“Most tech-savvy teenagers” would easily be able to access a wind farm’s control system and shut it down, due to the poor cybersecurity of standard SCADA communication technology, according to a leading expert in the field.
“We are now seeing hackers as a significant risk on energy sites and by attacking projects, they could be attacking owners’ pockets. With the increasing size of new offshore projects and an increasing number of installations, the risk is becoming more urgent,” says Richard Nichol, a senior consultant at renewables consultancy K2 Management, who previously managed SCADA (supervisory control and data acquisition) system development at turbine maker Vestas.
The technology — which enables communication between wind turbines and project control centres and substations — is so vulnerable that wind farm operators may not even be aware the cause of a shutdown was a hacker.
“It could easily be put down to a bug in the software or a configuration error that is fixed by simple reconfiguration or reset,” says Nichol, a senior consultant at renewables consultant K2 Management, who previously managed SCADA (supervisory control and data acquisition) system development at turbine maker Vestas.
Even standard anti-virus software does not offer any protection, making a large proportion of wind-farm SCADA-based systems less secure than the average personal computer (PC).
“When a SCADA system is running [Microsoft] Windows, several practices are useable from the corporate IT security practices, but most control systems are built upon PLCs [programmable logic controllers — industrial computer systems that do not use Windows as their operating system], therefore the traditional anti-virus systems cannot be used,” Nichol tells Recharge.
“For example, an office anti-virus program will secure the PC on which it is installed, but will not tackle the security of the wind turbine controller or a substation controller.”
The issue has largely been overlooked by the industry due to SCADA being an off-the-shelf, low-priority standard, Nichols explains.
“A SCADA system still only accounts for around 1% of total wind project costs, so it is low among the priorities of managers — project, sourcing, procurement and tendering managers — and doesn’t get much attention,” he says.
“The focus for managers at this point is on developing and constructing a good project — and consideration of the SCADA system is often seen as a task for the O&M [operations and maintenance] or service-agreement phase to look at much later in the project’s development.”
Cybersecurity requirements are virtually non-existent in construction contracts in European and Asian wind and solar projects, according to tendering material reviewed by K2 — or are covered in service agreements, which are usually agreed once the overall project design has already been signed off.
Yet SCADA systems can be sufficiently protected by qualified IT professionals — but only if developers and project owners are aware of the problem. And it would make economic sense to ensure adequate protection at an early stage of project development.
“Retrofitting a non-secure SCADA system will cost far more than installing the correct security measures in the earlier stages of the project,” says Nichol. “So by preparing an adequate security set-up up front, owners are not only protecting their projects, but protecting their business case and, ultimately, return on investment.”
He explains that the operation team responsible for cybersecurity should provide input even before the turbine supply agreement has been signed.
However, he adds that project owners should be careful not to go overboard with cybersecurity.
“Owners can spend too much money protecting their project and system from all possible incidents, but it’s unlikely that their project requires the same Fort Knox-style security as Google servers. By going too far, it can become bad for their business case, so striking the right balance is essential.”