Are there potential cyber security challenges around selling energy back to the grid?
By Simeon Tassev, MD and QSA at Galix
Utility providers are traditionally an attractive target for cyber criminals, evident by the number of high-profile attacks, both globally and locally, in recent years. In fact, the ransomware supply chain attack on the Colonial Pipeline in 2021 became the largest attack in US history, with the payment of a $4.4 million ransom. With President Ramaphosa’s recent plans to expedite the ability for households and businesses to sell surplus electricity from rooftop solar panels into the national grid, the cyber security question must be raised. We need to understand the potential threats and vulnerabilities of so many more connected endpoints and take steps to address them to minimise the risk of attack.
Digital means connected
South Africa’s power needs have grown out of line with the utility providers’ ability to supply, and many homes and businesses have turned to rooftop solar to address their own requirements. The infrastructure obviously needs to be adapted to allow for this and there has been a lot of thought given to the billing processes and how electricity will be charged for and rebated in this new system.
However, due consideration must also be given to the cyber security requirements of this. In order to sell excess energy back to the grid, these private systems will need to be connected, creating a giant web of distributed devices, all digital, all with varying means and levels of intelligence and connectivity, and all a potentially vulnerable access point for those with malicious intent.
Without considering the cyber security element, we risk creating thousands of additional vulnerabilities in an already attractive cyber crime target. In addition, there is a risk that these endpoints could be used to target businesses and individuals if they are compromised.
Understanding is key
Connecting individual producers will be key in securing the country’s energy needs going forward and is a vital step that needs to be taken. It is also a significant part of the ultimate goal of creating smart cities and smart energy grids and solutions. However, any device that is connected, in essence a device that forms part of the internet of things (IOT), could potentially be an entry point.
When it comes to electricity, many of these devices were not designed for connected purposes or to be accessed externally; this alone makes them inherently vulnerable when they are connected. Risk assessments and due diligence must be performed around this because the more systems are opened, the more they need to be secured.
The moment any system is opened to the internet, there are potential new threats that need to be understood, evaluated and minimised, and measures need to be put into place to prevent attack and compromise. With multiple different systems configured in various ways, this can become quite a complex task. In addition, external and remote monitoring tools need to be considered in the complexities, as they too could be a point of entry.
The bottom line is that these risks need to be assessed and understood, because if there is a back door, an opening or a vulnerability, eventually a bad actor will find a way to exploit it. Securing South Africa’s energy future needs to involve significant conversations not just around sustainability, but cyber security as well.