4 top cybersecurity considerations in the renewable energy sector

 

Companies operating in the renewable energy space face a mix of familiar and new cybersecurity risks that management and boards must be aware of – and, where needed, take steps to mitigate. The relative newness of some operations in the sector, combined with the high-growth cycle they may be part of, serves up a mix of risks that organizations need to understand.

Data protection risk

Many operators in areas such as community solar and residential rooftop solar are stewards of a tremendous amount of private customer data known as “personally identifiable information (PII),” such as banking information. This concentration of data makes these operators targets of cyber threat actors who will steal and sell this PII on the dark web. Information security is all about protecting the “CIA” of PII: confidentiality (making sure that data is protected), integrity (that data is accurate and not tampered with), and availability (that data can be readily accessed). Protecting PII takes investment in data protection, intrusion detection, incident response, and operational and data recovery capabilities, as part of a mature cybersecurity operation.

Operational risk

While renewable energy operators tend to consider their core electrical operations safe, or safely distanced from at-risk networks, their connection to the power grid makes it more likely that they will become cyber targets. Nation-states and “hacktivist” group threat actors using sophisticated tradecraft increasingly are looking for vulnerabilities in the operational technology (OT) of organizations that may not be part of the bulk electric system (BES), but connect to it. Attackers focus on “weak links in the chain” that may not have invested adequately in the security of their OT environment. Unlike threats to PII, which is stored and processed by the information technology (IT) environment, the risk of attacks on OT systems creates operational risk, process reliability risk, and public safety risk because attacks on industrial control systems (ICS) can cause physical damage to core processes.

Cybersecurity leadership risk

New or growing companies in the renewables sector may not have a chief information security officer (CISO), or that role may report to the CIO or another company officer. But cybersecurity risk is so pervasive and attacks so often successful that renewable energy companies should have a competent security officer with enough autonomy to implement the policies, practices, and controls necessary to protect not only the IT and OT environments, but also the operational continuity, financial stability, and reputation of the company. Because of the sustained shortage of experienced cybersecurity candidates, it can be expensive to identify, hire, and retain CISOs, so outsourcing this capability is an alternative.

Director and officer governance risk

Board members and company officers assume a fiduciary duty of care to supervise or oversee how the company discloses its cyber risks to investors; whether its incident disclosures meet regulatory requirements; and how it manages its cybersecurity program commensurate with its risk. If boards don’t have sufficient cybersecurity experience and knowledge among their membership, their capacity (or incapacity) to discharge this duty of care can become a cause of action in shareholder lawsuits. Good governance around this most ubiquitous and potentially most damaging of risks suggests that the board should seek training and independent advice so it can stay adequately informed and up to the task.

How CohnReznick can help

Our Cybersecurity, Technology Risk, and Privacy team works closely with our Renewable Energy industry team to provide our clients with services that can mitigate cyber-related risks and vulnerabilities.

Board cybersecurity workshops

Our senior practitioners facilitate virtual and on-site workshops for officers, boards, board members, and committees to provide an understanding of how to discharge their fiduciary responsibilities for the cybersecurity program.

Office of the CISO services

We offer fractional CISO and security operations services, available as used, via retainer, or as a short/medium-term engagement. We give you expertise and experience when you need it, and help you replace our temporary staff with the right full-time team member(s) for your needs.

Privacy program reviews

Because we approach privacy through a shared prism of cybersecurity and technology risk, we are able to assess your overall privacy status, help you operationalize how your privacy program interacts with business operations, and provide insights into using privacy technology effectively – working with your internal audit, compliance, and your privacy, risk, and security officers.

IT and OT risk assessments

Our team provides independent assessments of the cyber posture and maturity of your IT environment and OT systems, giving you an independent third-party perspective of your vulnerabilities based on our years of cross-industry experience.

Cybersecurity strategy and roadmaps

We will help you understand where your organization is on its cybersecurity journey and how to get to the posture you aspire to within the Renewables sector. Our work is designed for our clients’ individual, unique circumstances, so we “right-size” our effort to fit your risk appetite, regulatory or partner obligations, culture, and financial capacity.

Contact our team to learn more and get started on assessing and optimizing your cyber protections.

OUR PEOPLE

Get in touch with our specialists

Scott Corzine

Managing Director, Cybersecurity, Technology Risk and Privacy

Brian Marconi

CPA, Partner

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.