NOVEMBER 2024

awake trying to implement their nefarious plans while most of us in the U.S. are asleep. Since the control rooms in most renewable projects are not staffed, no operating personnel are present to detect any potential. These attacks typically occur overnight, when U.S. staff are offline.

Ransom
Hackers seek to extort payment from companies in exchange for undoing their cyber-locks or other malicious code that renders the infected network non-operational. Further, thanks to the anonymity of certain cryptocurrencies, once a hacked company pays a ransom, it is difficult for law enforcement agencies to investigate and apprehend the offenders.

Internet Activism
Otherwise known as hacktivism: hacker groups use computer-based techniques as a form of civil disobedience, bringing down the power grid to make a political statement. These ideologically motivated "cyber-punks" seek to cause damage in the name of their movement and benefit from any press coverage of the cyberattack and its aftermath.

Why NERC Compliance Alone is Not Enough
The North American Electric Reliability Corporation (NERC) is responsible for monitoring, regulating, and enforcing the compliance policies of power system operators, ensuring a safe, reliable power supply. In response to major power reliability events, from the infamous power outages in the 1960s to the recent winter event, NERC promulgates compliance policies and programs for electric utilities, independent power producers, and wholesale market participants. NERC can assess steep penalties against firms that do not comply with its requirements. Given the complexity of the power grid, the numerous stakeholders, and the ever-growing threat of cyber-attacks, the agency seeks to anticipate future problems and provide appropriate countermeasures. Still, as long as people are needed to operate and maintain equipment, our networks can be compromised, whether by accident or on purpose.
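The article's point that attacks land overnight, when no one is in an unstaffed control room, translates directly into a detection rule: any remote session into the operational (OT) network outside staffed hours should page whoever is on call. The following is an added example, not code from the article or from any utility; it assumes a syslog-style remote-access log with the fields shown, a plant in the America/Chicago time zone, OT segment names of my own choosing, and staffed hours of 06:00 to 22:00 local time. The log lines are constructed for the example.

```python
"""Off-hours remote-access alerting for an unstaffed plant control network.

Added example. Assumes a VPN / jump-host log with one event per line
(UTC timestamp, host, then key=value fields) and a plant whose control
room is staffed only between STAFFED_START and STAFFED_END local time.
"""
from dataclasses import dataclass
from datetime import datetime, time
from zoneinfo import ZoneInfo

PLANT_TZ = ZoneInfo("America/Chicago")            # assumed plant location
STAFFED_START, STAFFED_END = time(6, 0), time(22, 0)
OT_SEGMENTS = {"ot-scada", "ot-turbine-ctl"}      # hypothetical OT segment names

# Constructed sample log (not from any real system). Timestamps are UTC.
# On 2024-11-05 Chicago is on CST (UTC-6), so 07:03Z is 01:03 local.
SAMPLE_LOG = """\
2024-11-04T14:12:03Z vpn-gw user=j.ortiz src=203.0.113.7 segment=corp-office action=login
2024-11-04T15:40:51Z vpn-gw user=contractor-svc src=198.51.100.22 segment=ot-scada action=login
2024-11-05T07:03:18Z vpn-gw user=contractor-svc src=198.51.100.22 segment=ot-scada action=login
2024-11-05T08:15:00Z vpn-gw user=m.chen src=203.0.113.9 segment=ot-turbine-ctl action=login
2024-11-05T09:30:27Z vpn-gw user=a.singh src=203.0.113.10 segment=corp-office action=login
"""


@dataclass
class Event:
    ts_utc: datetime
    user: str
    src: str
    segment: str
    action: str

    @property
    def ts_local(self) -> datetime:
        """Event time converted to plant-local wall clock."""
        return self.ts_utc.astimezone(PLANT_TZ)


def parse_line(line: str) -> Event:
    """Parse one 'TIMESTAMP host k=v k=v ...' log line into an Event."""
    ts, _host, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts_utc = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Event(ts_utc, fields["user"], fields["src"], fields["segment"], fields["action"])


def is_staffed(local_clock: time) -> bool:
    """True when the control room is expected to have operators present."""
    return STAFFED_START <= local_clock < STAFFED_END


def off_hours_ot_logins(log_text: str) -> list[Event]:
    """Return login events into an OT segment that start while the room is unstaffed.

    Corporate-segment logins are deliberately left out of this rule; the
    article's concern is unattended access to the operational network.
    """
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.action != "login" or ev.segment not in OT_SEGMENTS:
            continue
        if not is_staffed(ev.ts_local.time()):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in off_hours_ot_logins(SAMPLE_LOG):
        print(f"PAGE ON-CALL: {ev.user} -> {ev.segment} from {ev.src} "
              f"at {ev.ts_local:%Y-%m-%d %H:%M %Z} (control room unstaffed)")
```

Running the block pages on the two OT logins that fall in the small hours of plant-local time and stays silent on the daytime contractor session, so a scheduled maintenance visit does not generate noise while an overnight login to the same segment does. The time-zone conversion matters: the raw UTC timestamps would make the 15:40Z daytime session and the 07:03Z night session look alike to a rule written against UTC.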
The program's policies and procedures are only as secure as the people who use them.

Common Attack Vectors
Despite the complex networks that support a power plant, a key vulnerability to reliability remains people, whether employees or contractors. We are all imperfect, and cyber-hackers seek to exploit this at every chance they get.

Employees: Phishing attacks by criminals are prevalent. They send employees official-looking emails requesting information that, once provided, allows a bad actor to monitor email correspondence, learn more about the organization, and uncover passwords and other credentials. Unfortunately, the employee who has been compromised through the phishing attack is often unaware of the breach until the damage is already done.

Contractors: Renewable power plants are often serviced by contractors providing routine maintenance or inspection. While on site, they often have access to both the business and the operational networks. Further, the makeup of the contractor's personnel who visit a site may change, so the risk of infection increases with the number of unique, unsupervised visitors, as does the chance that a compromised device is introduced to the plant network.

Recommendations: Third-Party Audits and Training
Given the business risks and the increasingly sophisticated nature of cyber-attacks, it is recommended that firms, particularly those in the renewable power generation space, engage a third-party cyber-security firm to review their business practices and assess the security of both their operational and business networks. Hiring an independent firm ensures that a knowledgeable industry expert can identify vulnerabilities during an audit and then develop recommended countermeasures following best practices. Just as an outside auditor is needed to validate a firm's financial health, an independent review is needed to manage cyber-security and NERC compliance risks. Ongoing employee training should be conducted as well.
This training could include a live-fire exercise in which employees are deliberately targeted with fake emails, to identify any too-trusting employees and to give them specific training on how to deal with subsequent phishing or spamming tactics from the real bad guys.
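The phishing emails described under Employees above, and the fake ones a live-fire exercise sends, share a few mechanical tells that a mail gateway or a help-desk triage script can check before a human has to judge the message: a sender domain that is one or two characters off the corporate domain, a Reply-To that points somewhere other than the sender, and wording that asks for credentials. The following is an added example, not the article's or any vendor's code; it assumes a hypothetical corporate domain windfarm-energy.example and uses two constructed messages as input.

```python
"""Indicator-based triage of suspected phishing emails.

Added example. Assumes a trusted corporate domain (hypothetical) and
checks three indicators: lookalike sender domain, Reply-To mismatch,
and credential-request wording. Scores are informational; the point is
to give a reviewer concrete reasons, not to auto-block.
"""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"windfarm-energy.example"}   # hypothetical corporate domain
CREDENTIAL_PHRASES = (
    "verify your password", "confirm your credentials",
    "reset your password", "account will be suspended", "login immediately",
)

# Constructed samples (not real messages). The first mimics a helpdesk
# credential lure from a lookalike domain; the second is ordinary work mail.
PHISH_SAMPLE = """\
From: "IT Helpdesk" <helpdesk@windfarm-enerqy.example>
Reply-To: support@mail-collect.example
To: m.chen@windfarm-energy.example
Subject: Urgent: verify your password before 5pm
Content-Type: text/plain; charset="utf-8"

Your VPN password expires today. Please verify your password by replying
with your current username and password so we can keep your access active.
"""

LEGIT_SAMPLE = """\
From: "Maria Chen" <m.chen@windfarm-energy.example>
To: j.ortiz@windfarm-energy.example
Subject: Turbine 7 inspection report
Content-Type: text/plain; charset="utf-8"

Attached is the inspection report for turbine 7 from yesterday's site visit.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between domains signal a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the lowercase domain from a 'Name <user@domain>' header."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []

    sender_domain = domain_of(msg["From"])
    if sender_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(sender_domain, trusted) <= 2:
                found.append(f"lookalike sender domain {sender_domain!r} resembles {trusted!r}")

    reply_to = msg["Reply-To"]
    if reply_to and domain_of(reply_to) != sender_domain:
        found.append(f"Reply-To domain {domain_of(reply_to)!r} differs from sender {sender_domain!r}")

    body_part = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + "\n" + (body_part.get_content() if body_part else "")).lower()
    hits = [p for p in CREDENTIAL_PHRASES if p in text]
    if hits:
        found.append("credential-request wording: " + ", ".join(hits))
    return found


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, phishing_indicators(sample) or "no indicators")
```

The lure trips all three checks while the routine report trips none. In a live-fire exercise the same function can be pointed at the simulated emails before they are sent, to confirm that each carries the tells employees are being trained to spot; in production it belongs in front of a person, since a legitimate password-reset notice will also match the wording check.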