Russian hackers launched a successful cyber attack on Ukraine's power grid in December 2015. They infiltrated information systems of three distribution companies, navigated through open circuit breakers and switched off 30 substations, leaving more than 225,000 people without power in deep winter.
In July, UK-based The Times reported — citing anonymous sources — that suspected Russian military hackers sent emails containing malicious software to engineers at Ireland's Electricity Supply Board. They stole passwords and drew on broad surveillance of the board's activities.
Meanwhile, the US government in June warned of malware attacks against the nuclear and energy industries, including with phishing emails after hackers breached at least a dozen power stations in the country. Targets included the business network of the Wolf Creek Nuclear Operating Corporation in Kansas, according to the Washington Post.
Fast forward to an unidentified wind project in the central US, where University of Tulsa researchers have physically broken into a single turbine by picking a lock on the tower door in less than a minute.
They opened a server closet, unplugged an Ethernet network cable and attached a small, off-the-shelf, cheap Raspberry Pi mini-computer with wifi.
They switched on the Pi, and attached another cable to an open port on the turbine's programmable automation controller.
Later, using a laptop from a vehicle hundreds of metres away, they halted the turbine. In fact, they could have stopped every turbine in the project - connected through a so-called private network - by gaining access to just one.
The project owners and operator were aware of the "penetration test". For the past 30 months, the University of Tulsa researchers have physically broken into and hacked five US wind projects with 2,000 turbines, each project supplied by a different OEM.
Their work is backed by the National Science Foundation CyberCorps Programme and overseen by Sujeet Shenoi, a computer science professor at the university.
Vulnerabilities are not news to experts, but the research has made waves because wind power has become mainstream. The intrusions were detailed in Wired magazine and presented at the Black Hat cyber-security and hacking conference in Las Vegas in August.
Wind projects have become more hi-tech and connected. And if Ukraine's grid can be hacked, so can a wind farm - if it does not have proper cyber protection. "Wind farms have become more vulnerable as criminals have become more sophisticated," says Ellen Liu, lead for renewable-energy digital cyber-security products at turbine manufacturer GE.
Compared with conventional power stations, wind projects can be physically vulnerable and may be owned and operated by smaller companies that are relatively unsophisticated about IT and cyber-security. The turbines are also distributed across a large area.
"Banks can be hard to break into, but ATMs are less so," says Shenoi, who has become a cyber cop of sorts for the wind industry. He stresses that any system in the electricity sector can be breached if it is not protected properly. Some wind projects have been found to be connected to the public internet.
Palle Clausen, senior product manager at Vestas, says: "Wind (farms) tend to be more remotely located and have fewer physical breach barriers than a comparable nuclear or hydro plant." But there are solutions to protect them, he adds.
Connectivity brings dangers
These concerns are echoed by Chen-Ching Liu, director of Washington State University's Energy Systems and Innovation Centre, who has studied wind-farm Scada systems and cyber attacks.
"With connectivity comes cyber-security issues," he says. "There is no perfect connectivity." He notes that Scada vulnerabilities in any industrial system have been well-known for years.
A Scada, or supervisory control and data acquisition, system is the nerve centre of a wind project, connecting it to the outside world.
The two other main points of vulnerability are the wind-farm network and the turbine itself, says GE's Liu. For example, ten or so wind turbines at a project can be linked in fibre rings, or daisy-chains, which may themselves be interconnected. There may not be a software firewall or a "bump in the wire" between them.
Technicians with access to a control centre could be compromised by spear phishing, which entices users to reveal sensitive information. "If I have remote control, then potentially Ican operate a wind turbine," says Chen-Ching Liu. "I can hack in and figure out how to turn (a turbine) off." Or circuit breakers in a substation could be opened. Or intruders could cause a "loss of view", so that operators cannot monitor.
Passwords may be weak and software out of date. Such a scenario would just be "poor security from the ground up", says Edward Oughton, a research associate in technology modelling at Cambridge University's Centre for Risk Studies and co-author of reports on cyber attacks on electricity distribution networks.
"It's a cliche, but you're only as strong as your weakest link." He stresses that it is the human element that is typically weakest.
A turbine vendor can be an attractive target, says Shenoi. The OEM will want remote access so it can measure turbine performance and send software updates. "If attackers spearfish a vendor, they could potentially attack that vendor around the world," he points out.
No cyber intrusions at modern wind projects have been publicised, although they have been rumoured in the western US. Project operators and owners are hardly likely to talk publicly about successful intrusions or even attempts. Malware has, however, been documented on wind-company servers.
Experts recommend that cyber protection should be established for turbines and the substation. Key measures include anomaly-detection software, also known as intrusion detection. For physical security, CCTV cameras can be installed at wind projects, or individual turbines, and alarms on tower doors. CCTV has already become standard at offshore projects. And never connect a wind farm to the internet.
The motives of hackers or cyber criminals vary. Attackers, including nation states and organised crime, might want to cause financial disruption or - if they take enough power plants offline - compromise national security.
However, Chen-Ching Liu notes that a grid has much embedded security; the so-called N-1 redundancy concept means operators can always cope with a power plant tripping.
"But if you lose two or three or more, there's no guarantee," he suggests. William Sanders, head of Illinois University's electrical and computer engineering department, who co-authored a recent report by the prestigious US National Academies of Science, Engineering and Medicine about attacks on the grid, thinks "it would take a significant outage" of wind farms to cause wider disruption. He declines to give a figure.
Perhaps a disgruntled employee seeking to cause harm to a particular company could pose a risk. A single wind turbine can be worth $2.5 million. "How much ransom would you pay for 500 towers?" asks Shenoi.
Theft of intellectual property is a prospect. But a physical "break and enter" ransomware scenario is not so likely for wind projects, says Ben Miller, director of the threat operations centre at critical-infrastructure security company Dragos and a former engineer at the North American Electric Reliability Corporation.
"There are easier ways to make a couple of bitcoins than by risking life and limb breaking into a turbine," Miller says, speaking from the sidelines of the Black Hat conference.
But in May, cyber criminals using the WannaCry ransomware remotely crippled computers in some 150 countries, with targets including the UK's National Health Service and FedEx.
Dragos, which has clients in the wind industry and was involved in analysing the Ukraine attack, makes "behavioural analytics software" that recognises unusual activity. It would have quickly detected an unfamiliar device such as a Raspberry Pi, says Miller.
He also stresses how much engineering "redundancy" is built into wind turbines. For example, they are made to weather the winds, so damage from merely stopping and starting them maliciously should be limited.
The wind industry is taking cyber-security seriously. Vestas offers measures to prevent a physical breach, such as intrusion detection and alerts, as well as mitigation and control systems that quarantine and limit a malicious cyber impact to the plant and the grid or other wind plants, says Clausen.
At the American Wind Energy Association Windpower 2017 conference in California, GE Renewable Energy announced it would provide cyber security for ten years for wind turbines owned by Invenergy, as well as for the utility's future projects, a contract worth an estimated $13 million when announced.
The agreement includes upgrading Invenergy's legacy controls, and upgrading and protecting its network security with GE's proprietary Opshield, which GE says protects industrial controls and critical infrastructure networks. GE will also provide software maintenance, updates and patches.
Opshield is designed to include: an operational technology firewall; recognition of industrial system protocols; whiteor blacklisting of traffic; network zoning or segmentation; deep inspection; and it can contain a problem, such as hacking, to one turbine. It also recognises traffic patterns and can block anything abnormal. One device is placed in every fibre loop. GE offers encryption protection for Scada systems too.
The scale of cyber-security the wind industry needs is vast, and the US is the largest market in his segment. At the end of July, Invenergy and GE announced the 2GW Wind Catcher project, already under construction in Oklahoma.
It will use Opshield.
DEFENSIVE STRATEGIES — THE 12-POINT GUIDE TO PROTECTING POWER ASSETS AGAINST CYBER ATTACKS
Security… Limit physical and remote access to wind turbines to guard against intrusions (pic: Nikki Seal)
Protecting wind turbines from cyber and other digital attacks is vital. Sujeet Shenoi, a computer-science professor at the University of Tulsa, suggests that project operators should:
- Set a communication plan to inform on progress and provide a mechanism for concerns to be raised
- Limit physical access to the turbines and the rest of the wind farm. If there is a breach, be prepared to deploy security personnel very rapidly, even if the project is remote
- Make it hard to connect devices to the equipment in the turbine so they can do damage. For example, secure the computer ports by requiring user authentication so that an intruder's unauthorised device cannot function if attached to a turbine
- Construct a software firewall between each turbine
- Use anomaly-detection or behavioural-analytics software
- Install VPN tunnels, or encrypted links, between turbines and the wind project's control centre
- If the inside of a turbine looks too busy or untidy, it could be easier to miss an unauthorised device or an intrusion, so keep it tidy and take photographs as a record for conducting periodic checks
- Follow recommended international standards, such as IEC-61400-25, which provides for the uniform exchange of information for monitoring and controlling wind-power plants
- Require all remote management of the wind project to be from a designated location or "online office" that can be properly protected - never from a hotel or a home. This includes all monitoring by an OEM
- Never allow any "outside" device to be plugged into company assets, including a USB flash drive or mobile phone charger
- Ensure your own employees pass a background check or security clearance periodically, not just when they are hired
- Require the proper and periodic background checks or security clearance for personnel accessing all wind farms, including outside contractors. In the US this would include NERC-CIP (North American Electric Reliability Corporation critical infrastructure protection) clearance