Wind cyber defence experts urge tighter control of supplier access

Wind operators must identify and control supplier third-party access and introduce comprehensive cyber security measures at construction and operations phases to improve defences, cyber experts told New Energy Update.

Renewable generators and grid operators are placing an increasing emphasis on cyber security as wind and solar capacity rises and the threat of cyber attacks grows. The wider deployment of industrial control systems such as SCADA, combined with data analytics, has increased the exposure to internet threats.

In one recent example, Russian hackers gained access to the control rooms of U.S. electric utilities by first penetrating the networks of suppliers who had trusted relationships with the power companies, officials at the Department of Homeland Security (DHS) said in July.

The hackers claimed hundreds of electricity sector victims and could have "thrown switches" and disrupted power flows, DHS officials reportedly told the Wall Street Journal.

Key vulnerabilities of wind farms include insecure programmable automation controllers (PACs), a lack of encryption of control messages and no network segmentation between wind turbines, Jason Staggs, computer science researcher at the University of Tulsa, told the Blackhat information security conference in 2017.

Wind farm sites can be accessed with ease and individual turbine units often lack sufficient physical security measures, Staggs noted.

Wind operators are calling for increasing levels of security from vendor suppliers, JohnFranzino, Director of Grid Security at Grid Subject Matter Experts (GridSME), told New Energy Update.

“Contractual requirements for vendors (such as SCADA integrators, software providers, etc.) have very quickly ramped up,” he said.

Despite an increasing awareness of cyber threats, O&M contracts are yet to incorporate comprehensive security measures.

O&M contracts have “a lot of catching up to do,” Geoffrey Taunton-Collins, senior analyst at GCube Insurance Services, said.

“We expect this to change, and quickly,” he said.

Heavy losses

Downtimes from cyber-attacks can lead to significant lost revenues and compromized control systems can cause further physical damage.

A 24-hour outage of a 100 MW wind farm operating at 35% capacity could equate to around $50,000 of lost revenue, based on an average power price of $60/MWh.

In North America, windfarms of capacity over 75 MW are required to meet cyber security standards set by the North American Electric Reliability Corporation’s critical infrastructure protection.

Non-compliance can result in financial penalties of up to $1 million per day, but no major penalties appear to have been levied against wind operators to date.

The US Government Accounting Office has warned that a regulation-driven program can create a prescriptive culture where companies focus on compliance rather than the provision of comprehensive security.

Attack strategies

Electricity sector hackers have exploited special relationships between utilities and vendors with access to update software and run equipment diagnostics, according to information from the DHS and FBI.

The attackers used conventional techniques such as spearfishing emails and watering hole attacks to compromize the networks of suppliers. This allowed them to gain access to utility networks.

Human errors and lack of diligence by staff remain key sources of sub-security breaches. Phishing remains the main method of cyber attack, through the use of social engineering enquiries, links and embedded files, and password security remains a crucial factor.

Wind asset owners should identify all points of access to a turbine and establish a clear understanding of the parties that can potentially access the system, authorized or unauthorized, Lucas Truax, a security engineer at Concurrent Technologies Corporation (CTC), said.

“Well-documented communication paths will permit the organization to establish monitoring on the traffic in and out of the network and configure early detection of malicious behaviour," he said.

Experts also recommend strong locks, pre-authorized access procedures and security cameras to reduce physical vulnerabilities.

Operations focus

Cyber security is set to increasingly impact O&M requirements and spending plans.

“Cyber security is an operational technology – as well as IT – responsibility," Bruce Bailey, senior technical advisor for energy and power technologies at UL, a science safety company, noted.

A key way to minimize O&M costs is to implement cyber security measures during the design and commissioning of the project, rather than "bolting on security after fact," Franzino said. These solutions must be followed by effective monitoring strategies and system updates.

Security features should be part of the procurement process for components that contain software and communications, and vendors with remote access to devices must be covered by the asset owner's security system, Bailey said.

"Investing in a continuous cyber security program, which protects digital as well as physical assets, has implications on capital costs as well as O&M costs,” he said.

Specialist insurers are providing new cyber security policies in response to growing demand.

GCube believes its cyber risk coverage is the first to specifically cover losses additional to property damage for renewable energy projects.

“Until now, there has been cyber coverage for damage events but not the ‘non-damage cyber portion,” Taunton-Collins said.

The policy includes SCADA systems and excludes non-project related client data breaches in order to keep pricing competitive, according to GCube. Growing data on cyber security impacts should lead to a wider range of insurance services.

Going forward, spending on cyber security measures is likely to increase as asset owners and banks better understand the risks, Bailey said.

In addition, compliance requirements will grow as renewables contribute a growing proportion of national generating capacities, he said.

By Neil Ford