Recent headlines have detailed foreign-state actors targeting utilities and independent power producers in the United States to gain access to critical infrastructure at the nation’s utilities and military installations.[1] Cybersecurity practices within the independent power industry vary widely depending on the asset type and the operator’s sophistication. Despite this risk, purchase agreements and credit agreements for renewable energy facilities do not typically address compliance with cybersecurity standards. Generic representations and covenants relating to compliance with law, or to maintenance of project assets in accordance with prudent industry practices, inadequately protect acquirers and lenders from cybersecurity risk. The overwhelming majority of renewable power projects are considered low impact under NERC’s Critical Infrastructure Protection (CIP) standards and, thus, are not subject to significant regulation.[2]

Acquirers and lenders, however, should not take comfort in a low impact designation. NERC’s analysis focuses on the impact to the reliable operation of the Bulk Electric System that would result from a facility’s failure.[3] NERC’s cybersecurity reliability standards do not take into account the magnitude of a facility’s potential lost revenue and other financial losses resulting from a cybersecurity attack. Further, multiple low impact assets may share a common-mode vulnerability through which a number of geographically dispersed low impact assets are affected simultaneously, with a large-scale impact on the grid. A commonly cited example of such a vulnerability is remotely accessible inverters used in solar photovoltaic installations at both the residential and utility scale. Finally, connections between facilities and their third-party service providers may provide an avenue for attackers to infiltrate other, more critical infrastructure. If such infiltration is determined to have been caused by a project operator’s negligence, the owner or operator of the facility may incur significant contractual or tort liabilities.

As part of purchasers’ and lenders’ due diligence process, EPC, O&M and asset management contracts should be reviewed to ensure compliance with cybersecurity best practices and a clear allocation of responsibility for NERC CIP compliance and cybersecurity risk. However, given the typical limitations on liability in such contracts, lenders and acquirers may wish to independently verify that the operator and owner have adequate cybersecurity policies in place.

For lenders, this may be as simple as conducting a security questionnaire with the owner/operator’s information technology security staff. Assessing compliance with such policies may in the future be included as part of the independent engineer’s review of the project. For acquirers, adequate verification may require a more thorough audit and gap analysis of the owner/operator’s security policies and procedures. The acquired assets may already be compromised, and interconnecting them risks spreading malware through the acquirer’s systems. Consideration should also be given to how the assets will be integrated into the acquirer’s existing security operations.

[1] Blake Sobczak, Experts Assess Damage After First Cyberattack on U.S. Grid, E&E News (May 6, 2019), https://www.eenews.net/stories/1060281821.

[2] North American Electric Reliability Corporation, CIP-002-5.1a — Cyber Security — BES Cyber System Categorization, Attachment 1 (designating generation resources with less than 1500 MW at a single point of interconnection with a “low impact rating”).

[3] Federal Energy Regulatory Commission, Order No. 829 (directing the North American Electric Reliability Corporation to promulgate new Reliability Standards to “mitigate the risk of a cybersecurity incident affecting the reliable operation of the Bulk-Power System.”).