Gareth Baker
Partner
Co-leader of Energy (UK)
Article
Recent news surrounding potential flaws in the cyber security of the infrastructure of some onshore wind farms has highlighted the need for a robust and comprehensive approach to this area within the UK renewables sector generally, if the major role renewable energy generators are set to play in the energy industry's future is to be properly safeguarded. For example, a lack of efficient encryption procedures and a reliance on default passwords were both key risks raised in relation to the management of wind farms. A similar warning has been made about solar power, with reports circulating that a Dutch researcher has identified 17 vulnerabilities in certain inverters. Given the wider political uncertainty that exists in the UK at the moment, security of supply is more important than ever.
Some of these flaws were highlighted at the recent Black Hat Cyber-Security Conference in Las Vegas and serve as a reminder to the industry not to overlook the issue of digital risk.
This article will explore the need for the energy sector to be more preventative and work closely with contractors to take precautionary steps around digital risks and cyber security, instead of simply adopting a reactionary approach to attacks and suffering the negative consequences and associated brand damage that goes with this. Pro-active, preventative steps are now becoming a core aspect of an organisation's approach to managing risk.
Recently, a number of Irish energy firms were reported to have been targeted by hackers, with this occurring, crucially, immediately after a warning was given to the industry about potential vulnerabilities. Further to this, The Times recently reported that individuals at the Electricity Supply Board (ESB) had been sent personalised emails containing malicious software. While the attack did not cause disruption to the network, it is clear with attacks happening in such quick succession that there is a clear and present risk to firms in the sector. As well as the business disruption and reputational problems that can be caused by a cyber-attack, the loss of personal and confidential data could compromise the day-to-day and long-term security of a provider and leave them vulnerable to further breaches.
Furthermore, security agency, GCHQ, has recently highlighted that Britain's energy grid, as well as a number of other sectors, may have been actively targeted by cyber criminals after citing a report obtained by Motherboard. As well as the active warning about hackers targeting the energy sector, the document claims that some industrial control system organisations are already likely to have been successfully compromised.
When taken with the lessons of recent attacks in the energy sector as well as throughout other sectors and industries, the force to recognise the need for preventative efforts becomes even greater.
The recent wide-ranging external cyber-attacks such as the Wannacry and Petya related hacks reinforce the real and immediate threat of cyber-crime to all organisations and businesses. However, there can be an "it won't happen to me" attitude amongst some business leaders. Within the recent Gowling WLG Digital Risks survey of around 1,000 European business leaders, two thirds stated that external cyber risks are the most concerning category of digital threat for businesses. This risk is anticipated to grow even further, with 51% of respondents believing that it will increase within the next three years. However, a much smaller proportion identified such areas of risk as a concern for them. Whilst this might be because some businesses are fully prepared, it is likely that many are still failing to prepare sufficiently for the full extent of the digital threats that they may face.
One area of concern raised about wind power at the conference was that the various checkpoints at which data is exchanged are too exposed and are therefore vulnerable to attack. By compromising just one of these individual access points, hackers could potentially cripple an entire network. The potential magnitude of such an event has a direct effect on the potential cost of an attack, with this reaching a staggering US$700,000 a day for major wind energy providers, according to experts at the Black Hat conference. Of course, the indirect costs could amount to a multiple of this number. While it is easy to band figures like this around, it surely demonstrates the scale of time and resources that should be invested before, not after, the event. The practical implications of interrupting a business service are obvious but the money it costs to restore this and vitally, the negative reputational effect it has, all combine to compel business leaders in the energy sector to act now. The sheer cost of 'downtime', should a cyber-attack occur has the potential to cause real long-term damage that can, with the right level of commitment and effort, be avoided to ensure that customer service continues uninterrupted and a market position is protected.
Ensuring that there are no gaps in the data security network of a wind power facility is therefore crucial. Simply applying blanket protection without addressing individual points of weakness could mean the objective of being 'cyber-secure' is not achieved. Instead it is better to apply customised protection designed to isolate weaknesses at key junctures in the network.
Furthermore, much of this functionality is outsourced to service providers, thereby relinquishing a certain level of control. It is therefore vital to ensure that preventative steps aimed at cyber-security are covered in any operations and maintenance contracts that are granted, to an adequate standard with the objective of ensuring recourse against the contractor if the systems are inadequate or improperly implemented. This also means undertaking upfront due diligence on the provider and reviewing that their systems are fit for purpose on an ongoing basis. As well as ensuring that contactors actually put the relevant protections in place, incorporating regular due diligence checks and creating fictional scenarios to test cyber incident response is also important. Here, this means that there is an intensified need for providers and contractors to work with external, as well as internal experts covering legal, technology and network-driven expertise - not only to get the right spectrum of input and advice, but also to ensure that any checks are externally verified to help ensure the overall approach is as robust as possible. Working in partnership with contractors to verify their ongoing preventative efforts should be a central feature of the overall management of a facility.
Protecting the country's infrastructure should now, as it has ever been, be a core priority. Safeguarding the renewable energy sector needs to be an integral part of wider efforts, especially as competition increases and the need to provide uninterrupted service to businesses and end users intensifies.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.