Energy enters a perilous era of supply chain risks

By Christian Vasquez | 07/07/2022 07:25 AM EDT

As the energy sector becomes more connected, cyber risks that cut across the global supply chain are becoming a greater threat.


Hackers targeting Ukraine hit a network of satellite modems and shut down the country’s internet service — hours before Russian troops crossed the border.

At around the same time, the remote operator of 5,800 wind turbines across central Europe also lost communications.

The jolt to both internet and electricity services in late February — affecting critical infrastructure hundreds of miles apart and tossing tens of thousands of people off the internet — sent an unmistakable signal to European leaders: They’re entering a perilous new era of cyber risks.


The Feb. 24 cyberattack wasn’t aimed at disrupting European sources of renewable energy, according to investigators. Yet the blitz against Viasat Inc., a California-based provider of high-speed satellite broadband, did just that. Today, it’s held up as an unsettling example of just how difficult it is to secure the interconnected digital networks that run modern-day power grids.

The North American grid has long been described as one of the most complex machines on Earth. And as the energy sector becomes more connected, cyber risks that cut across the global supply chain are becoming a greater threat.

“If anything, our grids have gotten more complex over the last couple of decades,” said Lesley Carhart, principal industrial incident responder at industrial cybersecurity firm Dragos Inc. “You have your three grids and you got this hodgepodge of interconnected transmission and distribution providers, getting generation from a multitude of sources.”

The electric grid is a patchwork of power generators, transmission lines and distribution centers. Interconnection points help ensure an outage in Texas doesn’t spread all the way to California. But while the nodes serving different regions are not physically connected, the use of common digital technology across the larger grid has propped open the door to digital sabotage.

“Now, an operator or an equipment vendor may have generation assets in the Eastern Interconnection, Western Interconnection, Texas, Quebec, all over the place,” said Tim Conway, technical director at the SANS Institute, a cyber educational and training nonprofit.

The hack targeting Viasat, the satellite broadband company, triggered a cascading loss of communications. The hack reminded utilities that it’s no longer enough to secure a control room.

“Your threats are also inherited by your customers and suppliers,” said Ben Miller, vice president of professional services and research at Dragos. “So you have to take those into consideration.”

Security by design

The satellite modem hack didn’t lead to a loss of wind power generation in Germany, Europe’s largest economy.

But the loss of communications to thousands of wind turbines operated by the German engineering firm Enercon is “probably one of the worst nightmares that any operation may have,” said Samuel Linares, managing director of Accenture Security’s renewable energy business.

There are haves and have-nots when it comes to securing wind farms and major solar projects, Linares said. “In the end, most of them are all utilities,” he said. “They have been dealing with cybersecurity for a number of years.”

New wind farms are being built with security by design, he said. That means embedding security systems across the entire system, from start to finish. But for legacy technology, cybersecurity is a bigger challenge, Linares said.

The concern is the inability of technicians and cybersecurity experts to see inside legacy technology and stamp out an attack.

In 2019, for example, a Utah renewable energy developer briefly lost visibility following a distributed denial of service attack that targeted Cisco firewalls (Energywire, Oct. 31, 2019). While the loss of visibility was a series of five-minute blips over 12 hours and didn’t affect generation or reliability, it was the first attack of its kind to interrupt system operations.

Since then, amid a continuing scourge of ransomware attacks by criminal hackers, several other wind companies have been hit by cyberattacks.

In early April, German company Deutsche Windtechnik, a service provider for offshore wind, had to shut down all connections to external systems after hackers attacked its systems. Nordex SE, one of the world’s largest wind turbine manufacturers, was also hit with a cyberattack in April, forcing the company to rely on alternative communications methods.

In November, Vestas was hit by a cyberattack and had to shut down IT systems for “multiple business units and locations.”

Pace of change

As early as 2018, the Department of Homeland Security had warned that Russian hackers were actively targeting “peripheral organizations such as third-party suppliers with less secure networks.”

Hackers have entered systems through routine software updates from trusted software vendors. The SolarWinds cyber espionage campaign of 2020 is perhaps the best example. Hackers tied to Russia penetrated the Texas-based software provider and that opened doors into corporate and government systems across the country, including the Department of Energy.

Other computer management software, Kaseya Limited and Apache’s Log4j, were also breached, spreading malicious code across other industries.

“Supply chain risks for digital components including software, virtual platforms and services, and data have grown in recent years as increasingly sophisticated cyber adversaries have targeted exploiting vulnerabilities in these digital assets,” DOE said in a recent report.

The electric grid is turning into a decentralized mesh with “millions of endpoints,” DOE analysts said. Solar panels, advanced batteries, wind farms, smart meters and microgrids are doing some of the work of the 20th century’s centralized power plants.

“We’re seeing microgrids becoming incredibly popular. That’s a big change,” Dragos’ Carhart said. “You got to think in terms of generation, transmission, and distribution and those are often different providers and they have different footprints across the United States.”

In its report, DOE urged grid security experts to examine devices, their manufacturers, and third parties that integrate those devices into the electric grid. China and other countries that are economic and political adversaries are also manufacturers of grid technology.

There’s also the speed at which things change.

Technology companies change frequently through acquisitions and rebranding. Foreign ownership and control are “difficult to determine, much less track, and adversary nations often actively seek to obfuscate foreign ownership and control,” DOE said.

In addition, systems can operate for decades. Workforce shortages are making it harder to maintain aging systems.

There are regulations that help deal with supply chain threats. But things are becoming more interconnected, which means there is no single approach to fending off risks. Critical infrastructure like telecommunications, transportation systems and information technology are all vital for the energy sector and they all rely on electricity to operate.

“Multiple security standards regimes and guidelines apply to digital supply chains, and gaps and overlaps exist,” said the DOE report. “There is no holistic approach to prioritizing risks, investments, or trade-offs.”

‘Constant upgrades’

President Joe Biden issued an executive order on supply chains in February 2021 that called for a software bill of materials (SBOM) for federal contractors — a recipe book of sorts detailing components in software. The order also called on the National Institute of Standards and Technology to develop guidelines for an SBOM; the agency published the guide earlier this month.

In the electricity sector, the North American Electric Reliability Corp. has a cybersecurity standard that requires some utilities to prepare a plan to deal with supply chain issues through a contract with vendors.

The Federal Energy Regulatory Commission doesn’t have authority to regulate vendors themselves. But utilities can require a contract that meets their security needs.

Software changes and changes to computer code regularly occur either through new utility vendors or regular maintenance. Wind power is a great example, SANS Institute’s Conway says.

“Looking at the life cycle of wind specifically: You have a planning and development stage, an asset construction, a commissioning stage, operate and maintain, then they go through constant upgrades,” Conway said.

“Looking at that life cycle of just how the asset is used, and then trying to layer in all the controls, and all the software, and all the vendors involved,” Conway noted. “It’s complex.”