The FBI warned utilities this week that operators of inverter-based resources (IBRs) will likely see their risk of malicious cyber activity grow along with their increased presence on the grid, and it issued a set of recommendations to improve their security posture.
The FBI’s private industry notification (PIN), issued July 1, focused on renewable energy resources, particularly residential and grid-connected solar panels. It warned that malicious actors may target these facilities “to disrupt power-generating operations, steal intellectual property or ransom information critical for normal functionality to advance geopolitical motives or financial gain.”
NERC has warned about the potential cyber vulnerability of IBRs before. At FERC’s annual Reliability Technical Conference last year, NERC CEO Jim Robb said that solar and wind plants are “incredibly exciting technologies” that nonetheless come “with real issues.” (See FERC Conference Highlights Challenges of Evolving Grid.) Among these issues is their reliance on digital communications for remote control, which broadens the attack surface available to threat actors.
This week’s PIN took these warnings further, noting the FBI’s concern that cyber threats against IBRs are likely to increase because “with federal and local [legislatures] advocating for renewable energies, the [power] industry will expand to keep pace, providing more opportunities and targets for malicious cyber actors.” Examples of government advocacy cited in the report include the Inflation Reduction Act’s incentives for renewable energy and state targets for solar power capacity.
Residential and commercial solar projects are both vulnerable to attacks targeting their inverters, the FBI said, particularly if those inverters use internet-connected monitoring systems. Attackers that gain control of a residential unit’s inverter could use their access to reduce the system’s power output or damage the home’s battery system, if one is present. In addition, cyber criminals or nation-states could target microgrids used to maintain power during an electrical outage.
The notification cited only one actual cyberattack against IBRs in the U.S. This 2019 incident involved “a private company which operates [wind and] solar assets” in California, Utah and Wyoming with a total capacity of about 500 MW. The company lost visibility into those assets after an attacker launched a denial-of-service attack exploiting an unpatched firewall.
“While it was unclear if this specific incident was a deliberate cyberattack targeting this specific company, the incident highlighted the risks posed by a security posture that relies on outdated software,” the document said.
Recommendations provided in the report include establishing and maintaining strong relationships with local FBI field offices, and proactively addressing cyber espionage and interference by:
- monitoring network activity for suspicious traffic;
- updating company networks, firewalls and antivirus software to patch security vulnerabilities; and
- reporting unexpected visits to company facilities or suspicious solicitations of employees.
The FBI also urged utilities to assume they will be the victim of a cyber incident and prepare accordingly. Suggested preparations include maintaining offline, encrypted data backups; reviewing the security posture of third-party vendors; documenting and monitoring external remote connections; and implementing a plan for recovering sensitive or proprietary data.
Identity and access management is also an important preparedness step and can be addressed by implementing strict password controls (such as requiring long passwords, using industry-recognized password managers and locking out accounts after multiple failed logins) and requiring multifactor authentication. Entity cybersecurity staff may also regularly review servers, workstations and active directories for new and/or unrecognized accounts, and segment networks to prevent the spread of ransomware.