DERs Facing Risk: As Geopolitical Tensions Escalate so do Cyber Threats

As geopolitical conflicts escalate, renewable energy infrastructure faces increasing cyber threats, especially during vulnerable phases like commissioning.

Key Highlights

  • Geopolitical tensions can trigger surges in cyber activity targeting renewable energy infrastructure, especially through vendor remote access and data manipulation.
  • The commissioning phase is a critical vulnerability window where security is often overlooked, increasing risk of infiltration and persistent access by adversaries.
  • Distributed renewable assets rely heavily on third-party vendors, making identity compromise and supply chain dependencies major attack vectors.
  • Current standards like NERC CIP serve as a baseline, but nation-state threats demand more rigorous, proactive security measures.
  • Operators should prioritize security controls during all project phases, integrating them into project timelines rather than treating cybersecurity as an afterthought.

Every time geopolitical tensions spike, cybersecurity professionals begin scanning their dashboards. They know what history has shown repeatedly: conflict in the physical world almost always generates a corresponding surge of digital activity, and critical infrastructure sits at the top of the target list. 

Today, that infrastructure increasingly means renewable energy, and the sector's distributed, vendor-dependent architecture creates an attack surface that is both expanding and, in many cases, underprotected. Disruption doesn't have to mean shutting down a system. It can also be manipulating data or creating false alarms to produce operational impact.

A shifting attack surface

Unlike traditional centralized generation, renewable assets are geographically distributed, remotely operated, and heavily reliant on third-party vendors. That combination has shifted the primary exposure points away from hardened prime systems toward softer targets, such as trusted vendor identities, remote access pathways, credential stores, and the data relationships between EMS (energy management systems) controllers, inverters, and operators.

Sophisticated adversaries rarely seek simple destruction. The more common objective is infiltration: establishing persistent access, harvesting credentials, and mapping network topology while waiting for the right moment. Dwell times that once measured weeks have compressed dramatically. What used to take 15 to 25 days to execute can now unfold in hours.

The commissioning blind spot

Among the sector's most overlooked vulnerabilities is one that exists at the moment of greatest operational investment: the commissioning phase. Sites making the transition to commercial operation date (COD) present a window of exposure the industry has been slow to close. Firewalls are often deliberately loosened during commissioning so contractors and vendors can complete their work. Substations are being integrated, SCADA systems configured, and everyone is racing to a schedule. Security gets treated as something to address once the site goes live.

That assumption is wrong. A site sitting open during commissioning, with interconnections established but security posture not yet hardened, is not a future risk; it is a present one.


“Threat actors do not wait for ribbon-cutting ceremonies,” said Adib Abdulzai, VP of Operational Technology & Security at Radian Generation. “Some of the most concerning sites right now are not those under operations, they are the sites going through commissioning.”

The geopolitical trigger

The March 2025 escalation between Iran and Israel is the most recent reminder of how quickly the threat environment can shift. Confirmed cyberattacks tied to that conflict have already been reported. While no incidents on North American energy infrastructure have yet been attributed to the current tensions, the threat to grid stability cannot be ignored.

The 2003 Northeast blackout is a reminder of this. Although it was a purely technical failure with no malicious cause, it demonstrated how consequential even a temporary grid outage can be for human life and the broader economy. That event eventually drove the creation of NERC CIP standards.

Where the exposure lives

Vendor remote access remains the single largest attack vector in operational technology environments. Every third-party connection is a potential entry point, and the vendor ecosystem in a typical renewable project is extensive. Identity compromise is the second major risk category. Some root causes include credential reuse, password spraying, and multifactor authentication fatigue. These attacks have all been used successfully against energy sector targets. 

Supply chain dependencies, where monitoring platforms introduce upstream risks outside the operator's direct control, complete the primary exposure picture. The thread connecting all of these is trust: renewable infrastructure operates on data relationships that are assumed to be reliable. When that trust is compromised, the operational impact extends far beyond the digital domain.

Act before the incident

Effective mitigations are well understood. The challenge is execution under the competing pressures of day-to-day operations. Controls around vendor access get deferred. Identity hardening waits for the next planning cycle. Monitoring gaps persist because the immediate workload is relentless.

The current environment does not afford that luxury. For operators who have not yet implemented structured controls around third-party remote access, that work needs to move to the front of the queue. Sites in commissioning need explicit security gates built into project timelines and should not be treated as post-COD afterthoughts. And the sector needs to resist treating cybersecurity as a compliance exercise. 

“NERC CIP standards represent a floor, not a ceiling,” said Abdulzai. “Nation-state actors are not constrained by the assumptions those standards were written to address.”

The renewable energy industry has built something remarkable: a distributed, resilient infrastructure that is increasingly central to how modern economies function. The geopolitical environment is not getting simpler, and the attack surface is not shrinking. If you don’t have the in-house expertise, there are third-party firms that can help secure your project through its entire lifecycle. One benefit of this approach is access to collective expertise drawn from daily threat activity across the industry, along with the skill to find ways to protect yourself against exposure. It’s crucial for all industry players to address these vulnerabilities now and not wait for an incident to erode renewables’ contribution to grid reliability.

About the Author

Kellie Macpherson

Kellie Macpherson is Executive Vice President Compliance & Risk Management at Radian Generation. She oversees NERC compliance and managed security services. For over 15 years, she has been a noteworthy leader in the renewable asset space and has implemented 200+ compliance programs and completed 40+ NERC audits in all six NERC regions. 
