Assessing Industrial Cyber Risk to the European Wind Industry
According to recent data from the National Grid ESO, wind power contributed 26.8 percent of the United Kingdom’s total electricity generation in 2022. This is a huge shift from 2008, when the UK sourced only 1.5 percent of its energy from wind power. This upward trend continues across Europe with Germany generating 23 percent of its electricity from wind and Spain leading other countries at 32 percent. Wind is becoming the largest component of the renewable electricity market.
This surge in growth of the wind sector has not only been driven by a global push towards more environmentally friendly renewable energy, but it has also been spurred by technological advances which make wind farms much easier to control and operate remotely. Most wind farms are located in remote areas, making them difficult to access physically, but digital technology has enabled engineers and wind turbine manufacturers to access systems remotely. Remote access allows them to monitor the condition, implement fixes, run updates, carry out maintenance and control turbines without requiring them to visit the site.
While remote access is a boon to the industry, it also raises the cybersecurity stakes and with so many parties that might be able to utilise this connectivity, the attack surface can be significant.
Register for our event at WindEurope in Copenhagen on 26 April. We discuss 5 critical controls for industrial cybersecurity for the wind industry.1
The Increased Cyber Risk to Wind Farms
In 2022, there were at least three major cyber attacks against wind farm operators and wind turbine manufacturers. While there were no reported incidents of physical damage to turbines, these events led to disruption.
Attackers have come to realise that with wind farms being connected to the internet to provision remote access, this provides a route into their operational technology (OT) systems. If attackers were to reach the turbines themselves, the consequences would be significant.
Firstly, there is the obvious downtime where wind turbines are taken out of operation. In this instance, the wind farms have no electricity to sell leading to significant revenue impacts.
While secondly, there are the operational risks. Wind turbines operate at exactly the speed needed to generate power and they also possess sensors which can adjust the pitch of the rotors according to weather conditions. If anything is done to disturb this, it could result in damage to the wind turbines and, in the most extreme cases, mechanical failure. With wind farms being located in remote locations, this damage can be complex and time consuming to rectify, due to the supply chain and logistical challenges.
So, what can the wind industry do to improve defences against cyber crime?
Protecting the Wind Industry Against Cyber Attacks
The major issue for most wind farms all comes down to insecure remote access.
Remote access is essential for engineers and manufacturers, but when it is not secured properly it provides a malicious or nation-state threat actor with access to turbines. The best way to secure this access is by implementing multi-factor authentication (MFA) and secure access points for authorised users.
Only then by inputting valid access credentials and verifying details via MFA, can people access the turbines themselves. Turbines should never be connected directly to the internet; it is essential there are multiple security check points before anyone is given access.
When it comes to OT and IT within wind farm operators, it is essential to keep everything segmented. This means if a criminal was to exploit an IT device, they could not simply pivot across the network, reach OT, and then start disrupting physical processes.
It is also vital to keep critical parts of systems up to date with security updates, especially those on the perimeters, and to keep an up-to-date inventory of all connected devices. If patches can’t be applied to a piece of equipment, segment it from other areas of the network and then layer it with security and threat monitoring tools.
5 Critical Controls for OT Cyber Defence
The SANS Institute recommends five critical cybersecurity controls to protect against cyber threats to OT environments:
- Define an ICS-specific incident response plan.
Create a dedicated plan that includes the right points of contact, as well as robust next steps for specific scenarios at specific locations. Consider tabletop simulation exercises to test and improve response plans.
- Build a defensible architecture.
Wind farm security strategies often start with hardening the environment – removing extraneous OT network access points, maintaining strong policy control at IT/OT interface points, and mitigating high risk vulnerabilities.
- Improve visibility and conduct monitoring.
You can’t protect what you can’t see. A successful security program maintains an inventory of assets, maps vulnerabilities against those assets (and mitigation plans), and actively monitors traffic for potential threats.
- Secure remote access.
Secure remote access is critical for wind farms. A key method is multi-factor authentication (MFA). Implement MFA across systems to add an extra layer of security. Where MFA is not possible, consider alternative controls such as jump hosts with focused monitoring.
- Manage and patch vulnerabilities.
Knowing your vulnerabilities and having a plan to manage them is a critical component to a defensible architecture. While patching an IT system is relatively easy, shutting down a wind farm has huge costs. An effective wind farm vulnerability management program requires timely awareness of key vulnerabilities that apply to the environment, with correct information and risk ratings, as well as alternative mitigation strategies to minimise exposure while continuing to operate.
Given the increased risk of cyber crime today, it is vital the wind farms and wind turbine manufacturers take steps to improve cybersecurity. By building out an OT security program based on the above controls, the wind industry can significantly improve their defences.
Discover 5 Critical Controls
Read next blog post
Ready to put your insights into action?
Take the next steps and contact our team today.