January 17, 2019
Cybersecurity presents a new dimension of windfarm risk. As increasingly cyber-connected systems, windfarms are vulnerable to interruptions, lost revenue and even physical damage as the result of cyber intrusions. Such interruptions can also impact the reliability of the electric grid, which has led to growing regulations and compliance costs to protect this critical infrastructure.
The objective of this article is to examine the cyber risk landscape of windfarms and provide guidance on how to achieve reasonable levels of security. Financial and other consequences of cyber attacks will be identified, as will various approaches for helping to protect windfarms from cyber breaches.
Distributed energy systems are becoming increasingly linked as they incorporate Internet of Things (IoT) components. This enables smart grid functionality and the high penetration of renewables into the generation mix. Utilities and energy managers require access to systems in order to monitor and control output and loads, thereby maintaining grid reliability.
Windfarms are cyber-physical systems consisting of overlapping networks of power distribution, controls and data flows. These networks incorporate sensors, actuators, data communications and decision-making algorithms. This configuration contains numerous access points for potential cyber intrusions, including:
- Control centers (onsite and remote)
- SCADA systems
- Remote terminal units (RTUs)
- Individual wind turbines
- Embedded devices and software
- Remote vendors such as turbine OEMs
Because windfarms are typically sited in remote locations without full-time supervision or fencing, they can be vulnerable to physical breaches, which can in turn lead to cyber breaches. This was demonstrated by researchers at the University of Tulsa who were able to gain physical access to the base of turbine towers (by cutting door latch locks). They intentionally compromised turbine operations (as a security exercise with the permission of the windfarm owner) by installing a simple remote communications device into the turbine controllers.
Consequences of Cyberattacks
The consequences of cyberattacks come in many forms. The most obvious is the loss of production and revenue. For example, a single day’s outage at a 100 MW windfarm can result in lost revenue of $50-100K, depending on windiness and energy purchase prices. If a cyberattack impairs the control functions of the turbines, it could lead to equipment damage and high repair costs. There could even be harm to staff or bystanders if the turbines became uncontrollable and operated in unsafe modes. Other consequences include the theft of proprietary data and intellectual property, and the subsequent reputational damage. Grid stability can also be impacted, compromising reliability and possibly triggering a grid outage. Unfortunately, risks and consequences impact not just the windfarm owner. Stakeholders across the spectrum, including OEMs, supply chain vendors, O&M providers, financiers and utilities, all have a vested interest in cybersecurity.
Internal operations staff can unwittingly facilitate cyber breaches. For example, a windfarm operator recently explained how an infected laptop computer caused a sequence of turbine outages. A turbine technician used a service laptop in his hotel room the previous night to surf the web, and the next day inadvertently uploaded malware to turbine controllers when he was out servicing turbines as part of routine O&M. This is a classic example of the inappropriate use of a device that could have been prevented, as established procedures were not followed in this case. It’s important to note that human error among staff is a frequent path for security breaches in most organizations and efforts to reduce this risk vector deserve considerable attention.
Regulations and Frameworks
There are a number of regulatory and voluntary drivers in North America and Europe that require or encourage compliance with certain cybersecurity regulations or standards. In North America, the most relevant is NERC-CIP (North American Electric Reliability Corporation - Critical Infrastructure Protection), which is applicable to projects rated greater than 75 MW that are interconnected to the grid at transmission voltages above 100 kilovolt-amperes (kVA).
NERC-CIP is a multi-segmented framework and compliance program that sets minimum requirements for the protection of critical assets that affect or control the bulk electric systems. These critical assets include devices that use a routable protocol or are dial-up accessible. The program is managed by eight regional entities that perform periodic security audits and spot checks. Registered windfarms under the purview of NERC-CIP have various compliance, reporting and training responsibilities, and non-compliance can lead to financial penalties.
The National Institute of Standards and Technology (NIST) has prepared a comprehensive framework for improving critical infrastructure cybersecurity. All US federal agencies are required to implement this framework, and other organizations have begun adopting it as well.
Standards have also been established by the IEC and UL for the security of industrial control systems and network connectable products. The UL 2900 Standards series are among the first standards targeting this market.
Europe also has been active in establishing security guidance, including the 2013 launch of an EU Cybersecurity Strategy. In 2016, the EU adopted the NIS Directive – the Directive on Security of Network and Information Systems. More recently, the General Data Protection Regulation was adopted and became effective on May 25, 2018.
Compliance versus Security
It is important to understand that compliance does not necessarily equal security. Compliance with regulations like NERC-CIP is an important step for creating a security baseline and holding organizations accountable, but there are still additional steps an organization can and should take to improve its security. It is of utmost importance to place the focus on actively maintaining security and making ongoing compliance a byproduct of those efforts.
For example, compliance requirements may state that all networked operational assets are to be inventoried and mapped. An asset owner could simply stop there to satisfy compliance requirements, but in reality they’ve not really done anything to directly mitigate their security risks. In this case, there are ways to go above that minimum threshold to ensure a greater level of security, such as by monitoring those assets regularly for breaches and running frequent vulnerability scans rather than only waiting for vendors to issue patches.
Another example is the logging of security events. This can be done manually to satisfy requirements, but this alone does little to create the visibility an organization needs to understand related events across the enterprise. A more effective action is to automate the process using an event management platform that not only logs events but also actively monitors across the networks and creates alerts on any sequence of events that could indicate a wider breach. This type of automation, while going above and beyond compliance requirements, can create a more sustainable security program.
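As an added illustration (not part of the original article), the following sketch shows the kind of sequence correlation an event management platform performs, applied to the physical-then-cyber intrusion path described earlier. The event names, turbine IDs, one-hour window and sample events are all constructed assumptions, not a real product's schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, turbine, source, event type.
SAMPLE_EVENTS = [
    ("2019-01-10T02:14:00", "T07", "access_control", "tower_door_open"),
    ("2019-01-10T02:21:30", "T07", "network_monitor", "unknown_device_on_lan"),
    ("2019-01-10T02:40:10", "T07", "scada", "controller_setpoint_write"),
    ("2019-01-10T09:05:00", "T03", "access_control", "tower_door_open"),
    ("2019-01-10T09:50:00", "T03", "scada", "controller_setpoint_write"),
    ("2019-01-10T11:00:00", "T11", "network_monitor", "unknown_device_on_lan"),
    ("2019-01-11T11:00:00", "T11", "scada", "controller_setpoint_write"),
]

# Hypothetical rule: physical entry, then a new device on the turbine LAN,
# then a write to the turbine controller, all on the same turbine.
SEQUENCE = ("tower_door_open", "unknown_device_on_lan", "controller_setpoint_write")
WINDOW = timedelta(hours=1)

def correlate(events, sequence=SEQUENCE, window=WINDOW):
    """Return one alert per turbine where `sequence` occurs in order within `window`."""
    alerts = []
    progress = {}  # turbine -> timestamps of the sequence steps matched so far
    for ts, turbine, _source, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        matched = progress.get(turbine, [])
        # Discard a partial match once its first step is older than the window.
        if matched and when - matched[0] > window:
            matched = []
        if kind == sequence[len(matched)]:
            matched = matched + [when]
        elif kind == sequence[0]:
            matched = [when]  # a fresh first step restarts the match
        if len(matched) == len(sequence):
            alerts.append({"turbine": turbine, "start": matched[0], "end": matched[-1]})
            matched = []
        progress[turbine] = matched
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT {alert['turbine']}: {alert['start']} -> {alert['end']}")
```

Each event on its own (a door opening, a setpoint write) is routine and would pass a manual log review; only the ordered combination on one turbine within the window raises an alert.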
When it comes to maintaining security, the cyber landscape is rapidly changing and becoming more sophisticated. Generally, like most companies, windfarm stakeholders don’t update their security practices as often as they should. Additionally, compliance criteria are consistently being updated to keep pace with industry best practices and newer innovative technologies. Therefore companies need to maintain a proactive security program.
Creating a Sound Security Program
There are several elements to establishing an effective security program. When creating a fully integrated security enterprise, a framework like the NIST one provides useful guidance. A first step is to define the system to be secured. This means taking an inventory of all connected devices, both IT and OT (operating technologies), and determining the system boundaries and attributes. This exercise is important for prioritizing the levels of protection needed for your data, assets and networks since some are more critical than others. Taking a risk based approach to prioritization will facilitate the establishment of a pragmatic security management or governance plan.
Security is a continuous exercise and requires regular monitoring, software patches and tool updating. Monitoring is important to ensure that breaches are found in a timely manner before much damage can be done. For software patches, it is important to not only rely on vendors to provide them but to also monitor for ongoing vulnerabilities that may affect critical assets. Routine vulnerability assessments and penetration tests on critical assets provide added protection.
When it comes to assembling turbines and windfarms, it is important to recognize that many integrated components contain software and communications that should conform to security requirements. Therefore demonstrable security features should be part of a procurement process. Request information about the vendors’ security software development lifecycle and require that the product meets minimum security criteria from an industry standard (such as UL 2900 or IEC 62443). The same is true for vendors who continue to have remote access to their devices once the windfarm is operating. They need to fall within your overall security enterprise.
Having a security program doesn’t guarantee that a breach won’t occur, so it is important that incidents are discovered early and managed appropriately to minimize harm. This includes having a recovery plan in place. The plan should also include a method to analyze how an incident occurred, once it is resolved. Steps should be taken to prevent a repeat event in the future.
Because windfarms are typically remote and unmanned, it is important to implement reasonable physical security and detection practices for that environment. This includes remote intrusion monitoring, alarms, access control, CCTVs, etc. Also, a response plan should be created to address if and when a physical intrusion occurs.
Roles for Third Parties
Since most companies aren’t equipped with cybersecurity experts, it pays to bring in outside expertise to provide a comprehensive assessment and improve security practices. Even if an organization has an existing security program, it can be very valuable to obtain a second opinion from seasoned experts to validate efforts and uncover gaps.
One of the early forms of engagement can be enlisting a qualified third party to perform a cybersecurity program assessment. As part of the review, the third party will examine all relevant cybersecurity policies, supply chain requirements, network designs, and data flows. It will also identify gaps and risks and offer suggestions to help mitigate them. This review can offer assurance that existing policies are either reasonable or can be improved with a road map to address critical risks in a prioritized fashion. It also can be useful to gain buy-in from top level management to invest further in cybersecurity.
Another example of engagement is supply chain validation. Where procurement requirements have security criteria included, it is important to also have a method of validation to ensure those requirements are being met. One way to do that is to request certifications. Another is to request a test report from a qualified third party to verify that the specific security requirements have been met.
For installed equipment, or before purchasing equipment having critical security risks, a penetration test is also recommended. The third party can help identify the appropriate equipment to be tested as well as perform the testing to identify security vulnerabilities. Penetration testing can help parties better understand the risk of exploitation and harden the network appropriately to manage cyber risk.
Since employees are one of the greatest assets or potential liabilities to maintaining a security program, it is important to ensure they are properly trained to maintain a strong security culture within the organization. According to a 2016 report from PhishMe (now Cofense), over 90% of cyberattacks begin with spear phishing emails. Staff can easily let an attacker into a network unknowingly, so it is important to make sure everyone is aware of the consequences and knows how to prevent attacks from happening. A variety of training programs are available to educate staff on specific security needs or provide general best practices guidance.
Cybersecurity is a new concern for the wind energy industry. It represents another risk factor for which there is limited experience. Fortunately, the wind industry hasn’t yet experienced a major incident (at least one that has been disclosed), but it is likely it is only a matter of time before one does. It is best to be proactive in limiting your cyber risks, which means establishing a sensible and comprehensive security regime. Although costs and effort are involved, the consequences of not taking appropriate action in advance can be much higher.