Blog

CYBER ATTACKS AND PROTECTION IN RENEWABLE ENERGY

As the share of renewable energy in world energy production increases, news of cyber-attacks on wind farms or turbine manufacturers is also on the rise.

Most recently, Germany-based wind turbine manufacturer Nordex’s IT systems were hacked, shutting down IT systems at its own business and connections to remote support. The company said the attack was detected on March 31 and an incident response team of internal and external security experts was “immediately established to contain the issue and prevent its further spread and to assess the extent of potential exposure,” adding that the shutdown could affect customers, employees and other stakeholders. No further details about the incident have been released so far. [Source]

Other current attacks and system vulnerabilities are as follows:

• Satellite cyber-attack knocked out 5800 (11 GigaWatts) of Enercon’s wind turbines across Germany (2022) [Source-1]
• Data leak in the IT systems of Danish manufacturer Vestas (2021) [Source-2]
• Ukraine’s blackout was actually a cyber attack: Ukrenergo (2015)[Source-3]
• A serious software bug was found in the RLE Nova-Wind Turbine human-machine (HMI) interface that would allow remote code execution. (2015) [ICS Raporu] [Source-4]
• XZERES 442SR Wind Turbine CSRF vulnerability (2018) [ICS Report]
• Nordex NC2 XSS vulnerability (2018) [ICS Report]

In 2015, penetration tests were conducted by Tusla University in 5 different wind farms. The results were as shocking to the team conducting the tests as to the owners.

“We were shocked when we started poking around, the only thing standing between us and the wind farm control network was a simple padlock, once we got access to one of the turbines, game over.”

In their attack, the Tulsa researchers exploited an extensive security flaw at the wind farms they infiltrated: While the turbines and control systems had limited or no connectivity to the internet, they also lacked any authentication or segmentation that would block a computer within the same system. Two of the five sites had encrypted connections from the operators’ computers to the wind turbines. But in each case, the researchers were able to send commands to the entire turbine network by placing their radio-controlled Raspberry Pi in the server cabinet of just one of the machines at the site. [Source]

OT and IT: Make a difference in cybersecurity

For cybersecurity, it is necessary to understand the differences between IT and OT. For IT, privacy is the most important, for OT, availability. One example is that IT deals with transactional processes and OT deals with real-time processes. While usability is the most important aspect and focus, it is often not part of the design and implementation.

There are also many interconnections, and with the digitalization of infrastructure, the connections will increase and expand. Our priority should be to protect the integrity of the system in real time before availability. Monitoring systems to detect changes will support cyber security and field engineers to protect and control the integrity of control systems in real time.

Hacking wind farms/industrial control systems requires expert domain knowledge of the specific system, physical processes and organization. Such attacks take a long time to plan and prepare and attackers only attack when they are sure they will succeed. So if you are not monitoring your facility in real time, you will always be left behind during an attack.

The threat of insider attacks is also a major threat because they already have specialized domain knowledge.

Vulnerabilities of wind farms

Although SCADA/DCS and Operational control networks are considered to be closed to external networks and internet access, internet connected devices, tethering (portable network point shares), remote access, physical access and internal threats (misuse, subcontractor access, sabotage) are often overlooked.

There are several reasons why wind farm facilities are generally vulnerable to hackers.

1. The cybersecurity approach has mainly focused on IT, without a different approach for operations technology (OT) in mind.
2. There are legacy wind parks, including communication systems, that were never designed with a “safety by design” mentality like the IEC/ISO 62443 standard.
3. Operational technologies such as SCADA and substations for wind farms need a different approach to security compared to IT security.
4. Physical security is often not adequately addressed in the design, resulting in poor quality of locks applied in wind farm cabinets, for example.
5. The vendor’s remote access is not always managed properly.
6. Communication connections to wind farms can be carried out by more than one provider without notification.
7. Without security improvements, old communication protocols continue to be used.

Holistic approach to capture cybersecurity challenges

A holistic approach is inevitable to ensure cybersecurity robustness and resilience.

Therefore, a risk-based approach is recommended for cyber security projects. With the preparation of company security procedures and risk matrix, risk probabilities and impacts should be planned in advance and necessary regulatory-preventive actions (RPAs) should be established.

This holistic approach will provide efficient, cost-effective technical validation to provide “bottom-up” evidence that appropriate security measures are in place for a complete system from an end-to-end perspective. Basically, what needs to be done are the following.

• Providing continuous network visibility and real-time monitoring and data flow analysis
• Applying secure network design principles
• Physical cyber defense and intrusion prevention
• Policies and procedures for prevention, detection, mitigation and recovery.

Nozomi Networks Real-Time Monitoring, Cybersecurity and Anomaly Tracking Core Infrastructure