Stepping up Cybersecurity in Offshore Wind: How to Protect Against an Unseen Enemy

Published 28 April 2020

By Charlotte Wilkinson, Graduate Data Scientist, Offshore Renewable Energy Catapult

With most aspects of our lives becoming ever more digitalised, the issue of cybersecurity has never been more important. The increasing abundance of big data and analytics and our reliance on cyberspace has improved the productivity and efficiency of our energy production but has also left us more vulnerable than ever to cyber-attacks. But what exactly is cybersecurity and how does it relate to offshore renewable energy?

According to the National Cyber Security Centre (NCSC), cybersecurity is the ‘way in which individuals and organisations reduce the risk of a cyber-attack’. This can be through protecting the devices we all use in our day-to-day lives, including computers, smartphones and tablets as well as the services we use, both online and at work, to protect them from theft and damage. Cybersecurity can also prevent unauthorised access to vast amounts of confidential information that is stored on these devices and in cyberspace. However, it's not all firewalls and protocols; a big part of cybersecurity is also the good practice that employees should follow to minimise the risk of attack.

Cybersecurity and Offshore Wind

Both domestically and globally, offshore wind production has grown exponentially over the past decade. With this record-breaking growth comes an increasing level of reliance on wind farms as critical infrastructure for keeping the lights on. This reliance is making offshore wind an ever more attractive target for cyber-attacks and hackers, whether politically or criminally motivated.

So why should we care? Security of electricity supply forms part of the energy trilemma, alongside affordability and environmental impact. If a cyber-attack were to hit an offshore wind farm, it could result in financial, energy output and reputational losses. For example, an unchecked cyber-attack could halt production of a wind farm altogether, resulting in no input to the grid and therefore no power and no income. Estimates equate one day of downtime for a 500MW wind farm to a loss of approximately £360,000[1]. Additionally, some attacks could even cause physical damage to the turbines due to the unnecessary wear-and-tear experienced. Not only could these cyber-attacks affect individual wind farms, but hackers shutting down offshore wind production could potentially result in our electricity supply being interrupted or completely stopped.

It is this potential for national disruption that is bringing cybersecurity to the forefront of the offshore wind sector’s priorities. Cybersecurity must be considered integral at all stages of development and operations – it is not something that should simply be retrofitted years later. Turbine manufacturers need to build cybersecurity into the design of the turbine. Wind farm owner/operators should create secure digital ecosystems and ensure cyber best practice at their sites, and the supply chain must ensure their products and solutions are robust and secure. It will be a collaborative effort to best protect our offshore wind sector from cyber-attacks.

Industry Challenges

But, with cybersecurity taking on increasing importance within the industry, there remains a significant gap in the knowledge and understanding of how to best implement these security measures. A historic lack of collaboration, knowledge sharing and a shortage of key skilled workers are contributing factors. Also, current regulations only apply in a small number of cases, leaving many owner/operators in the dark when it comes to how best to integrate cybersecurity practices into their wind farm operations.

The Network and Information Systems (NIS) Regulations 2018 have set out strict compliance obligations for Operators of Essential Services (OES), which covers electricity generators. The NIS Regulations include two main requirements that must be adhered to:

  1. OES must put in place “appropriate and proportionate technical and organisational measures” to “manage rights” and “prevent and minimise the impact of incidents”.
  2. OES must notify the competent authorities/regulators of any “significant impact”. For an offshore wind farm, this is within 72 hours.

In the worst-case scenario, a single breach of these regulations can incur a financial penalty of up to £17 million! However, these regulations were developed with traditional energy generation in mind, and need to be adapted to better suit the growing level of renewable energy production in the UK. Indeed, many offshore wind farm owner/operators don’t currently meet the classification as OES, i.e. they must supply electricity to more than 250,000 final customers or operate more than 2GW of capacity.

All this leads to a lack of understanding of the current policies in place and the cybersecurity measures required, leaving the industry increasingly vulnerable to cyber-attacks and hackers.

ORE Catapult’s Initiatives

At ORE Catapult, we are researching ways in which the offshore wind sector can better protect itself and ultimately prevent these cyber-attacks from happening. Our Wind Digital Innovations Forum is building on our extensive experience and existing portfolio of wind-related data initiatives, focusing on four key strategic areas, including cybersecurity. We are bringing the wind industry and the digital supply chain together with academia to tackle some of the key data issues facing the industry today. The Forum is investigating the importance of security and the ease with which it could be breached, especially with the proliferation of Internet of Things (IoT) technology used by data owners and their supply chain.

We’ll be conducting further research into the prevention of cyber-attacks through more robust cybersecurity procedures and benchmarking. We will also work with the UK Government to influence policy and better inform new regulation that encompasses all owner/operators to ensure we protect as much of our critical infrastructure as possible.

Protecting our offshore wind farms, and other offshore renewable energy infrastructure, from online attacks through effective cybersecurity protocols and practice, must be at the forefront of our policy, planning, innovation and development for the future to ensure we can deliver a reliable supply of electricity to the entire UK population.

[1] Lost revenue = installed capacity * hours * capacity factor * price per MWh = 500 * 24 * 0.5 * £60 = £360,000