Why should you read this article?
- To uncover the critical importance of a comprehensive approach to OT (operational technology) Security.
- Learn strategic methods for implementing OT security solutions effectively knowing how, when, and where.
- Gain insight into how security management is essential for effective asset management.
- Discover real-world examples illustrating the tangible benefits of prioritizing OT security, highlighting its impact on business continuity and resilience.
With an ever-changing cyber threat landscape, we have in recent years seen an increase in the number of cyber-attacks targeting both the public and private sectors. The renewable energy sector is no exception, having experienced several attacks and attempted breaches across the supply chain, including Original Equipment Manufacturers (OEMs) and utility companies.
In November 2021, OEM Vestas Wind Systems experienced a ransomware attack forcing them to shut down part of their IT system. (Source: reuters.com) Despite Vestas’ swift response, the hackers managed to steal data, some of which were later released. While this attack did not impact production or the wind farm server environment, such an attack could potentially have had serious consequences.
Vestas was particularly concerned with containing the spread of the breach. As the OT and office environments (IT) are converging there was real concern that the hackers would be able to access the networks controlling the wind farms, fortunately, this was not the case.
In 2022, German OEM Nordex faced a similar attack. Although detected early, Nordex had to shut down remote access to all their Wind Turbine Generators (WTGs) as a precautionary measure. (Source: reuters.com)
These incidents, like those experienced by Vestas and Nordex, highlight the potential risks and emphasize the critical importance of safeguarding assets. Energy supplies are crucial to every country’s critical infrastructure, making them highly vulnerable. As a result, efforts to mitigate these risks have prompted an increase in requirements and legislative compliance demands from governments and local authorities. Therefore, taking a strategic, forward-thinking, and structured approach to cybersecurity for wind farms is imperative.
OT, IT, and ICS
When establishing a strategy for designing a system for SCADA and infrastructure within a project, it is important to have a clear understanding of what type of system you are designing and the necessary features or functionalities it should encompass. Terms such as OT, ICS, IACS, and IT systems are often used interchangeably, and it is important to grasp their distinctions and note that organisations may use them differently.
For the purposes of this article, Operational Technology (OT) refers to all hardware and software installed at the wind farm on protected networks to ensure operations. This includes control systems, networks, radios, and marking systems, among others. IT is the office environment we use daily as a regular employee, excluding systems which are involved in the operation or control of wind farms.
OT Security is a technology developed to meet the unique security requirements of OT environments. It is typically utilised for monitoring, analyzing, and controlling the system, safeguarding system availability, and preventing potential attacks on the systems. These systems may be set up either on-site or remotely and are designed to protect both physical and virtual assets.
Potential OT security risks differ from other risks and threats identified when working with a renewable asset; the risks are dynamic in nature, and attackers are continually seeking new ways to infiltrate or exploit vulnerabilities in a system. Certain industry developments inadvertently exacerbate these risks. For example, the renewable energy industry is experiencing an increase in demand for remote monitoring and system access. While remote access enhances time and resource efficiency, it also leads to an increase in potential vulnerabilities. The increased threat landscape has resulted in heightened compliance and reporting requirements. The following section discusses possible contractual setups to address these concerns.
Contractual set-up with stricter legislative requirements and increased reporting demands
With governments and local authorities introducing stricter legislative requirements, it is critical to include reporting, monitoring, and information flows for OT Security into the overall strategic approach. Standards and requirements vary from market to market. In the US, authorities require compliance with the very prescriptive and heavily enforced NERC CIP (Reliability Standards), whereas other countries use a risk or scenario-based approach to cybersecurity. A typical project would have to consider both project requirements for the entire project and specific employer’s requirements towards the suppliers and service providers, which both have requirements and contribute to ensuring overall monitoring but are distinctly different.
- Project requirements should outline the obligations on cyber security implementation, monitoring, and reporting for the entire project. These are often high-level policies aimed at meeting policy and government requirements.
- Employer’s requirements typically detail expectations towards specific suppliers and service providers. These also encompass requirements around cyber security implementation, monitoring, and reporting, but in greater detail and tailored to the delivery and integration into the project requirements.
While the two sets of requirements may appear similar, they are distinct and different. Owner’s requirements serve as the “cornerstones” for the security level and ambition of the project. These “cornerstones” are then implemented and executed by the individual supplier and service provider contracts, which are governed by the employer’s requirements. It is vital that owners are aware of the requirements outlined in the employer’s requirements, as this serves as a mechanism to receive the right level of security and reporting from suppliers. The contracting manager must, therefore, ensure that all contracts entered have sufficient cyber security requirements implemented to ensure the overall project’s security. There could be a discrepancy between the OT security level delivered by suppliers and what is required by authorities; ensuring this gap is bridged – is the responsibility of the owner. It should be noted that even though the requirements are met, the owner would still have to assess the risk and determine whether it can be accepted from a commercial and technical standpoint. This demonstrates why it is so important that the OT security strategy is designed and incorporated into the owner’s and employer’s requirements for any given project at an early stage.
When discussing successful OT security strategies, it is important to remember that technology is only part of the solution, it is crucial to also focus on people and processes. The following section discusses the role of people, process and technology and risk mitigation vs cost.
OT Security: working with people, processes, and technology
This rise in complexity emphasizes the need for a cohesive approach. A common misconception is that successful OT security is mostly technology-dependent and can be “solved” using firewalls, jump hosts, and other technologies. However, a successful OT security strategy should have a three-pronged approach focusing on people, processes, and technology.
Employees (people) must be aware of the impact they have on cybersecurity. Employees clicking on links in phishing emails may compromise the entire organisation and the OT systems, thereby impacting the reliable production of electricity. Similarly, processes must be in place to support the people involved with OT systems in taking correct actions in situations where the security of the OT systems could be at risk.
Cost and risk reduction
Developments in threat landscapes and complexities have led to an increase in security requirements mandated by governments for critical infrastructure. These requirements often demand a higher level of security than what has been traditionally considered the industry norm. In meeting these requirements, owners may face increased costs. Furthermore, these requirements are not necessarily tailored to specific contexts or conditions. For instance, the same requirements are enforced for an offshore wind energy supply as for a thermal power plant, despite their significantly different operational setups.
When considering which OT security measures or controls to implement, cost must be evaluated against the potential risk reduction the measure offers. Some measures are highly effective but also extremely costly, however, more cost-efficient measures could still provide an acceptable risk profile while meeting governmental requirements.
Considering OT security strategy at all the stages of the asset lifetime
Early involvement in OT security is essential to ensure delivery of operations and the required security in the operations phase, as a significant part of the decisions in development/design will have a large impact on secure operations.
When considering the design concept, it is important to consider; for whom are we building this solution, what are they looking to achieve, and how are they going to achieve it? Further, when designing the security measures or controls of OT system it is vital to always consider the operational side. Some designs may be optimal for security reasons, but they may also make operations near impossible due to their level of complexity. Including OT security considerations at every stage in planning, enables an asset owner to ensure an up-to-date risk register and cohesive approach, which can be sustained during the operation. An overview of the over-arching strategy (such as design concept/philosophy) is crucial as this would form the foundation for building the OT strategy. Early-stage planning also allows for an up-to-date risk register to be kept – enabling some risk mitigation.
In asset management, there are several aspects, reporting requirements, and interphases of OT Security to consider.
In the end, the owner sets the final OT security level and risk for the project. It is important to assess whether governmental requirements are sufficient or if additional measures need to be taken to secure the project.
Keep in mind…
- Include OT Security at all early stages and throughout every stage of planning. Always consider the integrated setup involving people, processes, and technology in OT Security planning and implementation.
- Balancing cost versus risk reduction is key when considering which OT Security measures to implement. Remember to assess the cost of operation in this evaluation.
- Ensuring the implementation of the OT security strategy in the owner’s requirements for projects will provide a solid starting point for setting the employer’s requirements towards suppliers and service providers.
- OT Security is not a one-off project; it is ever-evolving. The adversaries become smarter, and so must we. Therefore, requirements in projects and towards suppliers and service providers will evolve over time.
Want to learn more about successful OT Security?
Just reach out to us, we are always happy to answer your questions and engage in discussions about OT security for optimised operations and asset management!
Troels Rahbek Lindhard I Country Director Korea I Get in touch
Christian Carstensen I Senior Data Engineer I Get in touch