Wind Firms Cannot Afford to Ignore Increasing Cyber Security Threats – DNV
The following article is a guest post by Alexander Hansen Bakken, Cyber Security Consultant, DNV.
DNV’s 2022 Energy Transition Outlook, an independent model of the world’s energy systems, forecasts that wind energy will grow 10-fold by 2050, boosted by cheaper turbines and improvements in operation and maintenance.
This transformation is deeply dependent on energy infrastructure becoming more digitally connected. Yet rising geopolitical tensions are shining a light on just how vulnerable energy infrastructure becomes the more connected it is.
Already in 2022, there have been three high-profile cyber-attacks on wind farms across Europe, with OT – the computer systems that manage, monitor, automate, and control industrial systems – at risk of being exploited and compromised.
In February, a German wind turbine maker, Enercon, lost remote connection to 5,800 turbines following a large-scale disruption of Viasat satellite links which coincided with Russia’s invasion of Ukraine. While the turbines were unaffected and ran in auto mode, the cyber-attack led to a satellite link fault halting remote monitoring/control of wind turbines and solar PV plants. Thousands of satellite ground-terminal units needed replacing. Some wind farms and solar PV plants didn’t utilize a satellite link but instead a radio link and therefore were unaffected. There was speculation that the attack aimed to cripple Ukrainian command and control, with cascading effects impacting European countries, notably Germany. Since then, Germany has issued a plan to prevent a repeat.
In March, Nordex, another German wind turbine maker, suffered a ransomware cyber-attack on its IT systems, effectively locking down its systems as cyber criminals demanded ransom to open them up again. Once again, the wind turbines were not affected, but Nordex deliberately shut down the remote connections through the wind farms to protect customers’ assets and to prevent spreading to OT.
Understanding the Risks
One of the most urgent tasks facing companies in the energy sector is to identify where their projects and operations are exposed to threats before threat actors can find them. Companies need a clear, complete and up-to-date overview of their information and control systems – including the connected supplier and third-party systems.
The security of technology platforms can be undermined if there are vulnerabilities elsewhere in the supply chain and cyber security has not been factored adequately into contracts with suppliers and subcontractors. This far-reaching overview allows organizations to prioritize the vulnerabilities and non-conformities they must address to stay cyber secure, and put the right people, processes, and technologies in place to build effective protection from threats.
It is not enough for companies to go through the process of discovering where they are vulnerable sporadically. It has to be done iteratively to ensure that they are resilient to new and emerging attack vectors.
There are at least three different attack vectors when it comes to wind farms. The first is physically breaking into the turbine and connecting to the internal cabinet, where attackers are able to take advantage of lax on-site security. The second is compromising and remotely controlling an engineering mobile or laptop to gain access, either by taking advantage of a missing endpoint connection or through a Virtual Private Network (VPN). The third is hacking into internet-facing endpoints such as closed-circuit television (CCTV) located at the substation.
Ultimately, all vectors allow access to the supervisory control and data acquisition (SCADA) industrial control system architecture. Once in there, cyber criminals can take control of the entire wind farm.
Vulnerabilities Observed from the Field
The wind sector is experiencing an increasing number of attacks and cyber security came under greater scrutiny after researchers from the University of Tulsa in Oklahoma demonstrated how easy it can be to hack a wind farm. This included lock-picking an unsupervised turbine door in less than one minute and gaining direct access to the unsecured server behind it.
More elaborate criminals could create grid instability by altering the power and frequency regulation towards the grid transmission in a method of attack that is called false data injection. The worst-case scenario is loss of life, which could stem from a hacker increasing the voltage within the turbine while an engineer is working on the structure. An increase in voltage could also see the turbine catch fire, potentially fuelled by the highly flammable oil that is used for lubrication and cooling. DNV’s recent Cyber Priority report, a study of 940 industry professionals, found that 57% of respondents were worried about loss of life from a cyber-attack.
Mitigating Against the Risks
While the consequences of an attack could be catastrophic, it is not yet too late for operators to begin putting mitigations in place, such as placing firewalls between turbines to create segregation and prevent the cyber criminal from taking control of an entire wind farm from one turbine.
Operators must also take care to secure endpoints such as laptops and phones. Segregation between the IT office and OT is important as wind farm operators are often afraid of hackers reaching their OT and so immediately shut down their remote connections.
Undiscovered vulnerabilities along the supply chain can completely undermine a company’s in-house cyber security effort. Companies can have complete oversight of their own vulnerabilities and have all the right measures in place to manage the risk, but this doesn’t matter if there are undiscovered vulnerabilities in their supply chain. One issue can escalate or domino into many others.
Despite concerns over the security of their supply chain, comprehensive audits are rarely conducted, cyber security requirements are often not included in procurement contracts, and few organizations conduct due diligence when purchasing equipment, systems and software.
Companies with industrial operations must pay greater attention to assuring that equipment vendors and suppliers demonstrate compliance with security best practice from the earliest stages of procurement and throughout the lifecycle of a project. This is especially important since remote access to OT systems is a significant cyber security threat. Supply chain audits and vendor cyber-security requirements must be implemented during procurement, installation and operation of equipment, systems, and software.
According to research conducted in 2021 by Applied Risk, a DNV company, most OT security professionals say their organizations are at risk because of their inability to ascertain the security practices of relevant third parties and to mitigate cyber risks across the OT external supply chain.
Only 33% of OT professionals say their organizations conduct regular audits of their own main suppliers, and only 27% conduct due diligence prior to contracting with new suppliers.
Just half (49%) of OT security professionals say their contracts with suppliers include cyber security requirements. In figures from DNV’s Cyber Priority report, just 28% of energy professionals working with OT say their company is making the cyber security of their supply chain a high priority for investment. This contrasts with the 45% of OT-operating respondents who say expenditure in IT system upgrades is a high investment priority.
Development of Industry Regulations and Best Practice
Wind operators are facing potentially huge losses as a result of a cyber-attack, but regulatory developments could act as a safeguard. A cyber security paper by industry body, Wind Europe, published at the beginning of this year, said the total costs involved for an asset owner in mitigating the impacts of a cyber-attack, including revenue losses and dealing with investigation and containment, can run into millions, or even billions, of Euros.
The paper, A Cybersecurity Framework Fit for Wind Energy, considers regulatory developments that are underway, namely: the Network Information Security (NIS) Directive, which is currently under revision, and The Network Code for Cybersecurity (NCCS).
The NCCS, which was announced by the European Network of Transmission System Operators for Electricity (ENTSO-E) in December 2022, is the first network code that will be developed according to the new rules established by the European Union on the internal market for electricity and is expected to enter into force by January 2024.
Aimed at setting a European standard for the cybersecurity of cross-border electricity flows, the NCCS focuses on improving cyber security resilience through the enhancement of threat decision and incident reporting. It also proposes various measures to improve cyber security resilience that are essential to preserving the continuity of the services.
Wind Europe’s paper, which considers specific cybersecurity needs that should help shape the regulations for wind farm owners and operators as well as for wind turbine and component manufacturers, also makes recommendations for best practice including the suggestion that international standards should be considered in the design of such requirements.
Among cyber security needs that the paper states are specific to Distributed Renewable Energy (DER) assets are:
· The need for secure remote operation of several geographically separated assets
· The need for universal definitions and data standards that asset operators can use as a common vocabulary to build universal risk management processes
· The need to use common international security standards given the current diversity of options
A key point also put forward by Wind Europe is that the NCCS should: “consider this crucial aspect: cybersecurity rules for electricity assets must focus on the domain of vulnerabilities of the Operational Technology (OT). We highlight this need because it does not apply for many other sectors… for which the vulnerability of the Information Technology (IT) remains the main concern.”
The point underlines how securing OT is becoming an increasingly urgent challenge as it becomes more networked and connected to IT environments, particularly because of ongoing advances in digitalization as well as work to develop a super grid which would ultimately interconnect various European countries and the regions around Europe’s borders.
Applying Lessons Learnt from Other Sectors
A sector that the wind farm industry could learn collectively from is maritime, in which DNV’s cyber secure class notation is derived from the ISA/IEC 62443 series of security standards for industrial control systems that has successfully set out the benchmark for cyber security and is applicable to renewables.
Within the maritime sector, DNV provides attestation of this regulation through a three-step process which begins with a zones and conduit advisory, an assessment and analysis of current network architecture. That is followed up by a gap assessment and then an attestation of compliance through physical testing of each requirement stated in the standard.
The ISA/IEC 62443 series could be further reinforced by the new NCCS regulation once it is published and comes into force.
What Does the Future Look Like?
Security by design is the future. An advancement in the maritime sector is that the International Maritime Organisation has already taken steps by implementing Resolution MSC.428(98), which requires ship owners and managers to assess cyber risk and implement relevant measures across all functions of their safety management system. For this, DNV encourages a straightforward four-step guide:
· Identify vessel cyber security objectives
· Make an inventory of systems and software
· Execute cyber risk assessment
· Establish cyber security policy and procedures
· Define responsibilities and tasks
· Execute cyber security training
· Report cyber events and incidents
· Evaluate effectiveness of reaching objectives
· Analyse cyber incident and event reports
· Execute internal audits of cyber security
· Execute corrective and preventive actions
· Strive for continuous improvement
With the International Association of Classification Societies (IACS) recently publishing new Unified Requirements for cyber security – E26 and E27 – these will be mandatory for classed ships and offshore installations contracted for construction on or after 1 January 2024.
The new IACS Unified Requirements (URs) are based on recognized international standards for the cyber security of industrial automation and control systems, such as IEC 62443. In brief, the new IACS URs cover the following main topics:
· Scope of applicability, including OT systems for important vessel functions
· Identification and protection against cyber threats
· Detection of incidents
· Means to respond and recover
· Hardening and security capabilities of systems and components
According to IACS: “E26 aims to ensure the secure integration of both OT and IT equipment into the vessel’s network during the design, construction, commissioning, and operational life of the ship. This UR targets the ship as a collective entity for cyber resilience and covers five key aspects: equipment identification, protection, attack detection, response, and recovery.
E27 aims to ensure system integrity is secured and hardened by third-party equipment suppliers. This UR provides requirements for cyber resilience of onboard systems and equipment and provides additional requirements relating to the interface between users and computer-based systems onboard, as well as product design and development requirements for new devices before their implementation onboard ships.”
With offshore wind farms continuing to be built around the world, it is vital that operators consider cyber security in their designs. Similar regulations to what are now implemented in the maritime sector would be welcome in the offshore wind industry.