Solar

FBI warns of cyber risks as renewable adoption increases

FBI warns of cyber risks as renewable adoption increases
(Image by Jean Martinelle from Pixabay )

The Federal Bureau of Investigation (FBI) has released a notice warning that the growing prevalence of renewable energy resources could mean more avenues of attack for malicious actors.

Malicious actors could seek to disrupt power generating operations, steal intellectual property, or ransom information critical for normal functionality to “advance geopolitical motives or financial gain” by targeting the renewable energy industry, the FBI said. With federal and local legislature incentivizing more renewables adoption, attackers will get more opportunities for disruption.

Cyber attacks against residential solar systems have been historically rare, the FBI said, but attackers could target microgrids or inverters at solar farms to create disruptions.

The FBI highlighted one incident in 2019 when an unnamed private solar operator in the U.S. “lost visibility” into around 500 MW of wind and solar sites in California, Utah, and Wyoming after a denial-of-service attack exploited an unpatched firewall. Although it was not determined whether that incident was a deliberate cyberattack targeting a specific company rather than a target of opportunity, the FBI said the incident “highlighted the risks posed by a security posture that relies on outdated software.”

If someone wanted to conduct a cyber attack on either a residential or commercial solar system, they would likely target the system’s operational technology (OT) software and hardware, the FBI said, to gain control over the system through the inverters. Some inverters have internet-connected monitoring systems, which poses an even higher risk.

It’s not all doom and gloom in the FBI’s eyes – the Bureau provided a list of recommendations for organizations to take to improve their security posture. Apart from establishing and maintaining a strong relationship with the FBI Field Office in their region, the FBI recommends organizations:

  • Routinely monitor network activity for unusual or suspicious traffic or activity
  • Update company networks to patch any potential security vulnerabilities, along with firewalls and antivirus software
  • Report computer network intrusions to the appropriate law enforcement organizations
  • Report unexpected visits to company facilities or suspicious solicitations to employees while attending conferences or during foreign travel
  • Consider risks from vendors (including sub-vendors or parent companies) carefully to avoid exposure to deliberate exploitation of supply chain vulnerabilities as an attack vector.

Apart from these broad strokes, the FBI had more specific recommendations to prepare for cyber incidents:

  • Maintain offline backups of data and regularly maintain backup and restoration.
  • Ensure all backup data is encrypted and cannot be altered or deleted, and covers the entire organization’s data infrastructure.
  • Review the security posture of third-party vendors and those interconnected with the organization.
  • Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Require all accounts with password logins (i.e. service accounts, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies.
  • Require phishing-resistant multifactor authentication for all services to the extent possible.
  • Segment networks to prevent the spread of ransomware

Tags