New, vulnerable power supply targets of hackers due to rapid renewable energy growth, warns FBI.

• The renewable energy sector is at risk of cyberattacks, according to a warning from the FBI.
• The Inflation Reduction Act is driving the rapid expansion of private ownership of renewable power systems in the U.S.
• Cybercriminals are increasingly targeting infrastructure, and new alternatives to the grid may lack traditional utility protocols and regulations.

With the growth of renewable energy generation in the U.S., the federal government is increasingly worried about cyberattacks targeting new systems.

The FBI has cautioned the private sector and individual owners of renewable energy systems about the potential for cyber attacks, stating that the decreasing cost of implementing energy infrastructure and the increasing availability of clean energy incentives will attract both investors and cybercriminals.

The Inflation Reduction Act and other government incentives have motivated individuals and private ownership groups to invest in clean energy systems. In 2023, renewable energy sources, including wind and solar, accounted for approximately 21% of all U.S. electricity consumption, according to the U.S. Energy Information Administration.

The FBI did not issue a warning in response to a specific cyberattack, but it did mention that a private operator of renewable energy systems had lost visibility into approximately 500 megawatts of wind and solar sites across California, Utah, and Wyoming as far back as 2019.

The FBI stated that while attacks on residential solar power are rare, microgrids, which are operated independently of a traditional utility, could also be vulnerable to attack. The EIA estimates that in 2023, 73.62 billion kilowatts of electricity generation will come from small solar systems, where the power is consumed locally, while about 4,178 billion kilowatthours of electricity will be generated at utility-scale electricity generation facilities in the US.

The growth of renewable energy is expected to accelerate, as evidenced by the FBI's citation of examples such as the Metropolitan Washington Council of Governments' goal to install 250,000 solar rooftops by 2030, Virginia's aim of 5,500 megawatts of wind and solar energy by 2030, and the state's objective of completely carbon-free energy sources for its electricity by 2050. The FBI noted that federal agencies, including the Department of Defense, which is the largest consumer of energy in the U.S. government, rely on local electric grids.

In some cases, the expansion of the renewable energy industry in the U.S. is taking place without adherence to traditional utility procedures and guidelines.

"Jim Hempstead, Moody's Ratings managing director, stated, "The project is located on the edge of the grid. Unlike traditional utility companies that usually own, operate, generate, and build these things, it is typically a non-regulated utility. As a result, they are not subject to state utility commission regulation. However, we understand that regulation can be beneficial from a credit perspective because it provides oversight.""

The Solar Energy Industries Association (SEIA), a major trade group for solar power in the U.S., has recently focused on cybersecurity efforts, including a 2021 virtual summit with the Department of Energy Solar Energy Technologies Office to advise solar companies on best practices. In March 2023, SEIA hired Bheshaj Krishnappa, a former information risk consultant for Freddie Mac, Constellation Energy, and Reliability First Corporation, as director of cybersecurity policy and reliability.

According to Moody's 2023 Global Cyber Security Report, only 8% of the infrastructure industry's average budgets were allocated towards cybersecurity. The firm had previously warned of the cyber risks associated with electrical grid modernization, particularly as electric, gas, and water utility companies increasingly use connected capabilities that enable remote access and cloud computing.

As a result of the growth in renewable energy, companies that produce goods and services have increased their offerings.

"Rapidly seeking funding sources is a priority for the entire industry, as stated by EY Americas Cybersecurity Leader Jim Guinn, II. However, this eagerness to bring products to market quickly often leads manufacturers to overlook effective vulnerability testing methods, such as software development, lifecycle testing, code scanning, vulnerability or penetration testing, and embedded system testing, which can result in additional costs."

The FBI has identified a potential risk in solar power operational technology software and hardware, as hackers can gain control over solar panels through inverters, which convert DC energy into AC electricity. Inverters connected to the internet could be controlled by hackers to reduce output or overheat home energy systems.

Law enforcement agencies urged businesses to regularly monitor their networks for suspicious behavior and to report any unauthorized access or unusual site visits to the authorities.

GE Vernova, a prominent developer of renewable energy solutions, declined to provide a comment. Similarly, other significant players in the U.S. utilities and renewable energy industry, including Next Era Energy, Constellation, Enphase Energy, First Solar, and Sunrun, did not respond to requests for comment.

The widespread use of components sourced from China in the U.S. power grids could give foreign nations access to U.S. power grids due to China's heavy subsidization of its clean energy industry and the presence of many equipment manufacturers based there.

The FBI has issued a warning as global rivals such as China, Russia, and Iran have targeted critical U.S. infrastructure in cyberattacks, including local water systems and key U.S. ports, and research shows that hackers can physically damage or destroy infrastructure through software.

Hempstead stated that since you are highly connected, it presents a large attack surface for hackers to target you compared to traditional forms of energy generation, which can also be disrupted but may not have as much of a connection.

Renewable energy sources, although promising, lack the same level of resiliency as traditional power sources due to their relatively new technology and limited testing history, Guinn stated.

"The time required for testing versus the time needed to bring a prototype to market are at opposite ends of the spectrum," he stated. "This is where the challenge lies."

As the adoption of interconnected systems increases, there is a growing concern that the lack of adequate testing and the age and tenure of these systems could lead to vulnerabilities that could be exploited by threat actors or nation-state affiliates to cause harm.