Opinion: Three strategies to enhance the wind industry's cybersecurity

Wind power assets are an especially attractive target for opportunistic cyber criminals due to their isolated geographical locations and increased digital footprint, with significant reliance on remote monitoring and control.


Just last year, the supervisory control and data acquisition (SCADA) system for 2,000 wind turbines in Germany was hacked, forcing the wind farm owner to halt operation of the turbines and shut down its computer systems for a day.

As wind energy contributes more of the energy mix, cyber incidents could become more disruptive.

Protecting against cyber-attacks targeting operational technology (OT) systems is a difficult challenge and involves many battlefronts. However, there are strategic steps that wind energy asset owners can take - especially in the construction and project development phase - to build cyber systems that are more resilient and that mitigate risk for the organization.

Here are three critical strategies which asset owners can implement:

1) Security by design

Like many industrial assets, wind farms are designed first and foremost for functionality. Cybersecurity is typically only considered after IT and OT technologies have been selected. This “bolt on” approach can make securing infrastructure extremely difficult, especially if the architecture needs to be scaled in the future to accommodate new workloads and demands.

‘Security by design’ is a philosophy that prioritizes cybersecurity in the earliest phases of the new construction project lifecycle and encourages owners and suppliers to think, buy, and design for cybersecurity, as an element of functionality.

The goal is to establish security requirements which can then be used to select software and hardware that has the cybersecurity capabilities necessary to implement protective, detective, and corrective security controls to shield wind assets from cyber-attack.

Once the cybersecurity requirements have been clearly defined, they can be communicated to the relevant project stakeholders to help ensure a holistic baseline of cybersecurity controls and capabilities is in place for the asset and its associated utility systems.

Ultimately, the objective is establishing a software and hardware ecosystem where both cybersecurity and functionality coexist.

2) Validation

The purpose of validation is to ensure that all suppliers providing software and hardware to the asset understand the security requirements and standards that their products must achieve.

It is also to verify that the security architecture will perform as expected during operation.

Early on in this phase, a key security activity is the risk assessment of supplier systems to determine their appropriate security level.

Building a secure ecosystem costs money, so without understanding the criticality and capabilities of each sub-system and component, it is much more difficult to justify expenditure. The risk assessment helps to ensure that security spend goes towards the most critical components and systems that result in the greatest risk-reduction value for the assets.

Testing is another important part of validation. All good cybersecurity programs should require tests to check that defences and controls are performing as intended and that the security requirements defined at the outset are being met. Different types of tests may be required, including on individual components and software packages, as well as during systems integration.

3) Monitoring

The focus can then shift to monitoring. The objective here is to leverage data and knowledge gathered during the validation phase to develop an effective monitoring program based on the implemented security controls. The key is understanding what specific data streams are important so that monitoring can be targeted and measurable.

Proactive monitoring based on security control objectives can minimize the ‘lag time’ between when a potential control failure occurs and when it is detected.

This is a critical metric for successful incident response, either via automated playbooks based on control failure or via clear alerting to security teams for proactive response. Too often, individual control failures are only detected as part of a larger intrusion or attack, necessitating aggressive and costly measures, like an asset shutdown.

Long-term cybersecurity

There is no easy way of securing wind assets from cyber threats. The generating capacity of the wind farm, its location and operating profile are all variables in the optimal cybersecurity strategy.

But it is important for the asset owner to view cybersecurity not as an event, but as a continuous process that is integral to the facility’s safety and operational excellence.

As wind farms scale and infrastructure evolves - and especially as digitization and remote management increase - a strong cybersecurity foundation will become critical to successful operations.

Dereck Stubbs is director, industrial cybersecurity consulting, at ABS Group