Can a turbine get a virus? Protect your wind farm from a cyber attack.

The issue of cyber security in the wind industry is a relatively unexplored topic and commonly, project owners and developers are neglecting to ask themselves whether their security set up, both IT (information technology) and OT (operational technology) is robust enough.

Wind turbines can get a virus in much the same way as a computer can, but a virus is only one of many possible cyber security threats to wind projects.

To set the scene, turbines communicate with the entire wind farm and energy system via a SCADA system (Supervisory Control and Data Acquisition) and by default, this is often set up under commercial, ‘off-the-shelf’ standards, to keep costs low.

However, this set up offers insufficient protection against cyber-attacks and the reality is that most tech-savvy teenagers could access a wind farm’s control system easily and shut it down. Cyber risks go beyond simple viruses and we are now seeing hackers as a significant risk on energy sites and by attacking projects, they could be attacking owners’ pockets.

With the increasing size of new offshore projects and an increasing number of installations, the risk is become more urgent.

Is this a real threat?

Cyber-attacks on wind projects aren’t commonly heard of, for a couple of reasons – firstly, manufacturers and owners tend to keep quiet about security issues for obvious reasons and don’t want to draw negative attention to their project or technology.

Secondly, it’s very easy to be unaware that a failure was caused by a virus or a cyber breach and put it down to another issue. If an operator isn’t aware of potential cyber threats and what they may look like, it could easily be put down to a bug in the software or a configuration error that is fixed by a simple reconfiguration or reset.

But delve deeper into the SCADA data and the source of the failure may be revealed as something more sinister like a system hack from an external source, whether deliberate or accidental.

Why aren’t projects protected in this digital age?

A SCADA system still only accounts for around 1% of total wind project costs, so it is low among the priorities of project, sourcing, procurement and tendering managers and doesn’t get much attention.  

The focus for managers at this point is on developing and constructing a good project – and consideration of the SCADA system is often seen as a task for the O&M or service agreement phase to look at much later in the project’s development. 

With potential exposure to ever-increasing cyber risks over a 20+ year operational lifetime, having both awareness of the risks and a prevention plan is essential, particularly if project owners want to sell for a decent price down the line. A business case with minimal risks – and optimal cyber protection - will contribute towards achieving a decent price upon sale. 

In a large portion of the tendering material reviewed by K2 Management in European and Asian projects, cyber-security requirements are virtually non-existent in contracts or are covered much later in the service agreement. This often creates issues as the overall design has already been signed off during contracting and retrofitting to include this later can be costly.

The policies don’t exist

There is currently little regulation in European markets to protect against IT security breaches – another reason that it falls to the bottom of the to-do list for developers.

In Germany, there is a requirement by federal agency BNetzA that all projects over 420 MW in the country must prove that they have sufficient security measures in place – energy generation above this capacity is classed as ‘critical infrastructure’.

Similar policy will likely come into play for larger energy projects across Europe in the near future and this will help to tighten the security across larger scale energy projects and provide protection for owners and their investments.

Insurance companies are already beginning to offer this type of protection and many are now demanding a cyber-security setup covering both a physical and electronic security perimeter for wind and solar farms as a condition when they’re offering cover.

With financial penalties in the form of higher premiums from insurers if projects aren’t suitably equipped to deal with cyber risks and the implementation of guidelines and policy in the future, robust cyber security should be an essential for every project.

Corporate IT Security isn’t enough

The assumption that a standard IT security setup will cover all of these potential risks is a common one, but not necessarily an accurate one.

In some instances, this type of security will be sufficient, particularly for data security, but general IT security can only go so far. Most corporate IT security specialists lack the understanding of control systems and power generation so more tailored security is required to ensure sufficient protection.

When a SCADA System is running Windows several practices are usable from the corporate IT security practices but most control systems are built upon PLCs therefore the traditional anti -virus systems cannot be used. For example, an office antivirus program will secure the PC on which it is installed but will not tackle the security of the WTG controller or a substation controller.

How can owners best protect their projects?

There is always a cost vs risk balance to strike.

Owners can spend too much money protecting their project and system from all possible incidents but it’s unlikely that their project requires the same Fort Knox-style security as Google servers. By going too far, it can become bad for their business case so striking the right balance is essential.  

At the very least, a reasonable IT-security setup will begin with a simple risk analysis to determine where the security measures are best placed and needed. It’s important that the operational team who will be responsible for the security is given input to the turbine supply agreement (TSA) at an early stage to ensure early implementation of long-term measures.

Road mapping the future requirements of the project and exploring the future regulations of the market of the operational project will ensure that the project is adequately covered in the long-term. Retrofitting a non-secure SCADA system will cost far more than installing the correct security measures in the earlier stages of the project, so by preparing an adequate security setup up front, owners are not only protecting their projects, but protecting their business case and ultimate return on investment.