Clean energy infrastructure is vulnerable to cyberattack — the Biden administration has a plan to protect it

The Biden administration released new priorities today for safeguarding clean energy infrastructure from possible cyberattacks.

Smart grids and EVs can have big benefits when it comes to saving energy and cutting down pollution. But as more pieces of our lives become electric and digital, new cybersecurity challenges arise. That’s why the Biden administration is releasing guidance today on how to keep new parts of our energy infrastructure safe from harm.

“We have a once in a generation opportunity to refresh our infrastructure — to get a bit of a mulligan on some parts of our infrastructure that were never designed for the level of digital / physical convergence that our world is hurtling towards,” Harry Krejsa, assistant national cyber director, says.

In a fact sheet shared exclusively with The Verge before being released publicly, the Biden administration homes in on five technologies it deems critical to the near-term success of a clean energy transition and that deserve extra attention when it comes to cybersecurity.

At the top of the list are batteries needed to store renewable energy and make sure it’s available even when sunshine fades and winds die down. Electric vehicles and charging equipment are also a priority, along with the batteries that power them. Then there are energy management systems for buildings — think smart thermostats, rooftop solar systems, and even smart lighting systems. So-called distributed control systems are another related priority. That encompasses controls for community microgrids and virtual power plants that harness the collective energy storage of fleets of EV or solar batteries. Inverters and power conversion equipment round out the list.

“Digitization cuts both ways,” Krejsa says. On the one hand, it gives home and business owners and grid operators more control. It’s easier to adjust EV charging to specific times when renewable energy is more abundant or to turn up thermostats to save energy and avoid power outages during heatwaves. But those tools can become weak points to exploit without robust protections in place.

President Joe Biden has already had to cope with criminal hackers targeting energy infrastructure during his term in office. A cyberattack in 2021 shut down the Colonial Pipeline, the largest pipeline system for refined oil products in the US. The ransomware attack took the pipeline offline for five days, leading to gasoline shortages, higher prices at the pump, and gridlocked traffic outside of gas stations.

The Biden administration is also worried about state-backed threats. The Department of Homeland Security named cyber threats posed by the People’s Republic of China (PRC) a top priority for protecting critical infrastructure through 2025 in a guidance document it published in June. PRC-sponsored cyber group Volt Typhoon has “compromised the IT environments of multiple critical infrastructure organizations” including energy and transportation systems, according to a Department of Homeland Security advisory issued in February.

Protective measures can be as simple as keeping up good digital hygiene. Hackers reportedly used a compromised password to get into Colonial’s network in 2021. But there also need to be more systemic safeguards.

The way energy systems operate today dumps too much responsibility “onto individuals, small businesses, local governments, frontline users who don’t have the resources to mount an adequate defense against the world’s most well-resourced and well-trained, malicious actors,” Krejsa says. “It’s just not a sustainable way to architect that ecosystem.”

The fact sheet released today points to the need for “secure by design principles” that “prioritize the security of customers as a core business requirement.” The Biden administration also emphasizes the need to bring different branches of government together, along with businesses, researchers and even hackers, to design and implement better protections. The Department of Energy launched the Energy Threat Analysis Center (ETAC) as a pilot public-private partnership in 2023, for example. And Krejsa spoke to The Verge on a call from Las Vegas, where he’s attending the Def Con hacking convention and “issuing a call to action and asking the hacker community for help to say, ‘look at these priority technologies.’”

With everyone on board, the Biden administration’s cybersecurity roadmap includes crafting technical standards and implementation guidance for new energy technologies. It also places a priority on research and development and training a workforce for cybersecurity.

With the nation’s aging energy infrastructure already overdue for an overhaul to accommodate growing electricity demand and new sources of renewable energy, it’s also a good time to tack on a security update.

“Where should we make critical infrastructure investments? These are decisions that are happening right now,” says Nana Menya Ayensu, special assistant to the president on climate policy, finance, and innovation. “When it comes to cybersecurity [we want] to make sure that that is a pillar of a more modern, more nimble, digitalized energy system.”