The challenges of Wind Power ’Throwing caution to the wind’

The idiom ‘Throwing caution to the wind’ is defined as ‘doing something without worrying about the risk or negative results’ While we all embrace these words of wisdom within our own personal lives, this wisdom should not be applied to the wind power industry.
As countries around the globe embrace the benefits of wind power two of the key challenges in the placement of the turbines and solar PV plants are their remoteness and the digital connectivity needed to connect them to monitoring, control and operational centers. For wind power to be successful, it is critical that the infrastructure be digitally connected no matter where located.

These challenges are nothing different than being faced in the oil and gas industries where pipelines, valves, sensors, and monitoring equipment are located in desolate areas. But unlike the oil and gas industry, which has security regulations that require the monitoring, detection and alerting of physical and cyber threats, the wind industry is in its infancy in drafting requirements globally. Sadly, events over the past few years have shown just how vulnerable the infrastructure is.
In February 2022, Enercon, a German wind turbine maker, lost remote connectivity to 5,800 turbines following a significant disruption of the Viasat satellite network. While this disruption can be directly linked to a physical conflict, the Russian invasion of the Ukraine, the disruption could have also been caused by a cyber threat or systems failure as well. While the turbines were in auto mode and not damaged, the disruption led to the damage of thousands of ground terminal units needing to be replaced.

Last March,, Nordex, another German wind turbine maker, suffered a ransomware attack on their IT systems. To prevent the spread of the attack to the OT infrastructure, network connections to internal OT systems were disconnected as well as remote connections to the wind turbines. Again, the wind turbines were not damaged, but this attack clearly raises the growing concern of what if they were damaged as we have seen with other cyber-attacks on centrifuges, a blast furnace and water control mechanisms.
The key threat vector facing the OT sector today, based on industry reports and threat indicators is ransomware, however other threat vectors such as phishing, physical attacks and human/system error are always present and concerning as well.
There are several wind farm attack vectors that can be exploited including physically breaking into weak on-site security of the turbine or ground infrastructure and connecting a system to the internal network or systems. A second attack vector is to compromise a remotely connected system, such as one using a VPN, and gain control of the systems that control the turbines. Lastly, is compromising an indirectly connected asset such as internet facing closed- circuit television (CCTV) or weather control system located at the facility and laterally moving across the shared network/systems to the wind turbine core systems. No matter which attack vector is used, the goal of gaining access to the SCADA (supervisory control and data acquisition) system and taking command and control of the wind farm infrastructure is achievable.
While wind is still considered by many as non-critical (as they many times see turbines sitting idle) and a secondary source of generation, they clearly are a core piece of the global energy grid and must be treated as such always.

As with all critical infrastructure, companies need a clear understanding of their people, process, and technology. This includes mapping of their infrastructure including assets, network connectivity, data flows, access methods, users, and third-party connectivity, to name just a few. If we now all agree that wind farms are critical infrastructure, we need to not just discover, assess and tabletop, but truly act to ensure that safety and resiliency are at the core of every decision and action made in regards to the turbines and systems that support them.
Even without strong global regulations, operating companies (Opco) should embrace core best practices such as user access control, firewall placement, network segmentation, network diversity, strong asset management, reducing the use of VPNs, eliminating shared credentials (and if they must be used utilizing technology such as password vaulting), embracing supervised/just-in-time access and using multi-factor authentication (MFA) when possible. While this is not a complete list of best practices, it is a starting point for any vertical or industry.

While this may sound like implementing Zero Trust in reality, these suggestions are just good core best practices just like alerting on changes to a baseline, strong change management practices and ensuring Incident Response plans are tailored to meet the threats and isolated conditions facing wind farms.
Lastly, companies need to leverage third parties that are focused on the energy/industrial space when it comes to assessments, infrastructure projects, cyber threat response, etc. This is not to say that IT companies are without skill in these general areas but the need to understand the impact on human/infrastructure safety above all else in the processes is key

Kevin Kumpf

Kevin Kumpf has more than 20 years of IT security and compliance experience, including over 10 years of cybersecurity, governance and critical infrastructure experience working in the energy, medical, manufacturing, transportation and FedRAMP realms. Kevin’s past roles include Director of OT Security (N.A.) for Iberdrola, where he oversaw the security, and regulatory compliance of multiple OpCo’s, and Principal Security and Regulatory Lead for interactions with the NY and NE ISO’s, NERC, ISAC’s as well as state and federal entities. He has also worked internally and as a vendor/consultant at multiple healthcare and manufacturing entities to mitigate the threats they were under in relation to ransomware, insider threats and malware infestation. Today Kevin works as the Chief OT Strategist at Cyolo.