Graphic by Sarah Lu
By Courtney Schneider
Edited by Julia Selby
EXECUTIVE SUMMARY
As global organizations look to the future of energy, they must consider its accompanying security risks. Government agencies are aware that cybersecurity is a pressing and escalating issue across numerous fields, including finance and intelligence. In the energy sector, however, this topic is not broadly discussed. With energy and utility companies among the most at-risk for these attacks,1 action must be taken to secure the electrical grid at every step of its reimagining. The United States Department of Energy (U.S. DOE), given its authority on national energy systems, plays a key role in this action. Through regulation and strategic financing, the department can get ahead of cybersecurity in emerging energy markets.
INTRODUCTION
A timely transition toward renewable energy sources is critical, and the DOE has recognized this in its 2021 Climate Adaptation and Resilience Plan.2 This comprehensive framework prioritizes climate vulnerability assessments and solutions, knowledge-building, and resiliency strategy, but only briefly mentions a topic of utmost importance: cybersecurity. The report notes investments in infrastructure upgrades, energy technology advancements, and AI-powered operations, all of which are key to scaling renewable solutions. However, if the same level of investment in cybersecurity does not contemporaneously occur, national and global energy security will remain at risk.
Cybersecurity and climate, though often viewed as separate issues, are inextricably linked and share similarities in both their economic and infrastructural threats. They each endanger human welfare and global systems—one by way of disasters and the other computer code—and their timing or damage cannot be well-predicted. Combating cybercrime also requires energy, as more secure methods of transactions like cryptocurrency have shown in their high levels of demand and associated emissions.3 This contributes to rising global temperature, exacerbating climate change and increasing the need for additional renewable energy sources, the deployment of which amplifies the risk of cybercrime. This creates a feedback loop that acts as a risk multiplier to the already compounding threat of climate change.
Climate Change
A warming planet endangers every system—natural or manufactured—and the likelihood of widespread, catastrophic damage is high unless rapid, mitigative action is taken. As seen in recent years, climate disasters are increasing in frequency and severity.4 With each incremental increase in global temperature, this will only worsen. Under these conditions, energy systems are either destroyed or hit with excess demand, the stress of which most are ill-equipped to handle. Outages occur as a result, raising demand further and perpetuating another feedback loop of increased emissions, temperature, disaster, and energy demand. To mitigate this, the Intergovernmental Panel on Climate Change (IPCC) urges world leaders to pass cooperative regulation that limits global temperature increase to 1.5 degrees Celsius above pre-industrial levels.5 However, even with comprehensive climate plans in place, global emissions continue to rise6 and the transition from a carbon-intensive industry continues to move slowly.
This puts the world on track to exceed 1.5 degrees Celsius within ten years7—a short amount of time to bring renewable energy technology to scale, but a comparatively lengthy period for cybercrime to advance. The DOE is thus faced with a difficult problem: to mitigate the catastrophic risks of a changing climate, the U.S. must shift to renewable energy. However, to get ahead of potential man-made threats, it must also focus heavily on the security of these new systems. This security need increases energy demand and impacts global knowledge-sharing opportunities, potentially slowing the already sluggish pace of the renewable transition.
BACKGROUND
Cybersecurity
Technological innovation is accelerating across every industry. With it, so are the quantity, complexity, and damage of security breaches. The history of such breaches had a slow start, with a 23-year gap between the advent of the internet and the creation of the Department of Homeland Security’s National Cyber Security Division.8 Today, with over 14 billion internet-connected devices and counting,9 the rate of security breaches is increasing rapidly.
Between 2009 and 2018, there was a global increase of over 6500% in malware infections.10 In 2021, ransomware attacks also grew dramatically with a 105% global, cross-industry increase from 2020 numbers and triple those of 2019. The U.S. was a major target of these 2021 attacks, with regional threats increasing by 227% over the previous year.11 This demonstrates that, even if renewables are implemented within the shortest possible period, cybersecurity threats could be thousands of times greater by the time these technologies have reached full-scale deployment.
Security Issues in Energy
As cybercrime evolves, so does cybersecurity. However, breaches are still possible, making both preventative and responsive safeguards necessary. As the globe shifts to renewables, there is also a shift toward smart technologies such as AI-operated grids and internet-connected home energy systems. If diligent care is not taken, this transition will throw open an already cracked door for cyberattacks. In the energy sector, these attacks can be catastrophic, leaving many without power for indeterminate periods until either the breach is controlled, or the hacker is paid. This does not just cost governments money; it also costs constituents their lives and livelihoods.
Renewable energy is not the only system at risk. In 2021, a ransomware attack on the Colonial Oil Pipeline led to a 6-day shutdown that halted gas supply across much of the eastern U.S. This resulted in a federal state of emergency, a $4.4 million payout to the hackers, and increased gas prices that lasted well after the attack had been controlled.12,13 This level of damage occurred simply because of a leaked password. As the likelihood of both cyberattacks and dramatic weather events increases, there is a threat of a similar event occurring during a time when energy is most needed. The consequences of this would extend well beyond those of the 2021 attack. To safeguard both the country’s power supply and citizens’ wellbeing, heightened security measures are critical.
RECOMMENDATIONS
In 2022, the DOE committed $12 million to six new energy cybersecurity projects across the U.S.14 In the same year, the Inflation Reduction Act passed, which allocates additional funding to cybersecurity protections.15 However, to ensure full security of the transitioning energy grid, the timeline for third-party security solutions must be accelerated. The same must be done for requirements for cybersecurity consideration during the research and development phases of all scalable energy technologies.
LPO Rules
To aid in bringing clean energy solutions to scale, the DOE’s Loan Programs Office (LPO) offers $40 billion of loans and loan guarantees to innovative renewable energy and electric vehicle projects. Eligibility criteria for these loans dictate that the project must be innovative, scalable, located in the U.S., and that the organization can prove loan repayment ability. They do not, however, note anything about cybersecurity.16 To mitigate the risk of default resulting from ransomware or other cyberattacks, ensure the long-term feasibility of projects, and safeguard the overall energy system, this requirement must be added.
To do this effectively, the LPO can both require cybersecurity considerations in the application process and mandate that a percentage of loan payouts be allocated to security safeguards. For companies that do not have in-house cybersecurity professionals, partnerships can be suggested that provide expertise. This will ensure security developments occur contemporaneously rather than retroactively.
DOE/SEC Partnership
The DOE has a vested interest in ensuring the security of national energy systems. As profitability of renewable energy increases, there is also an uptick in clean energy market entrants. To assess the broad-scale viability and overall security risk of these entrants, a standardized cybersecurity reporting requirement must be implemented. This can be accomplished in partnership with the Securities and Exchange Commission (SEC) under proposals like their recent emissions reporting rule. Doing so will benefit both investors and the overall economic health of the energy system.
RESPONSE TO OPPOSITION
Free-Market Infringement
Cybersecurity investment and reporting requirements may raise concerns among companies and investors who disagree with governmental infringement on the free market. While such a critique is merited, it also operates under the assumption that the free market will self-optimize, and that excess government regulation hinders this from occurring. When it comes to both climate change and cybersecurity, however, the risk is not only economic; it also involves human capital. Allowing the free market to self-correct also allows climate change to run rampant, puts people in danger, and makes security solutions retroactive rather than proactive. The DOE should be prepared to explain the necessity of their intervention from this perspective.
Security Risk and Cost
Reporting on cybersecurity investments may also raise the risk of cybersecurity threats. Market-wide expenditure reporting in this area could therefore simply act as a list of easily targeted organizations that cybercriminals can access. The result could be either major pushback from organizations or deliberate false reporting, neither of which will serve to benefit the overall goal of this regulation. To resolve this, reporting could be made private, which requires additional security measures.
These additional measures increase both expense and energy demand. This puts additional pressure on infrastructure that is already ill-equipped to support broad-scale electrification and increases the price of an already costly transition—those not in favor of renewable energy might utilize this point to argue its overall economic disadvantages. However, the long-term costs of inaction are still far greater than the short-term costs of transition. And, as investors become increasingly interested in environmental, social and governance (ESG) portfolios, organizations will benefit from investing money now in feasible, secure projects. Cybersecurity is an ESG issue; its threats span all three areas. Thus, including this in ESG definition and reporting is critical. It is also important for businesses that want to keep the interest of their investors.
Subsidies
Requiring investments in and reporting of cybersecurity efforts may broaden the gap between market entrants and their dominant competitors, increasing the risk of monopoly. To avoid this, the LPO should prioritize loans to small-scale innovators. In addition, the DOE should aid in shifting subsidies from fossil fuel companies and toward renewable energy companies. If the agency were to require cybersecurity investments without also doing this, it would run the risk of unintentionally slowing the transition through increased cost. While most organizations already budget for cybersecurity expenses, any additional requirements might impede advancement in an already difficult market and could push production overseas. To remain on the forefront of energy security, requirements must be put in place, but should also be subsidized.
CONCLUSION
In summary, the DOE must protect its interest in a secure, effective energy system by ensuring that new technologies are resilient to cyberattacks. To do so, the DOE should implement targeted LPO investments that prioritize small-scale innovators but require that a percentage of the loan be spent on cybersecurity. Additionally, broad-scale, private reporting on cybersecurity investments across the renewable energy sector must be standardized and implemented in partnership with the SEC.
A transition to renewable energy is vital, but will be unsuccessful without proper security. The main arguments against this are cost, energy demand, and government overreach. The main risks, however, are economic loss, infrastructural damage, and threats to human welfare. As the DOE moves forward with renewable energy, it must be vigilant in securing these systems. Action is critical to maintaining national energy security, and the DOE is in both the financial and regulatory position to undertake this.
References
1. “6 Industries Most Vulnerable to Cyber Attacks.” n.d. Western Governors University. Accessed May 21, 2022. https://www.wgu.edu/blog/6-industries-most-vulnerable-cyber-attacks2108.html.
2. “DOE Announces Agency Climate Adaptation and Resilience Plan.” n.d. Energy.Gov. Accessed May 19, 2022. https://www.energy.gov/articles/doe-announces-agency-climate-adaptation-and-resilience-plan.
3. Reuters. 2021. “Factbox: How Big Is Bitcoin’s Carbon Footprint?” Reuters, May 13, 2021, sec. Technology. https://www.reuters.com/technology/how-big-is-bitcoins-carbon-footprint-2021-05-13/.
4. “Extreme Weather and Climate Change.” n.d. Center for Climate and Energy Solutions (blog). Accessed May 21, 2022. https://www.c2es.org/content/extreme-weather-and-climate-change/.
5. IPCC. 2021. “Working Group I Contribution to the Sixth Assessment Report of the Intergovernmental Panel on Climate Change.” IPCC AR6 WGI. Intergovernmental Panel on Climate Change. https://www.ipcc.ch/report/ar6/wg1/downloads/report/IPCC_AR6_WGI_Full_Report.pdf.
6. Ritchie, Hannah, Max Roser, and Pablo Rosado. 2020. “CO₂ and Greenhouse Gas Emissions.” Our World in Data, May. https://ourworldindata.org/co2-and-other-greenhouse-gas-emissions.
7. “Analysis: When Might the World Exceed 1.5C and 2C of Global Warming?” 2020. Carbon Brief. December 4, 2020. https://www.carbonbrief.org/analysis-when-might-the-world-exceed-1-5c-and-2c-of-global-warming/.
8. “The History of Cybersecurity.” n.d. CompTIA’s Future of Tech. Accessed May 18, 2022. https://www.futureoftech.org/cybersecurity/2-history-of-cybersecurity/.
9. “Global IoT and Non-IoT Connections 2010-2025.” n.d. Statista. Accessed May 19, 2022. https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide/.
10. “2021 Cyber Security Statistics Trends & Data.” 2020. PurpleSec (blog). November 8, 2020. https://purplesec.us/resources/cyber-security-statistics/.
11. “2022 SonicWall Cyber Threat Report | Threat Intelligence.” n.d. SonicWall (blog). Accessed May 19, 2022. https://www.sonicwall.com/2022-cyber-threat-report/.
12. Bloomberg.Com. 2021. “Hackers Breached Colonial Pipeline Using Compromised Password,” June 4, 2021. https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password.
13. Tsvetanov, Tsvetan, and Srishti Slaria. 2021. “The Effect of the Colonial Pipeline Shutdown on Gasoline Prices.” Economics Letters 209 (December): 110122. https://doi.org/10.1016/j.econlet.2021.110122.
14. “DOE Announces $12 Million to Enhance Cybersecurity of America’s Energy Systems.” n.d. Energy.Gov. Accessed May 20, 2022. https://www.energy.gov/articles/doe-announces-12-million-enhance-cybersecurity-americas-energy-systems.
15. “Inflation Reduction Act Guidebook | Clean Energy.” n.d. The White House. Accessed March 18, 2023. https://www.whitehouse.gov/cleanenergy/inflation-reduction-act-guidebook/.
16. “PRODUCTS & SERVICES.” n.d. Energy.Gov. Accessed May 20, 2022. https://www.energy.gov/lpo/products-services.