Smart City

Smart City News

Smart City Home

Will IoT Implementation in Renewable Energy Create New Cyber Attack Risks?

By Cynthia S. Artin
September 25, 2018

Water, Wind and Solar energy (WWS) has the potential to replace diminishing and polluting fossil fuel, petroleum, coal and other traditional power sources in a way that can change the very course of our planet’s future.

Sustainable energy is already driving positive changes throughout the world, even as we are still early in the process of scaling WWS and making naturally generated power available through more modern grids, in the developed and developing worlds.


The challenge of scale is being addressed by Internet of Things (IoT) and Industrial Internet of Things (IIoT) through instrumenting larger and larger systems, including wind farms, water farms, hydroelectric dams, and more.

The IoT and IIoT, combined with the analytics and control systems connecting and managing sensors and other equipment will help harness clean power, but also manage that power through changes in demand by being able to store and ship power from a solar plant, for example, even through extended periods of cloudy weather.

The beauty of IoT and IIoT is in the mix: for example, with smart appliances in the home, individuals can understand and manage their own power usage to reduce their cost of energy and contribute to a more sustainable planet.

Those same consumers can allow their energy providers or suppliers of their appliances to remotely manage consumption of energy.

The energy providers can do this on a mass scale, with tens of hundreds of thousands of homes, and help entire communities conserve sustainable energy, thus improving the supply and demand cycles required for peak times, all while creating lasting improvements made possible when we make the switch in a systematic way from reliance on traditional to sustainable energy.

This works from the “top down” too, when utilities and municipalities work together to build new energy sources to serve businesses and consumers, leveraging new business models in the process (for example revenue sharing between the utility company and the government, with private-public partnerships emerging as part of not only “smart city” but “smart region” initiatives).

Coming from the ground up, or from larger, funded initiatives, this is all good – but are we missing something while imagining this new ideal world?

Security experts believe we are, and we’re starting to see more and more publishing on the security threats associated with not just traditional nuclear, electric and hydroelectric plants, and the closely related energy and communications grid, but with sustainable energy particularly when the day comes that we are applying as many sensors to that as we are applying to existing, aging infrastructure.

With sustainable energy systems instrumented, there are now tens of thousands of sensors and gateways at the edge of IoT/IIoT networks, where a huge amount of data is collected and analyzed, including electricity loads, wind energy volume based on blade resistance, solar panel temperatures and positions, and more. There is the potential to sense, measure, monitor and control any component that is electrified.

This data is also uploaded via networks to clouds for processing whatever is not being locally computed, and all this starts to add up to a growing attack surface which cyber criminals can leverage for hacking into systems (plants as well as homes and businesses) to gather information, to initiate denial of service attacks, to initiate a ransomware attack, and more.

Last year, David Vazquez Cheatham, at the UNM National Security Studies Program published a paper on “Security Readiness: Key Issues Within Civilian Critical Power Generation Infrastructure.” In this paper, Cheatham noted:

“It has been known for decades that the US Power infrastructure contains key weaknesses in both physical and cyber security countermeasures. In addition, hardware design of primary control centers and critical components are in need of a major overhaul by design engineers building in features that will address the known cyber security weaknesses. In order to address physical security weaknesses across the US, a standard must be set with a system to both guide and hold accountable energy providers physical security of critical infrastructure. Despite calls for action from the scientific community, analysts and even congressmen there has been little headway. The need for upgrades has become critical in nature for our national defense due to threats from a range of attacks: physical, cyber, electromagnetic pulse, directed energy weapons and certain severe weather conditions can all wreak havoc.”

Cheatham covered the entire range of threats coming from nation states, terrorist groups, individual hackers and organized crime, and delivered a strong call to action for regulators to fund, fix and upgrade grids, including those using sustainable, clean energy. “The economic effects of continued physical and cyber-attacks from threat actors on the grid will only increase as long as there is a dearth of political will, necessary to implement regulatory action,” he wrote.

Cheatham lays out the current means to ensure reliability, via Reliability Coordinators (RC) who have the authority to prevent or mitigate operational emergencies in both next-day analysis and real-time operations, Balancing Authorities (BA) who balance load and generation within their footprint and maintain interconnection frequency, and Transmission Operators (TOP), who direct the operations of their local transmission system.

The balancing authorities within the United States and Canada interconnect and coordinate through a series of transmission lines and authority regions.

Attacks to the power grid may come in a variety of methods, including through natural occurrences, including cyber attacks during which threat actors “attempt to breach the grid primary control systems or supervisory control and data acquisition system (SCADA) through different attack vectors like weak security protocols, or Smart technologies directly linked to the internet allowing direct access to grid control.”

Cheatham points out that “while older systems had ‘air gaps’ between the public Internet and SCADA and primary control systems as a security feature…as Smart Grid technologies are installed, there will be a greater number of access points to the critical networks.”  

The paper goes on in detail to make the case for investing in security systems specifically designed to address a more connected grid, including the newer grids coming out in the sustainable energy arena.

“According to the Center for Study of the Presidency and Congress there is an opportunity to build security in to software and hardware systems currently under development,” Cheatham writes, adding “The next generation of ICSs and electronics that will control the Smart Grid are still being designed and deployed, allowing for implementation of modifications to correct known deficiencies.”

“Utilized properly, the Internet of Things along with smart metering, cloud computing as well as wireless connected sensors could help one not only to generate and use own electricity, but also export power to a central grid,” Cheatham concludes.

There are no major (publicly declared) cyber attacks on WWS systems in the US to date, however many experts are warning that successful attacks on more traditional energy infrastructure will be replicated particularly as the sustainable energy market grows in scope and value.

Fraser McLachlan, CEO, GCube Insurance, a major provider of insurance for renewable energy projects across the globe, told PV Tech in a recent article, “There have been a number of recent attacks, but perhaps the most significant was the Triton attack a few months ago in which hackers infiltrated the safety systems used in energy plants thereby halting operations in at least one facility (rumoured to be in the Middle East). In this attack the safety systems were ‘fooled’ into thinking everything was functioning normally, while hackers were actually taking control covertly. Significantly, intelligence experts have predicted that this attack will likely be replicated.”

According to the article, “The worry is that such attacks could easily infiltrate the renewables sector as well,” which was part of the impetus of GCube’s launching an insurance offering for the protection of renewable energy projects – by including coverage for things like SCADA and excluding things like client data breaches. It’s the “natural next step” and according to McLachlan, there is significant demand for this new product.

Given that data from IoT/IIoT travels primarily over the Internet, we asked Rick Conklin, CTO, Dispersive Networks, about his experiences securing SCADA transmissions between independent power producers and the independent system operator in the Western U.S.

“We appreciate that independent system operators need real-time asset visibility from bulk systems to the grid edge in order to balance supply and demand and ensure the safe operation of the grid, Conklin said. “However, we also know that bad actors are constantly probing the grid for vulnerabilities and ways to gain access to the network. We consequently developed a software platform that implements a series of techniques to minimize the attack surface and protect against DoS/DDoS, MiTM, malware and ransomware attacks, all of which have the potential to disrupt the integrity of the grid and the power supply. Uniquely, our platform can extend to any connected device, whether it’s IoT, an electric vehicle, a RIG (remote intelligent gateway) at an Independent power producer, or an energy control network at an ISO. In totality, we’ve implemented an approach that empowers the grid with a solution that:

  1. Extends security to all endpoints
  2. Implements zero-trust perimeters and network micro-segmentation to defeat the threat of an unprotected IoT device being used as an attack vector
  3. Uses techniques to make assets invisible to those using traditional scanning and discovery tools
  4. Provides true path and link diversity

Realizing the promise of renewables requires a dynamic networking solution that exceeds NERC CIP cybersecurity controls.  We’re proud to deliver that solution today.”

According to Michael Hathaway, co-founder and CEO of Windmill Enterprise, and a technology provider to numerous energy companies over the last decade, “The current state of IoT is a total threat to energy grids due to the lack of common data models and inconsistent security implementations.”

Hathaway added, “IIoT is about data not things. Connecting a device to an app or cloud API just creates another data silo.”

On the “Internet of Data,” Hathaway pointed out “Electric utilities are slow to move. The business models around distributed energy systems are a threat to their very existence, making them even slower to adopt distributed technology.”




Edited by Ken Briodagh

Contributing Writer

SHARE THIS ARTICLE
Related Articles

Google and the Future of Machine Learning and AI at the IoT Evolution Expo

By: Ken Briodagh    12/18/2018

We spoke to Ricardo Prada, UX Director at Google, and upcoming keynoter at the IoT Evolution Expo, about his session on the future of Machine Learning…

Read More

Danalock Smart Lock to Be Featured in Z-Wave Smart Home Demo House

By: Ken Briodagh    12/18/2018

Danish smart lock and keypad now available through major North American retailers, including Amazon, Best Buy, Walmart, and Wayfair

Read More

Two Global Industrial IoT Organizations Join Forces to Advance Progress in 2019

By: Special Guest    12/18/2018

In surprise news from the Industrial Internet Consortium and OpenFog, the organizations announced they have agreed in principle to combine forces to b…

Read More

Netnod Expands in Norway with Bulk Infrastructure AS Data Center

By: Ken Briodagh    12/18/2018

Netnod, Internet exchange point in the Nordic region, has selected Bulk Infrastructure AS's data center, the Oslo Internet Exchange (OS-IX), as the lo…

Read More

Smart Devices, Smart Infrastructure in Chicago's West Loop

By: Cynthia S. Artin    12/18/2018

Can the street tell your car where to park? Can you tell a streetlight to turn on?

Read More