The Biden administration earlier this month announced $20 billion in awards through the Inflation Reduction Act for climate and clean energy projects nationwide that aim to reduce or avoid up to 40 million metric tons of carbon annually over the next seven years. The success of this ambitious investment hinges on a crucial, if often overlooked, factor: the cybersecurity of the clean energy technologies underlying these projects.
Critical sectors — including water, transportation, healthcare, manufacturing and communications — have long been an attractive target for threat actors who infiltrate unsecured assets directly connected to the public internet to carry out ransomware attacks or nation-state espionage. The intelligence community’s recent annual threat assessment sheds new light on this challenge, warning of the Chinese government’s pre-positioning on U.S. critical infrastructure to deter the United States from militarily intervening in a regional conflict.
On top of this risk to large critical sectors, clean energy systems are significantly more distributed than conventional energy generation approaches. The latest massive investments in our nation’s energy infrastructure, from large solar and wind farms that directly feed the bulk power grid to small home installations connected to a municipal distribution network, will increase the sector’s attack surface, making the energy sector an increasingly attractive target for digital threat actors. Implementing cybersecurity alongside these investments can make, or break, our nation’s clean energy future.
Climate modeling, public policy and innovation are driving massive and fast-moving changes in the energy grid — and they need to be complemented with cybersecurity policy.
We are living through a period of unprecedented change in the U.S. energy grid, driven in part by environmental public policy. Climate modeling, including the Net Zero by 2050 report and the REPEAT Project, bolster domestic and international commitments to meet specific climate and clean energy goals and deadlines.
The Infrastructure Investment and Jobs Act (IIJA) and the Inflation Reduction Act (IRA) together provide $30 billion in funding for these efforts, dramatically altering incentives and investments for clean energy, offsetting costs and increasing adoption by home users and commercial enterprises alike. And technology improvements, which have made solar panels increasingly affordable, accelerated the development of smart meters and enabled the use of cloud services for load balancing are enhancing interconnectivity and adoption of these technologies.
However, the White House’s recent announcement makes no mention of cybersecurity and, with notable exception of the $350 million state and local cybersecurity grant program, the IIJA and IRA have few provisions explicitly allowing a grantmaking agency to impose cybersecurity requirements on projects funded under them. Given the alarming cyber threat environment, ambitious infrastructure public policy must be accompanied by similarly ambitious cybersecurity and resilience policies.
As the energy grid evolves to accommodate clean electricity generation, transmission and distribution, the cybersecurity of these distributed technologies must evolve with it.
From a governance perspective, the electricity sector is slow to change, and oversight is spread across federal agencies and state regulators. Historic barriers to grid modernization remain; the permitting process for creating new infrastructure, from wind farms to high-voltage transmission lines, remains complex and time-consuming, and construction for large infrastructure projects is expensive.
These barriers will only increase with the introduction of renewable energy technologies; even more stakeholders are a part of the process, more assets need protecting, and infrastructure is more distributed than ever before, with energy generation coming not only from large plants but also from homes and commercial buildings, and with some mediated by consumer-grade Internet of Things (IoT) devices.
Anticipating this threat, several federal agencies are turning attention to IoT cybersecurity and distributed grid technologies. The Federal Communications Commission’s recent unanimous adoption of a rule establishing the U.S. Cyber Trust Mark will allow manufacturers of connected consumer devices, like doorbell cameras and home appliances, to demonstrate conformance to a set of security standards. Additionally, the Department of Energy (DOE) has signaled its intent to develop tailored security requirements for smart power meters and connected inverter-based systems.
These policy initiatives are aligned with an overall government shift toward focusing on cybersecurity during product development and implementation, such as the Cybersecurity and Infrastructure Security Agency (CISA)’s push for developing technology that is “Secure by Design” and a similar program at DOE called “Cyber-Informed Engineering.” Doubling down on these secure architecture programs is critical to ensure swaths of existing, and forthcoming, renewable technologies do not introduce similar levels of vulnerabilities in our nation’s energy grid.
In the long term, the energy sector needs coordinated, long-term collaboration to ensure that cybersecurity is a core tenet of clean energy.
Close and frequent collaboration between the cybersecurity and energy grid communities is needed over the next several decades to ensure cybersecurity is a core tenet of our future clean energy grid.
Traditional public-private partnerships do not yet routinely include representatives from large renewable energy and cloud companies, and cybersecurity governance and standards in particular are still spread among many federal agencies, including the Department of Energy, CISA, the White House Office of the National Cyber Director, and the National Institute of Standards and Technology. But the beginnings of the right policies exist, from aforementioned secure architecture programs at CISA and DOE to the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance program aimed at assisting small operators, utilities and co-ops to bolster their cyber defenses.
Though many challenges lie ahead, we remain hopeful for a whole-of-nation collaboration between experts in climate policy, energy and cybersecurity — only then can cybersecurity become an enabler, and not a barrier, to a clean energy future.
Sarah Powazek is program director at UC Berkeley’s Center for Long-Term Cybersecurity.
Steve Kelly is chief trust officer for the Institute for Security and Technology.