Less than a minute of lock-picking
Researchers from the University of Tulsa reported that it took less than a minute of lock-picking on one unsupervised turbine's door to gain access to the unsecured server. From there, the researchers connected their laptops through that single turbine's server and could instantly reach IP addresses representing every single turbine in the network.
This is just one example of the vulnerability of windfarms to cyber-attacks. Our ability to defend against these attacks is becoming ever more critical. According to the US Department of Homeland Security, the energy sector is a serious target for hackers. The energy sector led all industries in 2014, and in 2015 it was reported as the second most targeted. According to WindEurope, wind power is growing more than any other form of power generation. In 2017, onshore installations grew 14.3%, while offshore grew 101% compared to 2016.
Power blackouts in Ukraine in December 2015 and 2016 have been blamed on cyber-attacks on the electric grid. Hackers disrupted the power system feeding parts of the capital Kiev, reportedly through remote control of SCADA and substation infrastructure. These systems are also used in offshore windfarms.
EU's energy security
The cost of onshore wind power is competitive with other sources of electricity and the potential of offshore wind power is very high - but the sector needs to bring down costs. The North Sea is well suited to the development of offshore wind energy and will be key in increasing the EU's energy security and decarbonising the economy.
However, due to their inherent uncertainty, wind generators are often unable to participate in the electricity markets like the more predictable and controllable conventional generators. Given this, virtual power plants (VPPs) are being advocated as a solution for increasing the reliability of such intermittent renewable sources. The increasing number of offshore windfarms used as VPPs in the future, combined with the targeting of windfarms by hackers, could seriously destabilize the power grid across Europe.
The most frightening threat of all for offshore windfarms is the so-called state-sponsored actor (see Figure 1).
Vulnerability of wind farms
There are several reasons why offshore wind parks, and wind parks in general, are vulnerable to hackers.
- The approach to cyber security was focused mainly on IT, without a different approach for operational technology (OT) in mind
- There are old wind parks, including their communication systems, that were never designed with the “security by design” mindset of, for example, the IEC/ISO 62443 standard
- Operational technologies like SCADA and their substations for offshore wind parks need a different approach to security compared to IT security
- Physical security has often not been sufficiently covered in the design, resulting in poor-quality locks, e.g. on wind farm cabinets
- Vendors' remote access is not always managed properly (segregation of duties)
- Communication links to the windfarms can be provided by more than one provider without notice
- Use of outdated communication protocols without security enhancements
The operational technology/industrial control systems (OT/ICS) of offshore windfarms are decentralized most of the time. Their components must interact with one another to deliver the total functionality and to optimize the processes. In information technology (IT), by contrast, different elements deliver their own functionality and do not require other systems.
OT and IT: Make a cyber difference
It is necessary to understand the differences between IT and OT for cyber security. For IT, confidentiality is most important; for OT, it is availability. One example of the difference is that IT deals with transactional processes and OT with real-time processes. While availability is the most important aspect and focus, it was often not part of the design and implementation.
Besides this, many interconnections already exist and more will be added. Do we have the time, knowledge and experience to really check the full system integrity every day or even every hour? Our priority should be maintaining the system's integrity in real time, ahead of availability. Monitoring systems that detect changes will help engineers to maintain and check the integrity of the control systems in real time.
Hacking offshore wind farms/industrial control systems requires expert domain knowledge of the specific system, physical processes and organization:
- state-sponsored attacks take a long time to prepare
- they only attack when they are sure to succeed
- they have all the time in the world
- during an attack, you are always behind.
The insider threat is a big threat too, because an insider already has expert domain knowledge.
Holistic approach to capture cyber security issues
Holism is the idea that natural systems (physical, biological, chemical, economic, etc.) and their properties should be viewed as wholes, not as a collection of parts. A holistic approach to ensuring cyber security robustness and resilience is therefore essential.
This can be achieved by combining the well-known V-model with cyber security services. Throughout the testing community, the V-model is widely known as an illustrative depiction of a development process, described for testers. The above-mentioned services include code review and device health testing, including functional, negative and robustness testing. Finally, testing for known vulnerabilities, leveraging a global vulnerability database, can be added. The outcome is a holistic overview of findings and recommendations. On top of that, end-to-end system testing is essential.
One might have the impression that these projects are costly; a risk-based approach is therefore recommended for cyber security projects.
This holistic approach provides efficient, cost-effective technical validation that gives “bottom up” proof that proper security measures have been taken for a complete system from an end-to-end perspective. The results include:
- secure network design principles
- physical cyber defences and intrusion prevention
- data stream analysis
- policy and procedures for prevention, detection, mitigation and recovery.
Based on our experience, it is critical to start today and check the devices connected to the internet, and especially remote access. Are you in control of your offshore wind park? Many times, staff are not aware of devices connected to the internet.
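One way to run such a check from the defender's side, as an added example that is not part of the original article: compare observed network flows against the asset inventory to surface unknown devices, direct internet exposure, and the turbine-to-turbine reachability described in the opening. The inventory, flow records, address ranges, zone names and policy are all constructed for illustration.

```python
import ipaddress

OT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed windfarm OT range

# Constructed asset inventory: IP -> (name, zone).
INVENTORY = {
    "10.20.1.11": ("turbine-01", "turbine"),
    "10.20.1.12": ("turbine-02", "turbine"),
    "10.20.1.13": ("turbine-03", "turbine"),
    "10.20.0.5": ("scada-server", "scada"),
    "10.20.0.9": ("vendor-jump-host", "remote_access"),
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.0.5", "10.20.1.11", 502),      # SCADA polling a turbine: expected
    ("10.20.1.11", "10.20.1.12", 502),     # one turbine reaching another
    ("10.20.1.77", "10.20.0.5", 443),      # device missing from the inventory
    ("203.0.113.40", "10.20.1.13", 3389),  # outside address straight into OT
    ("203.0.113.40", "10.20.0.9", 443),    # remote access via the jump host
]

# Assumed policy: which zone pairs may talk inside the OT network.
ALLOWED = {("scada", "turbine"), ("turbine", "scada"), ("remote_access", "scada")}

def zone_of(ip):
    """Inventory zone, 'unknown' for unlisted OT addresses, else 'external'."""
    if ip in INVENTORY:
        return INVENTORY[ip][1]
    return "unknown" if ipaddress.ip_address(ip) in OT_NET else "external"

def audit(flows):
    """Return (finding, src, dst, port) tuples for flows that need attention."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if "unknown" in (sz, dz):
            findings.append(("unknown-device", src, dst, port))
        elif sz == "external" and dz == "remote_access":
            continue  # inbound remote access terminating on the jump host
        elif "external" in (sz, dz):
            findings.append(("internet-exposed", src, dst, port))
        elif sz == dz == "turbine":
            findings.append(("turbine-to-turbine", src, dst, port))
        elif (sz, dz) not in ALLOWED:
            findings.append(("policy-violation", src, dst, port))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```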
This article was first published in Offshore Industry
Wolf K. Freudenberg, DNV