Cyber-attacks on offshore wind could derail UK’s net zero agenda
Published by Jessica Casey, Editor, Energy Global
Offshore wind is set to play a pivotal part in the UK’s decarbonised future. However, the criticality of the technology to the UK’s decarbonised power system agenda means there must be a corresponding shift in its cyber security paradigms, to ensure renewable energy security is safeguarded. While developers and operators need to keep up with technological developments to avoid losing competitive edge, system innovations, together with growing interconnectedness, are increasing vulnerability to cyber attacks.
If cyber risks in offshore wind are not addressed, adversaries could outpace organisations’ existing cyber defence and controls, causing extensive – and potentially expensive – damage.
This threat to wind infrastructure has already been realised in Germany, where three cyber-attacks led to turbines losing connection with satellites, and internal IT systems being disrupted. A separate ransomware attack on Danish wind company, Vestas, in 2021, forced it to shut down IT systems across several locations, and stolen sensitive data was published on the dark web.
Legislating for resilience
A key factor in safeguarding wind farm infrastructure will be imposing mandatory security legislation and regulations. At present, offshore wind farms are not legally mandated to protect their networks and systems and, consequently, numerous offshore wind farms may be neither secure by design nor managed securely.
This lack of mandated cyber security legislation leaves offshore wind farms vulnerable to adverse cyber activity, which could result in damage not only to the farms’ operations and performance, but to their companies’ reputations.
In Europe, the most obvious regulatory candidate for adoption would be the Network and Information Systems (NIS) Directive – the first EU legislation for the protection of Critical National Infrastructure (CNI) from cyber disruption. In the UK, the government has implemented the NIS Regulations (NIS-R), which centre on providing the legal measures required to improve the overall security posture of systems that support the delivery of essential and digital services to the public.
The NIS-R, however, were developed with traditional energy ecosystems in mind and not designed to accommodate the progressive energy transitions needed to underpin a net zero society. This is reflected within the regulations’ restricted definitions. As they stand, many wind farms do not currently meet the power output thresholds to be deemed an ‘essential service’.
Despite this, good practice frameworks such as the NCSC Cyber Assessment Framework exist and provide guidance on risks, while maturity assessments and compliance assessments can highlight gaps in cyber security, allowing a roadmap to be developed to prioritise cyber risk mitigation activities.
The pressing necessity for more flexible regulations is heightened by the unique operating environment of offshore wind farms, which intensifies the effects of cyber threats.
Remote, unmanned locations, for example, can slow down the recovery times required when responding to a cyber attack. Travel to and from a wind farm can be costly, and many logistical complexities are involved in responding at short notice, compared to sending someone to visit an onshore site. To mitigate this, offshore farms are often fitted with robust sensors to predict maintenance requirements, but whilst these play a key role within operations and maintenance activities, they too are targets for attack.
Taking action to protect assets
The Energy Security Strategy, released last year, and the more recently launched Powering Up Britain blueprint describe the government’s aim to have up to 5 GW of floating offshore wind operating by 2030, backed up by £160 million in ports and supply chains, and £31 million in research and development. But they fail to mention the need to embed cyber security, and its importance in protecting this increasingly critical national infrastructure.
Given the value of wind energy to the UK’s drive towards decarbonisation, cyber-attacks have the potential to undermine the UK’s net zero agenda. The need for heightened focus and re-evaluation of cyber security requirements within the wind industry is now pressing.
The government should give the industry a clear mandate, and recognise both the risks to this vital energy resource, and the importance of protecting it from attack. Wind operators, despite the lack of mandatory requirements, should increase their awareness of the threats and understand how to best mitigate these.
Written by Polly Curtin, Cyber Security Consultant at Atkins.
Read the article online at: https://www.energyglobal.com/special-reports/31032023/cyber-attacks-on-offshore-wind-could-derail-uks-net-zero-agenda/