News of pro-Russia hackers allegedly gaining access to Canada’s gas infrastructure brought cybersecurity concerns to the fore last month. To protect our power grid, industry insiders say Canada needs to step up regulations safeguarding energy systems that are vulnerable to attack.
Energy infrastructure all over the world is regularly targeted by both cybercriminals looking to extort companies and state-sponsored actors trying to get a leg up on other nations. Oil infrastructure was the target of nearly a third of the 45 cybersecurity incidents against global commodity industries like shipping, agriculture and petrochemicals between 2017 and 2022, according to data from S&P Global. This includes high-profile incidents like the 2021 ransomware attack on the U.S.’s Colonial Pipeline, which resulted in a shutdown and hefty ransom payment, and the 2022 attack that disrupted shipments from major European oil refining hubs. Power generation and electricity networks were other popular targets, according to S&P Global.
Not all attacks are so impactful. The alleged breach of Canada’s gas infrastructure last month hasn’t resulted in any disruption, and Hydro-Québec’s website fell victim to a run-of-the-mill attack where the server was overwhelmed with traffic, causing it to crash. The crash did not impact production, transmission or distribution of electricity, according to Hydro-Québec.
Now, as Canada scales up its renewable energy, experts say cleantech operators will face the same cybersecurity threats as their fossil fuel counterparts and should seize the opportunity to build strong defences into their infrastructure.
In a cyberattack, which energy system is most at risk?
There is no simple answer to which types of energy systems are most vulnerable to cyberattacks, Tarun Singh and Rich Hodgkinson at Ammolite Technology said in a detailed statement to Canada’s National Observer. Ammolite Technology is an IT service provider whose services include security solutions for small and medium-sized businesses, charities and non-profits.
Oil and gas infrastructure is a prime target for actors aiming to disrupt Canadian life because fossil fuels represented about 64 per cent of Canada’s primary energy consumption in 2021, they pointed out.
At this time, renewable energy infrastructure — like large wind and solar farms — makes up a smaller share of the country’s overall energy mix, and so is likely a less valuable target, said Singh and Hodgkinson. But that proportion could increase in coming years as Canada ramps up renewable power in its bid to achieve a net-zero power grid by 2035.
Canada’s cyber and foreign signals intelligence agency, the Communications Security Establishment (CSE), told Canada’s National Observer in an emailed statement that all critical infrastructure is increasingly at risk from cybersecurity threats, though it does not “have any information specific to renewable energy projects.”
Some key factors that could put energy infrastructure at risk include how valuable and vulnerable a target is and who is looking to attack.
There are many bad actors out there who would like to do harm, with varying motivations, said Ian L. Paterson, CEO of Plurilock, a Canadian cybersecurity company. Criminal organizations are often looking to make a buck by eliciting ransom payments from companies and organizations (as was the case with the 2021 Colonial Pipeline attack) or stealing data.
“It’s often cited that the single greatest transfer of wealth globally was from the United States to China as a result of the intellectual property theft campaigns that took place,” Paterson told Canada’s National Observer in a phone interview. Aside from the financial motivations shared with criminals, hostile nation-states or state-sponsored organizations also stand to benefit from attacks that steal sensitive information or seek to disrupt a country’s critical infrastructure, he added.
If the country’s share of renewable energy grows and its infrastructure is accessible to the same degree as oil and gas infrastructure, it could become “an equally attractive target,” said Singh and Hodgkinson. For any and all infrastructure, the trouble is having a single point of failure — a.k.a., one fault that can be exploited and cause a whole system to stop operating.
Singh and Hodgkinson say they are “cautiously optimistic” because renewable energy infrastructure is inherently less centralized than fossil fuel infrastructure. It is also typically designed with batteries and energy storage to deal with downtime caused by nightfall or weather patterns, which offer resilience against disruptions caused by outages, unlike fossil fuel systems, they added.
But this is not to say renewable energy systems do not have, or will not eventually have, big vulnerabilities hackers can use to incapacitate the system, Singh and Hodgkinson said.
There are countless factors at play. For example, if the renewable energy sector is eventually monopolized or dominated by a handful of companies, it is reasonable to assume that a cybersecurity incident could collapse the entire system for the affected energy provider, according to Singh and Hodgkinson.
Better secure and harden the grid
To Paterson, CEO of Plurilock, the nascence of Canada’s renewable energy infrastructure presents an opportunity to raise the bar for cybersecurity.
In a lot of cases, cleantech is built from the ground up, and as a general rule, it’s a lot easier to have a secure system if you build it with security standards in mind from the outset, Paterson told Canada’s National Observer.
“It's very hard to bolt on security after the fact. So from my perspective, cleantech and renewables present, actually, an opportunity to better secure and harden the grid,” he said. “Whereas trying to secure the legacy grid, it's actually a much, much harder problem.”
Concerns have also been raised about vulnerabilities with solar power.
Research from 2016 said flaws in a company’s solar panels could make the electricity grid vulnerable to hacking, namely through the panels’ internet-connected inverters. Inverters take electricity generated by the panels and convert it so it can be used on the power grid. At the time, a different researcher told the BBC he thought the risk to power grid stability was present, though less extreme than the study outlined. Only some inverter models had vulnerabilities, according to the company.
Reflecting on this research seven years later, Singh and Hodgkinson said they “wouldn’t single out solar as being any more vulnerable than other types of renewable or fossil fuel infrastructure,” primarily because the bar for cybersecurity is fairly low for all types of energy infrastructure.
To deter attackers, upcoming renewable energy infrastructure must be subject to “vigorous regulatory enforcement,” they maintain.
There are a few different, commonly used standards to guide cybersecurity measures and best practices: namely, an international standard and a U.S. standard. Canada has a national standard, but the country does not require Canadian companies and organizations to meet any of those standards.
One possible tool to step up Canada’s cybersecurity is Bill C-26, which would attempt to put a clear cybersecurity framework in place that, among other things, requires operators of important cyber systems in sectors like finance, energy, transportation and more to establish a cybersecurity program to protect their systems, manage possible risks, detect incidents and deal with any impacts. There is a requirement for designated operators to “immediately report” any and all cybersecurity incidents to the CSE and comply with any measures issued by the governor-in-council to protect critical cyber systems.
Under the bill’s proposed Critical Cyber Systems Protection Act, operators would also have an ongoing obligation to “take reasonable steps” to address risks arising from their supply chain or use of third-party products. Bill C-26 is set to be reviewed by the Standing Committee on Public Safety and National Security. It does not require operators to adopt a specific cybersecurity standard. Along with Canada’s baseline guidance for IT security risk management, the U.S. has its own similar framework, and there is also a well-recognized international cybersecurity standard.
Most organizations “follow a flavour that is pretty similar to those standards,” said Paterson. He says it’s challenging for larger organizations to comply with multiple standards across different markets, so simplifying and aligning on just a few existing standards would be beneficial.
But on the flip side, smaller companies with fewer resources may be harder pressed to align with these standards, Hodgkinson pointed out in a Zoom interview.
Another industry insider says strong regulations for cybersecurity are key, regardless of which sector.
“It’s all about money” and finding a balance of managing risks without spending too much, said Alex Dow, chief innovation officer at cybersecurity firm Mirai Security.
Corporations legally have to make decisions that are best for the business, not necessarily for the country, the people and the environment, so governments have to bring in regulations and force corporations to take measures in the public interest, said Dow.
Incentive through insurance
The Canadian Centre for Cyber Security, part of CSE, works with partners and industry associations in the energy sector to “share cyber threat information and strengthen overall cybersecurity and cyber resilience,” Robyn Hawco of CSE media relations said in a statement.
When asked about energy-related examples, CSE cited two “ongoing collaborations” that hinge on information sharing. The cybersecurity centre and the Canadian Gas Association are working together on the Blue Flame Program, which aims to strengthen the security of gas delivery systems across Canada. The other partnership, with Ontario’s Independent Electricity System Operator, looks to reduce cybersecurity risks and provide insights and analysis into the Canadian energy sector.
“I think where we're gonna get change is with cybersecurity insurance,” said Hodgkinson in a Zoom interview.
“If I'm an insurance organization, and I … want to underwrite a large oil and gas or … renewable energy organization, I want to make sure that they're doing as much as they can to strengthen their cybersecurity,” he said.
South of the border, the U.S. is pursuing research into solar cybersecurity and in 2020 released a multi-year plan to improve cybersecurity in renewable energy systems and other areas. The Wind Energy Office also has a specific roadmap for wind energy cybersecurity.
Singh and Hodgkinson say that, more often than not, Ammolite Technology looks to the U.S. to keep up to date on the latest regulatory and technical developments in cybersecurity, noting there is a “lack of reliable and consistent reporting sources” for Canadian cybersecurity developments.
— With files from The Canadian Press