Opinion - 11/January/2022

Cybersecurity resilience is critical to reaching net-zero

Digital transformation in renewables is accelerating the green energy transition, exponentially expanding both the energy sources that can connect to the grid and the avenues for cyberattacks, says Clinton Firth from EY

The views expressed are those of the author and do not necessarily reflect the position of FORESIGHT Climate & Energy

Smart grids accelerating the green energy transition raise cybersecurity challenges

The rapid expansion of renewable energy capacity since 2006 has largely been made possible by digital transformation in clean energy, which relies on disruptive technologies and innovations to integrate different types of renewable energy into the grid. But this rapid growth has added an enormous cybersecurity complexity to wind and solar assets, as well as the entire grid.

Until now, conventional grids have operated using a centralised power generation model with power and information flowing in one direction. As the grid adopts and integrates more distributed renewable energy sources—such as residential solar panels—it requires a two-way flow of both power and information. Similarly, smart grids enable the bidirectional flow of energy, as well as two-way communication and control capabilities.

These transformations increase cybersecurity risk. According to the latest EY Global Information Security Survey (GISS), more than half (53%) of Power & Utility cybersecurity leaders have never been as concerned as they are now about their ability to manage the threat.

Distributed Energy Resources (DERs) simultaneously increase the number of actors and devices and decrease cybersecurity compliance. Consumers and small companies primarily own these smaller distributed sources, increasing the number of non-utility actors. At the same time, the number of devices connected to the grid is increasing, widening the attack surface. In this environment, unified cybersecurity practices are difficult to achieve and owners typically lack the expertise to implement and maintain sufficient cybersecurity.

 Furthermore, renewable energy resources connected to legacy operational technology (OT) introduces opportunities for scaled attacks. Renewables are often geographically distributed in remote areas and operate using advanced controls and digital sensors near generation sources. OT is an integral part of renewable energy plants, not originally intended to connect to the internet. Connecting these resources to the power grid also creates a higher risk for scaled attacks that extend past local resources and into the bulk energy OT systems.



Sophisticated data collection increases data security and privacy challenges. Traditional grids collect primitive data from limited data points to measure major changes in the load or voltage data over a long duration.

Innovative smart grids with DERs, however, collect a vast amount of data from smart meters, sensors and elsewhere. This data is then analysed for fault detection, to determine load profile patterns and to issue personalised energy consumption reports. Data collected crossing multiple connections and networks increases the possibility of breaches and requires a huge investment in data security measures that not all companies are prepared to make.

Renewable energy cyber attacks will increase in frequency and magnitude. Although renewable energy currently comprises a small portion of the total energy sector, it is poised to suffer from a disproportionate impact in terms of the frequency and aggressiveness of cyberattacks, which will only accelerate as renewables expand their share of the energy market.

A single cyberattack on a smart grid could have the catastrophic cascading effect of shutting down the power grid since most of these connected devices are omnipresent in society. In addition, as these devices are generally homogenous, once a single device is compromised, it can quickly develop into a mass event.

Yet, according to EY’s GISS even as new digital technologies expand the cyberattack surface, during the Covid-19 pandemic, 81% of organisations sidestepped cyber processes and did not consult cybersecurity teams at the planning stage of new business initiatives.




 The green energy transition needs to begin with cybersecurity risk thinking, not end with it. As digital transformations continue to extend across the energy ecosystem, powering the green energy transition, companies need to proactively protect their assets, support infrastructure and information capital adequately, and ensure their resilience to cyber threats. A security-by-design approach can instil a cyber risk optimisation mindset and embed trust into renewable energy digital transformations from the outset.

Chief Information Security Officers (CISOs) will need to justify their demands for cyber investment by factoring in the risk associated with cyberattacks, compliance requirements and the organisation’s needs for digitisation and system expansion. Establishing cybersecurity governance will help to secure sufficient resources for the cybersecurity program.

Energy companies will want to establish a governance framework and develop an effective threat, compliance and risk management methodology, with a road map to achieve digital maturity. They will also want to establish metrics to continuously track the status of adoption of the updated procedures and control directives. At the same time, they will need to hire, upskill or reskill the workforce to achieve the right blend of knowledge, skills and competencies to operate with confidence in the new digital environment.

A lack of visibility across renewable energy operating assets puts them at risk of attack. This is especially true as operators seek to protect distributed power generation assets far from their central location such as an offshore wind project. To secure these assets, energy companies will want to undertake and maintain a comprehensive and continuous discovery and inventory of operating assets to better understand their current status and their associated vulnerabilities.

Conducting periodic assessments will allow energy companies to identify security susceptibilities holistically across the energy environment and prioritise remediation efforts across all technologies based on business impact and risk appetite—before a vulnerability becomes a liability. Energy companies will also want to consider acquiring components from certified suppliers to ensure compliance with leading standards.

Assessing cybersecurity risks when engaging or integrating with third parties and understanding the potential impacts on the power grid are critical steps in identifying and mitigating gaps before integrating them into the organisation’s ecosystem. Similarly, energy companies will want to define security measures as part of the contract terms and align them with relevant critical infrastructure regulations to ensure compliance.



Digitally driven change requires cybersecurity resilience to reach a green energy world. Embedding security-by-design principles into renewable energy digital transformations and embracing a cybersecurity resilience framework can help energy companies manage a wide range of cyber threats across the entire ecosystem. It can also inspire confidence in digital transformations designed to fast-track the transition to renewables and pave the way to global decarbonisation.

To thrive in a green energy world, renewable energy companies need to both seize the opportunities from digitally driven transformation and protect themselves from the associated risks to maintain operational resilience and the trust of their stakeholders. As the attack landscape exponentially expands, there is no time to delay. •


Do you have a thoughtful response to the opinion expressed here? Do you have an opinion regarding an aspect of the global energy transition you would like to share with other FORESIGHT readers? If so, please send a short pitch of 200 words and a sentence explaining why you are the right person to deliver this opinion to opinion@foresightdk.com.


Leave a Reply

Your email address will not be published. Required fields are marked *