
Offshore wind and cyber security: Modern digital piracy

Ioannis Papadopoulos, Business Lead, Wind, DNV




Anyone who follows the trends in the energy sector can see that many regions of the world are shifting to dispersed power systems, based on various and distributed power sources supplying the grid. Wind farms, especially those located offshore, are currently favoured in many regions around the world due to their low cost and power output. These offshore wind assets generate power that needs to be delivered to the demand centres to satisfy our growing need for electricity; but in this digital era, the data that goes to and from these power projects is as important as the power that comes from them.


The National Cyber Security Centre (NCSC) defines cyber security as ‘the practice of safeguarding IT systems, devices, and their data from unauthorized access and interference, commonly known as cyber-attacks.’ Therefore, it is ironic that the digitalization that enables our power systems to adapt and integrate more renewable energy projects also makes them vulnerable to interference and manipulation. This means that, besides the risks of power disruptions, new risks arise in how wind farms operate, especially from cyber security threats.


DNV’s UK Energy Transition Outlook 2024 highlights that offshore wind capacity will significantly increase from around 14 GW today to 90 GW in 2050, meaning that offshore wind farms could soon be adorning even more of the UK’s coastline and further afield. But with great growth comes great vulnerability. Offshore wind farms are critical infrastructure, helping to keep the lights on. A cyber-attack hitting one or more large wind farms could have a potentially devastating impact! The financial losses associated with lost energy production, and of course any reputational damage, would be hard to quantify. However, it has been reported that one day of downtime for a 500 MW wind farm (which is less than half the size of many projected offshore wind projects in UK waters) would be a painful £360,000.[i] Hackers, whether politically motivated or simply mischievous, see a prize worth chasing in offshore wind farm projects. They could halt production leaving grids crippled; worse still, they might inflict vandalism on the turbines by damaging control algorithms, prolonging the harm to the grid and the overall economy, all from the safety of their computer.


At the same time, offshore wind farms are, by their very nature, exposed physical assets located at the fringes of the power grid and not within easy reach of quick-response security teams. As such, they are attractive entry points for physical sabotage but, even more frequently, good targets for “data tapping” as part of broader, potentially malicious, reconnaissance objectives.


So, what can be done to avoid these acts of modern digital piracy? Wind farm stakeholders can lower their risk of attack by doing two main things: undertaking supply chain due diligence and implementing strategic governance plans for their assets according to cyber security best practices.


Supply chain risk management


It is generally agreed that to meet our renewables targets globally, let alone on a more regional basis, all avenues need to be kept open and all suppliers need to be considered, simply due to the nature and scale of the task we are faced with. However, this heightens the need for thorough and holistic risk assessment and management. Minimizing the cyber security risks associated with potential interference from corrupt third parties or security-compromised designs from Original Equipment Manufacturers (OEMs) makes third-party and supply chain management critical. Due diligence is a normal process for any project, but it is fair to say that the assessment of cyber security threats is only beginning to be taken on board as an equally important step in the assessment. Security aspects need to be considered at every stage of the supply chain, not as an afterthought!


Strategic asset cyber security governance


With any offshore wind farm, a number of stakeholders are involved who have influence over the ongoing management of all aspects of the project, including cyber security considerations. In general, the main parties involved are the OEM, the Asset Owner and, in most cases, an external Operations and Maintenance (O&M) provider. Although this setup clearly offers advantages to the ongoing operation of wind assets, it is probably fair to say that in the new and ever-evolving cyber security landscape, this arrangement leaves significant gaps in the assignment of responsibility for the ongoing digital security of a wind farm. It is crucial to know who is responsible for what part of cyber security and to have clear action plans for both regular operations and emergencies, as these are essential steps for the overall functioning of all power assets. For offshore wind farms, however, stakeholders will also need to consider all other possible ocean users, including naval forces from any nation.


It is important that a frank discussion is held as early as possible between all the parties involved, to identify the potential gaps in the provision of services around (and associated responsibilities for) ongoing cyber security, so that a framework can be developed to effectively manage the “defensive” element of IT operations, as well as the “reactive” response mechanisms in the event of a serious cyber-attack.


Cyber security is much more than just firewalls and encrypted files – it needs to be a holistic and actively implemented framework that considers all possible vectors of attack and contains appropriate avoidance and mitigation actions for when things go wrong – and they inevitably will!

 

