The rapid expansion of renewable energy infrastructure creates unprecedented cybersecurity challenges that most organizations are unprepared to address. Discover how financial risk quantification transforms the way asset owners protect their wind, solar, and battery storage investments from invisible digital threats.
The renewable energy sector faces a critical cybersecurity gap. As wind farms, solar installations, and battery energy storage systems proliferate across the globe, they create a decentralized network of digitally controlled assets that remain largely unprotected. Rafael Narezzi, Co-Founder and CEO of Cyber Energia, brings more than two decades of technology leadership experience to address this growing vulnerability in critical infrastructure.
Cyber Energia takes a fundamentally different approach to OT security. While most cybersecurity companies stop at identifying risks through CVE scores and vulnerability assessments, Cyber Energia starts from the risk and translates it into financial terms that executives can act upon. The platform connects technical findings to compliance frameworks including NIS 2.0, IEC 62443, and NERC CIP, providing asset owners with a clear maturity landscape and actionable intelligence.
Rafael Narezzi explains that asset owners in the renewable sector operate differently than traditional IT environments. Financial companies often acquire energy assets as investments without maintaining technical staff on-site. When compliance regulations now hold these owners personally liable for cybersecurity failures, they need tools that speak their language: dollars, risk, and return on investment. Cyber Energia prices its services per megawatt, demonstrating its commitment to speaking the language of energy.
The decentralization of energy generation presents unique challenges. Rafael Narezzi points to recent cyber attacks on Poland's distributed grid as evidence that threat actors understand how to manipulate multiple remote locations simultaneously to destabilize power networks. Battery energy storage systems present particular risks, as compromised dispatch commands could create grid imbalances similar to the fictional scenario depicted in Ocean's 11. Yet many sites lack even basic cyber hygiene protections.
Cyber Energia helps customers understand the financial impact of potential attacks. A 98-megawatt wind turbine site, for example, could lose 1.9 million dollars from just one week of downtime. This quantification enables executives to make informed decisions about relatively modest security investments that significantly reduce their risk exposure. The platform provides a single-view dashboard for organizations managing hundreds of sites across different regions, technologies, and regulatory environments.
Rafael Narezzi observes that a CEO before a cyber attack is fundamentally different from a CEO after one. Organizations often underestimate digital risks compared to physical ones, despite living in an increasingly connected world. Regulations like NIS 2.0 now impose personal liability on directors and can revoke operating licenses, removing any excuse for neglecting cybersecurity. The awareness is changing, but Cyber Energia continues working to close the gap between compliance requirements and actual security posture across the renewable energy sector.
This is a Brand Story. A Brand Story is a ~35-40 minute in-depth conversation designed to tell the complete story of the guest, their company, and their vision. Learn more: https://www.studioc60.com/creation#full
GUEST
Rafael Narezzi, Co-Founder and CEO of Cyber Energia
https://www.linkedin.com/in/narezzi/
RESOURCES
Cyber Energia
https://cyberenergia.com/
[00:00:00] Sean Martin: And hello everybody. You're very welcome to a new brand story with Cyber Energia. I'm joined today by Rafael Narezzi. He's the co-founder of Cyber Energia and has a long history in looking at cybersecurity in the OT space. And, Rafael, it's a pleasure to have you on.
Rafael Narezzi: No, thank you. Thank you for the invitation and the opportunity to expand on the OT and the critical infrastructure needs today.
[00:01:00] Sean Martin: And security clearly has gained attention globally. And there's no question that critical infrastructure has gotten a lot more attention recently as well. And yeah, I mean, society and humanity relies on critical infrastructure to live. And so no better place than to invest than in that space. And I'm curious, Raf, can you maybe a few words about yourself, kind of look back in time to give us a view of who you are and what you've been up to. And then we're gonna get into all the good things you're doing with the company.
Rafael Narezzi: Amazing. You know, I come from the background of cyber. I used to be CTO in banks. Then I move into renewables where I got exposed into what critical infrastructure is and also what is needed. At that time, perhaps in 2016, renewables, I think at my beginning phase was just starting to take shape, at least in Europe.
[00:02:00] With the growth, and what I see was a fantastic opportunity to get my hands dirty, as with the technical expertise that I have. And then I saw a potential for us to build a product based on what is the renewable is needed. When you talk about renewables as well, it's important to mention the decentralization of the energy, right? So it's not necessarily only renewables, but when you decentralize the energy is also one field that we are looking. So even either decentralized energy or renewables, which is the same, but I think it is important to highlight that. I think also from my background perspective, I used to lecture on the University of West London for masters and undergraduate on the cybersecurity aspect, also helps me to be kind of always my path to the academia.
[00:03:00] And try to kind of always helping to build more professionals for the field. But yeah, my background comes from the technical background, CTO. So that's why I was able to build a tech company to provide the expertise from a software perspective, with a decision point for the asset owners that has to manage those big renewables.
Sean Martin: I love it. And this might be a slight small tangent, but I'm gonna go here anyway. Just your world in education and the work you're doing there, given your experience as a CTO and then in cyber and teaching the next generation of cyber professionals, what are the one or two things that you kind of really hone in on for the students that will set them up to be successful in the role in cyber?
[00:04:00] Rafael Narezzi: I think as everyone works in that field, I think the main key word is be resilient. I think on the cyber, it's not just the technology. Technology is the method or is the way for you to spot something. It's actually the resilience to continue learning, to continue improving, to continue when there is incident to handle the incident. So I think for me it's just not the technical skills that you need to learn, which is part of your package, but also the soft skills to be able to coordinate better process and talking, translating to the buzzword that we have on the cyber to normal people that does not belong into our field. I think this is also one criteria that I keep saying we need to kind of sometimes go down into a way to explain very well, educating our society for the cybersecurity. Even that it doesn't look kind of appealing. Sometimes cybersecurity is the top priority for agenda for every single CEO globally.
[00:05:00] Sean Martin: So I'm gonna use that as a bridge to talk about the founding of Cyber Energia. I've been in this space for a long time. I've seen a lot of enterprise security companies try to, I'll say, shove their wares into the OT space and it's a different world there. So tell me about what was the catalyst to create Cyber Energia? Obviously your background has a lot to do with that, but as you look at the space, why is a purpose built organization like yours necessary?
[00:06:00] Rafael Narezzi: Totally. First I think the key factor that makes us quite unique into the field that we act is the fact that most of the companies works to get into the risk. We not only get the risk, but we start from the risk. So we, from the risk perspective, from the OT owners, they don't understand what means CVS, they don't understand what means the exploitation or how is the EPSS level. They don't understand none of the kind of technical familiarities words that people use to actually explain how critical or not critical certain asset might be. Right. And I think we do that very well as well. So we try to give for the technical audience the information they needed, providing exactly what the other, you know, maybe competitors does. So that is not our main key ingredient that kind of defers us from competition. But what we do with that is where we go beyond.
[00:07:00] So we connect those risks very well to the compliance framework from the critical infrastructure in US, New York, Europe. IEC 62443, which is one in Europe. NIS 2.0. So what we do very well is actually getting what they have as a risk, translating and matching the framework of the compliance and giving them the report and kind of maturity landscape of the compliance perspective kind of straight away. And from that perspective, we conduct kind of a financial quantification of the risk. So that means if you manage 300 sites globally, how could you manage different compliance, different risks, different financial aspects or penalties in one single view? And it doesn't matter what technology you have under your site, we are very agnostic on that.
[00:08:00] So even though you have Nozomi, Claroty or Dragos, we also can piggyback on that. But sometimes because the way that we translate ourselves to our clients and the word is very clear. We speak renewables and we speak energy. That's, I think, is the main component here. And even our price is per megawatt basis. So the subscription level works per megawatt. So it's completely, we speak energy, we speak electrons, we protect electrons, and we give the kind of a risk quantification for the asset owner. So in that way, they can have a better understanding, mitigate with the right investment to the right assets that they need to do it. And then with that condition as well, decreasing the pressure that they might have from the compliance perspective. So that's what I would say most of company provides the risk, the red alerts, we do that as well, but I think we start from there. And then I think the extra information that comes on top provides a high value for the executive on the top to take decisions.
[00:09:00] That's what we see and what we have built on the product. So that's, I think is the where we see the gap from the industry perspective.
Sean Martin: Yeah. Super important. And can you give a few examples of conversations you have. So you talk about the asset owner. There are people who probably, who run multiple sites and have multiple teams of asset owners. And then of course there's the business part of it, which is the risk folks and the IT OT broader view folks and then the executive team. So how do you have that conversation up and down that stack?
[00:10:00] Rafael Narezzi: And that's a very good point. That's where we also differ from the industry perspective. Because the whole industry on the OT works is slightly different. So for example, if I am an IT company, you gonna have your team around, you can send or buy equipments and install yourself or your team will do it. Your team probably will manage or you get outsourced to do it, or managed service provider. So it's very different from the industry of renewables. So let me give you the aspect. Normally the asset owners who acquires, they normally, they don't want to manage, they don't want to have control, they buy as an investment. So they are financial companies acquiring assets to be as an investor tool.
[00:11:00] However, they pass the management to an asset management or even to the O&M to take care and they kind of say, well, I bought it, I don't manage, I just kind of wants to have my yields or my returns for my investment. However, compliance came and say, okay, fantastic model, but you are now responsible for your asset and you cannot transfer the responsibility to different parties. So therefore, now they are saying, okay, which tool can help me to take a better decision to actually give me a better indication? Figure dollar sign in the front of the risk. That actually helped me to take decision and that's where we come forward. And the other aspect is who does install? Sometimes, you know, if I try to get a managed service provider to do the installation, I'm sure that there are certain experts in the field they will try.
[00:12:00] But the difference matter is the manufacturer or the O&M that who creates maybe a turbine or the batteries. They don't want to give you the control that you might need to install your box. So it's a very high complex environment, different than when you have your own team, you do everything. So to answer your question is in a normal industry where we have control and you have everyone in place, yes, that will work. And probably we can go from the top management. Normally we sell to the top management, which makes a decision to go down, down the road. So the cyber folks sometimes get a surprise, say, Hey, we need to feed this device there, and let's work together with us. Sometimes the cyber folks took us, so it doesn't matter. In that kind of sequence, but I think most of the time that we see are actually the asset owner coming to us to buy, and then we have to kind of provide all the assurance and the installation for the box for them because they don't have sometimes even an IT person there.
[00:13:00] And this is very normal in the renewables industry. Or sometimes we use a kind of transforming the O&M to become the new managed service provider. Why? Because they have the better expertise that any managed service provider, including ourselves or any vendor to actually install the box. However, there's a limitation of maybe maturity in the market at the moment because they want the control. However, the control is no longer only one person. You have to fulfill the compliance. So there's a lot of parts moving at the moment, but I think in that's why I think Cyber Energia has been created and fulfilling this gap very well, speaking renewables and knows how to kind of fulfilling the needs of the asset owners, which what they do, what they want at the moment is like a business outcome driven by financial risk.
Sean Martin: Yep. I love it. And I think you're touching on the decentralization a bit here, but I presume it's also a bigger picture of decentralization. So clearly the layers you just described could lead to complexity, which could lead to exposure and a lack of oversight and ownership, I guess. But what about the rest of the decentralization picture and the impact that has on those same things?
[00:14:00] Rafael Narezzi: I think, think about that and I'm gonna give quite good examples. But two days ago we noticed about the cyber attack in Poland, which was conducted into the decentralization grid, which is now is probably exposed. So when you talk about renewables, and I like to give this example, when I started in 1995, playing with the BBS, not even the internet at the time. It was very unlikely that someone will try to attack a generator, whatever form and shape might be, for the energy perspective, it's gonna be only physical or through the war.
[00:15:00] Right? However, moving in, speeding forward to 2026. As we are, everything that today in certain assets are controlled remote. And is digital, so for me, the way that I see it doesn't matter which type of technology you pick for generating energy. If it's a hydro, if it's a wind, if it's a battery, if it's a solar. My view is it's a software, how is generating then it's a different aspect of technology option. But the end of the day is a software that is controlling, right. However, and we know OT is 20 years behind of IT, so nothing new here. Right. And the problem is in the proportion of a scale. We need energy, and we need more. As before, however, we speed up building technologies right across the whole country. We felt not really control matter, I would say more from the cybersecurity point of view. So we just build, turn on, we manage remotely and off you go. And I'm generating energy. Compliance actually in governments and policy makers wasn't actually looking so much into the attention or details into that kind of aspect, which could come back to you later.
[00:16:00] And what we see today, we have a scattered, decentralized field with multiple generators across everywhere, generating and feeding the grid, which is, by the way, the grid that we have is not being created for that perspective in mind. And then in the end of the day, attack today, including what happened in Poland is a very critical and very good example, how you can manipulate multiple locations at the same time to actually create what the balancing of the network or the grid to go down or upwards. And then in that situation, you cause an outage. So, and there are different risks from different technologies, but one good example that I can illustrate from the batteries, which is a significant growth in US due to the fact of data center that probably we're gonna talk about that how the decentralization is so important for that aspect.
[00:17:00] But let's talk about the example of BESS. So when you have a BESS, and probably remember the Ocean's 11 movie where the guy goes into the top and he press a button, which is a pinch device. Hey. And that pinch device actually, you know, charge a lot of energy into the grid, which and then creates a balancing situation and then flat out Las Vegas because the grid wasn't expecting that amount of energy coming in in that sense. Right? So, okay, let me now go back to our scenario here. If I have multiple batteries or depending on the size of the batteries that I'm kind of compromised and I start to play with multiple batteries and dispatch the battery into the wrong time. So we're gonna have exactly the same scenario that I just described to you.
[00:18:00] Then my point is, how are we protecting those batteries? What level of protection or visibility do you have? And I can tell you for many sites and clients that we have, we can tell you that today is quite jarring, it's very open. There is no kind of cyber hygiene. And by the way, I'm not expecting you to have all the kind of whistles and bells for the cybersecurity perspective. Even the basic is not quite there, right? So that expose not only the client, expose economies, expose ourselves, the end of the day energy is the vital essential product that we need to have. But today we are in risk.
Sean Martin: Yeah. And I think maybe you can touch on this because when I talk to folks in the OT space in general, we're talking about environments that are complex technically, and bring with it a lot of risk to safety. So safety usually tops the mark, resilience tops the mark in terms of uptime, but not necessarily in terms of weakness to be compromised and taken down that way. And so I'm wondering you talk about protections, but looking for signals.
[00:19:00] When you're starting interacting with your clients, are there signals that you surface for them that say you have these things there. These are some activities taking place that are suspicious, nefarious, things that they may not be looking for but are sitting there for them to see. How do you help them and what are those things?
Rafael Narezzi: Well, we come across with certain incidents that I think is quite important to highlight in. I think before regulations, incidents wasn't something that you could, you could easily sweep under the carpet, which is still, sometimes today companies are still doing that. Right. I think what they are worrying more is the operational availability. In the end of the day. It's not so much the cyber security aspect of the actually the equation that we're considering here and when I mentioned that we give the availability operational aspect in terms of impact on the cyber perspective, that's what I think they are more keen to understand.
[00:20:00] If it's gonna be to do with a criticality maybe of a CVE or a cyber hygiene that you don't have or certain needs from active monitoring into the network, then is a different matter. But today, I think what they are worry more is one, reputation damage because they are big institutions and they don't want to be kind of in the news. That's one. Second, am I complying? The regulations is slightly different in Europe versus US. US is more on the money driven, fine per day. Europe, for example, directors is gonna be personally liable as the company can lose the license. So it's a big responsibility on your shoulder now not to look on the cyber.
[00:21:00] So there's no more excuses for you not to, with the fine as well. So I think this is what changed pretty much on the NIS 2.0, it's kind of the finance is not just money wise, it's also personal. And also the aspect of losing the license of you to operate across your portfolio. And I think then comes the financial argument of impact. If I got compromised for, doesn't matter what type of cyber attack might occur into my network or my supply chain, that could be also another example, how much exposed I am for the kind of financial point. So I'm gonna give a typical example that we use quite often, and this is what we do very well, each type of technology that represent a different risk and different also revenue stream.
[00:22:00] But I'm gonna give you just a quick understanding. So a wind turbine which is producing 98 megawatt in terms of production, if a hacker, let's imagine that for my system, you can, I present to you the likelihood, the threats, the exposure, the vulnerabilities. In the sum of how likely is that easy to attack their site? Right? And from that perspective, I will give you the calculation that, for example, the site that I mentioned one week off is 1.9 million. So how easy is for you now to take a decision to invest maybe 5K, 10K to buy maybe something a little bit better, to just, you don't need to, as I said, you don't need to do too much.
[00:23:00] You don't need to go too beyond of what is expected, but reduce your risk on to be high critical and likelihood so high. That will cost you 1.9 to kind of go down to median, right? That's what we do very well with our tool, and that's actually when you combine, as I mentioned, asset owners, they don't have a specific type of asset. They have multiple assets across different regions, different places. How do I have a one single view, easy for me to take decision, but as I say, on the financial dollar aspect. Where it's easy for me to decide and then give the orientation to the team and what is the budget that I'm associated to that for mitigating the risk that I can mitigate. Because we know in OT space, there are risks that we are not gonna be able to mitigate. You might gonna find different ways, but you're not gonna be able to do, for example, patch management, right? You, there are certain systems that is out of life. People not gonna patch, people not gonna change.
[00:24:00] But, and then I think having the right understanding and as I said, most of companies stop on the risk and we start from the risk is where we extract the value for the kind of the outcome for the business to take better financial decision.
Sean Martin: Yeah, and I wanna, I'm gonna close with this, Rafael. Because as humans, we make those kinds of decisions every day in our personal lives. We probably do it in our own, in our work lives as well. And it's typically driven by information we've gathered over the years, information we get from our peers when it's in the workplace. But if you're not aware, you're not gonna have that in your mind to make the right decision, let alone the right one or a good one. And it's certainly not gonna be second nature. So what does, with that in mind, what does success look like for you and Cyber Energia at customers and maybe an example of where you helped an organization and an executive team come to grips with, okay, I'm aware now this is the impact it could have. Here's the outcome I got working with you and the Cyber Energia team.
[00:25:00] Rafael Narezzi: Well, I have a quote, which is important from that. A CEO before the attack is a different CEO after the attack. So that means is there is still, you know, the argument that cyber is not needed in certain, you know, ways, which is sometimes could be too much noise, which is, I disagree. However, the society is still getting to a better maturity from the cyber perspective because as I said to you, we know that we are connected in every single shape and form. But people don't, they see more physical risk sometimes, rather than actually the digital risk and should be the other way around.
[00:26:00] And you're definitely right. I think the awareness of the companies are changing. They are investing more, they need more, but also the regulations helping us to kind of do this push force. Because sometimes companies tend to, there's no regulation, I'm not gonna do it. And even if you don't have a regulation, you should do it because the cost implication that you're gonna have from a cyber aspect, as I keep saying the CEO before the attack and after the attack are different people, because they learn so much how hard is that to come back to business after the attack. And even in terms of the cyber awareness that you touched base there, I think is so important. And it is not just an exercise from a particular team, I think comes from the entire company to be involved into the same aspect. And I have a different way to think as well. We grew up on the technology.
[00:27:00] We went to schools, but we never been kind of educated from the digital economy that we live. Therefore, I know there are risks, but as I said to you, we spend more time maybe buying CCTVs, which is extremely necessary, but I think the risks are coming maybe invisible to your eye due to the fact that is everything's connected from the network perspective.
Sean Martin: Yeah. Yeah. Fantastic points, Rafael, and I think, yeah, I mean, a well managed risk program is good business and I think more organizations are recognizing that includes cyber and whether it's driven by regulation or driven by the almighty currency. It's good business to run a safe and secure organization that masters your risk tolerance. It's different for every organization. And I presume that's what you and the Cyber Energia team help determine and help make those good decisions. So Rafael, I appreciate your time today and joining us for this brand story to discuss the Cyber Energia solution and the customers that you serve.
[00:28:00] And certainly an area that I'm interested in because why? Because I use power to do these things and to keep my food cooled and to heat my house and all kinds of stuff. So, I thank you for what you're doing and appreciate you sharing this story. Look forward to many more with you.
Rafael Narezzi: No, thank you. Thank you for the opportunity. Thank you to be able to talk a little bit of the renewable or decentralization of the energy with you guys there. Looking forward to see you on the DistribuTECH in San Diego and looking forward to explain more and take you to the demo there as well.
Sean Martin: Perfect. And tell us when and where that is.
Rafael Narezzi: DistribuTECH is on the second and third in San Diego if I'm not mistaken.
Sean Martin: Perfect. And I'll include a link in the notes for that so folks can find you there and connect with you there. And, Rafael, again, thank you so much.
Rafael Narezzi: Thank you.