When You Can’t Change The Technology, Change Your Security Policies
In traditional IT security, we know that we cannot control the security of what’s on the internet. The security of sites and devices ranges from what equates to nihilistic chaos, also known as Black Friday shopping at Walmart, to structured processes with high levels of governance and validated protection. When it comes to your enterprise infrastructure, you can only control what happens with the data, apps, users, and devices that are within your scope of management; thus, you have to build a cybersecurity architecture that accounts for systems and processes that you cannot change. Organizations have deployed firewalls, IDS/IPS, MFA, EPP/EDR/XDR, and NDR to deal with the myriad internet cyberthreats. But wait, there’s more.
Last year, we published a report looking at the security of connected vehicles to provide insight into the security (or lack thereof) within the modern vehicles that roam the world’s highways and how it may impact your business. Last month, we looked at the growing vulnerabilities and risks within EV charging infrastructure and what you can do about it when you can’t change the security of these IoT and OT devices. In the EV report, we called out how a compromise of the chargers could lead to a disruption in the electrical grid, because that charging device maintains a data connection, not just an electrical one, not only to the operator who controls the device but also to the local power utility. With the accessible nature of these public chargers, enhanced security cannot be an afterthought: if someone can just walk up to one and hack it, a compromise could impact a whole municipality, if not a larger area. But what about the security and integrity of the power grid infrastructure itself? It gets worse.
Power generation at scale is no longer relegated to large sites such as coal/gas furnaces, hydroelectric dams, or nuclear plants. The proliferation of large wind farms and massive solar farms has expanded the overall attack surface that needs defense. Security flaws discovered across multiple solar power vendors compound the concerns of more IoT and OT devices being connected to the internet for communications to a management “cloud,” which is just a fancy word for another person’s data center. The challenges of securing centralized power generation sites that need internet connectivity are significant, but the challenges grow exponentially with wind farms that occupy, at a low average, 20 acres per megawatt generated, or solar farms that scale at roughly 10 acres per megawatt. Maintaining physical access control for locations that large is very difficult (unless you can afford to establish the type of security you see at highly restrictive military bases), never mind controlling electronic access over internet connections. So how do we brighten it up?
Starting with the greatest amount of control: If you have solar arrays installed as part of your facilities, such as on the roof of the building or over parking spaces, treat them like any other IoT or OT deployment and institute the proper policies and solutions to protect not just the devices but, if you can, the whole of your infrastructure from threats that may come from those devices. As your level of control fades, increase the security on the IT side of your business that interacts with these other IoT and OT networks: Restrict access to internal resources that are not required for operating with these devices, increase anomaly detection alerts on communications that originate from these devices, and institute corporate policies and training that instruct your employees on how to safely interact with these infrastructures. When it comes to power delivery, there’s a reason why backup generators exist.
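The two IT-side controls above (restrict what the IoT/OT segment may reach, and alert on anything else) can be expressed as an allow-list check over flow records. The following is an added example, not Forrester's code or tooling, and everything in it is assumed: the rooftop solar inverters and EV chargers are placed in a hypothetical 10.50.0.0/24 segment, the only sanctioned destinations are the vendor's management cloud at the documentation address 203.0.113.10:443 and an internal NTP server at 10.0.0.5:123, and the flow records are a constructed NetFlow-style sample rather than captured data.

```python
"""Allow-list check for traffic sourced from an IoT/OT segment (added example).

Assumptions (constructed, not from the page): solar inverters and EV chargers
live in 10.50.0.0/24; they may only reach the vendor management "cloud"
(203.0.113.10:443/tcp) and the internal NTP server (10.0.0.5:123/udp).
Anything else sourced from that segment is an alert candidate.
"""
import ipaddress
from collections import defaultdict

OT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")      # assumed OT/IoT segment
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # assumed corporate space
ALLOWED = {                                            # assumed allow-list
    (ipaddress.ip_address("203.0.113.10"), 443, "tcp"),  # vendor management cloud
    (ipaddress.ip_address("10.0.0.5"), 123, "udp"),      # internal NTP
}

# Constructed sample flows: (src, dst, dport, proto, bytes)
SAMPLE_FLOWS = [
    ("10.50.0.21", "203.0.113.10", 443, "tcp", 4200),   # expected: vendor cloud
    ("10.50.0.21", "10.0.0.5", 123, "udp", 76),         # expected: NTP
    ("10.50.0.22", "10.0.0.5", 123, "udp", 76),         # expected: NTP
    ("10.50.0.22", "10.10.8.15", 445, "tcp", 9800),     # SMB toward a file server
    ("10.50.0.22", "10.10.8.15", 3389, "tcp", 1500),    # RDP toward the same host
    ("10.50.0.23", "198.51.100.7", 443, "tcp", 300),    # unknown external host
    ("10.20.1.4", "10.10.8.15", 445, "tcp", 50000),     # corporate host: out of scope
]


def parse_flow(rec):
    """Normalise one record into typed fields."""
    src, dst, dport, proto, nbytes = rec
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            int(dport), proto.lower(), int(nbytes))


def classify(flow):
    """Return None for an expected flow, otherwise a short alert reason."""
    src, dst, dport, proto, _ = flow
    if src not in OT_SEGMENT:
        return None                      # only OT-sourced traffic is in scope here
    if (dst, dport, proto) in ALLOWED:
        return None                      # sanctioned destination
    if dst in INTERNAL:
        return "ot-to-internal"          # reaching a resource it has no business with
    return "ot-to-unknown-external"      # talking to something other than the vendor cloud


def flag_flows(records):
    """Run the allow-list over a batch of records and return alert dicts."""
    alerts = []
    for rec in records:
        flow = parse_flow(rec)
        reason = classify(flow)
        if reason:
            alerts.append({"src": str(flow[0]), "dst": str(flow[1]),
                           "dport": flow[2], "proto": flow[3], "reason": reason})
    return alerts


def noisy_devices(alerts, threshold=2):
    """Devices with at least `threshold` distinct non-allowed (dst, port) pairs."""
    dests = defaultdict(set)
    for a in alerts:
        dests[a["src"]].add((a["dst"], a["dport"]))
    return sorted(src for src, d in dests.items() if len(d) >= threshold)


if __name__ == "__main__":
    found = flag_flows(SAMPLE_FLOWS)
    for a in found:
        print(a)
    print("devices to investigate:", noisy_devices(found))
```

The allow-list is deliberately per (destination, port, protocol) rather than per destination alone, so a charger that legitimately reaches the vendor cloud on 443 still raises an alert if it starts probing that same host on another port. The `noisy_devices` pass is the "increase anomaly detection" half of the recommendation: one stray flow may be a misconfiguration, but a device fanning out to several internal destinations is worth a ticket.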
Bringing these risks to you is not meant to be a Dr. Doom moment demanding that everyone become a Luddite. But while you’re attempting to do your day job and protect your business’s infrastructure, I want to make you aware of items that may not have appeared on your horizon yet so that your security plans can take them into account. Forrester clients who want to discuss the impact of third-party IoT and OT devices interacting with their infrastructure should schedule an inquiry or guidance session where we can dive deeper into this topic.