Cybersecurity: From Cockpits to Control Rooms 

Two Core Questions for the Renewable Energy Market

As the global energy landscape transitions toward sustainability, the renewable energy industry has emerged as a cornerstone of the world’s power supply. However, with this increasing importance comes heightened scrutiny and responsibility. Governments and regulatory bodies worldwide are now classifying renewable energy assets as critical infrastructure, recognizing their critical role in ensuring a stable and secure electricity supply. This shift has not gone unnoticed by cybercriminals and state-sponsored threat actors, who seek to exploit vulnerabilities in wind, solar, and hybrid power systems, disrupting operations, causing financial losses, and endangering energy security. By 2025 worldwide cybercrime costs are projected to reach an annual cost of $10.5 trillion1. Therefore, it is necessary to improve the technical resilience in our entire economies and increased cybersecurity is in the self-interest of every company. 

To maintain a resilient and secure energy supply, mitigating cybersecurity risks is no longer an option – it is a necessity. The industry’s growing reliance on intelligent grid systems, cloud-based monitoring, remote asset control, and IT/OT convergence has introduced new attack surfaces that require proactive protection. While compliance with international cybersecurity standards such as ISO 27001 and IEC 62443 has long been an industry best practice, regulatory requirements are evolving rapidly. The European Network and Information Security Directive 2 (NIS2) is a prime example of how governments and regional bodies are now focusing risk mitigation through cybersecurity policies. This directive not only mandates active risk management but also increases accountability at the executive level, ensuring that cybersecurity is no longer just an IT concern but a strategic business imperative. 

Drawing from Lufthansa Industry Solution’s and PEAK Wind’s combined experience in both aviation and renewable energy, this article helps organizations review their own approach to cybersecurity risk management. As a baseline for this review we highlight two fundamental questions that every renewable energy organisations should address. The reflections are based upon hands-on project experience and exposure to various international markets and legislation.  

A further and even deeper insight will be addressed in a comprehensive whitepaper to be released in Q2/2025. 

Is the door already open?

Many organizations are unaware of existing vulnerabilities in their IT and/ OT systems. Without full visibility into network communication and the technologies inside your assets, vulnerabilities may be unintentionally exposed to external parties, leaving the metaphorical “door” open to attackers. 

Understanding the backbone(s) and network architecture of OT (Operational Technology) assets allows you to evaluate potential vulnerability and risks.  Without a proper understanding of the backbone(s) and network architecture it can be hard to enforce effective security management. Critical infrastructure often consists of multiple brands, models, configurations making maintaining an overview more challenging. 

Defining your security strategy

The security strategy derives from your business strategy, your chosen reference framework and your governance structure. It covers a vision, a mission and a roadmap to achieve a future state of maturity in all security measures. Therefore, comprehensive cyber security maturity assessments, including a gap analysis towards specific standards, is necessary as this allows your organisation to understand where they stand currently in terms of cyber security and which areas should be addressed.

Take measurement of exploitable vulnerabilities exposed to the outside world

Open doors or unknown vulnerabilities can become your Achilles heel, with vulnerabilities  being exploited through targeted or in widespread attacks. To find them in time you can use vulnerability scans and technical inspections. Another approach is to preform offensive tests. These tests should be fulfilled by professionals that operate as real hackers using the same set of weapons. Penetration tests, provide a deeper dive and allows you to receive specific advice on how to handle potential threats. Penetration tests provide a deeper technical insight than scanners or defensive audits. Preforming penetration tests focusing the internet exposed systems and services and your directory services (e.g. Active Directory) should be your minimum. 

Observing renewable assets

Energy production assets often require remote connectivity and usually have multiple systems integrated. We have observed instances of unintentional or authorised connectivity to or from renewable energy assets, this could constitute a vulnerability. Tracking connectivity of an asset, over a period of two weeks,  allows an insight into to whom and where assets are sending data. In some cases, sending data globally may be required but being aware of to whom and where your data is being sent allows you to mitigate risk exposure by limiting access.  

If unintended connections are observed there are several measures that should be implemented to limit unauthorised remote access. These measures included network management, secure remote access, solutions for data exchange and system monitoring.  Lack of awareness could mean that a door is already ajar and allowing insights or access that was not intended.  

Deep dive– breaking the system

To get a first overview of the internet exposed attack surface the penetration test team got a range of IP addresses and a list of domains. Without any other knowledge regarding usernames, password or other credentials they found various point of interest and analysed them deeper. One highlight was a search field in a website that allowed arbitrary texts as inputs with inefficient filtering. Given that, it was possible to exfiltrate the entire database content. Another critical issue was found in an API. These technical interfaces allow programs to interact with each other. But this was accessible from the internet with poor authentication mechanisms. After a first bypass of these mechanisms, it was possible to inject system commands which allowed a full system takeover. 

What am I required to do by law?

The regulatory landscape is fragmented and evolving with more and more national and regional legislation being introduced. Organisations may struggle to keep up with which laws and directives apply to them in different markets, leading to potential non-compliance, penalties, and cybersecurity gaps. 

Steps to solve that challenge:

It is always important to be aware of what legislation applies to your company and update your strategies thereafter, requirements vary from market to market. Requirements by law are either set out on a regional or national level. An example of significant updates in regional legislation was the General data protection regulation (GDPR) that came into effect in May 2018 across the EU. This required organisations and companies to maintain a clear policy and process for how they handled and stored personal data.  

NIS2 is a similar piece of EU  legislation, the revised EU directive is aimed at improving the level of cyber resilience across member states. NIS2 also mandates the classifications of sectors into essential entities and important entities. Essential entities include transport, digital infrastructure and energy. It is therefore essential to understand the impacts of updates in legislation for your organisation.  NIS2 has an increased focus on risk assessment measures, reporting and governance of security.  Senior management are ultimately responsible OT and IT security in their organization. Non-compliance may result in high financial penalties.  To comply with the NIS2 regulation, organizations should take several steps. 

How control rooms can benefit from cockpit-knowledge

In the aviation industry international regulations on safety and security are much more common than in younger industries and the adoption speed for new regulations is quite fast. Nevertheless, it is still an ongoing challenge for aviation companies to deal with cybersecurity regulations as they operate in many different countries, in heterogenous ecosystems and they are more digital than ever before. It is essential for them to have the ability to recognize new requirements in time, to create clear pictures which piece is effected by which rule and understand what risk it actually addresses. 

To handle this challenge and to keep it manageable in an efficient manner, aviation companies created well defined processes driven by international standards. In addition, they created exchange formats with national authorities, competitors and especially with their IT and  
IT-Security providers. These networks help them to stay compliant, prevent incidents and shorten reaction times in case something goes wrong. 

Renewable energy assets are increasingly being classified as critical infrastructure and as with the aviation the demand for adaptation of requirements is increasing. We observe a tendency to waiting for national legislation to implement NIS2, but as with the aviation sector many companies operate across and in multiple countries. Thus your company should focus on taking the necessary steps already ensuring that the approach has agility and allows for adaptation for minor national adaptations.  

Compliance and operations are often regarded as one being a pre-requisite of the other but should perhaps instead be seen as an enabler. The increased focus on cybersecurity compliance should rather be seen an enabler for risk reduction and to make sure that measures you take as a company will also be taken by other actors. Decreasing the likelihood of a costly cyber incident.

Closing Remarks:

This article has explored two foundational questions to help renewable energy organizations better understand their current cybersecurity exposure and legal obligations, with concrete examples and actionable steps. In our upcoming whitepaper, to be published in Q2, we will provide in-depth insights into the remaining six questions, offering a holistic approach to managing cybersecurity risks tailored to the renewable energy sector. 

Stay tuned for the full whitepaper or contact us for further information

About Lufthansa Industry Solutions

Lufthansa Industry Solutions (LHIND) is a leading IT service provider and part of the Lufthansa Group. With over 25 years of experience, the company offers innovative solutions and services in the areas of AI, IT Security, Cloud, IoT, SAP and more. Extensive know-how and cross-industry expertise make LHIND a reliable partner for the digital transformation. Its customer base includes companies both within and outside the Lufthansa Group, as well as more than 300 companies in various lines of business. The company is based in Norderstedt and employs more than 2,600 members of staff at several branch offices in Germany, Albania, Switzerland and the USA.  

About PEAK Wind

PEAK Wind is an independent renewable energy specialist in commercial, financial and technical operations delivering advisory, intelligence and asset management services for investors and developers around the world. Currently managing +2.6GW of renewable energy assets for our clients and driving projects throughout the energy lifecycle to optimise O&M and enhance asset performance. PEAK Wind are experienced in delivering end-to-end experience on SCADA operation, data management, and cybersecurity for renewable assets.  

Authors – Contact us