2020 Deloitte Renewable Energy Seminar Renewables for a sustainable future September 24, 2020


Cybersecurity for renewables: Keeping up with the rapid pace of innovation

Sharon Chand, Principal, Deloitte & Touche LLP
Sam Icasiano, Senior Manager, Deloitte & Touche LLP

2020 Deloitte Renewable Energy Seminar. Copyright © 2020 Deloitte Development LLC. All rights reserved. 3

Agenda

Cyber threat landscape for renewable energy developers, owners and operators 5

Drivers which can lead to the need for cybersecurity services 6

Supply chain attacks are on the rise 8

Cybersecurity for Distributed Energy Management/Storage Management 10

Manufacturing and R&D 12

Identifying the right balance between security and agility 13

New technologies with solar energy 15

Cyber Threat Landscape for Renewable Energy developers, owners and operators

Threats are relentless and increasing as systems become more interconnected and accessible

• Operational technologies like Supervisory Control and Data Acquisition (SCADA) need a different approach to security than traditional IT controls

• Malware may be leveraged against multiple sites simultaneously

• Physical security has often not been sufficiently covered in the security design; this is an inherent risk for renewables given the large geographic footprint required for facilities

• Third-party remote access raises additional risks

• Multiple communication links to renewable sites given the number of parties involved (e.g., owner/operator, OEM, market participants)

• Many components are sourced from overseas and may not be secure, or could conflict with pending regulatory requirements

• Competition continues to grow in intensity – cyber attacks can be impactful across many facets of operations

Of the sixteen critical infrastructure sectors identified by the Department of Homeland Defense, energy is atypical because it provides an enabling function across sectors

• 3,300 utilities delivering power through 200,000 miles of high-voltage transmission lines, 55,000 substations, and 5.5 million miles of distribution lines1

• Incapacitation or destruction could significantly impact the nation's security, economic stability, public health and/or safety

1 Source: https://www.scientificamerican.com/article/what-is-the-smart-grid/
2 Source: https://www.eenews.net/stories/1060254751
3 Source: https://www.fireeye.com/current-threats/threat-intelligence-reports.html
4 Source: https://www.powermag.com/wp-content/uploads/2018/03/dragos_2017-industrial-control-system-threats.pdf

What’s driving the need for better cybersecurity?

New cyber regulations became enforceable on January 1, 2020 (NERC CIP “Low Impact”)1. All generation resources operating over 100 kV must comply. Penalties for non-compliance can be significant ($1M per day, per violation).

Expansion of resources operated by a single entity: if an entity crosses a 1500 MW threshold of aggregate generation at a single control center, it reaches the next tier of requirements in NERC CIP. This threshold brings 100+ additional cyber requirements into scope.

Recent events driving a response to threats:

• 10/2019 – Renewable developer hit with a cyber attack due to a firewall vulnerability2

• 04/2020 – Utility/renewable entity in Europe targeted by a ransomware attack3

New technologies focused on speed to value are less secure: Solar+, Internet of Things (IoT), battery management systems, etc. use less secure “lightweight” communication protocols and cloud-based web/database servers.

1 Source: https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
2 Source: https://www.eenews.net/stories/1061421301
3 Source: https://www.hydroreview.com/2020/04/17/portugals-edp-hit-with-costly-ransomware-attack/#gref

Supply chain as a potential threat vector is under scrutiny

In addition to other supply chain risk areas, organizations are exposed to a wide variety of cyber and physical security risks when working with external vendors, such as:

• Low visibility into supply chain security vulnerabilities

• Limited availability of data and analytics for better, timely decision-making

• Reliance on third parties to maintain security practices & procedures, including verification of fourth-party security controls

• Inability to keep up with emerging supply chain regulations

• Foreign adversaries and other bad actors embedding malware into supply chain components

Executive order on securing the US bulk power system

• An Executive Order was signed on May 1, 2020, halting the installation of bulk-power system (BPS) equipment “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.”1

• The executive order aims to address weaknesses in the utility sector supply chain.

The 4 main components of the Executive Order

1. Prohibits any acquisition, importation, transfer, or installation of bulk-power system electric equipment which has a nexus with any foreign adversary and poses an undue risk to national security, the economy, or the safety and security of United States persons.

2. Authorizes the Secretary of Energy to establish criteria for recognizing particular equipment and vendors as “pre-qualified”.

3. Calls for identifying any now-prohibited BPS equipment already in use, allowing the government to develop strategies and to work with asset owners to identify, isolate, monitor, and replace this equipment as appropriate; and

4. Establishes a Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security, which will focus on the coordination of Federal Government procurement of energy infrastructure and the sharing of risk information and risk management practices.

1 Source: https://www.whitehouse.gov/presidential-actions/executive-order-securing-united-states-bulk-power-system/

How the Executive Order could impact across renewable energy organizations

Technology enablement to illuminate your environments, understand your vendor ecosystem, and provide better data for making business decisions in accordance with regulatory requirements

Maintain vendor profile and ecosystem mapping

• Fourth- and fifth-party identification

• Identification of foreign suppliers

• Sub-components library

• Integration with rating agencies

• Pro-active alerting and notification

Downstream business impacts

• IT/OT procurement planning

• Facility design

• Supplier selection

• Alternatives and risk mitigation

• Workforce impacts

Environment illumination: asset discovery technologies

• Discovery and inventory

• Ongoing monitoring

• IT/OT asset data: vendor, hardware, firmware, and other device-level attributes

Third-party risk management

• Users of vendor information

• Security risk assessments

• Approved vendor lists

• Independent assessors | SOC2

Cybersecurity for Distributed Energy Management/Storage Management Systems

IoT and cloud computing technologies are expected to advance distributed energy and battery management systems

Potential threats from cybersecurity vulnerabilities

• Unauthorized software updates or changes to source code on IoT devices

• Unauthorized access to data storage in IoT devices

• Insecure IoT network protocols

• SQL injection attacks against the cloud database

• Unauthorized cloud access from unauthorized IoT devices/botnets
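The first threat in the list above, unauthorized software updates to IoT devices, is named on the slide without a control. As an added illustration (not code from the Deloitte deck), the Python below shows the checks a device can run before applying an update, under an assumed scheme: the update server publishes a small manifest (version plus the image's SHA-256) and an HMAC-SHA256 tag over that manifest computed with a key provisioned on the device. The keys, images and version numbers are constructed demo values.

```python
import hashlib
import hmac
import json

# Assumed update scheme (not from the slide): the device is provisioned with a
# per-device update key; the server ships a manifest {version, sha256} and an
# HMAC-SHA256 tag over the manifest. All values below are constructed demo data.


class UpdateRejected(Exception):
    """Raised when an update fails one of the pre-install checks."""


def make_manifest(image: bytes, version: int) -> dict:
    """Server side: describe an image by its version and SHA-256 digest."""
    return {"version": version, "sha256": hashlib.sha256(image).hexdigest()}


def canonical(manifest: dict) -> bytes:
    """Fixed key order and no whitespace, so signer and verifier tag identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def tag_manifest(manifest: dict, key: bytes) -> str:
    """Server side: authenticate the manifest with the device's update key."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(image: bytes, manifest: dict, tag: str,
                  key: bytes, installed_version: int) -> int:
    """Device side: the three checks to run before flashing. Returns the new version."""
    # 1. Authenticity: only a holder of the key can produce a matching tag.
    #    compare_digest avoids leaking the comparison result through timing.
    if not hmac.compare_digest(tag_manifest(manifest, key), tag):
        raise UpdateRejected("manifest tag does not verify")
    # 2. Integrity: the image must hash to the digest in the authenticated manifest,
    #    so a swapped or corrupted image is caught even when the manifest is genuine.
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        raise UpdateRejected("image hash mismatch")
    # 3. Anti-rollback: a genuinely tagged but older image must not be reinstalled,
    #    or a fixed vulnerability could be reintroduced with a valid tag.
    if manifest["version"] <= installed_version:
        raise UpdateRejected("version rollback")
    return manifest["version"]


def demo() -> dict:
    """Exercise the accept path and the three reject paths with constructed inputs."""
    key = b"constructed-per-device-update-key"
    image = b"constructed firmware image, version 3"
    manifest = make_manifest(image, 3)
    tag = tag_manifest(manifest, key)
    outcome = {"valid": verify_update(image, manifest, tag, key, installed_version=2)}

    cases = {
        # image altered after the manifest was produced
        "tampered_image": (image + b"\x00", manifest, tag, 2),
        # manifest tagged with a key the device does not hold
        "untrusted_tag": (image, manifest, tag_manifest(manifest, b"other-key"), 2),
        # valid package, but the device already runs version 3
        "rollback": (image, manifest, tag, 3),
    }
    for name, (img, man, t, installed) in cases.items():
        try:
            verify_update(img, man, t, key, installed)
            outcome[name] = "accepted"
        except UpdateRejected as err:
            outcome[name] = str(err)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the tag is verified before the manifest's contents are trusted, so the hash and version fields are only consulted once they are known to be authentic. With HMAC the device holds the same key that produces the tag, so the key extracted from one device could tag updates for that device; a public-key signature over the manifest removes that exposure and leaves the three checks unchanged.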

Cyber attack defense strategies for IoT and cloud

• Strategies for securing IoT software

− Design the secure coding of the IoT devices

− Format source codes as libraries, executables and obfuscated code

• Strategy for network security

− Authentication key-enabled IoT protocol for the IoT network

− TLS/SSL security for the TCP/IP protocol

− Key-based authentication for SSH security

• Strategies for SQLi mitigation

− Constrain and sanitize input data

− Use type-safe SQL parameters for data access
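The two SQLi mitigations in the list above (constrain and sanitize input data; type-safe SQL parameters) as an added worked example; this is not code from the Deloitte deck. It assumes a cloud-side readings table keyed by a site identifier of the form site-NNN, with an in-memory SQLite database standing in for the cloud database and constructed sample rows.

```python
import re
import sqlite3

# Constructed sample data: a few inverter readings per site (not real telemetry).
SAMPLE_ROWS = [
    ("site-001", "inverter-7", 412.5),
    ("site-001", "inverter-8", 398.0),
    ("site-002", "inverter-1", 521.3),
]


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed readings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (site_id TEXT, device TEXT, kw REAL)")
    conn.executemany("INSERT INTO readings VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def readings_vulnerable(conn: sqlite3.Connection, site_id: str) -> list:
    """Weak pattern: the caller's value is spliced into the SQL text, so the value
    can change the query's structure instead of only the literal being compared."""
    sql = f"SELECT device, kw FROM readings WHERE site_id = '{site_id}'"
    return conn.execute(sql).fetchall()


def readings_parameterized(conn: sqlite3.Connection, site_id: str) -> list:
    """Slide strategy 'type-safe SQL parameters': the value is bound by the driver
    and never parsed as SQL, whatever characters it contains."""
    sql = "SELECT device, kw FROM readings WHERE site_id = ?"
    return conn.execute(sql, (site_id,)).fetchall()


# Slide strategy 'constrain and sanitize input data': accept only the shape a
# site identifier is allowed to have (site-NNN is an assumed format for this example).
SITE_ID_RE = re.compile(r"site-\d{3}")


def is_valid_site_id(site_id: str) -> bool:
    """Allow-list check on the identifier's shape; anything else is rejected."""
    return SITE_ID_RE.fullmatch(site_id) is not None


def readings_hardened(conn: sqlite3.Connection, site_id: str) -> list:
    """Both strategies together: validate first, then bind the parameter."""
    if not is_valid_site_id(site_id):
        raise ValueError(f"rejected site_id {site_id!r}")
    return readings_parameterized(conn, site_id)


def demo() -> dict:
    """Run the same hostile value through each query style and the validator."""
    conn = build_db()
    # Textbook tautology appended to a value; inside the vulnerable query it
    # becomes ... WHERE site_id = 'site-001' OR '1'='1'
    hostile = "site-001' OR '1'='1"
    return {
        "vulnerable_rows": len(readings_vulnerable(conn, hostile)),        # every site leaks
        "parameterized_rows": len(readings_parameterized(conn, hostile)),  # literal match, none
        "validator_rejects": not is_valid_site_id(hostile),
        "normal_rows": len(readings_hardened(conn, "site-001")),
    }


if __name__ == "__main__":
    print(demo())
```

For the tautology input the vulnerable query returns every site's rows, the parameterized query returns none because the driver compares the whole string literally, and the validator rejects the value before any query is built. Parameterization is the control that holds on its own; input constraints are defense in depth and also keep malformed identifiers out of logs and downstream systems.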

Blockchain for a trustworthy IoT network and data security

• Blockchain is a distributed chronological ledger that maintains a continuously growing list of data records secured from tampering and revision.

• Because the blockchain is hosted, updated and validated by individual peer nodes rather than by a single centralized authority, it improves the trust, security, and transparency of transactions.

Cybersecurity risks in the manufacturing and R&D landscape

Cyber Espionage

Intrusion into the company’s network that leads to exfiltration of intellectual property or disruption of manufacturing by a competitor to gain a business advantage.

Potential impacts:

- Physical machine disruption
- Blocked business expansion
- Supply chain compromise
- IP and R&D theft

Patching & CVEs

Inability to update or patch manufacturing machines based on incompatibility with older machines or a need for high availability (e.g., unable to have extended downtime).

Potential impacts:

- Increased likelihood of device compromise
- Persistent vulnerabilities
- Incompatibility of security software for monitoring

Third-Party Vendors

Compromise of a trusted third-party partner or vendor that leads to an intrusion within the company’s network.

Potential impacts:

- Network compromise
- Privileged account abuse
- Direct access to third-party tools on the company’s network

Data Breach

Infiltration of a company’s network that leads to a data breach of customer data, company confidential or other sensitive information.

Potential impacts:

- GDPR or other applicable fines
- Reputational impact
- Customer loss
- Leaked IP or trade secrets

Priorities between agility vs. security

In the highly competitive renewable market, agility is key to success. Security and agility, sometimes seen as two opposing priorities, can co-exist.

Culture: The organization needs to stop seeing security as an obstacle and instead see security as an integral part of the application itself.

Tools: Architects do not have the time or resources to be devoted specifically to security. It has to fit in with the goal of speed. The right scanning tools have to be implemented to help facilitate this. The tools provide feedback on vulnerabilities as code is written and deployed.

Education: Developers do not need to be security specialists, but they do need the skills to write secure code from the start and help make security better understood.

Responsibility: Architects should be measured not just on speed and quality, but on security as well. Implementing security KPIs for the entire company and metrics for developers can make sure everyone is doing their part and making security the priority it needs to be.

Parting thoughts: Working to future-proof the industry

Carbon reduction goals, corporate sustainability practices, and environmental factors all point to the continuing growth of the renewables industry. Renewable energy operators, and the suppliers to those entities, will continue being the target of cyber attacks. Innovation without security embedded into the process can create opportunities for attackers.

What can be done?

• Look at planned expansion activities and consider when NERC CIP thresholds for control centers may be reached – plan ahead!

• For developers and manufacturers, evaluate supply chain risk, particularly reviewing key suppliers and their security practices, as more scrutiny and regulation is on the horizon

• Conduct security risk assessments against commonly accepted frameworks to determine where gaps, risks, and opportunity areas may exist

• Force security into the design of new technology projects and embed security workstreams as a must-have!

Services

• Physical security monitoring and integration

• Industrial Internet of Things (“IIoT”) design and implementation

• NERC CIP & NIST benchmarking and implementation

• Cyber risk quantification & cyber board reporting

• Security architecture review and design

• Cybersecurity M&A due diligence reviews

• Secure supply chain strategy, implementation and operation

• Security solution system integration / implementation

Cyber is everywhere

Connect with us

Sharon Chand, Principal, Cyber Risk Services – Strategy & Governance, Deloitte & Touche LLP, +1 312 486 [email protected]

Sam Icasiano, Senior Manager, Cyber Risk Services – Strategy & Governance, Deloitte & Touche LLP, +1 973 602 [email protected]

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms or their related entities (collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.

No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

© 2020. For information, contact Deloitte Global.