Like all power infrastructure, offshore wind is quickly becoming a mission-critical power source around the world which has fueled rapid growth in the industry and increased the importance of safety, reliability and security of offshore wind generation systems. Simultaneously, rapid digitalization of the industry, driven by opportunities for operational efficiencies, has drawn OT and IT systems closer together. This has exposed offshore wind assets to cybersecurity concerns previously understood only by office or enterprise IT systems administrators.
To reduce their vulnerability to cyberattack, it is imperative that offshore wind farm operators thoroughly understand the threats and develop sound defense strategies based on IT industry best practices. Understanding how to successfully apply best practices across four common challenge areas is the key to developing an adaptable cyber defense strategy and requires a blend of organizational and technological agility that will be different for every offshore wind owner and operator. Some of those challenge areas, like adhering to industry standards and keeping abreast of technological advances, are complicated but somewhat obvious areas to concentrate on. Other challenges are more obscure. The nuanced complexity of shifting organizational culture or overcoming barriers to adoption of new, organization-wide cybersecurity policies often take power generation companies by surprise.
Challenge Area 1: Keeping pace with emerging technologies.
One of the most challenging aspects of cybersecurity is anticipating the unknown. This is true for both threats and for emerging technologies. Introducing new digital technologies creates fear of exposing OT systems to cyber threats. Many utilities experience organizational paralysis when confronted with new technologies for fear of moving too early, paying too much and experiencing unintended consequences. These fears are real and founded. Adding to the problem is the fact the technological advances are accelerating, making it more difficult to make timely, confident decisions. However, the rest of the world is not waiting and the longer hesitation rules, the more vulnerable an organization becomes and the more difficult it can be to catch up.
Even when an experienced and competent team exists in-house, one of the best ways power generation companies can break the freeze/deadlock of indecision is to seek the guidance of a trusted third party to provide perspective on the technology landscape and ramifications of individual decisions.
Challenge Area 2: Integrating industry frameworks and standards.
Industry best practices, together with governmental policies and regulations, are essential to guide asset owners through the digitalization journey while building a framework to protect your infrastructure from cyber-attacks. Some of the key standards to understand are:
- IEEE 1686 Standard for Intelligent Electronic Devices Cybersecurity Capabilities
- IEEE C37.240 Cybersecurity Requirements for Substation Automation, Protection, and Control
- IEC 62351 Standards for Securing Power System Communications
- IEC 62443 comprehensive cybersecurity framework for control system security rooted from ISA99
- ACP (formerly AWEA) Offshore wind Compliance Recommended Practices (OCRP) cites three of the above cybersecurity standards.
Robust frameworks have been developed to help offshore wind owners and operators complement and integrate industry-specific standards address cyber threats in a holistic, programmatic manner.
- The NERC CIP framework is specific to the electric utility industry, providing guidance for continuous operation and maintenance of cybersecurity procedures and controls.
- The U.S. Department of Energy (DOE) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) provides a framework for auditing cybersecurity programs to assess effectiveness.
- The U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework provides guidance for implementing cybersecurity controls and procedures for a wide range of situations and industries including electricity utilities.
- The ISO/IEC framework is based on the 27000 series of standards and outlines strategies for continuous improvement, enabling organizations to adapt to changes in the nature of cyberattacks over time.
Challenge Area 3: Aligning cybersecurity culture.
Perhaps the most perplexing – and most overlooked – cybersecurity challenge is an internal challenge. The convergence OT and IT is not only a technical problem; it is also a question of company culture and the interactions of functionally siloed groups. Many power generation companies, including those with offshore wind operations, are very experienced with securing their OT systems but have limited experience defending OT systems against exposure to cyber threats. It has only been in the last decade or so that digitalization has forced a coupling of OT and IT technologies that has also forced a coupling of security cultures within power generation companies. Bringing an organization’s OT and IT security cultures together means bridging differing objectives, technologies and organizational structures and delineating where the responsibility lies for mitigating the operational risk of cybersecurity.
Challenge Area 4: Complying with the web of regulation.
The need for cybersecurity regulations for the power and utility industry is undeniable: Attacks on critical infrastructure can have far reaching and devastating consequences. But regulatory compliance is complex and time consuming. To remain compliant, utilities must thoroughly understand a matrix of laws, requirements and protocols which are developed by many different organizations and enforced by government agencies, industry groups and company policies. In addition to documenting how cybersecurity systems are implemented and perform for compliance purposes, utilities must have a clear and accurate picture of their actual cybersecurity posture – regulatory compliance does not always equate to protection. Even the most well-intended regulations can yield little actual cybersecurity benefit to the utility.
How to start (re)thinking about cybersecurity
Most power generation companies have some understanding of cybersecurity and the implications of being exposed and vulnerable but may also have limited resources to apply to keeping their systems secure. Knowing how and where to start or increase an organization’s cybersecurity maturity is important for getting off center and moving toward a security-first mind set when it comes to OT. For many offshore wind companies, this means focusing on cyber hygiene, following best practices to improve their cybersecurity stance, introducing risk assessment, mitigation and management plans, and elevating organizational maturity as main objectives. If any of these efforts are to be successful, consistent internal communication and organizational alignment are necessary to foster awareness and education which are paramount to developing a cyber-aware culture that permeates the organization.
Companies can start their cyber hygiene program by assessing their cyber maturity level and identifying the incremental steps to improve it. Part of this effort will include consulting applicable standards and frameworks mentioned above that are policy, procedure, practice and personnel related. By addressing the four key challenges outlined above and consulting industry frameworks and standards, offshore wind owners and operators can develop a strong, adaptable cybersecurity posture that can successfully reduce OT system vulnerability and minimize the impact of attacks when they occur – because they most certainly will.
For more information on solutions to your cybersecurity challenges, visit: https://www.hitachienergy.com/offering/solutions/cybersecurity