Intensifying weather events are not the only threats to reliable power delivery. Recent high-profile cyberattacks on energy and food infrastructure have exposed the vulnerability of critical networked systems. In episode #2 of the Power Players by Origis podcast, GridSME CEO John Franzino joins Origis Services Managing Director Michael Eyman to describe the bad actors targeting energy facilities and to share practical security controls that solar owners should implement to protect their assets. How does the clean energy paradigm shift affect grid compliance issues and cybersecurity? Read, listen, or watch “Solar Asset Grid Security in an Increasingly Insecure World” to find out.
MEET THE PLAYERS
Critical technology is facing a global ransomware crisis. Following a recent string of cyberattacks, the member nations of the G7 Summit declared a joint effort to more stringently hold cyberattackers (and the nations harboring them) accountable. But what can solar owners or operators do now to protect themselves and grid reliability? Grid security expert John Franzino and Origis Services’ Michael Eyman take a deep dive on the topic and share their suggestions in the second episode of the Power Players by Origis® podcast.
John Franzino, CEO at Grid Subject Matter Experts (GridSME), ensures the success of the company’s people and clients (in that order). His years of experience implementing compliance programs, managing fast growing teams, providing technical support and advisory services, and executing complex projects give him an expert mix of technical and business skills along with a fresh perspective on improving the cybersecurity status quo.
With decades of leadership and operations experience, Managing Director Michael Eyman leads the team responsible for Origis Services’ multi-gigawatt portfolio. Eyman’s skill in strategic and secure growth has allowed Origis Energy, third-party asset owners and their clients to rapidly expand while maintaining best-in-class security systems and procedures.
SCRIPT KIDDIES, CRIMINALS, AND TERRORISTS
During their discussion, Franzino and Eyman addressed three basic categories of cyberattackers. The first is individual hackers who disrupt internet-connected resources out of curiosity or fun. While these actors can certainly cause damage, they’re not typically behind high-profile ransomware. The second is criminal organizations who monetize data theft and who may be passively or actively supported by governments. The third is nation-state hackers who monitor, expose, and exploit vulnerabilities for geopolitical reasons.
While this third group performs the most sophisticated campaigns of surveillance, espionage, and terrorism, it is in the second category where we are experiencing the largest uptick in cyberattacks. “It’s another business entity,” stressed Franzino. Groups like DarkSide, the hackers responsible for the Colonial Pipeline attack, use sophisticated marketing, research, technology, and customer service to increase profit. “This is called ransomware as a service. . . They have a webpage, or at least they did. . . They have an ethics section about who they’re targeting, who they will not target. What their rules of engagement are.”
The threat doesn’t end there. According to Franzino, energy companies may have to scramble to protect themselves against these agile and innovating groups. “My opinion, we’re 5-10 years behind healthcare and finance industries when it comes to cybersecurity, because, until the advent of ransomware, we weren’t being targeted and beat over the head by the criminal hackers.”
SOLAR ASSET PROTECTION AND NERC CIP COMPLIANCE
“So, as a company in this space, who is managing all these assets, and for other people out there who are doing the same or who are worried about this, what do you do?” asks Eyman. Franzino has a clear response: “Start with the fundamentals.” For existing facilities, this includes taking an inventory of all internet-accessible resources, no matter how small. Hackers constantly use bots to crawl the internet looking for vulnerabilities, so they’ll find your weaknesses if you don’t find them first.
Once you’re aware of and tracking all internet-connected resources across an organization, you can apply security best practices such as inventory management, access management, vulnerability management, and patch management. These fundamental controls are also a responsibility shared with operations. All technology needs care and maintenance. Cleaning, repairing, updating, and replacing resources not only boosts operational efficiency but also protects against cyberattacks.
In addition to these suggested best practices, there are also actions that must be taken to be NERC CIP compliant. No matter what kind of company you are—big, small, operator, owner—you have a compliance responsibility when your assets meet certain criteria. As a general rule of thumb, inverter-based resources must register with NERC when the grid interconnection reaches 75 MW. It’s also crucial to understand that each company must meet compliance for the assets it owns: generator owners are responsible for solar facilities, and generator operators are responsible for control centers.
FINDING YOUR LEVEL OF COMPLIANCE AND SECURITY
Facilities also have different levels of NERC CIP compliance (low, medium, and high impact) based on size, complexity, and grid context. Franzino explains: “Just to put that in context, in the CIP low impact requirements, there’s about let’s call it 15 requirements/sub-requirements total, about things that needed to be done, checked off the list, controls implemented. When you go to medium impact, there’s about 190-plus requirements.” That’s a huge jump!
One way that companies can reduce the complexity and cost of both compliance and security is to consider them during planning. Define design criteria upfront, use design templates across facilities, and implement consistent networking. Incorporate consistency into planning, and it will be much easier and faster to inventory, maintain, patch, and secure facilities in the future.
Each company should have in-house security capabilities, but that doesn’t mean you have to go it alone. Michael Eyman, for example, has built both in-house resources at Origis Services and also relationships with third-party experts such as GridSME. Eyman’s final recommendation highlighted this strategy: “Make sure you get the right people in, early in the process, and incorporate those costs into your model.”
Security threats, whether from individuals, criminal groups, or nation-state hackers, are not going anywhere. To protect profitability and the nation’s grid infrastructure, energy companies must adopt certain practices that will allow them to secure resources from known threats and to respond quickly to emerging attacks. John Franzino and Michael Eyman recommended these three:
- Understand the global security threats facing energy companies.
- Implement fundamental security controls for existing facilities.
- Incorporate consistent design practices and compliance costs when planning new facilities.
Thank you to host Michael Eyman and guest expert John Franzino for the straightforward discussion of the complex topic of solar asset grid security.