"Since the war in Ukraine, the number of cyberattacks in the energy sector has increased ten to twenty times," says Gennady Kreukniet, OT security consultant at DNV Cyber, formerly Applied Risk, which advises on cybersecurity in the industry. "The attacks began precisely on the day Russia invaded Ukraine. Over the past two years, there has been a massive spike everywhere.

I see this with my clients in the energy sector in Western Europe, especially in the North Sea." Attackers try to penetrate all systems with an internet connection using scanning tools. "It's still indiscriminate; everything is being examined; I have not yet seen a successful break-in in the North Sea," says Kreukniet. Operations at two onshore wind companies have been delayed by ransomware.

Under the Radar

"Criminals wanting to make money with ransomware do not specifically target the energy sector," says Christo Butcher, executive consultant at Fox-IT, a cybersecurity firm. "They don't care whether they shut down a wind farm or something else. States like Russia and China have different motives and do specifically target infrastructure, among other things. They aim to cause disruption. We know that Russia has hackers who can break into operational systems to position themselves and wait for the right moment to strike. This stays under the radar. It only becomes visible when they decide to cause damage. Only through thorough investigation does this come to light sooner. These attackers try their best to leave no traces."

Christo Butcher - Executive Consultant, Fox-IT

According to Butcher, offshore wind farms are at greater risk than other parts of the energy system. "A nuclear power plant is strongly isolated from the outside world. Remote access there is difficult. But a wind farm is digitally easier to reach. That makes sense because it's physically difficult to get to; you have to fly or sail there. Therefore, there are good reasons to connect wind farms in various ways to the internet so that you can access them via remote terminals or a smartphone." Moreover, many different parties are involved in offshore wind farms, from turbine suppliers to data analysts and from ecologists to shipping companies for maintenance vessels. "Such a complex supply chain makes it harder to maintain oversight and spot deviations from normal patterns," says Butcher.

The supply chain in the offshore wind sector is long and complex, and thus vulnerable.

Patchwork

Gennady Kreukniet of DNV Cyber sees particular problems at older wind farms. "A wind farm is designed for 25 years, but additional systems are added over time. For example, to detect corrosion or to optimise production. These systems all have external access to operate them from the shore." According to Kreukniet, their security is not sufficiently considered. "Often, the question stops at whether the box gets enough power and the equipment can withstand salty sea air. But not whether the digital access to the bird radar is sufficiently shielded from the operation of the transformer."

Gennady Kreukniet - OT Security Consultant, DNV Cyber

"When I visit wind farms for the first time, it is often unclear who is responsible for the security of these systems," Kreukniet observes. "They know exactly where every screw is and where every power cable runs. But I don't come across information about servers and network devices. These are fundamental data. Send someone to the sea for a week to open all the boxes and follow all the communication cables. Who owns the systems? Who takes care of the maintenance? Are the latest patches installed? And if that wasn't possible, have the risks been assessed and described?" Access management should be looked at just as practically. "Does the list of people who can log in match up? Are they still using it?"

Rigid Separation

The operational technology is not always well separated from the office environment, says Kreukniet. "Connections are often made between the two, for example, to process production figures quickly. This can also be an access point for hackers to access operational technology. The two attacks with ransomware in the sector affected the office environment. Someone clicked on the wrong email or visited a strange website. However, they were reluctant to allow operations to continue. These two areas must be rigorously separated with firewalls."

When Kreukniet points out the lack of basic measures during a risk assessment, it often causes unrest. "How could this happen? It's been fine for years; why does it suddenly need to change? But what was safe ten years ago is no longer safe. A system must be continually maintained to remain resilient against new threats."

As Little Change as Possible

According to Christo Butcher of Fox-IT, the dilemma with operational technology is that it is all focused on continuity. "It's about stability, reliability, safety, as little change as possible. In contrast, security involves quickly responding to new vulnerabilities and hacking techniques, adapting systems, and changing. These are two conflicting approaches. Once you connect operational technology to the Internet, you need to bring these two worlds together. This is technically challenging, but also requires a different mindset and culture."

Butcher compares it to the agile approach in software development. "Nowadays, we accept that software development can't be completely planned. It would help if you assumed that software requirements will change. This also applies to cybersecurity. You need to agree on dealing with new threats, rather than planning and setting everything in advance. You must accept that we live in an unpredictable world. This has to be addressed in processes, not in plans."

Suppliers

Butcher notes that operators are more conscious of safety at new wind farms. "But this does not apply throughout the entire supply chain. The chain is long and complex. Suppliers do not always know how to keep their devices secure. Small start-ups are especially happy if their products work. This is a problem across the entire industry, not just offshore wind. This can only be resolved in collaboration with suppliers. Clear agreements and requirements provide a foothold. The financial sector is an example here. Parties that feel the pain of cyberattacks themselves quickly learn to prevent that pain. But in the energy sector, the pain is still only minimally felt. This is part of the problem. Those who only look within their sector learn lessons too slowly. The attack techniques are more general and not specific to wind farms. Therefore, look beyond; then you can learn many lessons that are also relevant within the energy sector."

Checklist Compliance

It also helps that regulations are becoming stricter. In October, the European NIS2 directive will come into force, with stricter requirements for the cybersecurity and resilience of essential services. This will put wind farm operators under supervision; they will be required to perform a risk assessment and have a duty to report incidents. Under NIS2, directors are personally held accountable for cybersecurity, including at their suppliers.

In Germany, the Federal Office for Information Security has compiled a list of hundreds of rules for implementing the NIS2 directive. In the Netherlands, it is still unclear in how much detail the new directive will be implemented in legislation. Rules are important, but there is a risk that participants will sit back once they comply with all measures, according to Butcher. "Then a list is checked off without the organisation actively engaging with the risks. If you prescribe too much, you remove the responsibility from the involved parties. Compliance is a risk. Cybersecurity must engage everyone in the organisation, from top to bottom, because you are dealing with an active opponent. It is not a one-time activity, but must be an ongoing process within the organisation."

Collaboration is the key to a digitally resilient offshore wind industry.

Words: Bram Vermeer

Portraits: Nicoline Rodenburg
