This piece was authored and published by the UC Berkeley Center for Long-Term Cybersecurity. The original article can be found on their website.
October 22, 2024 – Whether the United States and other countries will meet clean energy and climate goals will depend partly on how well we can design a secure new, distributed renewable energy infrastructure and train a workforce to manage it — and on how well the climate and clean energy and cybersecurity communities can work together.
On September 27, 2024, the Center for Long-Term Cybersecurity (CLTC) and the Institute for Security and Technology (IST) presented a panel discussion entitled “Cybersecurity and the Clean Energy Transition” focused on the important role that cybersecurity will play in successfully evolving the U.S. electric grid toward renewable energy. The event was co-sponsored by CITRIS and the Banatao Institute and the Center for Security and Politics at the Goldman School of Public Policy, and was part of CLTC’s Secure Clean Energy Initiative, which is focused in part on bridging the knowledge gap between cybersecurity professionals and the clean energy sector.
Steve Kelly, Chief Trust Officer for IST, kicked off the event. “Our goal for today is to try to come out of this with some ideas for some tangible work plans,” Kelly said. “We want to amplify the great work that’s been happening in this space over the course of the past few years, and to carry that forward into the future.” (Last spring, Kelly — along with Sarah Powazek, Program Manager for Public Interest Cybersecurity at CLTC — co-authored “The Future of Clean Energy Hinges on Cybersecurity,” an op-ed published in The Hill.)
Ann Cleaveland, Executive Director of CLTC, explained in her introductory remarks that the issue of cybersecurity for the clean energy transition has been in the works within government agencies. The issue was “turbocharged by the passage of the Inflation Reduction Act, but there has been a lot of great work happening at the Department of Energy, at the national labs, at the White House, and other places,” she said. “We really wanted to bring that conversation to the West Coast to Berkeley” by convening a “public, multi-stakeholder conversation on this topic.”
A Need for Education, Diversity, and Cross-Functional Collaboration
The event began with a conversation between Cleaveland and Mara Winn, Deputy Director at the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER). Winn leads the division in supporting energy-sector security and resilience through coordination and communication with the Department of Energy‘s (DOE) government and industry partners.
Speaking via teleconference, Winn explained that new clean energy technologies, such as solar panels, wind turbines, batteries, and heat pumps, are transforming the energy industry, but also introducing new risks. “This is a really revolutionary time in our energy infrastructure in the U.S., and with that comes a lot of responsibility,” she said. “With this transition to these cleaner energies… there is an obligation to think about cybersecurity, because it is much more distributed. It is much more dispersed. And that means that as we add more to the grid with different owners and operators, we need to take a different approach to cybersecurity.”
Winn noted that the Cybersecurity and Infrastructure Security Agency (CISA) last year hosted a webinar about cybersecurity and distributed energy resources that began with a threat briefing. She stressed the importance of ensuring that new entrants in the clean energy marketplace are aware that security should be top of mind. “We know our nation-state adversaries have an interest in being able to control and disrupt our grid,” she said.
“We need to start with education,” Winn added. “Risk is threat, vulnerability, and consequence…. We need to talk in a way that people are understanding the risk and making sure that cybersecurity is part of that conversation. It’s bad for business if your systems are at risk of not being trusted. It’s bad for business if you’re not going to be producing the energy that you had planned on, and that means that you need to make sure your system is locked up tight.“
Winn also talked about the importance of integrating safety and security into the design of clean energy systems, including by “thinking like an adversary” and being “your own best red team” to think through potential vulnerabilities. She emphasized the need for a new generation of leaders who “don’t think about things in silos” and can think across fields and disciplines.
She stressed the importance of growing diversity in the energy and cybersecurity fields, including diversity in background, culture, experience, and training. “You need to be learning about attributes that are outside of your space so that you can integrate them, even if it’s not your area of expertise,” she said. “Make sure that you’re thinking critically about your space and be able to work cross-functionally. Those are the ways that we are going to solve the problems of tomorrow, because no one person is going to know it all.”
Toward a Foundation for Security Across the Energy Ecosystem
The next panel featured representatives from both the energy and cybersecurity fields, and from the public and private sectors. The panel included Phoebe Benich, Senior Advisor for Strategy and Research at the Office of the National Cyber Director; Vinod D’Souza, Head of Manufacturing and Industry in the Office of the CISO at Google Cloud; and Eric Gimon, Senior Fellow at Energy Innovation Policy and Technology, LLC. The panel was moderated by Ann Cleaveland.
In their discussion, the panelists weighed how the increasingly distributed energy grid — including decentralized batteries, inverters, electric vehicles, and other components — will expand the potential attack surface for cyber threats. “Our journey to decarbonization is inherently digitization,” Benich said. “Our accelerating national transition… to modern, distributed generation and storage systems — underpinned by third-party internet connected devices and platforms — is bringing online this new generation of hardware and software systems that have the potential to provide enhanced security, resiliency, and efficiency…. With that renewable energy transition, we have introduced unique vulnerabilities, due to the fact that these systems are more decentralized, they’re more connected to the internet, and they’re increasingly connected to the electric grid.”
Benich offered a reminder of the immense stakes involved in securing the grid, as a major outage would disrupt critical infrastructure, including hospitals and other emergency services. “Continuing to rely on the constant vigilance of every individual who interacts with our digital ecosystem is simply an unacceptable way to architect that system, which is why it’s so important that we bake cybersecurity into the foundation of the infrastructure, even as the infrastructure gets more complex,” she said.
Google Cloud’s D’Souza pointed to the importance of cloud computing and AI as emerging opportunities to secure a largely decentralized grid. “Cloud is going to play an important role,” D’Souza said, as it can provide “scalability and compute power.“
“I interact with a lot of manufacturing and industry CISOs, and one of the things I constantly hear is, ‘We want to transform, we have a lot of legacy systems, and I feel that for modern threats, we need modern technology’,” D’Souza said. “Cloud can give you that power and resilience, where the energy producers don’t have to worry about the infrastructure needed for computing and analytics.”
The Importance of Process and Practice
Gimon, a technical expert, research scholar, and policy adviser, emphaized the importance of “process and practice” in maintaining strong security. “You just can’t think of everything that could happen, and so you need to create practices that have better hygiene. And then you need processes to understand information that’s coming to you about threats and new things on the horizon,” he said.
Gimon noted that, in his work on climate and energy issues, he rarely hears mention of security. “I talk to entrepreneurs and policy people, and I can safely say I never hear cybersecurity come up,” he said. “The utility industry is a very risk-focused, risk-averse group, and you’d be surprised at how sophisticated they are at thinking about risk from the point of view of the electrical system. It doesn’t seem like that mindset really floats into the cyber side.“
D’Souza stressed the importance of thinking through scenarios and establishing back-up systems for power, data storage, and other critical needs. “We need to think about all the risk,” D’Souza said. “What if there is power outage, or a cyber attack?”
He stressed the need for “secure and resilient data centers” as well as backup generator systems. “How do we make sure that we keep copies of the information in distributed, local sites that can be accessed [during power outages or cyberattacks]?” he said. “We need to think about risks, and we also need to kind of think about how to design these systems of the future, keeping these risks in mind. What that means is continuous assessment, more testing, and understanding different use cases.”
Benich noted that she and her colleagues in the U.S. government are focused on bringing together new stakeholders in clean energy with traditional utilities, which “may not have access to some of the cutting-edge solutions that these new entrants are bringing to the table,” Benich said. “We’re really trying to… develop a shared sense of what ‘right‘ looks like for reliability and security, just to ensure that every time we have new new entrants, they’re not having to reinvent the wheel.”
She explained that the DOE’s Energy Threat Analysis Center (ETAC), which was launched to “enhance public-private operational collaboration in cybersecurity for energy systems,” has expanded to support new entrants so that “renewable energy vendors and infrastructure owners and operators are involved in the… collaborative cyber threat analysis that ETAC was stood up to do.”
Benich also noted that the Biden-Harris National Cybersecurity Strategy includes a goal to “realign incentives to favor long-term investments in things like preparing the digital ecosystem to deliver on the U.S. government’s decarbonization goals.” She said that she has been working with partners in the White House Climate Policy Office as part of an interagency effort to ensure that the digital ecosystem is positioned to deliver a secure clean energy transition. As part of this effort, in August, they released a fact sheet summarizing priorities for securing technologies inherent to clean energy.
Developing a Pipeline of Talent for a Secure Clean Energy Future
The panelists reflected on what will be needed in the workforce to ensure there is a robust cybersecurity underpinning to a clean energy future.
D’Souza stressed the importance of integrating cybersecurity into the design of products and services across a wide range of industries. “Cybersecurity is no longer just an IT issue,” he said, but rather it applies to all the products and equipment used in clean energy, so we must address it “from an ecosystem perspective…. We can’t forget the supplier ecosystem…. There are lot of opportunities to think outside the box.”
Gimon spoke about training a future workforce in cybersecurity and sustainable energy that can bring “critical thinking skills, the ability to communicate, the ability to work with other people, and a certain level of humility about what you don’t know and how you can find out more.” He noted that filling the pipeline for professionals in cybersecurity — as well as fields related to sustainable energy, like electricians — should be a priority. “If we think about it from a policy point of view, are we going to have the people we need to drive this transformation? There’s a big question mark.”
Benich talked about measures the Biden-Harris Administration has taken to expand the labor and talent supply, including the National Cyber Workforce and Education Strategy, which “lays out a plan to increase the cyber workforce to meet that national demand,” she explained. Similarly, programs like the Service for America Initiative are helping develop a new generation of talent. “We don’t want to let degrees be the barrier to matching talent with the need for folks to fill those roles,” Benich said.
In the long run, cybersecurity and energy professionals will have to work arm-in-arm, as their goals are mutually dependent. “[Cybersecurity professionals] are not trying to be wet blankets on clean energy innovation,” Benich says. “It’s just that we recognize that we’re at this once-in-a-generation moment for the clean energy transition, and we want to ensure that we’re ambitious about making the digital economy built atop a foundation of secure and resilient technology so we can achieve more ambitious goals going forward.”
Looking Ahead
CLTC and IST intend to advance the Secure Clean Energy initiative, building on the insights and momentum from the panel with future research collaborations, capacity-building efforts and multi-stakeholder dialogues. In the meantime, we invite you to subscribe to the Secure Clean Energy Substack, where Nick Merrill, Director of the Daylight Lab at CLTC, will be writing monthly about how to create a secure clean energy future—one that’s not only zero-carbon, but abundant: inexpensive, decentralized, and reliable.