Interview

Zero-trust cybersecurity – decentralised risk, everyone’s consequence

As decentralised power grows, the industry’s exposure to cyberattacks grows too. Andrew Tunniclffe speaks with Xage Security’s Duncan Greatwood on how the growing use of remote, autonomous and decentralised facilities heralds a new era of cyber risk.

Duncan Greatwood. Credit: Xage Security

Hackers and nation-state actors are vigorously targeting the systems that underpin our everyday lives, looking to cause chaos, warns Xage Security’s CEO Duncan Greatwood. “For example, attacks against water infrastructure can lead to contamination, and a subsequent health emergency, while attacks on the power industry can cause blackouts, impacting critical functions like healthcare and communication.”

Just 12 months ago, the Cyber Priority report, published by risk management provider DNV, concluded that energy executives anticipate life, property and environment-compromising cyberattacks on the renewables sector in the next two years. It was a sobering warning, with 84% of those surveyed saying there would be physical damage to assets, and 57% believing there may even be loss of life. However, almost a third said their company wasn’t doing enough. Worse still, a similar amount admitted to not actually knowing what needed to be done.

Today, those cyber risks escalate still. Greatwood explains that he believes implementing preventive cybersecurity capabilities should be a key priority for all industrial organisations and critical infrastructure operators in 2023 – particularly those operating in renewable energy.

Andrew Tunnicliffe: How important is it in today’s geopolitically fractious world to ensure critical infrastructure is protected against cyberattacks?

Duncan Greatwood: To protect the world’s critical infrastructure – against a backdrop of rising geopolitical tensions  – it’s no longer enough to know you’ve been hacked. When minutes of downtime can leave communities without gas or water, or cost lives, you need to stop attacks before they start. Operators need to move from a reactive to a proactive mindset and implement strategies that block hackers at the source.

Zero-trust strategies [where companies always act as if their digital security is breached] are key, and can help defend operational assets while keeping workers safe. While security is everyone’s responsibility, multi-layer defence mechanisms must be in place, helping prevent large-scale attacks and keeping assets, systems and networks – the foundation of safety, public health and economies – secure. 

Andrew Tunnicliffe: What are the unique challenges faced by renewables, and how should operators counter them?

Duncan Greatwood: One sign the renewable energy industry is maturing is the correlating uptick in cyber-attacks targeting it. Power projects often rely on IT-centric tools to meet demand for remote access to distributed infrastructure. However, these tools have security gaps and cannot natively secure industrial control systems, creating ideal circumstances for cyber-attacks.

By embracing zero-trust principles, companies can minimise potential attack surfaces and cyber-harden their systems

Power projects need to increase collaboration between public and private sectors in blocking high-risk threats. They must also take an explicit trust mindset to close their systems’ critical security gaps. By acknowledging current vulnerabilities, energy companies will gain more visibility into where new measures need to be put into place to protect their vital operations. By embracing zero-trust principles, they can minimise potential attack surfaces, cyber-harden their systems and enable those who need access to the most sensitive information to receive it promptly and securely, while keeping adversaries away.

Andrew Tunnicliffe: How have those risks evolved in recent years?

Duncan Greatwood: Accelerating clean energy adoption has become a priority across the globe, but renewable power sites rely on security models that are slow to innovate and vulnerable to compromise. Malicious attackers see these vulnerabilities and have been rapidly acting on them, leading to an increased volume of energy-related attacks.

Last year, 7,800 wind turbines were impacted.

Renewable energy companies are increasingly targeted with ransomware, causing operational disruption which can contribute to lost earnings, liability around contractual obligations, regulatory fines, outages, property destruction and more. Case in point, over 60% of organisations in the energy sector are challenged to keep pace with their evolving cyber risks. Last year, three wind-energy companies were the targets, impacting 7,800 wind turbines.

Andrew Tunnicliffe: Are autonomous facilities, such as decentralised and community-owned renewable plants, at greater risk?

Duncan Greatwood: Autonomous power plants and facilities should be on high alert as continued decentralisation shifts the risk exposure to the grid edge with hyperconnected communication systems making remote attacks easier, potentially providing an open window to exploit systems. While individual facilities may be smaller, there is risk of a hack spreading rapidly across the whole infrastructure like a “cybersecurity wildfire”.

Renewables connected by the cloud. Credit: Jim Watson/AFP via Getty Images

Autonomous facilities should do a thorough self-assessment of their security infrastructure and invest in cybersecurity frameworks that prioritise prevention and automated attack containment. For example, operators should carefully manage access to their systems for both user-to-machine and machine-to-machine interactions, ensuring asset interfaces and vulnerable protocols are not exposed, prioritise access credentials getting rotated on a scheduled basis, and more.

Andrew Tunnicliffe: Since last year, attacks on critical infrastructure have been on the increase. What are we learning from those events?

Duncan Greatwood: Critical infrastructure attacks – physical and cyber – are at an all-time high. Why? They result in widespread impacts, draw international attention and increase the likelihood of a ransomware payout. Every second of downtime at energy, utilities, hospitals and other critical infrastructure sites can leave communities stranded and even cost lives, forcing the attacked parties to respond quickly. For instance, the attack on the Colonial Pipeline served as a wake-up call to infrastructure owners and operators and caused skyrocketing fuel prices and region-wide disruptions.

Prevention is possible, even once the threat has infiltrated the network.

With the volume of attacks rising, organisations are finally beginning to see the importance of rigorous preventative cyber hardening of industrial operations. This mindset shift will not just detect and respond to cyberattacks but block them from inception. Prevention is possible, even once the threat has infiltrated the network or compromised some systems.

Andrew Tunnicliffe: Legacy systems, like supervisory control and data acquisition (SCADA), have been highlighted as potential avenues for attack. Is it possible to overhaul these, and if so, how?

Duncan Greatwood: Many traditional SCADA systems are vulnerable due to lacks of secure managed identities, secure authentication, communication encryption, an inability to be patched with security updates, and other issues. With that said, systems like SCADA can certainly be protected by overlaying them with cybersecurity capabilities such as multi-factor authentication and strict access control. While throwing legacy assets away is not an option, overlaying them with modern technology is key to success, longevity and continued secure operation.

Andrew Tunnicliffe: As supply chains become increasingly digitally integrated, how can power generators protect themselves from becoming victims – as the intended target or an indirect casualty?

Duncan Greatwood: Pay close attention to who you partner with and how you provide access to your operational technology, IT, and cloud environments. To protect power distribution, every partnership should be led with conversations around security and protection – as our society and day-to-day lives depend on it. Ensure your partner has state-of-the-art protections in place; if they don’t, it’s not the right partner for you.

Andrew Tunnicliffe: What new technologies or processes are being utilised to defend against such attacks?

Duncan Greatwood: Critical technologies to defend against such attacks include identity-based access management for on-site security, zero-trust remote access and data protection. These solutions, overlaid on top of existing environment architecture, can help power generators go beyond threat detection to protect assets, eliminate blind spots and risky implicit trust zones, and simplify access and improve user experience.

Andrew Tunnicliffe: A lack of harmonised regulation across Europe has long been criticised for the unnecessary risk it gives renewables. What are regulators and countries doing to address this?

Duncan Greatwood: Every country is responsible for protecting its renewable infrastructure; European countries are no different. While the US is finally taking major steps to put regulations in place, Europe has at times been slow to act, leaving many critical functions vulnerable. It’s in Europe’s best interest to extend zero trust principles into operational technology across all systems and critical functions. They should also establish more aggressive requirements for critical infrastructure providers and strengthen solidarity to better prevent, contain, detect, prepare for and respond to large-scale attacks. Putting these requirements in place shows attackers that Europe will not back down and continue fighting their attacks.

Andrew Tunnicliffe: What do you think the next big development will be in cybersecurity?

Duncan Greatwood: Preventative zero trust is the future of power generation and renewables cybersecurity. Best implemented using a resilient “cybersecurity mesh” architecture [where different business functions are digitally isolated from each other], preventative zero trust provides the holistic, integrated security structure needed to secure all assets and improve resilience. With a mesh overlay approach, companies can rest assured that their infrastructure will run reliably, securely and keep pace with shifting threats and compliance requirements. In fact, [technology consultancy] Gartner that by 2024, organisations adopting a cybersecurity mesh architecture will reduce the financial impact of individual security incidents by an average of 90%.

In the long-term, distributed energy resources and transactive energy may transform market-based exchanges between energy producers and consumers across the grid. Their adoption requires a distributed cybersecurity architecture that provides security controls at the edge [of company systems], edge-to-edge, as well as edge-to-centre, while addressing methods for identity-based access control and data integrity and privacy in multi-party environments. This not only keeps power secure across multi-party deployments, it upholds the integrity of the next-generation grid.