Summary:

• Virtual power plants are becoming increasingly necessary as renewable energy adoption rises, with the market expected to reach $2.85 to $5.9 billion by 2027.

• However, virtual power plants are especially vulnerable to cyberattacks due to three key factors inherent to the technology: Internet-of-things (IoT), cloud computing, and the accessibility of the physical location of the hardware.

• CEOs feel ill-prepared; only 58% of CEOs for power and utility companies feel confident in mitigating cybersecurity risks associated with IoT use.

• The alarming rise in cyberattacks will lead to an estimated US $10.5 trillion in annual costs globally by 2025. Much of these costs will come from attacks on critical public infrastructure.

• Public infrastructure like power plants are a prime target for the new age of hackers, with the 2021 Colonial Pipeline and 2017 Saudi Aramco cyberattacks being just some of the highest profile examples.

• The top motivators for cyberattacks on public infrastructure are: geopolitics, sabotage, and financial reasons.

• Cybersecurity best practices, software, and talent will be critical to fight against this growing global cyber-war.

The Multi-Trillion Dollar “Subscription”

Many of us complain about paying over $100 for Netflix every year. But how much would we be complaining if there was something else that cost us $10.5 trillion annually?

That’s how much experts are estimating losses from cybersecurity attacks would cost us globally by 2025 – US $10.5 trillion every year.

Now that Netflix subscription fee isn’t looking so bad anymore…

If you or your loved ones follow the news with any regularity, you would be familiar with some sort of cyber crime popping up in the news cycle every month or even every week. Most recently, hackers who obtained a password of an employee at fuel company Colonial Pipeline were able to enter the company’s systems and threatened executives with a ransom, leading to the 5-day shutdown of one of the largest fuel pipelines in the United States.

In 2020, a breach of systems by IT solutions provider SolarWinds exposed several organizations within the United States to spying activity, including some of its largest companies and multiple branches of the government, the Department of Homeland Security being among them (a cause of both great worry and irony).

In 2017, after a prolific string of cyber attacks on Saudi Arabia’s petrochemical companies, all office computers shut down at Sadara Chemical Company, a joint venture between the oil and chemical companies Saudi Aramco and Dow Chemical. According to energy experts and cybersecurity specialists, the attack was political in nature with the intent to sabotage its operations and blow up the entire industrial plant – the only thing that prevented the explosion from happening was a mistake in the attacker’s code. All computer data had been wiped, and recovery from the attack took months.

These are not isolated incidents, and are expected to grow in frequency, leading to governments, businesses, and the general public worrying increasingly about the lack of security in place at some of society’s most essential pieces of public infrastructure. And as sectors like the energy industry become even more digitalized, these issues could start to compound further.

The Dilemma of the Virtual Power Plant

All over the world, renewable energy such as solar and wind are climbing in adoption, supplying people and businesses with electricity when the sun is shining and the wind is blowing.

But what happens when the sun sets and the wind stops? If your system is able to generate more electricity than what is being used, where does it go?

The possible solution has been floated around for decades, but has only become more relevant in recent years as more countries have started to utilize renewable energy sources, and that would be virtual power plants.

Virtual power plants are typically medium-sized energy systems that use technologies including Internet-connected sensors, cloud servers, energy-managing software, and large rechargeable batteries. These systems monitor, store, and redistribute power throughout the day, efficiently and instantaneously managing a given location’s energy requirements. It is also a rapidly expanding sector, with estimates on the global virtual power plant market sitting between US $870 million to US $1.3 billion in 2019, and is expected to reach between $2.85 to $5.9 billion by 2027.

California is an example of how governments and energy providers are starting to deploy virtual power plants. In the day, excess power generated from solar and wind is stored in batteries, with the energy being redistributed to other areas that need it when the sun goes down.

The usefulness of these systems should be obvious, but as with anything virtual, cybersecurity is a major risk. Three aspects of the implementation of virtual power plants are major risk factors for cyber vulnerabilities: Internet-of-things (IoT) technology, cloud computing, and the physical location of virtual power plants.

Risk #1: Internet-of-Things (IoT)

- Internet-connected sensors and inverters, like the ones seen in virtual power plants, are forms of IoT.

- Security experts have warned for years that IoT devices can be easily intercepted and taken over by bad actors if manufacturers do not build security into their devices’ functionality.

- Unsurprisingly, given the lack of legal requirements or industry standards, IoT manufactures often prioritize speed of production over security.

- This has led to millions of Internet-connected devices lacking any security, from cars, to toasters, and the IoT modules on virtual power plants.

- Only 58% of CEOs of power and utility companies feel confident in mitigating the cybersecurity risks associated with the use of IoT technologies, according to a report from KPMG.

Risk #2: Cloud Computing

- As illustrated with the above mentioned cyber attacks, online computing systems are always vulnerable to cyber attacks.

- Enterprise cloud systems can be penetrated through an infinite number of methods, including brute-force systems penetration attacks, fishing scams, intercepting API calls, and even impersonations.

- Many factors can make it even easier for bad actors to penetrate cloud systems, including employee behaviour, poor compliance with cybersecurity best practices, and the ability for remote hacking.

- The distributed nature of cloud systems running virtual power plants, where there are many individual systems spread out over a large location, makes it much more difficult to monitor online as opposed to the typically single location of traditional power plants (i.e. monitoring 100 systems versus monitoring 1 system).

Risk #3: Physical Locations

- While traditional power plants are usually single locations that are heavily guarded, virtual power plants are almost always unguarded, usually found in backyards or home rooftops.

- This means hackers can physically access a virtual power plant system, allowing for tampering of the devices or even plugging in an Ethernet cable to access the network.

- This is particularly dangerous since access to one location’s virtual power plant could open up access to the entire network of other Internet-connected virtual power plants in different locations.

With these risks outlined, important questions need to be asked. What if hackers are able to shut down an entire city’s worth of virtual power plants? Or shut off your home’s Internet access at will? Or threaten to blow up yet another industrial plant?

These are questions that are worth asking, and it is clear one key solution is needed.

Our Cyber Heroes Fighting for Power!

These trends show us the simple truth that digitally-skilled talent, particularly in the realm of cybersecurity, will become more critical than ever to protect the integrity of our essential public infrastructure like energy grids and virtual power plants.

Cybersecurity specialists are the heroes that we will need to design and implement secure hardware and software, introduce best practices into organizational operations, and advise on new government regulations for minimum standards for cybersecurity within the energy sector and beyond.

This explains the year-on-year rise in salaries for cybersecurity roles, with the average salary in the United States for a cybersecurity engineer currently pegged at over US $100,500 according to Glassdoor. The growth in job openings for cybersecurity roles has already increased by 350% from 2013 to 2021, and there will be 3.5 million unfilled jobs in the sector this year due to the global crunch for cybersecurity talent.

So if you are a soldier in the cybersecurity army, or are planning to conscript, know that you are a special ops trooper fighting an important war for your people.

And for many of you who will be deployed at the likes of Colonial Pipeline, Saudi Aramco, and other companies providing critical energy infrastructure, this is a war for power – the kind that runs our cars, MacBooks, and the rest of our daily lives today.

About REANGLE

Our mission is to bridge the gap between deserving talent and opportunities, particularly for digital and green businesses in the Asia-Pacific region. Contact REANGLE for digital talent development, business development and transformation, or consulting for green companies at info@reangle.co.