Texas is the nation’s leader in wind energy, but new turbines still regularly pop up across the state. One wind project in particular has caught the eye of Sen. John Cornyn.
In July, Cornyn sent a letter to the Department of Defense, asking the agency to deny or suspend the environmental permit for a wind farm in Val Verde County, a rural area on the southern border.
The project in question is backed by a Chinese billionaire named Sun Guangxin, who has close ties to the country’s Communist Party. It’s also not far from Laughlin Air Force Base, which Cornyn claims makes the energy development a serious threat to national security.
For details on the specific cybersecurity threats presented by renewable energy, the Texas Standard spoke to Megan Culler, a power engineer and researcher based in El Paso for the Idaho National Laboratory. Listen to the interview above or read the transcript below.
This transcript has been edited lightly for clarity:
Texas Standard: I think most folks are familiar with digital threats, like getting your credit card information stolen or falling for a phishing scam. How are threats to the grid and other infrastructure different?
Megan Culler: I would say that they’re similar in the sense that we’re still talking about digital technologies. But there’s a lot of digital technologies that are now applied across the energy space, in particular for renewable energy.
There’s geographic considerations around where that energy can be produced – often in rural or remote areas. And there’s kind of a need to have more remote connectivity to those devices.
On top of that, we can also talk about the increased digitization of the grid, where we’re getting more processing power to make the grid more efficient, so more and more devices are being digitized. And that is what we might call a “smart grid.”
All of that is potential, then, for a cyber adversary to try to take advantage of that.
I was going to ask how important a factor a physical proximity is when it comes to security. For example, is a wind farm that’s 20 miles away from a military base or a hospital more of a threat than one that’s 200 miles away?
I would say that the geographic proximity of the resource to the load is probably not a big factor. I imagine that where we’re kind of getting at here is if that wind farm is being used to serve a nearby critical load, then there’s the potential consequence to consider there if that generation asset were to go offline or be misused in some way.
Maybe from that subsequent perspective you could make an argument for that. But I wouldn’t say that because of the proximity it’s any more likely to be attacked or anything like that.
Now, Texas is in a bit of a unique place here. Our energy grid is mostly independent from the rest of the country. Does that affect how vulnerable or not vulnerable it is to a cyber?
In general, I like to break up cybersecurity or cyber risk into the categories of adversary or threat, consequence and vulnerability. So when you’re saying vulnerability, no, I don’t think it makes it more vulnerable.
We could consider if it makes the consequences different because there’s not the support of a larger grid and kind of that backing where you could be able to pull from regional assets if needed. But I don’t know that it makes it more vulnerable just because it’s smaller.
So Texas has, as we said, become a leader in wind energy – a growing solar industry. As we add these other private operators to feeding into the grid, are there things that they should be considering to protect themselves from these sorts of attacks we’ve been talking about?
In general, I would say that a lot of good cyber hygiene practices are really the most basic things that we’re looking for, and those things tend to go a long way in terms of protecting against bad actors.
So, for example, we want to make sure that none of the assets are exposed to the public internet, that they’re behind firewalls and using VPNs for their remote sections. When we think about what should wind operators do or what should solar operators do in particular, there may be some specific considerations where we might prioritize different things.
For example, since wind turbines are geographically spread out and spread out even from one another, we might consider that the physical protection of those assets is actually just important from the cyber perspective, because unlike a traditional bulk generation asset that’s going to be gated and guarded, it’s a lot easier to access some of those turbines and go up and potentially put a lock and, plug a device in.
And so maybe we want to have better remote device-monitoring policies in place to detect that sort of thing, knowing that physical access to these assets is maybe a little bit easier than it would be to a traditional gas generator or coal generator.
Do you think that we’ve taken steps that have made our grid infrastructure safer, or does the, as you said earlier, sort of reliance on the digital aspects of connectivity these days impose a greater risk than we have been in recent years?
I think we’re definitely making steps in that direction.
While some of this may be new – the remote connectivity, the integration of more third parties, the disintegration of assets – there’s a lot of things that aren’t new in this space, too, in terms of mitigating the consequences, in terms of having protection built into the grid. And then there are also cybersecurity solutions that have been developed in response to the emerging real and perceived vulnerabilities.