As the rise of renewable energy sources gathers pace, wind farms, and in particular offshore wind farms, are becoming a great source of interest for adversary groups. On 31st March 2022, the German wind turbine manufacturer Nordex was hit with a large-scale cyber-attack that shut down the company for several days across multiple sites in several countries where it operates. This was preceded by an attack earlier in the month on the satellite comms company Viasat, which shut down communications to over 5800 Enercon wind turbines. In November 2022, Vestas (another manufacturer of turbines) was also hit with a large ransomware attack affecting most of the company. These attacks highlighted the growing adversary interest in wind energy, and several risk studies have been carried out since.
There are several widely known vulnerabilities in wind farm design, not least the geographic locations, which prevent a speedy response to sites. Because of this, many organisations are deciding to increase the use of remote access and monitoring, but early systems include bespoke or less secure communications channels. A lot of the manufacturers have taken it upon themselves to adopt a ‘sealed box’ approach where they demand exclusive, and often encrypted, communications with their product. This means that the security tenet of segregation of duties becomes very cloudy, and accountability and responsibility become less clear, especially in times of incident response.
One risk reduction factor that is often overlooked is a structured approach to workforce development, including an understanding of accountabilities as well as a formal Awareness and Training programme. This will bring all staff and contractors onto the same page so that risks can be properly identified, discussed, and dealt with in terms of criticality and priority. An ISA/IEC 62443-3-2 risk assessment will help not only to identify the risks but also to separate the system into logical, defensible zones with known communication channels. In addition, a Cyber PHA, aligned to IEC 61511-8 and 61511-11, will inform the organisation as to the cyber security risks to the Safety Systems.
Factors specific to wind farms
Some of the widely publicised factors when assessing the cyber security of a wind farm are:
- There are many independently operating units to deal with.
- Each unit contains multiple field devices for control and power conversion, e.g. gearbox, braking mechanisms, generator, anemometer, variable pitch blades, etc.
- Requirements for multiple access connections including the manufacturer of the turbine, trusted third party services, the host organisation, etc.
- Geographic location is often hostile and difficult to reach.
Where do you start?
There are many different factors to consider including:
- Does your organisation employ secure network design principles including robust device testing, code reviews, communications testing?
- Does your vendor match those principles?
- Does your site require additional physical security and physical cyber security defences?
- How do you deal with the analysis of the data stream, and where is your central logging location, e.g. onshore or offshore?
- What is the organisational approach to patching, e.g. do you utilise the Never-Next-Now principle?
- Who is responsible for the patching?
- Does your site/farm have specific policies and processes for identifying, containing, and dealing with a cyber intrusion, as well as wind farm specific Incident Response playbooks?
This approach will support the general, holistic method of day-to-day cyber security, but it needs to be dynamic and flexible enough to deal with any new threats and vulnerabilities as they arise. After all, the world of OT cyber does not stand still for very long!
Author: Tim Harwood, CEO, Siker Ltd