Renewable energy companies are falling behind in terms of cybersecurity readiness compared to their traditional counterparts, posing a potential risk to critical infrastructure, according to a recent study. The study, which surveyed 250 energy companies globally, found that oil and natural gas firms scored the highest, with an average rating of 94 out of 100, while renewable energy companies lagged behind with a median score of 85.
One of the main reasons for this discrepancy is that green energy companies typically have more Internet-connected distributed generation infrastructure, such as rooftop solar panels and wind turbines. These connections make them more vulnerable to cyberattacks compared to traditional energy companies, which often have legacy technologies that are not Internet-facing, according to Ryan Sherstobitoff, a senior vice president at SecurityScorecard, the firm behind the study.
The concern over cybersecurity in the energy sector is particularly pressing as countries like the US invest in green energy infrastructure and ramp up their cybersecurity defenses to protect critical infrastructure. Nation-state groups have increasingly targeted the critical infrastructure of the US and its allies, making cybersecurity a top priority for energy companies. The distributed nature of green energy generation may help mitigate widespread outages, but their Internet connections remain a weak point, as highlighted in the SecurityScorecard report.
Attacks on renewable energy companies could disrupt their ability to manage generation sites and potentially lead to power outages for consumers. For example, electric vehicle charging stations, which require connectivity, have been vulnerable to compromise and disruption. In some instances, attackers have targeted green energy infrastructure, including a solar firm that lost control of its wind and solar sites after a denial-of-service attack on an unpatched firewall.
The risk extends beyond the companies themselves to individual homeowners with rooftop solar panels, as they become potential targets for cyberattacks. As more households adopt solar energy systems, the need for robust cybersecurity measures becomes increasingly crucial to prevent disruptions in power supply.
Third-party suppliers also pose a significant risk to the energy sector, with nearly half of breaches involving third parties. Green energy projects, in particular, often involve local management or smaller startups, which can increase vulnerabilities. As the US pushes for more green infrastructure, the industry may become a larger target for cyber actors.
Regulations are driving investment in cybersecurity for energy firms, with many citing regulatory requirements as a top reason for allocating budget to cybersecurity. Companies are increasingly recognizing the importance of cybersecurity in the renewable energy sector, with a growing focus on addressing vulnerabilities and complying with regulations.
In conclusion, while renewable energy companies may be lagging behind in cybersecurity readiness compared to traditional energy firms, there is a growing awareness of the need to bolster defenses and protect critical infrastructure. As the energy sector continues to evolve, cybersecurity will play an essential role in safeguarding operations and ensuring the reliability of green energy generation.