8 tips: improving the cyber resilience of your renewable energy business

Thomas Feenstra
October 23, 2024

The NIS2 Directive is here. We give you 8 tips on how you can improve the cyber resilience of your renewable energy business.

As of 17 October 2024, EU member states are required to have transposed the NIS2 Directive into national law. This EU-wide legislation affects “all entities that provide essential or important services to the European economy.”

Energy is one of the sectors covered, and renewable energy, which includes solar, wind and battery energy storage systems (BESS), is an important part of it. Any disruption of such an installation can disrupt the energy grid, cause economic damage and even physically damage the installation itself.

The NIS2 Directive has a big impact on the energy sector. Its main goal is to improve the security and resilience of energy systems against cyberattacks and other risks. Below, we’ll give you 8 tips on how you can improve the cyber resilience of your renewable energy business. 

What renewable energy companies are doing wrong when it comes to cybersecurity right now

The state of cybersecurity in the renewable energy sector isn’t where it should be yet. Too often we still find that some of the most basic cyber resilience practices are not in place.

Some examples of things renewable energy companies get wrong: using the default passwords provided by the OEM of their inverters (e.g. “Huawei01”), or similar default passwords for their cloud-based systems. You might think this is common knowledge, but you’d be surprised how often we still encounter it.

Additionally, they might not have isolated their Modbus network, they use FTP instead of SFTP, or they don’t keep their inverters, loggers and other control systems updated. All these things leave renewable energy businesses vulnerable to cyberattacks.

Cybersecurity legislation for renewable energy companies in the EU

Just to recap: the NIS2 Directive requires energy companies to implement technical and organizational measures to prevent, detect and manage incidents affecting energy security and supply. This includes safeguarding critical infrastructure, protecting data and ensuring service availability.

Industries affected by NIS2. Source: NIS2 Directive

Alongside NIS2, the GDPR continues to require energy companies to protect the personal data they handle and to report breaches that affect the security of that data. Consumers have the right to be informed and can request that their personal data be deleted.

These are much needed changes in our regulatory landscape. According to Shepherd and Wedderburn, 90% of the world’s largest energy companies suffered breaches in 2023. That’s a shockingly high percentage.

Time for change. Now that these measures are becoming legal requirements instead of just best practices and recommendations, the biggest question is this: who is going to implement them and ensure better cyber resilience amongst renewable energy companies?

Upcoming NIS2 challenges: severe lack of cybersecurity experts

In May 2024, the reported shortage of cybersecurity specialists in the Dutch utilities sector had risen from 36% to 54%. Now that the NIS2 Directive is in force, this shortage will only get worse.

Demand for professionals skilled in improving the cyber resilience of renewable energy companies is on the rise, which means that businesses in the renewable energy industry are going to need all the help they can get to boost their installations’ cybersecurity.

One way to prepare for NIS2, in the face of this severe lack of cybersecurity experts, is to use a platform like Helin to ensure your data, interfaces and applications are safe, secure and encrypted. But there are other ways to boost the cybersecurity of your renewable energy business.

8 Tips to boost your cyber resilience as a renewable energy company

While these tips won’t guarantee NIS2 compliance, they’re a strong foundation for improving your renewable energy business’s cyber resilience. Protecting your systems from cyber threats is essential to safeguard your operations, customer data, and the overall grid safety. The latter is of course the most important part of it all.

As installed capacity grows, renewable assets have an increasing effect on the stability of our electricity grids, and on society as a whole.

1. Avoid generic, easy, or default passwords 

Weak passwords are a common entry point for attackers. It might seem obvious, but you’d be surprised how often we encounter systems still using default or easily guessable passwords.

Make sure all devices, especially your loggers, are protected with strong, unique passwords. Change the OEM default before a device is connected to the network, keep the per-device credentials in a password manager, and disable or rename default accounts where the device supports it. This simple step can significantly reduce the risk of unauthorized access. As a matter of fact, 81% of company data breaches are caused by poor passwords.

2. Secure your cloud-based logger portal

A compromised cloud portal can lead to a wide range of attacks. Just as you would with on-site devices, make sure your cloud-based logger portal is protected with robust, unique passwords.

According to Microsoft’s research, multi-factor authentication blocks more than 99.9% of automated account-compromise attacks. Ensure your logger portal is protected with multi-factor authentication (MFA) and encrypted (TLS) connections to shield sensitive data.

3. Isolate your Modbus network

In many renewable energy installations, the Modbus network carries communication between critical devices such as inverters, meters and monitoring systems. Modbus has no authentication and no encryption: any host that can reach a device’s TCP port 502 can read its registers and write new setpoints. That makes it an attractive target for cyberattacks.

Your renewable energy Modbus network should be treated with the same caution as any Operational Technology (OT) network in an industrial control environment. Isolate it from any internet-facing networks, allow only the site controller to talk to the devices, and route remote maintenance through a VPN or jump host rather than exposing port 502 directly.

This isolation helps to protect critical operational data and maintain the integrity of your control systems.

4. Upgrade FTP to SFTP

The File Transfer Protocol (FTP) is widely known to be outdated and insecure: it transmits credentials and data in plain text, so anyone on the network path can intercept them. Sadly, some renewable energy installations still haven’t moved to the SSH File Transfer Protocol (SFTP), which runs over an SSH connection.

FTP vs. SFTP. Source: WP Hacked Help

By upgrading to SFTP, you ensure that all data exchanges between your renewable energy sites and external servers are encrypted. This prevents unauthorized parties from getting access to sensitive communications, such as system configuration files, performance logs or even customer data. Prefer SSH key-based authentication over passwords for the transfer accounts, and pin the server’s host key so a client cannot silently be redirected to an impostor.

5. Apply the principle of least privilege

Give parties such as PPA contractors access only to the data and control options they actually need. For instance: at Helin, we integrate the entire portfolio of Sunrock and can therefore give one of their partners sub-access to a specific site or sites. From there we set up privilege rights: what actions, exactly, is this vendor allowed to take?
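As an added illustration of this tip (example code, not Helin’s implementation; the principal names, site identifiers, action names and maintenance window are hypothetical), the following deny-by-default policy scopes each grant to a set of sites and a set of actions, keeps read access separate from control actions, records every decision for audit, and lets a vendor’s control rights expire together with its maintenance window:

```python
"""Deny-by-default, site-scoped access policy for a renewable energy portfolio.

Added example, not Helin's code. Principal names, site identifiers, action names
and the grants in build_policy() are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    principal: str
    sites: frozenset                      # site identifiers, or {"*"} for the whole portfolio
    actions: frozenset                    # e.g. "read:telemetry", "write:setpoint"
    expires: Optional[datetime] = None    # time-bound grants for maintenance windows


class AccessPolicy:
    """A request is denied unless some unexpired grant covers principal, site and action."""

    def __init__(self, grants):
        self._grants = list(grants)
        self.audit = []                   # every decision is recorded, allow or deny

    def is_allowed(self, principal: str, action: str, site: str,
                   now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        allowed = any(
            g.principal == principal
            and (g.expires is None or now < g.expires)
            and ("*" in g.sites or site in g.sites)
            and action in g.actions
            for g in self._grants
        )
        self.audit.append((now.isoformat(), principal, action, site,
                           "ALLOW" if allowed else "DENY"))
        return allowed

    def visible_sites(self, principal: str, all_sites, now: Optional[datetime] = None):
        """Sites a principal should even see in a portal listing (no read right, not listed)."""
        return [s for s in all_sites if self.is_allowed(principal, "read:telemetry", s, now)]


# Action sets: reading telemetry is a different privilege from changing setpoints.
READ_ACTIONS = frozenset({"read:telemetry", "read:alarms"})
CONTROL_ACTIONS = READ_ACTIONS | {"write:setpoint"}
ADMIN_ACTIONS = CONTROL_ACTIONS | {"admin:users", "admin:firmware"}

PORTFOLIO = ["NL-SOLAR-01", "NL-SOLAR-02", "NL-BESS-01"]        # hypothetical site ids
MAINTENANCE_END = datetime(2024, 10, 24, 18, 0, tzinfo=timezone.utc)
IN_WINDOW = MAINTENANCE_END - timedelta(hours=1)                 # sample times for the demo
AFTER_WINDOW = MAINTENANCE_END + timedelta(hours=1)


def build_policy() -> AccessPolicy:
    """Hypothetical grants: the owner may do everything on every site, a PPA partner may
    only read one site, and an O&M vendor may change setpoints on that site until the
    maintenance window closes."""
    return AccessPolicy([
        Grant("portfolio-owner", frozenset({"*"}), ADMIN_ACTIONS),
        Grant("ppa-partner", frozenset({"NL-SOLAR-01"}), READ_ACTIONS),
        Grant("om-vendor", frozenset({"NL-SOLAR-01"}), CONTROL_ACTIONS, expires=MAINTENANCE_END),
    ])


if __name__ == "__main__":
    policy = build_policy()
    print(policy.is_allowed("ppa-partner", "read:telemetry", "NL-SOLAR-01", IN_WINDOW))   # True
    print(policy.is_allowed("ppa-partner", "write:setpoint", "NL-SOLAR-01", IN_WINDOW))   # False
    print(policy.is_allowed("om-vendor", "write:setpoint", "NL-SOLAR-01", IN_WINDOW))     # True
    print(policy.is_allowed("om-vendor", "write:setpoint", "NL-SOLAR-01", AFTER_WINDOW))  # False
    print(policy.visible_sites("ppa-partner", PORTFOLIO, IN_WINDOW))                      # ['NL-SOLAR-01']
    for entry in policy.audit:
        print(*entry)
```

The important design choices are that there is no implicit access (an unknown principal or an unlisted action is simply denied), that a partner cannot even enumerate the sites it has no rights to, and that elevated control rights carry an expiry so they do not linger after the contractor’s job is done.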

6. Use network segmentation on renewable energy sites

Network segmentation prevents attackers from moving freely across your systems. Segment your network to limit the spread of threats and contain potential breaches: put office IT, the logger/monitoring network and the inverter Modbus network in separate zones, with explicit firewall rules for the few connections that must cross between them. At Helin, for instance, we use network segmentation on renewable energy sites to separate our network from the logger network.

7. Implement intelligent automation technology

Automated security solutions, such as AI-powered monitoring systems, can detect threats in real-time and respond instantly, helping to stop attacks before they cause significant damage.

Again, using our own product as an example, at Helin, we deploy monitoring agents on the edge as well as in the cloud portal. These real-time agents continuously monitor potential threats or attacks, and log all activity. 

Should a threat be spotted, it will automatically raise an alert. This minimizes risk and helps you meet NIS2’s incident-reporting obligations, which require an early warning within 24 hours of becoming aware of a significant incident and a full notification within 72 hours.

8. Regularly update and patch your systems

One of the easiest ways for cybercriminals to exploit vulnerabilities in your infrastructure is through outdated software. System updates and patches are released regularly to address newly discovered security flaws and ensure that any weaknesses are corrected. 

For renewable energy companies, which often rely on a wide range of software and hardware components, from SCADA systems to IoT devices, it’s vital to stay on top of these updates.

It’s best to establish a routine maintenance schedule and keep an inventory of the firmware and software versions on every component of, for instance, your solar park’s infrastructure, so that you know what is running where and can confirm it is up to date with the latest security updates.

Use Helin’s edge intelligence platform to improve your renewable energy business’s cybersecurity 

When you implement an industrial edge intelligence platform for renewable energy like Helin, your solar farms, wind farms and battery energy storage systems immediately become a lot more resilient to cyberattacks. 

As we mentioned before, the NIS2 Directive is already in force, and cybersecurity talent is extremely scarce, a shortage NIS2 only intensifies. Another reminder: 62% of utilities businesses either do not know or do not believe they have the skills and tools in their organizations to protect against cyber threats.

If you’re one of those businesses, and you’re trying to prepare for NIS2 compliance, make sure to get in touch with one of our experts to discuss what Helin could mean for your business.
