologies. In the face of those pressures, organizations developing renewables can’t afford to overlook a critical facet of renewable energy tech—cyber resilience, especially as renewable technologies get plugged into existing national critical infrastructure, according to Deborah Golden, the US Cyber & Strategic Risk leader for Deloitte Risk & Financial Advisory and a principal with Deloitte & Touche LLP.
While everything from wind and solar projects to more nascent tech like green hydrogen production, carbon capture storage, and software-defined electricity addresses critical energy challenges like efficiency and climate change, Golden points out that these solutions also come with new digital and physical vulnerabilities. “To truly achieve a greener future,” she says, “organizations must not only develop cutting-edge technology; they must also integrate cybersecurity into the very foundation of these investments—it’s an opportunity to drive meaningful and socially responsible change.”
Changing the Renewable Energy Security Paradigm
Today, energy infrastructure worldwide faces escalating cyberattacks. Even though utilities are highly regulated, the digitization of operations—like automating controls and enabling remote access to those controls through the network—opens the door to threats like ransomware and distributed denial-of-service (DDoS) attacks.
Alternative energy companies may be tempted to deprioritize even the most basic security protocols as they focus on speed-to-market and go through different stages of ownership. The renewable solutions themselves are also more vulnerable than traditional utilities because of the vast scope, variety, and decentralized nature of the “smart” technologies built into them—from solar panels to electric vehicle chargers to thermostats. Individual entry points can give hackers access to entire networks of commercial and consumer IoT products. With this access, malevolent actors could take remote control of certain devices, cause equipment damage, and create service disruption, all of which may lead to higher costs and lost revenue for the industry—not to mention the public health and safety impact.
Take software-defined electricity, for example. The product, which increases the efficiency of electricity generated by any renewable source, uses advanced real-time computing to collect and analyze a tremendous amount of electricity data to adjust and correct electricity delivery, thereby dramatically reducing waste and increasing efficiency. But like any software connected to the internet, the underlying code is vulnerable to manipulation.
“Software-defined electricity will increase the cyber risk profile of companies that adopt it, but it can also provide value through data analytics and increased cyber resiliency,” says Sharon Chand, Deloitte Risk & Financial Advisory’s Secure Supply Chain Leader and a principal with Deloitte & Touche LLP.
Software-defined electricity can directly be used to increase cyber resilience, she explains, by aligning all the data it collects to help companies identify threats virtually undetectable through other sources. Meanwhile, renewable energy more broadly enables companies to enhance their overall business resiliency by providing alternative generating capacity when needed. However, as a broad range of commercial and residential customers begin to rely on these technologies to support their day-to-day activities, it’s critical to take a 360-degree view of continuous security operations, says Chand.
“The paradigm around security and renewables has to change,” Chand says. “The industry must build security into its products from the start and also focus on continuous security monitoring for emerging threats, in addition to considering segmentation or isolation to manage the impact of a cyber event.”
An Interconnected and Evolving Ecosystem
Securing renewable energy tech has another challenge that traditional energy companies don’t face: rapid development, divestiture, and acquisition cycles. The nascent and innovative nature of the renewables business creates a rapidly changing ecosystem that is inherently difficult to secure, according to Sam Icasiano, a senior manager with Deloitte Risk & Financial Advisory, Deloitte & Touche LLP.
What’s more, questions about accountability and who’s responsible for security run rampant, notes Chand, when one company installs the technology, another operates it, and third-party vendors service it—or when ownership of one or more of the companies changes hands.
And there’s another, perhaps bigger, issue at play: Virtually all of these security concerns are inextricably intertwined. As it stands, cybersecurity standards and practices vary widely among the ecosystem that provides our national critical infrastructure. But the responsibility for guarding against evolving threats must go well beyond the security decisions made by a single device manufacturer or traditional power utility company.
The U.S. government has long called on organizations operating the nation’s critical infrastructure to share information on threats and collaborate in other ways to improve cyber resiliency. As the role of renewables in the nation’s energy infrastructure grows, providers of renewables will have to play by the same rules. “Sharing information will be key to building a cyber resilient renewables industry and an alternative energy infrastructure that the public can trust,” says Golden. “It’s the socially responsible thing to do.”
Going forward, Deloitte expects to see an ever-increasing need for public-private collaboration around renewables cybersecurity and more involvement from the federal government.
“The theme of interconnectedness across this extended ecosystem is crucial to secure the future of alternative energy. It’s both an opportunity and a mandate for all of these different entities to come together, collaborate, and figure out improved ways to secure the renewables industry,” says Chand.
Enabling ESG Targets
As renewables begin to play a larger role in corporate ESG strategies, it may put even more pressure on the industry to focus on security and cyber resilience, especially if CISOs and ESG leaders at companies investing in renewables have an open dialog about the value and risks of these technologies.
“ESG and security leaders don’t want their companies’ efforts to mitigate sustainability risks to end up increasing their exposure to cyber risks, so they’re in a strong position to demand increased focus on cyber resilience from renewable energy companies,” says Chris Ruggeri, the Crisis & Resilience leader for the Cyber & Strategic Risk practice of Deloitte Risk & Financial Advisory and a principal with Deloitte Transactions & Business Analytics LLP. Additionally, the SEC has included ESG and cybersecurity disclosure on its rulemaking agenda with proposed cybersecurity rules expected this fall. “Although we are still a ways away from any final cyber disclosure rulemaking, we are heading in that direction and this could not only impact a public company’s brand and reputation but also its access to capital,” says Ruggeri.
And as the renewables industry matures and transforms its underlying operations, customers and regulators will come to expect that alternative energy companies will also have evolved their cybersecurity capabilities to drive performance and economic results. Those companies that begin weaving security into the fabric of their operations and product development processes today will be in a more competitive and resilient position—reinventing their approach towards tomorrow.
This article was produced by WIRED Brand Lab on behalf of Deloitte.