Renewable energy growth leads FBI to warn hackers will hit new power
An aerial view of homes in a housing development on September 08, 2023 in Santa Clarita, California.
Mario Tama | Getty Images News | Getty Images
As renewable energy generation expands across the U.S., the federal government is becoming more concerned about vulnerabilities in new systems being a target for cyberattacks.
The FBI recently warned the private sector and individual owners of renewable power of the potential for hacks, saying that reductions in the cost of implementing energy infrastructure and increased clean energy incentives will not only attract investors but also the attention of cybercriminals.
Government incentives, including the Inflation Reduction Act, have encouraged individuals and private ownership groups to invest in clean energy systems. Renewable energy sources, including both wind and solar, generated about 21% of all U.S. electricity consumption in 2023, according to the U.S. Energy Information Administration.
The FBI did not issue the warning in response to a particular cyberattack, but it did note that as far back as 2019, a private operator of renewable energy systems “lost visibility” into approximately 500 megawatts of wind and solar sites across California, Utah, and Wyoming.
The FBI also said that while hacks against residential solar power have been “rare historically,” microgrids — which local communities operate independent of a traditional utility — could also be vulnerable to attack. The EIA estimates that 73.62 billion kilowatts of electricity generation in 2023 came from small solar systems (mostly rooftop) where the power is consumed locally. By comparison, in 2023, about 4,178 billion kilowatthours of electricity were generated at utility-scale electricity generation facilities in the United States.
The pace of renewable energy growth is expected to pick up, with the FBI citing examples near the federal government, including the Metropolitan Washington Council of Governments’ goal to install 250,000 solar rooftops by 2030, as well as Virginia’s aim of 5,500 megawatts of wind and solar energy by 2030, and completely carbon-free energy sources for the state’s electricity by 2050. The agency noted that federal agencies, such as the Department of Defense, which is the largest consumer of energy in the U.S. government, rely on local electric grids.
The renewable energy industry’s rapid expansion in the U.S. in some cases is occurring without traditional utility protocols and regulations.
“It’s on the edge of the grid,” said Jim Hempstead, Moody’s Ratings managing director. “It’s not a utility company that usually owns, operates, generates and builds these things. It is usually a non-regulated utility, and so they’re not regulated by the state utility commission the way (traditional) utility is. And, we know that regulation is a big benefit from a credit perspective because it provides that level of oversight.”
Solar Energy Industries Association, the major trade group for solar power in the U.S., said it has been focused on cybersecurity efforts in recent years, including a 2021 virtual summit it co-hosted with the Department of Energy Solar Energy Technologies Office to advise solar companies on best practices. In March 2023, SEIA hired Bheshaj Krishnappa, who previously worked as an information risk consultant for Freddie Mac, Constellation Energy and Reliability First Corporation, as director of cybersecurity policy and reliability.
Moody’s noted in its 2023 Global Cyber Security Report that only eight percent of the infrastructure industry’s budgets on average were allocated towards cybersecurity. The firm had warned of electrical grid modernization cyber risks starting in 2019, especially as electric, gas, and water utility companies increasingly use connected capabilities that allow for remote access and cloud computing.
The boom in renewable energy has also led manufacturers of products and services to ramp up their offerings.
“The entire industry is trying to rapidly go after potential funding sources that will help them bring their goods and or services to market quickly,” said EY Americas Cybersecurity Leader Jim Guinn, II. “The unfortunate part of that is oftentimes product manufacturers in their exuberance to get something to market quickly don’t always test for vulnerabilities in the most effective way – meaning software development, lifecycle testing, code scanning, vulnerability or penetration testing, embedded system testing – because those are additive costs.”
The FBI notice pointed to the risk in the solar power operational technology software and hardware, with hackers able to gain control over solar panels through equipment called an inverter, which converts direct current (DC) energy into alternating current (AC) electricity that can be…
Read More: Renewable energy growth leads FBI to warn hackers will hit new power