Amid a brutal war in Eastern Europe, there’s a lot of focus on energy security. Countries with a higher proportion of renewable sources may feel better placed to withstand volatile fuel supply chains and continue to power industry, commerce and public services.
Indeed, many countries have pledged to accelerate their transition to renewable energy. Germany — which is highly dependent on Russian gas — has announced plans to give up coal entirely by 2030, 8 years ahead of its original target. It now aims to get 80 percent of its electricity from renewable sources by 2030. France and Austria are going in a similar direction, while Poland, one of Europe’s heaviest coal consumers, is making significant investments in wind power.1
Such ambitions align with the UN Strategic Development Goals and resonate with citizens, governments and investors. But, with the world becoming ever more dependent upon electricity, renewables must pass the trust test and demonstrate that they can offer the 24/7 reliability that users expect. Failure to do so could severely undermine the decarbonization revolution.
Complexity brings additional cyber threats
Renewables bring greater energy independence, as the power is generated closer to those who need it, from sources within national boundaries. Microgrids take this concept one step further, enabling smaller providers and individual consumers to produce, store and distribute clean power.
One US study suggests that a decentralized grid could alleviate stress on the main power generators and meet 20 percent of peak load by 2030.3 This includes solar-powered batteries, delivering a highly reliable backup for business and government facilities.
However, distributed grids are also more complex and interconnected, with thousands and possibly millions of new energy providers, including private homes, fitted with smart meters connected to personal mobile devices. Add to this the increasing digitization of power station operational technology (OT), including numerous IoT devices to track performance and carbon capture. The result is a broader range of attack points. In increasingly interconnected systems, nation-states and criminals have multiple opportunities to hack into the primary grid via individuals or organizations who may have weaker cyber security.
Traditional OT systems are sometimes too old to receive security updates yet are linked to other internet-facing areas of the network and the broader software supply chain. A further threat comes from connected battery management systems that monitor safety and reliability. And software-defined electricity, which increases the efficiency of electricity generated by any renewable source, also contains code vulnerable to hackers.
In a recent survey by risk manager DV, less than half (47 percent) of energy professionals believe their OT security is as robust as their IT security. Six out of 10 say their organization is more vulnerable to an attack now than ever.4
Then there are home car chargers and, ultimately, ubiquitous connectivity for electric vehicles; if compromised, these could bring transport to a standstill and cause accidents. And our increasing reliance on renewable electricity can strain grids, especially if storage batteries go down for any reason. An outage can take out drinking water systems, wastewater facilities and the communications infrastructure — impacting every aspect of daily life. Furthermore, battery storage can be considered a greater fire risk.
There have been several alleged cyberattacks on European wind-energy companies — either directly or through their suppliers — since the Russian invasion of Ukraine. In one incident, German company Enercon suffered disruption to more than 5000 wind turbines following an attack on its satellite broadband provider Viasat. A notorious ransomware gang reportedly claimed responsibility for at least one hack and says it will share internal chats and source code with Russia.5
These various and rising threats could hold back the adoption of renewable energy by governments and power and utilities (P&U) companies. If consumers feel that green power providers could suffer more outages, they will be less likely to use their services. Enthusiasm for decarbonization may wane if people can’t use their electric cars, wash their clothes or cook the evening meal.
Building and maintaining trust in decarbonization
Robust cyber security and reporting assure stakeholders that P&U companies have secure, resilient operations that prevent and recover from cyber and physical attacks and climate threats like wildfires, floods, winds, and extreme hot and cold temperatures.
Given the increasing cyber risk from Russia and other nation-states and criminal groups, a robust cyber security culture and protocols can improve defenses and responsiveness. The priority is the critical assets that determine whether customers receive power, water or other vital utilities.
Strict data security rules and processes can make employees cyber aware and avoid breaches. Renewable assets are increasingly classed as critical infrastructure, which obliges operators to comply with the rising volume of cybersecurity regulations. Regulatory fines can provide a nasty wake-up call — and damage trust — but a cyber-aware organization should not act primarily on fear but on a desire to do the right thing and maintain customer service.
All P&U companies need a standard framework for measuring cyber risk and transparent procedures for restoring service following an attack. Across the grid network, IoT sensors and other data gathering tools can help detect potential problems from cyber and physical aggression (as well as storms, fires and other natural phenomena).
There is a lack of global consistency for cyber security standards and practices and an urgent need to converge and share information to make the entire renewables industry more resilient, which can help ensure trust and hopefully speed up adoption. Given the unique role of P&U infrastructure in a nation’s existence and the interconnected nature of energy, governments are likely to get more involved and collaborate with private players across the supply chain.
As P&U providers become ever more digital, their ESG and cyber strategies should align, with data at the center. Data drives every ESG decision, whether evaluating suppliers’ sustainability, tracking carbon footprint, measuring workforce diversity, spotting data leaks or, most importantly, reporting ESG progress to meet growing demands for transparency.
Directors should stay abreast of evolving industry reporting standards and ensure that their organizations provide the required information and insights. Presenting robust corporate cyber, compliance, and risk policies is vital to winning trust and managing the transition to ESG. Equally, the perceived poor performance of renewable assets can damage confidence in ESG and hold back governments’ sustainable agendas.
ESG can bring benefits to the P&U sector as well as significant risks. By committing fully to the ethos of purposeful, sustainable business and building strong governance, P&U companies can play an essential part in helping societies become greener, more secure, and more resilient.
- Appoint a senior executive responsible for cyber security risk and agree on the appropriate frequency of cyber risk reporting.
- Keep on top of all assets that may need cyber protection.
- Understand any vulnerabilities and update such knowledge as threats evolve.
- Continually monitor systems and assets.
- Keep abreast of evolving industry standards and regulations for practice and disclosure.
- Ensure that all employees receive comprehensive cyber security training, with senior cyber security professionals participating in industry knowledge-sharing forums.
- Track and report on the effectiveness of cyber security defenses and the source, volume and severity of incidents.
How KPMG can help
Taking a practice approach to your cyber security reporting can promote digital trust in your organization. KPMG firms can help deliver a range of services and changes to approaches to enable your organization to create a trusted digital world, including:
- Cyber Maturity Assessments (CMAs) to examine your posture in the current threat and risk landscape, as well as current compliance with present industry regulations
- Target Operating Model (TOM) and Change Management development for governing your cyber program
- Partnerships with leading IoT / OT discovery platforms to help you discover your operational assets and sustain your visibility
- Managed service support for monitoring operational technology IDS / IPS alerting
- Vulnerability management programs to assist with ensuring your systems remain operational and protected
- Cyber Training and Awareness programs crafted for OT environments and personnel
- Advanced data analytics to assess the ongoing posture of your security program
1 National Geographic, How the Ukraine war is accelerating Germany's renewable energy transition, May 2022.
2 IEA, Global changes in electricity generation, 2015-2024, Jan 2022.
3 The Brattle Group, Cost-Effective Load Flexibility Can Reduce Costs by More Than $15 Billion Annually, June 2019.
4 reNEWS, Energy industry must act ‘swiftly’ against cyber-attacks, May 2022.
5 PC Magazine, Hackers Reportedly Target Wind-Energy Companies, April 2022.