- Success Story -
Solar PV
Understand the cyber security posture in more depth for two operating solar projects in Spain
The Challenge
Understanding their cyber risk posture in more depth for two operating solar projects in Spain.
For the Renewable Energy sector, the Operational Technology (OT) cyber landscape is undergoing radical change, putting operators of critical infrastructure in constant financial uncertainty about their risk of cyber loss.
IBM reported a staggering 2000% increase in cybersecurity incidents against OT and predicted a 30% increase year over year.
One of these critical infrastructures that is directly affected by the increase in cyber risk is the Renewable Energy sector. Our customer owns and operates solar PV generation facilities, and deployed DeRISK in two of them located in Spain, to better understand its exposure to cyber risks.
The Solution
Provide a detailed risk assessment explaining their top cyber security risks
DeRISK’s cyber risk platform was able to provide the client a detailed risk assessment explaining their top cyber security risks for their solar facilities, broken down by source initial access vector and consequence type.
The Results
DeRISK was able to provide the client a detailed risk assessment explaining their overall cyber exposure and top risk components, finding that these solar sites have a higher risk exposure compared to other power-sector peers of similar generation capacity.
DeRISK helped prove that the top source of probable loss is web facing apps and external remote services, and thus the area where further protection measures should be prioritized.
Results show that there are inexpensive and cost-effective measures to reduce this risk, such as implementing policies that enforce all passwords are hardened and unique, and that all default passwords are changed. Furthermore, measures that greatly reduce the risk but that require a higher initial investment, such as deploying an application-layer filtering proxy server to ensure that all network traffic to or from the Internet is authorized.
With these results from DeRISK, the client is aware of their cyber security posture and is able to prioritize their risk mitigation based on ROI, Risk Reduction, Upfront Cost, Yearly Cost, Payback Period, or NPV.
Expected Loss Costs
Initial Access Vector and Expected Loss by Type
$0
Web Facing App
$0
Phishing
$0
Downtime
$0
Equipment Damage
Expected Losses
1.8x
Industry average compared to customer
Because of the nature of the customer’s operations as a renewable energy producer, an overwhelming majority of total risk comes from these top two cyber event types: (1) equipment damage and (2) business disruption / downtime makes up 93.7%. After leveraging DeRISK, the customer was able to outperform the industry average exposure to cyber risk.