Power to act
21 December 2022
As the energy crisis rumbles on, renewables are proving increasingly important as nations search for alternatives to Russian oil and gas. However, the green energy sector has also found itself to be a target for cyber criminals and, worse still, state actors. Is enough being done to protect the sector and its customers? Andrew Tunnicliffe speaks with Ana Kosareva, an energy consultant with Ørsted and former chair of WindEurope’s Cybersecurity Task Force, about the threat landscape.
Since the start of Russia’s offensive against Ukraine at the end of February 2022, energy – among other commodities – has fast been weaponised by Vladimir Putin and his generals. Attacks against Ukraine’s energy and water infrastructure, financial and economic moves intended to push up the price of oil and gas, threats to cut supply, and even attacks carried out against supply routes like the Nord Stream 2 pipeline, which many have blamed on Russia, have become commonplace.
Russia’s actions haven’t only been targeted at its enemy across the border; so-called ‘unfriendly countries’ have been hit too, with the Baltic nations – Estonia, Latvia and Lithuania – preparing for blackouts ahead of expected Russian attacks on their energy grids, and Moldova disconnecting power lines as a safety measure during Russian bombardment of Ukraine’s energy system. As a result, Europe has faced massively inflated wholesale energy prices, pushed higher by competition to secure gas supplies ahead of the colder months. However, while much of the focus has been on gas, renewables have been the source of hope that some European countries might be able to mitigate the impact of the conflict. Of course, it isn’t just the war that has pushed up gas prices – rising costs have been with us for many months now. The events in Eastern Europe have amplified that trend, though. At the same time, reliance on renewable power has also grown.
In 2020, renewables became the UK’s primary power source. By the end of winter 2021, they accounted for 41.5% of the energy mix, followed by gas at 37.2% and nuclear at 17.7% according to the Department for Business, Energy and Industrial Strategy. Analysis by Ember found that across the European Union’s 27 member states, renewables accounted for more than a third (37%) of power generation in 2021, highlighting the growing role they play in powering the bloc’s economies and keeping homes warm.
It’s little wonder, then, that any disruption to renewable power would likely have a devastating impact – something Europe and its enemies are acutely aware of. But with gas supplies being compromised and the increasingly rapid threat of climate change, the renewable sector continues to grow, in particular wind energy generation. “As we are facing an energy crisis in Europe, wind energy is on the rise again,” says Ana Kosareva, an energy consultant with Ørsted and former chair of WindEurope’s Cybersecurity Task Force. “That means we should expect higher installations in both the onshore and offshore wind sectors.”
Caught in the crosshairs
Threats to supply have hit the headlines in the past year or so, largely thanks to bad actors. Windfarms, their operators and even the industry’s supply chain have all fallen victim. As 2021 drew to a close, Danish manufacturer Vestas was hit with a ransomware attack. The company moved to reassure its customers that the threat had been contained and had little impact on anything other than internal systems but, nevertheless, they had fallen into someone’s crosshairs. Ransomware attacks have become one of the most popular tools in the toolkit of bad actors – now happening almost every 10 seconds, according to research, with their use rocketing upwards by 435% year-on-year in 2020.
As Russian forces poured over Ukraine’s border, news broke of another significant attack, this time targeting German-based Enercon wind power infrastructure, and more specifically the satellites that provide remote monitoring to 5,800 wind turbines, collectively supplying 11GW of power across central Europe. The company said the cyberattack had led to “massive disruption” to satellite connections, provided through KA-Sat satellites belonging to global communications provider Viasat.
Ultimately the impact was limited, largely thanks to existing contingency plans, according to Kosareva. “Luckily, most of the wind farms had a backup connection in this particular case. Their operation wasn’t affected, while others switched to a self-operating mode,” she says, noting the attack showed that the fallback strategy in place worked well. “We got away without any noticeable damage.”
Just weeks later and another attack was reported. Nordex Group, a Germany-based turbine manufacturer, said it had to shut down IT systems across multiple sites to protect customers’ assets. Although again caught early, it seems this attack also targeted remote control capabilities; but the company said its intervention restricted any impact to internal IT systems.
The variety of targets impacted by these attempts to disrupt shows both the willingness of would-be attackers to pursue multiple elements of the sector, and the sector’s growing importance to the energy mix. “There are different types of cyberattacks and the consequences are, of course, different too,” Kosareva says.
She adds that in the case of the attack on satellite systems, a non-existent backup internet connection and lack of a fallback strategy at wind farms could have, depending on the wind situation, caused major problems for the grid and electricity supply; whereas attacks on individual companies might have caused a “negative financial, company image and similar [impacts]”.
She warns a successful attack on operational technology (OT) could result in greater numbers of people impacted by local power outages, system splits and potentially even a Europe-wide blackout, leading to shortages of supplies, such as water, fuel and food. “Therefore, we need to address the resilience of the OT and IT systems of the wind energy assets,” she notes.
Resilience is everyone’s responsibility
“It must be noted that this is a shared responsibility of all parties – from technology providers and OEMs to the wind farms and grid operators, who must set up and ensure that all measures are taken and enforced,” Kosareva says, adding that the attack on satellites showed how interdependent different industries are. “We need to consider the system as a whole, with all the subsystems it relies on.”
Ensuring procedures and protocols are in place is becoming critical, particularly as the push for zero carbon intensifies considering the growing climate change crisis. Wind power is, and will continue to be, vital in the energy transition. Kosareva says wind began as a “nice addition to conventional power plants”, without assuming “any major grid responsibility”, generating electricity only when there was wind. “Today, however, we are looking at wind farms that are larger than some nuclear power plants. There’s a much higher penetration of renewables into the grids and we see wind farms take over some grid responsibility.”
Vulnerability of the sector has long been a concern for the industry, but events of recent months have emphasised the need for a laser focus if it is to protect itself, and those it serves, from major disruption. Enhancing resilience is a priority. Calling for OT to be given the same measure of focus that IT infrastructure has received, Kosareva sees a major obstacle: decoupled international regulations and standards.
She says there needs to be an industry-wide baseline that is ensured independently of the security standards of the individual operators, manufacturers, country and so on. In Europe, steps have been taken to standardise requirements, broadly, and now proposals are in place for more targeted energy infrastructure requirements. The Network Code for Cybersecurity – which will regulate all aspects of cross-border electricity flows, including rules on risk assessments, common minimum requirements, planning, monitoring, reporting and crisis management – is currently under consultation; but nothing has yet been applied.
Europe isn’t alone in needing greater guidance and clarity. In the US, there also remain gaps that significant elements of the wind power sector fall through. Where regulations do exist, they’re often disparate and in some cases can conflict with others, leading stakeholders to navigate their own paths, having to unpick the tangled web of regulations that is there. Kosareva says introducing standardised approaches is imperative: “We should look for the best international practices, utilise the existing standards and norms and align the definitions and terminology across the industry and region.” Labelling proposals in the EU as “relatively slow-moving initiatives”, she says there’s a risk that by the time they’ve been approved they will be “outdated or insufficient”.
There are financial reasons to act more quickly too. “I think it is crucial to be aware of the costs that come hand-in-hand with the desire to increase the resilience of our wind assets, especially for international companies that need to comply with different local regulations across the globe; it can be challenging,” Kosareva says. “Therefore, when we’re defining that security baseline within the EU, we need to ensure we use existing international standards and definitions to be as efficient as possible.”
For the past 30 years or so, advances in technology have come thick and fast; but so too have the tools and determination applied by those looking to do harm. It’s an indisputable fact that this will continue, as too will our reliance on technology to carry out operational tasks. At the same time, as the world pivots to counter the worst effects of climate change, and adversaries – state backed or otherwise – try to exploit the technologies used, it’s obvious cybersecurity will only become a bigger, more pressing concern.
“Higher renewable energy penetration and the increasing size of farms – especially offshore – will call for additional cybersecurity measures as these assets become more and more critical to the electricity grid,” Kosareva warns. “Not to forget the complicated political situation we are in at the moment, which only highlights how quickly – and sometimes unexpectedly – things can change and take a new turn. We should always stay alert, preparing for what could potentially happen next.” It’s a stirring call, but also one that recent months have proved should not be overlooked.