When you glance at your smart meter to see how much electricity you’ve used that day, a cyberattack is likely not front of mind. And yet, Internet of Things (IoT) devices such as these can be an easy access point for cybercriminals.

There was a 200% increase in attacks on utilities in 2023 and the average cost of data breaches in the energy sector is over $4 million. Europe alone saw a doubling of cyberattacks in the power sector between 2020 and 2022, while in the US, there was an almost 70% hike in cyberattacks on utilities during 2024, compared to the previous year.

So it’s a huge issue, and one that utility companies — and governments — are keen to address.

And within this landscape, the renewables sector has become a prime target. To keep up with the rapidly unfolding energy transition, digital technology to help integrate and manage renewables is being adopted at pace, which is creating more potential attack surfaces. For example, integrating more renewables projects and battery energy storage systems requires software that allows the technologies to interact and work together – introducing cybersecurity risk across the system. Alongside, as renewables develop and scale, the number of stakeholders involved is increasing and includes businesses from a variety of sectors alongside power companies. This too could increase the likelihood of cyber threats.

The growing cyber threat to renewable energy

Global renewable power capacity increased by 473 gigawatts (GW) in 2023, up 14% on the previous year, according to the International Renewable Energy Agency (IRENA), while the International Energy Agency (IEA) anticipates 5,500 GW to become operational by 2030.

This is all good news for the environment and global targets to reduce greenhouse gas emissions. But it also presents an opportunity for cybercriminals to exploit vulnerabilities in dispersed and relatively new systems.

Digital technologies such as IoT, artificial intelligence (AI) and middleware, the software that joins all the dots, are now vital additions to utility companies scrambling to keep up with demand.

These technologies enhance efficiency, enable better integration of renewable energy sources, improve demand forecasting and optimize grid performance in real time. In short, they are an indispensable factor in the energy transition. But not an uncomplicated one.

Solar energy alone, which accounted for three-quarters of the world’s renewable capacity additions in 2023, is susceptible to six different types of cyberattack; wind farms can be disrupted because the remote control mechanism can be hacked; battery energy storage systems and electric vehicle charging stations can be similarly compromised.

Last year, the Federal Bureau of Investigation issued a warning to the US renewable energy industry that “malicious cyber actors may seek to disrupt power generating operations, steal intellectual property, or ransom information critical for normal functionality to advance geopolitical motives or financial gain”. It cited a 2019 example of a private solar company that suffered a denial-of-service attack, resulting in the “lost visibility” of 500MW of wind and solar sites in California, Utah and Wyoming.

In the UK, renewables companies experienced around 1,000 attempted cyberattacks every day last year, according to cybersecurity analysis. These attempts are not hitting the headlines, however — unlike the renewable energy disruption of 2022, when a cyberattack on a satellite communications network brought 5,800 wind turbines in Germany to a standstill. 

Protecting the energy transition

Alongside the growing risk of cyberattacks, the shortage of experts in energy cybersecurity is further exacerbating the situation. While almost three-quarters of the energy and utilities industry is currently utilizing generative AI for its cybersecurity operations, there is a 42% shortfall in cybersecurity personnel in the sector, according to a Boston Consulting Group survey.

The new US administration has just taken steps to address the wider cybersecurity skills gap; its proposed Cyber PIVOTT Act would introduce scholarship programs in exchange for government service. Meanwhile, Europe introduced the Cybersecurity Skills Academy in 2023 to tackle the issue.

The EU has also been focusing on legislation, with its Network and Information Security Directive that aims to harmonize cybersecurity regulations across member states, particularly around critical infrastructure such as energy, coming into effect last year.

One thing experts are clear about is that energy companies need to take charge of the situation themselves — and fast. At a basic level, cybersecurity training across organizations is essential. Implementing monitoring systems can help protect critical infrastructure from cyberattacks. This is the idea behind InteRSePT, a Mitsubishi Heavy Industries (MHI) Group cybersecurity solution that can be trained to detect anomalous or suspicious behavior across the control network of power plants and manufacturing facilities.

As the energy transition progresses, the industry must balance the benefits of digitalization with the need for robust cybersecurity measures. As grids become more digital and decentralized, the risk of cyberattacks increases, potentially disrupting energy supply and undermining progress toward a more sustainable power system.

To stay ahead of these threats, utilities, governments and technology providers must work together to strengthen cybersecurity defenses, implement robust regulatory frameworks and invest in next-generation security solutions.