This article was originally published on IndustrialCyber.co.
The idiom ‘throwing caution to the wind’ is defined as ‘doing something without worrying about the risk or negative results.’ While we all embrace these words of wisdom within our own personal lives, this axiom should not be applied to the wind power industry.
As countries around the globe embrace the benefits of wind power, two of the key challenges in the placement of turbines and solar PV plants are their remoteness and the digital connectivity needed to connect them to monitoring, control and operational centers. For wind power to be successful, it is crucial that the infrastructure be digitally connected - no matter where it is located.
These challenges are no different from those faced in the oil and gas industry, where pipelines, valves, sensors, and monitoring equipment are located in similarly desolate areas. But unlike the oil and gas industry, which has security regulations that require the monitoring, detection and alerting of physical and cyber threats, the wind industry is in its infancy in drafting such requirements. Regrettably, events over the past few years have shown just how vulnerable the infrastructure is.
In February 2022, German wind turbine maker Enercon lost remote connectivity to 5,800 turbines following a significant disruption of the Viasat satellite network. This particular disruption can be directly linked to a physical conflict, namely the Russian invasion of Ukraine. However, the disruption could have been caused by a cyber threat or systems failure as well. While the turbines were in auto mode and not impacted by the incident, damage to thousands of ground terminal units resulted in their needing to be replaced.
Just weeks later another German wind turbine maker, Nordex, suffered a ransomware attack on its IT systems. To prevent the attack from spreading to the OT infrastructure, network connections to internal OT systems were disconnected, as were remote connections to the wind turbines. Again, the wind turbines were not damaged, but this attack made clear the growing concern of what would have happened if they had been affected, as we've seen with other cyberattacks on centrifuges, a blast furnace and water control mechanisms.
The key threat vector facing the OT sector today, based on industry reports and threat indicators, is ransomware; however, other threat vectors such as phishing, physical attacks and human/system error are always present and concerning as well.
Several wind farm attack vectors can be exploited. One is physically breaking through weak on-site security at the turbine or ground infrastructure and connecting a system to the internal network or systems. A second attack vector is to compromise a remotely connected system, such as one using a VPN, and gain control of the systems that control the turbines. A last example is to compromise an indirectly connected asset, such as an internet-facing closed-circuit television (CCTV) or weather control system located at the facility, and then move laterally across the shared network/systems to the wind turbine core systems. No matter which attack vector is used, the goal is to gain access to the supervisory control and data acquisition (SCADA) system and take command and control of the wind farm infrastructure. And unfortunately, this goal is usually achievable.
While wind is still considered by many to be non-critical and a secondary source of power generation, wind farms and their infrastructure are clearly a core piece of the global energy grid and must be treated as such. As with all critical infrastructure, companies need a clear understanding of their people, process, and technology. This includes mapping their infrastructure: assets, network connectivity, data flows, access methods, users, and third-party connectivity. We need to not just discover, assess and tabletop, but to act in a way that truly ensures that safety and resiliency are at the core of every decision and action made with regard to the turbines and the systems that support them.
Even without strong global regulations, operating companies (OpCos) should embrace core best practices such as user access control, firewall placement, network segmentation, network diversity, strong asset management, reducing the use of VPNs, eliminating shared credentials (and if they must be used, utilizing technology such as password vaulting), embracing supervised/just-in-time access, and using multi-factor authentication (MFA) whenever possible. While this is not a complete list, it is a starting point for any vertical or industry.
You may notice that these suggestions sound like the beginning of a zero-trust implementation, and that is true. But they are also real best practices, similar to alerting on changes to a baseline, strong change management practices, and ensuring that incident response plans are tailored to meet the threats and isolated conditions facing wind farms.
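The best practices above (strong asset management, no unvaulted shared credentials, MFA on remote access, alerting on changes to a baseline) can be turned into an automated check. The following is an added example, not code from the article or any vendor; the inventory format and the constructed wind farm assets (a SCADA host, a weather station, a gate CCTV camera) are assumptions made for the example.

```python
"""Baseline-drift and policy check over a wind farm asset/access inventory.

Assumed inventory format (constructed for this example): each asset maps to
zone, internet_facing, a list of remote_access methods, and a list of accounts.
"""

# Constructed sample data: the approved baseline and a later discovery scan.
BASELINE = {
    "turbine-scada-01": {"zone": "ot_core", "internet_facing": False,
                         "remote_access": ["jump_host"],
                         "accounts": [{"user": "ops", "shared": False, "mfa": True}]},
    "weather-station-01": {"zone": "ot_site", "internet_facing": False,
                           "remote_access": [], "accounts": []},
}
CURRENT = {
    "turbine-scada-01": {"zone": "ot_core", "internet_facing": False,
                         "remote_access": ["jump_host", "vpn"],
                         "accounts": [{"user": "vendor", "shared": True, "mfa": False}]},
    "weather-station-01": {"zone": "ot_site", "internet_facing": True,
                           "remote_access": [], "accounts": []},
    "cctv-gate-01": {"zone": "ot_site", "internet_facing": True,
                     "remote_access": [], "accounts": []},
}


def baseline_drift(baseline, current):
    """Alert on assets, zones, exposure or remote paths that differ from the baseline."""
    alerts = []
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            alerts.append(f"NEW_ASSET {name}")        # unknown device appeared on site
        elif name not in current:
            alerts.append(f"MISSING_ASSET {name}")    # approved device no longer seen
        else:
            b, c = baseline[name], current[name]
            for key in ("zone", "internet_facing"):
                if b[key] != c[key]:
                    alerts.append(f"CHANGED {name}.{key}: {b[key]} -> {c[key]}")
            for method in sorted(set(c["remote_access"]) - set(b["remote_access"])):
                alerts.append(f"NEW_REMOTE_PATH {name}: {method}")
    return alerts


def policy_findings(inventory):
    """Flag configurations that violate the listed best practices, drift or not."""
    findings = []
    for name, asset in sorted(inventory.items()):
        if asset["internet_facing"] and asset["zone"] != "dmz":
            findings.append(f"INTERNET_FACING_IN_OT {name}")   # CCTV/weather exposure
        for acct in asset["accounts"]:
            if acct["shared"] and not acct.get("vaulted", False):
                findings.append(f"SHARED_CREDENTIAL {name}:{acct['user']}")
            if "vpn" in asset["remote_access"] and not acct["mfa"]:
                findings.append(f"REMOTE_ACCESS_WITHOUT_MFA {name}:{acct['user']}")
    return findings
```

Running `baseline_drift(BASELINE, CURRENT)` surfaces the new camera, the new VPN path into SCADA and the newly exposed weather station, while `policy_findings(CURRENT)` adds the shared, non-MFA vendor account.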
Finally, when it comes to assessments, infrastructure projects, cyber threat response, and other needs, companies should leverage third parties that are focused on the energy/industrial space. This is not to say that IT companies are without skill in these general areas, but the need to understand the impact on human/infrastructure safety above all else is key and cannot be compromised.
Author
Kevin Kumpf has more than 20 years of IT security and compliance experience, including over 10 years of cybersecurity, governance and critical infrastructure experience working in the energy, medical, manufacturing, transportation and FedRAMP realms. Kevin’s past roles include Director of OT Security (N.A.) for Iberdrola, where he oversaw the security and regulatory compliance of multiple OpCos, and Principal Security and Regulatory Lead for interactions with the NY and NE ISOs, NERC and ISACs, as well as state and federal entities. He has also worked internally and as a vendor/consultant at multiple healthcare and manufacturing entities to mitigate the threats they were under in relation to ransomware, insider threats and malware infestation. Today Kevin works as the OT Technical Lead at Cyolo.