Enhancing Cyber Resilience in the Renewables Sector

Enhancing Cyber Resilience in the Renewables Sector
July 2, 2024 14 mins

Enhancing Cyber Resilience in the Renewables Sector

Enhancing Cyber Resilience in the Renewables Sector

Renewable energy is critical to meet net-zero targets, but as the industry grows, so do cyber attack surfaces. Learn how to prepare for emerging threats and support long-term ambitions.

Key Takeaways
  1. Renewables organizations must contend with increasing cyber attacks on critical infrastructure due to geopolitical, human capital and technological risks.
  2. Insurers are working to address protection gaps for this industry, highlighting the importance of working with a broker that can advise on exclusions and gaps in coverage.
  3. Holistic risk management strategies backed by data and analytics will be crucial to prevent and mitigate fallout from cyber events.

As the renewables sector expands, its organizations are seeing more sophisticated and frequent cyber attacks targeting energy infrastructure. At the same time, companies are also navigating the efficiencies and challenges that artificial intelligence (AI) technologies introduce. In this environment, renewables organizations can lean on risk management strategies and risk transfer solutions that match the sector’s growth aspirations and protect against evolving cyber risks. 

The State of Cyber Risk Facing Renewables 

At the COP28 climate change conference in Dubai, more than 130 national governments agreed to work together to triple the world’s installed renewable energy capacity to at least 11,000 GW by 2030. In this global move toward energy security, renewable energy is set to overtake coal as the largest source of electricity generation.1

As the asset base of energy infrastructure grows, renewables organizations are likewise experiencing a rise in the number of cyber attacks. The International Energy Agency (IEA) reports that cyber attacks on utilities have been growing rapidly since 2018, reaching alarmingly high levels in 2022 following Russia’s invasion of Ukraine.

Key risk management concerns for renewables organizations in this landscape include: 

  • Loss of connectivity to monitoring systems leading to unplanned downtime
  • Hacking of assets resulting in damage and/or revenue loss
  • Denial of access to planning data causing business disruption
  • Manipulation of control or safety systems causing injury or damage
  • Attacks on suppliers and sub-suppliers and resultant dependent business interruption2

The Cyber Vulnerabilities of Wind Energy 

In 2022, large wind energy companies were impacted by cyber attacks as wind turbine vendors and maintenance companies experienced ransomware attacks on their networks.3 One incident resulted in the malfunction of nearly 6,000 wind turbines in Germany and disrupted thousands of organizations across Europe.

Legacy technology is an important factor when it comes to wind farm risks. The first wave of wind farms installed in the 2000s are now reaching retirement age and do not necessarily have cyber security that reflects the current state of cyber threats. The lifespans of some of these installations are also being extended by three to five years, making them even more vulnerable if they are not properly maintained and updated.


Cyber attack or data breach is the fifth top current risk for the natural resources sector.

Source: Aon’s 2023 Global Risk Management Survey

Quote icon

As we move toward a wind-oriented economy, the asset base is growing and therefore, the number of attacks on those installations is likely to increase, too.

Oliver Jeffs
Director, Cyber Solutions, UK

Cyber Risks on the Horizon

While cyber attacks on the natural resources sector have previously focused on disabling systems to extort ransom payments, the convergence of IT and operational technology (OT) systems has introduced new risks. Attacks today target OT, such as industrial control systems or supervisory control and data acquisition devices used in the renewables industry, to enable remote and on-site gathering of data from equipment in far-off industrial sites, including wind farms. In H2 2022, 74 percent of the 688 published vulnerabilities in cyber-physical systems affected OT devices. This indicates that backdoors into OT systems are there and could potentially face future exploitation.4

Moreover, as renewables companies digitalize their operations and adopt new and emerging technologies to manage renewable energy supply chains, materials processing and infrastructure, their exposure to cyber threats is likely to rise. Unlike traditional gas and nuclear power plants, smaller renewable installations in Europe run on third-party systems that are digitally connected to the power grid and below the power-generation monitoring threshold set by safety authorities.5

Talent shortages compound the industry’s cyber risk. As cyber risk rises, companies across industries need employees with specialized IT and cyber security skillsets that can help to specifically address exposures in OT systems — and the renewable energy sector is no different. 

The people perspective also comes into play when considering how to build good cyber hygiene and alleviate weaknesses in cyber defenses. Third-party vendors may periodically conduct maintenance and service on remotely controlled assets. This can increase exposure, as renewables organizations may not be able to ensure cyber security training standards for these individuals. Therefore, the risk of an infected USB on-site or the hacking of a personal email that contains important access information becomes that much greater. 

Quote icon

Organizations must construct and control their potential exposure across an entire chain of people that could potentially be working on a project or asset, which can be quite difficult to manage.

Mark Potter
Power and Renewables Industry Practice Leader, EMEA

AI in the Renewables Sector: Opportunities and Trade-Offs

The renewables sector is already applying AI in a variety of ways:

  • Forecasting Energy Capture, Storage and Distribution

    AI technology is being used to forecast energy capture from sources like wind and solar. AI algorithms analyze weather forecasts, historical generation data and real-time conditions, enabling energy providers to predict how much renewable energy will be available. This better balances supply and demand. 

    AI also helps optimize the storage and distribution of energy from renewable sources. By considering various factors, such as demand, supply, price and grid conditions, AI algorithms determine the best times to store energy, when to release it and how much to distribute.6

  • Material Development

    The pace of material development has been accelerated by AI. An offshore wind farm, for instance, is subject to a harsh and corrosive environment. Innovation is necessary to create more durable materials that can be quickly deployed. “It took Thomas Edison substantially more time to determine the best electrical materials to use when inventing the light bulb 145 years ago,” says Charles Philpott, Global Natural Resources Leader in the Enterprise Client Group at Aon.

    The Autonomous Discovery Accelerator for Materials Innovation in Canada is an example of AI in the energy space. The project aims to create an open-source modular robotic discovery platform capable of making new materials for energy applications and testing their properties.

  • Consumer Energy

    There are consumer applications of AI in the energy sector as well. Smart home heating, air conditioning and lighting systems help consumers use energy in the most efficient way, reducing money spent on utilities. As AI further reduces costs for providers, these savings could then be passed to consumers.7

 AI Application Challenges

While beneficial in many ways, AI technology can also open the door to cyber risk. Risk, legal and security leaders are concerned that AI-powered technologies used by threat actors may increase the impact, scale or resource-efficiency of cyber attacks, while also facilitating more targeted spear phishing and whaling attacks. 

Leaders are likewise paying attention to the expansion of cyber risks across enterprise systems and networks, such as the data poisoning of AI models by threat actors to destroy system functionality and data. Within the renewables sector specifically, AI provides new tools for cyber threat actors trying to disrupt power supply or extract data from critical infrastructure.8

Another important consideration is the power demand of generative AI. The additional computational power needed for the rapid growth of AI models and their applications could cause electricity demand to soar. Electricity is not just needed to power additional equipment like servers, but also to cool systems after intense heat build-up from data processing.9

The total increase in data center power consumption from AI is estimated to be around 200 terawatt-hours per year between 2023 and 2030. By 2028, AI is forecasted to represent about 19 percent of data center power demand. As interest in clean energy continues to rise, the use of AI models could in turn heighten competition for an already in-demand resource.10

Building Cyber Resilience Through Risk Transfer Solutions

Insurance in the renewables space has yet to fully meet its potential, in part due to uncertainties over catastrophe exposures and models. Aon’s Strategy and Technology Group has been working with insurers to assess market opportunities and attract much-needed capacity. But there is still much more that could be done collectively to bring more insurers into this space and address a growing protection gap.

“We regularly negotiate the inclusion of cover for instances of failure of third parties emanating from cyber events, such failures of course can have huge effects on our direct insureds. Broad form dependent business interruption coverage is vital to ensure robust protection against exposure that sits outside your own technology environment,” says Alexander Curtis, Executive Director, Cyber & Commercial E&O at Aon. “Blanket non-IT dependent business interruption cover is available to those clients who have been able to appropriately articulate the security posture of its supply chain.”

Cyber property damage is also top-of-mind for the renewables sector. The property market has excluded cyber as a trigger on policies, while traditional cyber policies exclude property damage. As a result, interest in a risk transfer solution to address that gap has grown. One option is a gap policy that sits in between traditional cyber and all-risk property policies, which can be beneficial for organizations in heavy industry sectors that have a large property exposure. 

Eight Steps to Prepare for the Future of Cyber Risk in Renewables

To mitigate threats posed by the evolving cyber risk landscape, renewables organizations can:

  1. Build cyber resilience through carefully planned strategy to mitigate ransomware risk within the organization. With ransomware growing, special focus should be placed on endpoint system security. In Q1 2023, 57 percent of companies lacked segregation of end-of-life software, amplifying vulnerabilities that provide an entry door to threat actors.
  2. Ensure that the incident response playbook and business continuity plan/disaster recovery have been assessed, reviewed and updated. Test them through simulated practice to help improve resilience.
  3. Use cyber scenarios to identify worst-case outcomes from cyber attacks and existing vulnerabilities that can be addressed through risk management or transferred to an insurer. This is key for assets like those used in offshore wind, which rely on remote access systems to control wind farms that are a preferred target for threat actors.
  4. Assess core IT and OT environments and establish a security baseline or benchmark before extending to newly acquired assets and targeting control gaps.
  5. Confirm that newly acquired assets have the same standard for cyber security as assets already in the portfolio. Aon has seen a sharp spike in loss activity following M&A activity in this industry due to insureds onboarding new assets without taking the appropriate measures to confirm cyber security measures are met.
  6. Monitor and adapt to new and evolving cyber security regulations, such as the upcoming Network and Information Systems Directive (NIS2), a legislation focused on improving cyber security and senior accountability across  infrastructure and industries that are critical to the economy.
  7. Work with a risk manager that can quantify potential property damage from a cyber attack and business interruption stemming from a critical asset in a portfolio, and overlay exposures with the insurance program to ensure it aligns with the materiality and complexity of the risk.
  8. Partner with a broker that can thoroughly review the exclusions within policies and address gaps in coverage.

Learn more about how renewable energy companies can navigate an evolving cyber risk landscape and benefit from more mature risk management strategies.

Aon’s Thought Leaders
  • Alexander Curtis
    Executive Director, Cyber & Commercial E&O, UK
  • Oliver Jeffs
    Director, Cyber Solutions, UK
  • Charles Philpott
    Global Natural Resources Leader, Enterprise Client Group
  • Mark Potter
    Power and Renewables Industry Practice Leader, EMEA

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

More Like This

View All
Subscribe CTA Banner