At the end of June another key risk was highlighted when the US Department of Justice (DoJ) charged Chinese turbine manufacturer Sinovel and two of its employees with stealing trade secrets from US manufacturer AMSC, causing it an alleged loss of more than $800 million. A former employee of an AMSC subsidiary was also charged.
The AMSC-Sinovel case has been running for several years, largely in China's civil courts, but the entry of the US government raises the case to the level of international diplomacy. It came just weeks after US president Barack Obama used his meeting in California with Chinese premier Xi Jinping to raise concerns that Chinese computer hackers were stealing corporate secrets from US firms.
As well as upping the ante and turning the case into a major diplomatic incident, the DoJ's case revealed a huge amount of previously unseen detail about how Sinovel allegedly stole AMSC's intellectual property, offering insight for other manufacturers into the risk to their intellectual property.
The defendants are charged with stealing the source code for AMSC's PM3000 software, a part of its wind turbine electrical control system. The indictment alleges that Sinovel recruited Dejan Karabasevic, a former employee of AMSC's Austrian subsidiary AMSC Windtec, to join Sinovel, and secretly to copy intellectual property from the AMSC computer system.
As part of its indictment the DoJ revealed the levels of security in place by AMSC to protect its software. These included restricting access to its workstations and unique usernames and passwords to access the AMSC IT system. All employees were also required to sign a code of business conduct and ethics prohibiting disclosure of confidential business confirmation.
Despite this, Karabasevic is alleged to have copied the PM3000 software and sent it to Sinovel during a period in 2011 when he maintained regular email and Skype chat contact with Zhao Haichun and Su Liying, respectively Sinovel's technology manager and research department deputy director. The Chinese turbine manufacturer allegedly rewrote the software to operate in its own turbines as part of its low-voltage ride-through (LVRT) systems. A US Federal Bureau of Investigation team subsequently found evidence that AMSC's PM3000 software code had been used in four of Sinovel's 1.5MW turbines that had been installed in three projects across Massachusetts.
Karabasevic, who has pleaded guilty to charges of industrial espionage in an Austrian court, gave notice of his intention to leave AMSC Windtec in March 2011, yet still had access to the company's systems until his departure three months later. AMSC declined to respond to Windpower Monthly's request about any subsequent changes in what was clearly a weak element of the company's security measures.
The combined risk of insider intellectual property theft and corporate hackers means all companies should make sure they know which data are their most valuable, and apply security procedures accordingly, says IT security expert Raj Samani.
"The foundation for protecting information is to establish the type of data an organisation has, and its value," says Samani, EMEA vice-president and chief technology officer for internet security firm McAfee.
"This sounds easier said than done, with reports suggesting that 80% of data within enterprises is unstructured. If you identify what is most important, apply appropriate security controls and limit access to the smallest number of people — the 'need to know principle' — then this is a good start. Simply using username and password for information that's the secret sauce for the company may not be appropriate."
Samani adds that creating rules around certain levels of data may mean that data classified as top secret cannot be sent outside the company. Instead of relying on employees to abide by conduct rules, specific blocks must be put on certain types of data to prevent their removal. And if those data are on a portable device, companies should ensure it is encrypted.
This of course means first identifying what is most important to you as a company — your "secret sauce".
"If you don't know what's important then these types of incidents will occur because it becomes all too easy for people to access it," adds Samani.
Protection of intellectual property is one of the most important tasks facing his company, Henrik Stiesdal, chief technology officer at Siemens Wind Power, told Windpower Monthly. While central functions can be reached by all employees, restrictions are put in place on the most valuable information within each business unit.
"All information access must only be given on a need-to-know basis, monitored by the information owner. If the information is critical, two-factor authentication is enforced," says Stiesdal.
This two-factor authentication means the use of a combination of security measures such as a Siemens-wide public key infrastructure (PKI) key pair, which consists of a chip in employees' ID cards and a eight-digit PIN, plus an additional individual password.
Samani says that using employee-specific data access rights is essential to creating an audit trail that can help quickly clamp down data leaks. That applies to the supply chain too.
"Whatever good practice you do for yourself, you need to ensure your suppliers do, and make sure they tackle security as seriously as you because, as the saying goes, security is only as strong as the weakest link," he says. "For example, if you demand staff are vetted to access certain types of data, then this should naturally apply to suppliers/contractors that access the same data."
In addition to IP theft, another security risk for both turbine manufacturers and operators is the potential hacking of machines' supervisory control and data acquisition (Scada) systems.
According to recent work done by security researchers in Norway and Denmark, hackers are aggressively scanning Scada systems in order to find those still operating with default usernames and passwords. While Stiesdal points out that there is clearly valuable IP held within Scada systems, such as information on the performance of turbines, incidents in other industries indicate that it is more likely that attacks on turbine control systems would be made by terrorist organisations wishing to shut down the electricity supply for a facility, city, region or country.
As wind power's role in electricity generation increases, so does the risk posed by potential hacking incidents to national security. In the US, protection against hacking events is already required from turbines before they are permitted to access the grid, with all turbines meeting critical infrastructure protection standards issued by the Federal Energy Regulatory Commission, which covers issues such as security controls, sabotage reporting and recovery plans.
Samani says that while the risks are potentially huge, Scada systems are in theory much easier to protect than a company's general computer network or enterprise system, because they are required only for one task — to feed back performance data.
"There is no need for Scada systems to change as much as enterprise systems, so using host and network whitelisting is a real opportunity," says Samani, who has co-authored a book on the hacking risk to electrical systems called Applied Cyber Security and the Smart Grid
"Whitelisting creates a baseline of network traffic and reports or prevents any anomalies thereafter. If you know what traffic to expect, you can see any anomalies."
With the only recorded incident of a wind turbine Scada system being hacked, in 2011 in Florida, having been revealed as a hoax, it is clear that the risk to wind turbine control systems is minimal at present. If turbine companies are going to focus their security efforts anywhere, the area currently worthy of most effort is their precious intellectual property.
SECURITY STEPS - PROTECT YOUR DATA
- Identify your most valuable data
- Give access to key data on 'need-to-know' basis
- Vet all staff for security clearance
- Apply same rules to supply chain workers
- Employ more than one method of authentication, ie username and password, PKI, encryption
- Encrypt all laptops that store valuable data
Turbine control systems
- Create baseline of network traffic
- Monitor traffic for unusual activity