Stepping up cyber security in wind farms and other renewables
Get the Operational Technology (OT) Security You Need. Reduce the Risk You Don’t.
Both domestically and globally, offshore wind production has grown exponentially over the past decade. With this record-breaking growth comes an increasing level of reliance on wind farms as critical infrastructure for keeping the lights on. This reliance is making offshore wind an even more attractive target for cyber-attacks and hackers, whether politically or criminally motivated.
If a cyber-attack were to hit an offshore wind farm, it could result in financial, energy output and reputational losses. For example, an unchecked cyber-attack could halt production of a wind farm altogether, resulting in no input to the grid and therefore no power and no income. Estimates equate one day of downtime for a 500MW wind farm to a loss of approximately £360,000.
Additionally, some attacks could even cause physical damage to the turbines due to the unnecessary wear-and-tear experienced. Not only could these cyber-attacks affect individual wind farms, hackers shutting down offshore wind production could potentially result in our electricity supply being interrupted or completely stopped.
It is this potential for national disruption that is bringing cybersecurity to the forefront of the offshore wind sector’s priorities. Cybersecurity must be considered integral at all stages of development and operations – it is not something that should be retrofitted years later. Turbine manufacturers need to build cybersecurity into the design of the turbine. Wind farm owner/operators should create secure digital ecosystems and ensure cyber best practice at their sites. The supply chain must provide their products and solutions are robust and secure. It will be a collaborative effort to protect our offshore wind sector from cyber-attacks best.
The vulnerability of wind farms
There are several reasons why wind parks, in general, are vulnerable to hackers.
- The approach for cyber security was focussed on IT mainly, without having in mind a different approach for operations technology (OT)
- There are old wind parks, including communication systems, never designed with the “security by design” mindset like the IEC/ISO 62443 standard
- Operational technologies like SCADA and their substations for offshore wind parks do need a different approach for security compared to IT security
- Physical security has often not been sufficiently covered in the design, resulting in a poor quality of locks, e.g. applied at wind farm cabinets.
- Vendor’s remote access is not always managed properly (segregation of duties)
- More than one provider can realize communication links to the windfarms without notice
- Use of outdated communication protocols without security enhancements
The operational technology/industrial control systems (OT/ICS) of wind farms are most of the time decentralised. Mutual interactions to fulfil the total functionality are required for the optimization of the processes. With information technology (IT), different elements are delivering their own functionalities and do not require other systems.
OT and IT: Make a cyber difference
It is necessary to understand the differences between IT and OT for cyber security. For IT, confidentiality is most important, for OT: availability. One of the examples is that IT deals with transactional processes and OT with real-time processes. While availability is the most important aspect and focus, it was often not part of the design and implementation.
Besides these many interconnections are existing and will be extended. Do we have time, knowledge and experience to really check the full system integrity every day or even every hour? Our priority should be maintaining the system’s integrity in real-time before availability. Monitoring systems to detect changes will support engineers to maintain and check the integrity of the control systems in real-time.
Hacking offshore wind farms/industrial control systems require expert domain knowledge of the specific system, physical processes and organization
- state-sponsored attacks take a long time of preparation
- they only attack when they are sure to succeed
- they have all the time of the world
- during an attack, you are always behind.
Insider threat is a big threat too, because of the fact he/she has already expert domain knowledge.
Conclusion
Cybersecurity is a new concern for the wind energy industry. It represents another risk factor for which there is a limited experience. Fortunately, the wind industry hasn’t yet experienced a significant incident (at least one that has been disclosed), but it is likely only a matter of time before one does. It is best to be proactive in limiting your cyber risks, which means establishing a sensible and comprehensive security regime. Although costs and effort are involved, the consequences of not taking appropriate action in advance can be much higher.
To learn more about cybersecurity for windfarms and see how Wizard Cyber can assist, please visit this link for more details or get in touch to discuss.