Governments across the globe are investing in the energy transition, but the speed of the shift means a rapid integration of renewables and distributed energy resources (DERs), more attack surfaces and, often, less robust cybersecurity.

Critical infrastructure components are common targets for cyberattacks, and power utilities are particularly favoured. Recent examples include BlackCat/ALPHV’s ransomware attack on Empresas Públicas de Medellín (EPM) in 2022 and a series of attacks that have affected three Germany-based wind-energy companies since Russia’s invasion of Ukraine.

The energy transition is increasing grid vulnerabilities

Globally, 50% more renewable capacity was added to the grid in 2023 than in 2022, equating to almost 510GW. Solar PV comprised three-quarters of these additions, and the IEA expects that the next five years “will see the fastest growth yet”.

While the integration of clean energy sources is good news for the climate, cybersecurity measures are struggling to keep up. Alfie King, associate analyst at GlobalData, explains: “The traditional electric grid is undergoing a transition with the integration of renewables and DERs, which lie at the grid edge.

“DERs such as solar PV units create an expanded attack surface for hackers to exploit, and the management and operation of these assets creates a greater need for automation. This introduces information exchanges between the DER and an energy company’s distribution control system to manage the flow of energy in the grid, and the industrial internet of things (IIoT) technologies that enable this communication can sometimes lack security. Therefore, the need for adequate cybersecurity protection of these assets becomes clear.”

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

In 2022, the US Department of Energy reported that, at that time, DER cyberattacks would have “a limited, local impact” for grid operations but warned that the introduction of high solar and DER deployment would see a rising “potential for a broader impact”.  It further reported that “all providers of DER infrastructure and services should be aware of and plan for this eventuality as a threat to their business models”.

Cybersecurity risks are growing as attack surfaces increase, but the issue of authentication and encryption poses the make-or-break question for the energy transition. This is particularly true for IoT devices, which can be susceptible to ransomware or malware infections, and attacks targeting operational technology (OT) and industrial control systems (ICS). These attacks are already putting grids at risk and, in 2015, BlackEnergy and Industroyer2 (OT/ICS-specific malware) were responsible for the attack of Ukraine’s power grid, which interrupted electricity supplies and compromised the systems of three distribution companies.

GlobalData senior energy transition analyst Francesca Gregory, comments: “The increasing prevalence of renewable energy and smart grids within electricity networks creates heightened cybersecurity challenges for the power sector. Disparately located generation, transmission and distribution infrastructure has increased the need for digitalisation to manage assets, which in turn has caused the power sector’s attack surface to rise rapidly.

“Network and endpoint security will be key focus points for power players’ digital strategies going forward, as companies across the sector attempt to keep pace with the energy transition by capitalising on digitalisation while simultaneously fortifying the digital security of their assets. It remains to be seen if all will be capable of maintaining this balancing act.”

A myriad of changing threats

The delicate “balancing act” of expanding assets and securing them adequately is exacerbated by an ever-changing array of external risks. It’s a point made by King, who highlights the issues raised by a volatile geopolitical scene: “Russia’s invasion of Ukraine in particular has demonstrated the increased focus of state-sponsored cyberattacks on power sector critical infrastructure, and therefore the increased importance of cybersecurity in the sector.

“While geopolitically motivated attacks on power infrastructure were already occurring before the Russia-Ukraine conflict, state and non-state actors are now increasingly attacking businesses and state institutions inside and outside of Ukraine. State actors may invest in specialised malware that has been written to target specific equipment or operational processes, but power companies need to be vigilant and proactive in ensuring the security of both their IT and operational technology (OT) assets.”

The need for vigilance comes particularly from the digitalisation of the energy sector – another constantly evolving risk. The introduction of digital systems, telecommunication equipment and sensors across the grid has increased the number of potential entry points for malicious actors, while their connectedness offers an extended attack surface.

The frequency of attacks is increasing, as is the need for improved cybersecurity, as companies adapt to the energy transition. A recent report from cybersecurity asset intelligence firm Armis identified that the utilities sector saw an increase in cyberattacks of over 200% in 2023, making it the most at-risk industry ahead of manufacturing, which saw a 165% increase.

Companies must take measures to protect their assets then, a point King emphasises.

“Due to the importance of cybersecurity for a company in the power sector and the fact that just one attack can bring down an entire power network and have severe cross-sector implications, companies should virtually invest across the entire cybersecurity value chain,” he says.

“Different types of cyberattacks focus on different sections of the value chain. For example, email security is important for preventing phishing attacks, whereas threat detection and response, which may likely include endpoint detection and response, would be useful for finding and countering malware or zero-day threats. Companies can also implement a zero-trust security model, meaning that verification is required from internal users, programs or devices trying to gain access to resources on a company’s network. An added layer of security can be successful in preventing data breaches.”

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up