Post

Four Cybersecurity Challenges for Offshore Wind

Posted to Hitachi Energy in the Digital Utility Group
image credit: Hitachi Energy
Gian Schelling's picture
Business Development Manager, Renewables Hitachi Energy

Having started his career with Vestas Wind Systems 13 years ago, Gian dedicated his entire career to the energy transition for Wind, Solar, BESS and Energy Efficiency in mostly global Business...

  • Member since 2022
  • 4 items added with 3,345 views
  • Apr 27, 2022
  • 1628 views

This item is part of the Special Issue - 2022-04 - Cybersecurity 2022, click here for more

Like all power infrastructure, offshore wind is quickly becoming a mission-critical power source around the world which has fueled rapid growth in the industry and increased the importance of safety, reliability and security of offshore wind generation systems. Simultaneously, rapid digitalization of the industry, driven by opportunities for operational efficiencies, has drawn OT and IT systems closer together. This has exposed offshore wind assets to cybersecurity concerns previously understood only by office or enterprise IT systems administrators.

To reduce their vulnerability to cyberattack, it is imperative that offshore wind farm operators thoroughly understand the threats and develop sound defense strategies based on IT industry best practices. Understanding how to successfully apply best practices across four common challenge areas is the key to developing an adaptable cyber defense strategy and requires a blend of organizational and technological agility that will be different for every offshore wind owner and operator. Some of those challenge areas, like adhering to industry standards and keeping abreast of technological advances, are complicated but somewhat obvious areas to concentrate on. Other challenges are more obscure. The nuanced complexity of shifting organizational culture or overcoming barriers to adoption of new, organization-wide cybersecurity policies often take power generation companies by surprise.

Challenge Area 1: Keeping pace with emerging technologies.

One of the most challenging aspects of cybersecurity is anticipating the unknown. This is true for both threats and for emerging technologies. Introducing new digital technologies creates fear of exposing OT systems to cyber threats. Many utilities experience organizational paralysis when confronted with new technologies for fear of moving too early, paying too much and experiencing unintended consequences. These fears are real and founded. Adding to the problem is the fact the technological advances are accelerating, making it more difficult to make timely, confident decisions. However, the rest of the world is not waiting and the longer hesitation rules, the more vulnerable an organization becomes and the more difficult it can be to catch up.

Even when an experienced and competent team exists in-house, one of the best ways power generation companies can break the freeze/deadlock of indecision is to seek the guidance of a trusted third party to provide perspective on the technology landscape and ramifications of individual decisions.

Challenge Area 2: Integrating industry frameworks and standards.

Industry best practices, together with governmental policies and regulations, are essential to guide asset owners through the digitalization journey while building a framework to protect your infrastructure from cyber-attacks. Some of the key standards to understand are:

  • IEEE 1686 Standard for Intelligent Electronic Devices Cybersecurity Capabilities
  • IEEE C37.240 Cybersecurity Requirements for Substation Automation, Protection, and Control
  • IEC 62351 Standards for Securing Power System Communications
  • IEC 62443 comprehensive cybersecurity framework for control system security rooted from ISA99
  • ACP (formerly AWEA) Offshore wind Compliance Recommended Practices (OCRP) cites three of the above cybersecurity standards.

Robust frameworks have been developed to help offshore wind owners and operators complement and integrate industry-specific standards address cyber threats in a holistic, programmatic manner.

  • The NERC CIP framework is specific to the electric utility industry, providing guidance for continuous operation and maintenance of cybersecurity procedures and controls.
  • The U.S. Department of Energy (DOE) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) provides a framework for auditing cybersecurity programs to assess effectiveness.
  • The U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework provides guidance for implementing cybersecurity controls and procedures for a wide range of situations and industries including electricity utilities.
  • The ISO/IEC framework is based on the 27000 series of standards and outlines strategies for continuous improvement, enabling organizations to adapt to changes in the nature of cyberattacks over time.

Challenge Area 3: Aligning cybersecurity culture.

Perhaps the most perplexing – and most overlooked – cybersecurity challenge is an internal challenge. The convergence OT and IT is not only a technical problem; it is also a question of company culture and the interactions of functionally siloed groups. Many power generation companies, including those with offshore wind operations, are very experienced with securing their OT systems but have limited experience defending OT systems against exposure to cyber threats. It has only been in the last decade or so that digitalization has forced a coupling of OT and IT technologies that has also forced a coupling of security cultures within power generation companies. Bringing an organization’s OT and IT security cultures together means bridging differing objectives, technologies and organizational structures and delineating where the responsibility lies for mitigating the operational risk of cybersecurity.

Challenge Area 4: Complying with the web of regulation.

The need for cybersecurity regulations for the power and utility industry is undeniable: Attacks on critical infrastructure can have far reaching and devastating consequences. But regulatory compliance is complex and time consuming. To remain compliant, utilities must thoroughly understand a matrix of laws, requirements and protocols which are developed by many different organizations and enforced by government agencies, industry groups and company policies. In addition to documenting how cybersecurity systems are implemented and perform for compliance purposes, utilities must have a clear and accurate picture of their actual cybersecurity posture – regulatory compliance does not always equate to protection. Even the most well-intended regulations can yield little actual cybersecurity benefit to the utility.

How to start (re)thinking about cybersecurity

Most power generation companies have some understanding of cybersecurity and the implications of being exposed and vulnerable but may also have limited resources to apply to keeping their systems secure. Knowing how and where to start or increase an organization’s cybersecurity maturity is important for getting off center and moving toward a security-first mind set when it comes to OT. For many offshore wind companies, this means focusing on cyber hygiene, following best practices to improve their cybersecurity stance, introducing risk assessment, mitigation and management plans, and elevating organizational maturity as main objectives. If any of these efforts are to be successful, consistent internal communication and organizational alignment are necessary to foster awareness and education which are paramount to developing a cyber-aware culture that permeates the organization.

Companies can start their cyber hygiene program by assessing their cyber maturity level and identifying the incremental steps to improve it. Part of this effort will include consulting applicable standards and frameworks mentioned above that are policy, procedure, practice and personnel related. By addressing the four key challenges outlined above and consulting industry frameworks and standards, offshore wind owners and operators can develop a strong, adaptable cybersecurity posture that can successfully reduce OT system vulnerability and minimize the impact of attacks when they occur – because they most certainly will.

For more information on solutions to your cybersecurity challenges, visit: https://www.hitachienergy.com/offering/solutions/cybersecurity

Connect with Hitachi Energy

Fill out this form to receive more information from Hitachi Energy.

Hitachi Energy
Hitachi Energy is a global technology leader that is advancing a sustainable energy future for all. We serve customers in the utility, industry and infrastructure sectors with innovative solutions and services across the value chain.
RECENT POSTS FROM THIS COMPANY
Gian Schelling's picture
Thank Gian for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Discussions

Spell checking: Press the CTRL or COMMAND key then click on the underlined misspelled word.
Henry Craver's picture
Henry Craver on May 9, 2022

All the more important as offshore wind looks set to boom in North America thanks to floating systems. I'm looking at you Washington state. 

Doug Houseman's picture
Doug Houseman on May 11, 2022

The four listed are a great start, but there is a unique 5th that most remote generation sources share, that is that physical access is possible and once gained the actor can take control of the communications from the site to the control center, and in the case of off-shore wind, the actual turbine controls. 

This is a cyber/physical risk that is one of the most likely vectors for a bad actor to cause issues. 

Care needs to be taken with locks, cameras, overrides, control system programming, physical limits, and other mechanisms to minimize what someone can do at the site, and if bad data is sent, the central control software should be checking information being sent against other turbines in the installation for confirming data.

Turbines might be a mile or more from shore making small boats hard to see from shore. There are nation state bad actor scenarios that should be reviewed. 

Gian Schelling's picture
Gian Schelling on May 12, 2022

Cybersecurity (without the space) includes physical security. Most of the Offshore substations are designed to comply NERC CIP requirements around Physical Access Control System (PACS) to manage and monitor access to the Bulk Electric System cyber assets and communications systems.  Another physical security solution that will address the physical access is the Hitachi Vantara Smart Security Video Intelligence solutions.

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »