Abstract
This Research Report explores how the resilience of offshore wind farms could be reinforced by artificial intelligence (AI) and intelligent automation, and what actions policymakers and industry should take to enhance the cybersecurity of offshore wind. The findings are the result of a collaborative project between The Alan Turing Institute’s CETaS and Data-Centric Engineering programme. Recent cyberattacks on companies such as Enercon and Vestas underscore the vulnerability of offshore wind infrastructure. To address this, resilience should be enhanced in critical areas such as grid integration points, control centres, and supply chain intersections. The most promising AI applications identified in the research include anomaly-based intrusion detection, intrusion protection systems, and predictive maintenance. The report provides recommendations to enable a shift towards resilience-based engineering, increased heterogeneity in system designs, network segmentation, and enhanced security protocols.
This publication is licensed under the terms of the Creative Commons Attribution License 4.0 which permits unrestricted use, provided the original authors and source are credited.
Executive Summary
This Research Report explores how the resilience of offshore wind farms could be reinforced by artificial intelligence (AI) and intelligent automation, and what actions policymakers and industry should take to enhance the cybersecurity of offshore wind. The findings are the result of a collaborative project between The Alan Turing Institute’s CETaS and Data-Centric Engineering (DCE) programme, which was funded by the Lloyd’s Register Foundation.
Cyberattacks directly or indirectly affecting offshore wind are happening already with companies like Enercon, Vestas, Nordex and Deutsche Windtechnik reporting malware and ransomware attacks. On the day of Russia’s invasion of Ukraine, the cyberattack on ViaSat satellite communications affected space-based assets engaged for command and control of Enercon’s wind turbines in Germany, leading to the loss of remote monitoring access to more than 5,800 wind turbines. With plans to significantly scale offshore wind capacity in the UK, resilience to similar cyberattacks must be reinforced.
Some areas in the cyber-physical infrastructure require more attention from a security perspective because they could lead to cascading damage. This includes areas where the grid integrates new and legacy offshore wind infrastructure, the control centre, intersections with external actors along the offshore wind supply chain and points of integration with the Internet.
Harnessing AI and intelligent automation will reinforce the resilience of offshore wind if swift action is taken by government and industry. The AI and intelligent automation applications identified as the most promising in this report were: anomaly-based intrusion detection systems (IDS), anomaly detection, intrusion protection systems (IPS), and hardening and predictive maintenance. While AI and intelligent automation could be introduced to protect access points that result in the most cascading damage, there are systemic, supply chain and physical risks which also need to be mitigated. There is an opportunity to integrate systems that enhance security in the design and construction of offshore wind systems before offshore wind infrastructure projects are completed.
Bolstering resilience requires a radical overhaul of systems-engineering practices towards resilience-based engineering and a range of systemic changes to wind industry operations, regulation, intelligence sharing and research. Offshore wind design and engineering choices can explore increasing heterogeneity in systems designs within a wind fleet, as well as increased network segmentation to prevent cascading damage when one turbine faces an attack. Organisational emergency response plans, cross-border intelligence sharing, and security response protocols are also required.
This report proposes mitigative actions to address the main resilience challenges, which are summarised in Table 1. The rationale and promising practice informing these recommendations are presented in Section 4.
Table 1. Summary of offshore wind resilience challenges and mitigative actions
NIST Cybersecurity Framework component | Challenge | Mitigative action: industry action | Mitigative action: policy action |
Identify | Underreporting of cyberattacks on offshore wind | Contribute anonymised offshore wind cybersecurity threat intelligence and good practice to the National Cyber Security Centre (NCSC) Connect Inform Share Protect (CISP) platform and the NCSC Early Warning and open-source Malware Information Sharing Platforms (MISP). | Coordinate public-private roundtables to discuss and document sector-wide cybersecurity trends, good practice and lessons learned based on intelligence gathered through anonymised CISP and MISP data without penalties on vendors. |
Protect | Enforcing and incentivising standards compliance | Develop an organisational assessment of cybersecurity risks and structures for safeguard implementation. Explore applications of AI and machine learning (ML) to automate and streamline standards compliance processes. | Develop or adapt existing standards (e.g. IEC 62443 4-2) to plug gaps for automation and industrial control systems, covering offshore wind among other sectors. Establish an offshore wind standards certification process across the supply chain. |
Protect | Supply chain cybersecurity | Batch test sub-systems and components. Impose software bill of materials (SBOM) requirement on suppliers, to inventory offshore wind components and ensure that cybersecurity requirements for each component are met. Dedicate budget for cybersecurity, including maintenance costs. | Cyber labelling components and products that meet cybersecurity standards (e.g. US Cyber Trust Mark). |
Protect | Offshore wind cybersecurity workforce gap | Train and develop specialist personnel in cybersecurity who understand operational technology (OT) and information technology (IT) for wind energy. Define cybersecurity roles and responsibilities across the entire supply chain to promote security culture. | Incentivise academia to set up skills development programmes or fund PhD grants in cybersecurity for wind energy and resilience-based engineering. |
Detect/analyse | AI-enabled intrusion and anomaly detection, protection and hardening systems | Introduce specialist training for AI-enabled intrusion and anomaly detection, protection and hardening systems. Evaluate the cost-benefit ratio of intrusion detection systems (IDS) and intrusion protection systems (IPS). | Commission public-private research to test AI-enabled IDS/IPS that are context-aware and able to cover a wide attack surface. |
Respond | Public-private and cross-border cybersecurity coordination | Participate in inter-industry strategic discussions on security response. Develop and share a common reference architecture to protect offshore wind energy systems. | Convene industry groups and relevant international public and private wind energy partners to set security response protocols. Develop a comprehensive research and coordination plan for enhancing the cyber resilience of offshore wind. Launch cybersecurity exercises with bordering countries. |
Respond | Slow response and recovery | Develop cybersecurity emergency response plans based on existing attack scenarios through table-top exercises, and ask OT risk managers to continuously assess wind platform components against the risks in those scenarios. | Establish cross-border security dialogues and response plans, share good practice and set up emergency response simulations. |
Recover/Manage | Resilience-based engineering tailored to offshore wind | Set up digital twins to model cyber threats and to inform resilience-based engineering practices. | Set requirements for offshore wind development projects to incorporate resilience-based engineering and best practice. |
Introduction
Offshore wind is the next major growth area for renewable wind energy, with industry increasingly offering a range of digital innovations for integration into wind energy infrastructure. However, with increased digital interconnectedness comes increased vulnerability to cyberattacks.
The UK currently has more offshore wind energy capacity than any other nation[1] and has set a target to deliver 50 gigawatts of offshore wind energy by 2030.[2] Moreover, in 2023, wind energy surpassed the proportion of electricity generated by gas for the first time.[3] The role of offshore wind is only going to increase further as part of the UK’s critical energy infrastructure, particularly given the UK is an island nation.
Recent cyberattacks on wind energy systems foreshadow the potential cascading risks for UK national, climate, energy and economic security objectives. When Deutsche Windtechnik faced a ransomware attack in 2022, the company was forced to disable around 2,000 out of 7,500 of the company’s wind turbines across Germany to prevent further damage.[4] After a ransomware attack on Vestas, there were sensitive data leaks, production delays and costs, as well as a 3% decrease in the company’s shares.[5] Recovery sometimes takes several months – as was the case with Enercon in 2022.[6] At worst, cyber threats could lead to losing functionality of critical systems, and the possible cascading resilience failures could lead to power outages if cyberattacks on offshore wind are combined with cyberattacks in other energy sectors. If critical infrastructure such as hospitals lose power supply or if failure of security systems results in a fire in the wind turbine, then there could also be loss of life.
Power outages also carry a significant financial cost, especially if there are lawsuits, premiums to pay for electricity that cannot be generated, fuel for generators and other unplanned expenses resulting from the outage.[7] Normally, the grid would be able to cope with a loss of smaller volumes. However, simultaneous or large volume outages exceeding the capacity of the grid cause challenges. As wind generation capacity increases, there must also be an increase in reserve energy. Some estimates gauge that one day of downtime for a 500-megawatt wind farm could cost around £360,000.[8] In the case of the 2019 power blackout in the UK, the companies Hornsea One Ltd and RWE Generation UK Plc were fined £4.5 million.[9]
Successful cyberattacks could also lower public trust in wind energy or other renewable energy and counteract efforts to achieve Net Zero. In the 2021 Texas Big Freeze, when the winter cold led to power outages and other disruption, critics of renewable energy blamed frozen wind turbines as the source of power outages and the reason why people died. Texas Agriculture Commissioner Sid Miller posited, “we should never build another wind turbine in Texas. The experiment failed big time.”[10] However, while some turbines were frozen, so were gas, coal and nuclear sources, which Texas generates most of its energy from.
There is a need to explore these risks in the specific context of UK offshore wind because there may be unique cybersecurity requirements that are not otherwise covered by existing regulations or policies for energy systems more broadly. Offshore wind is remote and requires more cyber infrastructure to communicate with onshore systems, so there is a larger attack surface for malicious actors to exploit. The international academic literature on offshore wind cybersecurity has grown in recent years but there is a gap amongst UK-based stakeholders despite the UK’s leading role in offshore wind adoption.
There is a critical window of opportunity to integrate secure-by-design and cyber resilience principles to these systems before wind companies need to recoup the investment in offshore wind infrastructure. There is also an opportunity to implement lessons learnt from other offshore wind-reliant countries like Denmark and the US. Action now will reap benefits decades into the future due to the lifespan of wind farms[11] while reactionary approaches will worsen the challenges that create vulnerabilities. Inaction could also generate higher operational, financial, human and legal costs compared to the costs of designing cyber resilience into the system.
Research methodology
This study sought to understand how the resilience of offshore wind farms could be reinforced by AI and what actions policymakers and industry could take to enhance the cybersecurity of offshore wind. Specifically, the project explored the following research questions:
- RQ1: How can cybersecurity threats to offshore wind energy be characterised?
- RQ2: What are the unique cybersecurity requirements and vulnerabilities of offshore wind?
- RQ3: How could AI and intelligent automation enhance the cyber resilience of offshore wind power infrastructure?
- RQ4: How could policymakers leverage policy levers to enhance the cyber resilience of offshore wind?
- RQ5: How could industry bolster the resilience of offshore wind?
Data collection for this study was conducted over a seven-month period from July 2023 to March 2024, including two core research activities:
- Literature review covering academic and policy literature on technical advances in AI for energy systems, threat assessments for offshore wind and strategy and policy recommendations for enhancing cybersecurity and resilience.
- Semi-structured interviews with 29 participants from government; industry (including wind energy IT and OT operators, original equipment manufacturers and maintenance or penetration testing service providers); academia; standards organisations; energy research and innovation centres; and relevant intergovernmental organisations.
Report structure
The remainder of this report is structured as follows. Section 1 characterises cybersecurity threats to offshore wind. Section 2 describes the cybersecurity of offshore wind and commonly known vulnerabilities in the system. Section 3 explores opportunities for AI and intelligent automation to enhance the cyber resilience of offshore wind. Section 4 describes policy and industry challenges and mitigative actions. Finally, Section 5 summarises the study team’s main conclusions.
1. Cybersecurity Threats to Offshore Wind
Cyberattacks on offshore wind are happening in Germany and Denmark already.[12] Industry interviewees also stated they are already happening in the UK,[13] but there is a lack of publicly available information on these attacks to triangulate this, and wind energy companies do not always specify which countries have been affected by attacks. Nevertheless, the vulnerability of an offshore wind system’s network has been highlighted by successful cyberattacks in the case studies below, interviewees and anecdotal evidence from ethical hackers[14] and penetration testers.[15] Potentially far-reaching consequences require an increased focus on this sector’s resilience.
There is limited historical data on cybersecurity threats to offshore wind, due to the relative novelty of offshore wind. Interviewees believed underreporting of cyberattacks exacerbates this issue, which makes attack baselining difficult.[16] Publicly available information on the few reported cyberattacks illustrates that there are both cyberattacks directly targeting offshore wind, and cyberattacks on space communications infrastructure, which indirectly impact offshore wind. Cyberattacks are aimed not only at operators but across the supply chain, including turbine manufacturers and maintenance companies. The attack on ViaSat, which affected Enercon wind turbines, was indirect as it targeted satellite communications. Wind farm operators use satellite communications like ViaSat’s system to transmit monitoring data and Enercon’s wind farms were collateral damage. The Vestas and Nordex ransomware attacks were both direct attacks on wind farms.
Tables 2 – 5 below summarise case studies on cyberattacks on wind-related companies and their impacts.
Table 2. Vestas cyberattack
Cyberattack | Impact overview | |
Vestas (November 2021): Danish wind manufacturer Vestas faced a ransomware attack.[17] | Operational impact | Multiple business units and locations had to shut down IT systems.[18] |
| Human impact | Data was retrieved from Vestas’ IT systems and attackers threatened to publish the stolen data, which included addresses, emails, phone numbers, pictures, job applications, salary information and more.[19] The data was reportedly used to extort Vestas’ customers.[20] |
| Financial and reputational impact | Vestas shares decreased by 3% the Monday after the cyberattack and the cyberattack caused production delays and costs.[21] |
Table 3. Nordex cyberattack
Cyberattack | Impact overview | |
Ransomware attacks on Nordex (March 2022): German turbine manufacturer Nordex faced a ransomware attack on its control centre.[22] | Operational impact | The company disabled the platform and IT, but no third-party assets were affected.[23] |
| Human impact | None identified. |
| Financial and reputational impact | None identified. |
Table 4. Deutsche Windtechnik cyberattack
Cyberattack | Impact overview | |
Ransomware attacks on Deutsche Windtechnik (April 2022): German maintenance company Deutsche Windtechnik’s IT system was hit by a cyberattack attributed to the Conti ransomware group resulting in the disabling of remote connectivity.[24] | Operational impact | The company cut off communications between wind turbines and remote monitoring centres. Around 2,000 out of 7,500 Deutsche Windtechnik wind turbines across Germany were shut down.[25] Remote data monitoring connections to the wind turbine were disabled.[26] |
| Human impact | None identified. |
| Financial and reputational impact | None identified. |
Table 5. Enercon sustained damage after ViaSat cyberattack
Cyberattack | Impact overview | |
Enercon sustained damage through attack on ViaSat’s satellite communications (February 2022): A cyberattack on the German wind turbine manufacturer Enercon was attributed by UK and US governments to Russian state-sponsored actors.[27] The attack disrupted broadband satellite Internet access on the day of Russia’s invasion of Ukraine, which was attributed by SentinelLabs researchers and Danish wind manufacturer Vestas to wiper malware called “Acid Rain.”[28] | Operational impact | Of ViaSat’s hundreds of thousands of modems, 40,000 were compromised. Some of these were engaged for command and control of Enercon’s wind turbines in Germany, which lost remote monitoring access to more than 5,800 wind turbines.[29] The turbines could no longer communicate with Enercon’s Supervisory Control and Data Acquisition (SCADA) system and server, so the service centres lost the ability to control the turbines.[30] The loss of control of wind turbines was collateral damage, but nonetheless illustrates the vulnerability of wind communications to attack. Some impacted turbines took two months to come back online.[31] |
| Human impact | Ukrainian civilians could not access reliable information from the government. Populations in EU countries experienced Internet outages.[32] |
| Financial and reputational impact | None identified. |
1.1 Actors
While the public case studies above predominantly highlight criminal actors’ ransomware attacks, potential state-sponsored threats are the most concerning because these aim for high-consequence events.[33] Based on publicly available information, criminal ransomware attacks like those on Nordex and Deutsche Windtechnik have not had as significant a human, financial or reputational impact. On the other hand, attacks like the one that affected Enercon have had considerable international and long-lasting impact before systems could be recovered. Once cybercriminal malefactors discover how to monetise cyberattacks against offshore wind, they will likely intensify attacks against offshore wind infrastructure. It is worth noting that green activists concerned about the negative impacts of offshore wind development platforms[34] may also be motivated to disrupt wind farms.
1.2 Attack types and their impacts
Some attack types were described by interviewees. Generally, there are cyber-physical attacks and purely digital attacks. Cyber-physical systems are integrated hardware, software and potentially human systems, and cyber-physical attacks are typically defined as digital attacks that can have a physical outcome. For example, attackers could aim for the key sensors of turbine operations in a way that results in physical damage – such as by forcing a turbine to operate outside its normal parameters.[35] Alternatively, the system could be spoofed to shut down, resulting in excessive downtime.[36] Hackers could also pivot from a digital/cyberattack on IT systems to OT systems to cause physical damage to the turbine by increasing the speed of operation, and generating wear-and-tear.[37] This shows that the range of possible digital or physical impacts can be caused by attacks on IT, OT, or both.
There are also some cyber-physical attacks which are physical attacks with a digital impact. For example, tampering with physical systems can also disrupt communications. While less common in some other sectors, offshore rigs and ships have experienced tampering, which jams signals or erases data.[38]
There are also pure cyber-attacks, with little physical impact involved. That is, traditional IT attacks like intrusion (e.g. human attackers gaining access to data and networks) and malicious software (malware). Malware attacks aiming to disrupt computing systems or to gain unauthorised access to data are most frequent.[39] Denial-of-service attacks that disrupt system resources and ransomware attacks are also prevalent.[40] There is a concern that malware designed for other systems could still have a negative effect on these systems if they were accidentally infected. The impact of this tends to be systems getting slower or crashing. However, there is always the concern of custom, intentional malware attacks, which are more likely to lead to data manipulation or theft.
1.3 Attack vectors
There are major vulnerabilities across the entire hardware and software supply chain, including those working to maintain or build offshore wind infrastructure.[41] External partners create vulnerabilities through unintentional errors, physical access threats, as well as backdoors implanted somewhere along the supply chain that may remain undetected for years.
1.3.1 Human factors
Unintentional human errors and negligence could create vulnerabilities and are difficult to predict.[42] Social engineering can also increase the chance that a human error will benefit an attacker. For example, the worm Stuxnet was theorised to have spread from USB-flash drives found unattended that were then connected to a computer.[43] Infected USBs and disks have been left in parking lots of targeted buildings in the past to increase chances of infection. Offshore wind farms are unattended most of the time, but third-party maintenance workers occasionally attend to the turbine platforms. Targeted blackmail, social engineering or spear phishing attacks on remote employees are a possibility.[44] In the future, the risks outlined above could be exacerbated by AI for more sophisticated and believable phishing and social engineering.[45] This is both because of new vulnerabilities AI can bring, and because of attackers using AI to enhance their attacks.
Weak security processes and cyber resilience implementation across the wind farm’s supply chain create vulnerabilities and will be explored in more detail in this report. One interviewee claimed wind farm operations do not subscribe to typical cyber hygiene practices.[46] Maintenance updates are also usually done by the systems integrator, not the operator, and they may not always have the appropriate cybersecurity training.[47] Security measures such as restricted access by design, adequate key card systems, authorisation limits and limiting external access and traffic to the network are required.[48]
1.3.2 Physical access threats
Some risks are less likely to occur but have a high probability of success. A human or unmanned vehicle with physical access (e.g. utility, maintenance, technician personnel, wind installers and integrators, software-as-a-service providers) could jam motor controls,[49] highlighting the difficulty of applying the same level of assurance to wind farm operator employees as opposed to other personnel along the wind farm’s supply chain. Malicious actors could cross the physical water barrier surrounding an offshore wind platform with naval vessels, diving equipment or unmanned aerial or naval vehicles. It is also worth noting that personnel operating wind farms are not typically required to undergo vetting.[50] Operators essentially lack sufficient control over employees of third parties to provide adequate cyber resilience.
While not a cyberattack, it is worth noting that other physical threats to the operation of an offshore wind farm include physical or kinetic strikes on the fiber optic and copper cabling used to monitor offshore wind farms.[51] Since offshore wind farms are typically unattended, there are no personnel physically securing the facility.
2. Cybersecurity Vulnerabilities of Offshore Wind
The cybersecurity requirements of offshore wind overlap with the requirements of onshore wind energy and other components of the wider power grid, but there are a few characteristics that are particularly prominent in offshore wind. These include:
- The unattended, distributed and remote nature of the cyber-physical infrastructure compared to onshore wind;
- Mix of digital technologies in new offshore wind development projects that will need to connect to more antiquated legacy systems of the existing grid system;
- Attack obfuscation or masking techniques which hide the origin or existence of an attack.
2.1 Cybersecurity requirements of offshore wind
2.1.1 Unattended, distributed and remote infrastructure
Onshore and offshore wind vendors are using similar OT and IT,[52] but compared to traditional energy systems, offshore wind is typically unattended, distributed and remote from land.[53] This sometimes leads to an assumption of security by virtue of its physical isolation. However, a physical gap does not guarantee an air gap[54] from the turbines to onshore infrastructure. Digital communication systems between the turbines and onshore infrastructure are crucially exploitable.[55] Cellular, satellite, or wired communications are needed to communicate with, and manage, offshore wind infrastructure across the sea.[56] There is a rush for centralised cloud-based management systems for offshore wind, but these create opportunities for remote compromise.[57] Moreover, operators will be choosing between requiring physical site visits or remote software updates for maintenance. If the latter, then this will contribute towards increasing digitalisation. As described in Section 1, the cyberattack on ViaSat affected Enercon wind farms, illustrating remote compromise through indirect vulnerabilities.
Figure 1. Offshore wind farm electric grid components
Source: Senate RPC.[58]
In contrast, traditional wired cables connecting offshore wind to onshore infrastructure are more secure from a cybersecurity perspective,[59] but are vulnerable to physical attacks or strikes such as anchor drags or crashes because of marine traffic.[60]
2.1.2 Mix of digital and legacy infrastructure
The integration of digital technologies with existing OT, which were historically designed to work in isolation, creates security gaps between the previously siloed OT and the IT systems.[61] New offshore wind systems could be integrated with transformers that are 20 or 30 years old.[62] Adapting OT protocols to communicate with newer protocols and devices, such as those under the umbrella of the ‘Internet of Things’, is an enormous challenge that will require a lot of investment.[63] Old OT systems are difficult to integrate with cloud platforms and penetration testers (pentesters) do not yet know how to consolidate securing OT in their assessments.[64] For example, while it is typical for IT to have a password policy which locks a user out after three failed attempts, this policy is less applicable to OT because if the system were locked, then operation would be disrupted, with potential safety, financial and other costs.[65]
2.1.3 Attack obfuscation opportunities
There are several ways attackers can obfuscate their activity because different defensive monitoring systems detect threats differently. Due to real data often being ‘messy’ compared to training data, hiding interruptions is slightly easier.[66] If malicious actors are able to access key systems, they could alter real operational data with false operational or forensic data.
There are cases of attackers not only applying stealth to intrusion of the network but hiding evidence of their activity after the attack. This means that there is a window where their actions can be detected, but if the intrusion or cyberattack is likely to be quick, an attacker could decide to wait until after the attack before deleting forensic data.
Using these techniques to obfuscate their behaviours during, and/or after an attack, attackers can mask sensor data and make an interruption look normal.[67] Without properly configured intrusion detection systems (IDS) and intrusion prevention systems (IPS), attack masking can easily be achieved. However, some attackers can even hide their activity from signature-based IDS/IPS with small changes to their code. Some attacks can also hide from behavioural-based detection by spreading out the malicious activity over a longer period of time, so it is harder for defenders to understand what is happening.
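The slow-spread evasion of behavioural detection described above can be seen from the defender's side by comparing a per-sample threshold check with a cumulative-sum (CUSUM) check on the same telemetry. This is an added example, not code from the report; the rotor-speed values, noise pattern, detector parameters and function names are constructed assumptions.

```python
# Constructed telemetry: rotor speed in rpm around a 12.0 rpm baseline with a
# small repeating measurement noise. All values are illustrative assumptions.
BASELINE_RPM = 12.0
NOISE = [0.3, -0.2, 0.1, -0.3, 0.2, -0.1]  # sums to zero over one cycle
CHANGE_START = 60                           # sample index where readings shift


def telemetry(offsets):
    """Add the noise pattern and the per-sample offsets to the baseline."""
    return [BASELINE_RPM + NOISE[i % len(NOISE)] + off
            for i, off in enumerate(offsets)]


def no_change(n=180):
    return [0.0] * n


def abrupt_change(n=180, step=1.5):
    """Readings jump by `step` rpm in a single sample."""
    return [0.0 if i < CHANGE_START else step for i in range(n)]


def slow_change(n=180, per_sample=0.005):
    """Readings creep upward so every individual sample stays in-band."""
    return [0.0 if i < CHANGE_START else per_sample * (i - CHANGE_START + 1)
            for i in range(n)]


def threshold_alarm(samples, limit=1.0):
    """Per-sample check: first index whose deviation from baseline exceeds limit."""
    for i, x in enumerate(samples):
        if abs(x - BASELINE_RPM) > limit:
            return i
    return None


def cusum_alarm(samples, slack=0.1, limit=5.0):
    """One-sided CUSUM: accumulate deviation above baseline + slack and return
    the first index where the running sum exceeds limit."""
    running = 0.0
    for i, x in enumerate(samples):
        running = max(0.0, running + (x - BASELINE_RPM - slack))
        if running > limit:
            return i
    return None


def compare():
    """Alarm index (or None) for each detector on each constructed trace."""
    traces = {
        "no_change": telemetry(no_change()),
        "abrupt": telemetry(abrupt_change()),
        "slow": telemetry(slow_change()),
    }
    return {name: {"threshold": threshold_alarm(t), "cusum": cusum_alarm(t)}
            for name, t in traces.items()}


if __name__ == "__main__":
    for name, alarms in compare().items():
        print(f"{name:10s} threshold={alarms['threshold']} cusum={alarms['cusum']}")
```

The per-sample check never fires on the slow trace because no single reading leaves the band, while the cumulative check does, at the cost of a delay after the change begins.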
2.2 Significant points of vulnerability
While all parts of the offshore wind infrastructure require security, the areas that often require the most are the grid integration infrastructure,[68] control centre,[69] and largely anything connected to the Internet.[70] As the central brain of the system, the control centre has the most connections to other parts of the system, so attacks on the control centre may have the most potential to generate cascading damage. The section of infrastructure that connects the new offshore wind systems to the established onshore power grid could be a single point of failure during a cyber-physical attack. As discussed in Section 1, vulnerabilities and attack vectors related to external partners physically/remotely accessing equipment and networks also require security because this area is the most common point of access.[71]
Figure 2. Areas in offshore wind infrastructure that are at highest risk of cascading high-consequence impacts
Source: Adapted from Federal Government of the United States (2020).[72]
2.2.1 Grid integration
The grid integration infrastructure is critical because it is what connects new and old offshore infrastructure. In some grid integrations, there is a two-way flow of electricity and information, resulting in an automated and distributed energy delivery network.[73] To protect this network, the Grid Interconnect Firewall needs to be chosen and set up carefully.[74] Voltage-source-converter high-voltage direct-current (VSC-HVDC) connections from wind farm to grid are also vulnerable to cyberattacks.
One way of measuring potential vulnerabilities is by measuring the number of connections to other parts of the wind infrastructure, as well as how many people can access a hardware or software component.[75] If the component is connected to wider and/or public networks such as the Internet, then risk increases considerably.[76] Guardrails such as network segmentation to ensure that impacts are localised are required.[77]
2.2.2 Control centre
Control centres were described by one interview respondent as the ‘crown jewels’ for cyber attackers,[78] because of their numerous connections to other assets. If a wind turbine is compromised, the impact is likely localised to that turbine, but if control centres are compromised, then all connected wind farms are at high risk.[79] Crucially, turbines are largely unsupervised in person.[80] The operators supervising the control centre may also not have the requisite cybersecurity knowledge to detect or respond to a cyberattack.[81] An attack could commence at a control centre, then propagate out to the transmission system, then the infrastructure integrating the grid, then from one control centre to another control centre until the effects are felt at a regional level, then national or even cross-border level, as illustrated in Figure 3 below.[82]
Figure 3. Potential cascading effects of a cyberattack on an offshore wind system’s control centre
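The measures described in Sections 2.2.1 and 2.2.2 (connection count, number of people with access, reachability from public networks, and how far a compromise can spread) can be computed from an inventory of permitted connections. The following is an added example, not part of the original report; the topology, node names and account counts are constructed for illustration.

```python
from collections import deque

# Constructed topologies: node -> nodes it is allowed to open connections to.
FLAT = {
    "internet":          ["vendor_vpn"],
    "vendor_vpn":        ["control_centre", "farm_a_scada", "farm_b_scada"],
    "control_centre":    ["farm_a_scada", "farm_b_scada", "grid_interconnect"],
    "farm_a_scada":      ["control_centre", "a_turbine_1", "a_turbine_2"],
    "farm_b_scada":      ["control_centre", "b_turbine_1", "b_turbine_2"],
    "a_turbine_1":       ["farm_a_scada", "a_turbine_2"],
    "a_turbine_2":       ["farm_a_scada", "a_turbine_1"],
    "b_turbine_1":       ["farm_b_scada", "b_turbine_2"],
    "b_turbine_2":       ["farm_b_scada", "b_turbine_1"],
    "grid_interconnect": ["control_centre"],
}
# Segmented variant: only the control centre polls downwards, turbines and SCADA
# cannot initiate upstream connections, vendor access is scoped to one farm.
SEGMENTED = {
    "internet":          ["vendor_vpn"],
    "vendor_vpn":        ["farm_a_scada"],
    "control_centre":    ["farm_a_scada", "farm_b_scada", "grid_interconnect"],
    "farm_a_scada":      ["a_turbine_1", "a_turbine_2"],
    "farm_b_scada":      ["b_turbine_1", "b_turbine_2"],
    "a_turbine_1": [], "a_turbine_2": [], "b_turbine_1": [], "b_turbine_2": [],
    "grid_interconnect": [],
}
# Constructed counts of people/accounts able to log in to each component.
ACCOUNTS = {"vendor_vpn": 40, "control_centre": 25, "farm_a_scada": 12,
            "farm_b_scada": 12, "grid_interconnect": 6}


def reachable(topology, start):
    """Breadth-first search: every node a compromise of `start` could spread to."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in topology.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def exposure_report(topology, accounts=ACCOUNTS, untrusted="internet"):
    """Per-component exposure: distinct neighbours (either direction), accounts,
    reachability from the untrusted network, and blast radius."""
    neighbours = {node: set(targets) for node, targets in topology.items()}
    for node, targets in topology.items():
        for target in targets:
            neighbours.setdefault(target, set()).add(node)
    from_untrusted = reachable(topology, untrusted)
    report = {}
    for node in neighbours:
        if node == untrusted:
            continue
        report[node] = {
            "connections": len(neighbours[node] - {untrusted}),
            "accounts": accounts.get(node, 0),
            "internet_reachable": node in from_untrusted,
            "blast_radius": len(reachable(topology, node)),
        }
    return report


if __name__ == "__main__":
    for name, topo in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name)
        ranked = sorted(exposure_report(topo).items(),
                        key=lambda kv: -kv[1]["blast_radius"])
        for node, m in ranked:
            print(f"  {node:18} {m}")
```

In the segmented variant a turbine's blast radius drops to zero while the control centre's stays unchanged, which matches the report's description of the control centre as the component whose compromise puts all connected farms at risk.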
2.2.3 Supply chains, external partners and data management
See Section 1.3 ‘Attack vectors’ for more detail on vulnerabilities through external partners.
Interviewees gave mixed messages on how much security the Supervisory Control and Data Acquisition (SCADA) system or data acquisition and monitoring requires, since these systems are usually more bespoke and difficult to compromise.[83] Vendors were also described as having the security of SCADA systems well covered.[84] At the same time, some interviewees highlighted the importance of securing the SCADA[85] because compromise of data management throughout the offshore wind infrastructure could lead to another high-consequence impact – compromise of confidential data.[86] An uncrewed aerial vehicle could access the ICS switch near wind turbines onsite and compromise an entire network.[87] There is no requirement for active checks to secure the SCADA, a network common to OT systems, in offshore wind systems.[88]
Cloud data storage of wind platform condition-monitoring data and other third-party services could also be a point of vulnerability.[89] At the same time, the security of third-party cloud systems is usually handled by large providers that invest significantly in securing their systems, so some interviewees were less concerned.[90]
3. AI and Intelligent Automation for the Cyber Resilience of Offshore Wind
Integrating AI and intelligent automation into cybersecurity systems for offshore wind will provide an uplift to cybersecurity but will not be sufficient on their own. There are opportunities to integrate AI and automation in solutions such as IDS and IPS, as well as in hardening and predictive maintenance. However, there are also technical research gaps that need to be addressed first. The convergence of OT and IT could also create new unknown vulnerabilities, so stakeholders will need novel ways of thinking about security engineering for offshore wind. Implementing any AI-based capability in offshore wind legacy infrastructure would create considerable security engineering challenges.[91]
3.1 Anomaly-based IDS and anomaly detection
There is great potential to improve the resilience of offshore wind with automated or ML-enabled anomaly detection or anomaly-based intrusion detection and analysis systems, which are already being used in other sectors.[92] Anomaly-based IDS is one example of how signature or rule-based IDS and IPS can be improved to detect more complex, and even zero-day, threats using AI/ML.
Similar advancements can be made to popular security solutions like firewalls and anti-virus. Offshore wind systems predominantly have neither IDS nor next-generation IDS.[93] Although there are some emerging industry solutions, it is unclear how reliable these are.
While some systems flag single anomalies, there would be benefit in exploring systems that can trace traffic patterns coming through the firewall over time, to determine what is normal as opposed to anomalous traffic that moves systems to insecure modes.[94] Doing this on the scale of a wind farm or power grid would also point to the benefits of AI/ML, which rely on large datasets.
Anomaly detection on SCADA data produced by turbines is another avenue that can benefit from AI/ML. Given the natural fluctuations in wind, and the large volumes of data flowing through the system, anomaly detection and analysis may better recognise an attack as it deviates from the norm.[95]
Figure 4. Example anomaly detection system for offshore wind
Source: Steffen Dienst and Jonas Beseler (2016).[96]
In Figure 4 above, the example system applies Least Absolute Shrinkage and Selection Operator (LASSO) regression analysis to simplify variables for human operators, thereby contributing to operator interpretability of the threat picture. It then compares predictions and determines probable origins for model divergences.
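The general idea of a sparse regression model whose prediction residuals flag divergent SCADA readings can be shown in a few lines. This is an added illustration, not the system from the cited source: the SCADA history, channel names, linear power relationship, penalty value and 4-sigma alert threshold are all constructed assumptions, and LASSO is implemented here by plain coordinate descent.

```python
import random

FEATURES = ["wind_speed", "rotor_rpm", "pitch_deg", "ambient_temp", "nacelle_humidity"]


def constructed_history(n=400, seed=7):
    """Constructed 'healthy' SCADA history. By design only wind speed and rotor
    rpm drive power; the other three channels are distractors."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n):
        wind = rng.uniform(4.0, 12.0)
        rpm = 1.2 * wind + rng.gauss(0.0, 1.0)
        X.append([wind, rpm, rng.uniform(0.0, 5.0),
                  rng.uniform(2.0, 18.0), rng.uniform(60.0, 95.0)])
        y.append(150.0 * wind + 40.0 * rpm + rng.gauss(0.0, 15.0))
    return X, y


def soft_threshold(value, lam):
    """LASSO shrinkage: pull value towards 0, exactly 0 inside [-lam, lam]."""
    if value > lam:
        return value - lam
    if value < -lam:
        return value + lam
    return 0.0


def fit_lasso(X, y, lam=10.0, sweeps=300, tol=1e-6):
    """Coordinate-descent LASSO on standardised features.
    Minimises (1/2n)*||y - Zb||^2 + lam*||b||_1."""
    n, p = len(X), len(X[0])
    means = [sum(row[j] for row in X) / n for j in range(p)]
    stds = [(sum((row[j] - means[j]) ** 2 for row in X) / n) ** 0.5 for j in range(p)]
    Z = [[(row[j] - means[j]) / stds[j] for j in range(p)] for row in X]
    y_mean = sum(y) / n
    resid = [v - y_mean for v in y]           # residual with all coefficients at 0
    coef = [0.0] * p
    for _ in range(sweeps):
        biggest_move = 0.0
        for j in range(p):
            # covariance of channel j with the residual that excludes channel j
            rho = sum(Z[i][j] * (resid[i] + Z[i][j] * coef[j]) for i in range(n)) / n
            new = soft_threshold(rho, lam)    # columns have unit variance
            delta = new - coef[j]
            if delta:
                for i in range(n):
                    resid[i] -= Z[i][j] * delta
                coef[j] = new
            biggest_move = max(biggest_move, abs(delta))
        if biggest_move < tol:
            break
    sigma = (sum(r * r for r in resid) / n) ** 0.5   # spread of healthy residuals
    return {"means": means, "stds": stds, "coef": coef,
            "intercept": y_mean, "sigma": sigma}


def selected_features(model):
    """Channels LASSO kept: the short list an operator needs to look at."""
    return [name for name, c in zip(FEATURES, model["coef"]) if c != 0.0]


def predict(model, row):
    z = [(row[j] - model["means"][j]) / model["stds"][j] for j in range(len(row))]
    return model["intercept"] + sum(c * v for c, v in zip(model["coef"], z))


def check_sample(model, row, reported_power, k=4.0):
    """Return (is_anomalous, residual) for one SCADA sample."""
    residual = reported_power - predict(model, row)
    return abs(residual) > k * model["sigma"], residual


if __name__ == "__main__":
    X, y = constructed_history()
    model = fit_lasso(X, y)
    print("channels kept by LASSO:", selected_features(model))
    sensors = [8.0, 9.6, 2.0, 10.0, 80.0]     # constructed reading
    for label, power in (("consistent", 1584.0), ("reported power falsified", 900.0)):
        flag, resid = check_sample(model, sensors, power)
        print(f"{label}: residual={resid:+.1f} kW anomalous={flag}")
```

The residual threshold is learned from healthy history only, so natural wind fluctuation moves the prediction and the reading together, while a reading that is inconsistent with the other channels stands out.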
3.2 Intrusion protection systems
Going beyond passive cybersecurity actions of IDS, there is also potential in nascent AI research for more active protection tasks such as reinforcement learning (RL) for evicting, isolating and deceiving threats on the network.[97] While not necessarily AI-enabled, automated security orchestration, automation and response (SOAR) systems have been demonstrated to effectively quarantine an adversary in wind network scenarios.[98] IPS systems were discussed far less than IDS with interviewees, and it was clear there are still a number of technical challenges for a robust IPS.
3.3 Hardening and predictive maintenance systems
There is potential for AI to support human operators with recognising and predicting risks to offshore wind infrastructure and making recommendations on how to protect infrastructure.[99] Deep reinforcement learning (deep RL) could support operators with assessing vulnerabilities and dynamically reconfiguring optimal policies as threat intelligence is enhanced over time.[100]
4. Policy and Industry Challenges and Mitigative Actions
This Section focuses on challenges to the cyber resilience of offshore wind and mitigative actions that policymakers and industry could take to address them.
4.1 Cyber resilience challenges
4.1.1 Underreporting of cyberattacks on offshore wind
Interviewees stated that underreporting of cybersecurity attacks across the energy sector, including offshore wind, is creating an intelligence gap regarding the size and scale of incidents, as well as their impact.[101] Industry vendors and operators are seemingly not required to report all the details of cyberattacks because offshore wind had previously not scaled to an extent that required it.[102] Furthermore, there is a fear of the financial and reputational repercussions of reporting these cyber incidents.[103]
Another consequence of underreporting is that it creates an excuse for inaction, whereas better awareness of the scale and impacts of threats could galvanise policy and industry action and funding.[104] Introducing cybersecurity considerations in offshore wind engineering should not be seen as an unnecessary delay to construction, but as a life-, cost- and reputation-saving opportunity. Practical and evidence-based cybersecurity solutions are required.
There are a number of threat intelligence platforms that could be better leveraged by the wind industry such as: NCSC Early Warning;[105] Connect Inform Share Protect (CISP);[106] and the open-source Malware Information Sharing Platform (MISP).[107] Similarly, the European Union has established sector-specific Information Sharing and Analysis Centers (ISACs).[108] ISACs set up regular public-private meetings, allow participation free of charge, and facilitate sharing of good practice and knowledge on major disruptions. Despite commercial sensitivities of sharing information with competitors and regulators, industry participants contribute information because of the potential cost savings of enhanced resilience and the quality and value of the information shared. Members themselves will need to identify an acceptable methodology for sharing information anonymously and protecting these processes,[109] but could explore options that enable information sharing with NCSC or trusted third parties who then share the information with members without attribution.
4.1.2 Supply chain cybersecurity
While manufacturers have more control over security engineering practices, operators hold the risks and are held publicly accountable for the impacts of cyberattacks.[110] This also means that operators incur additional costs when they receive equipment with vulnerabilities, that is, when components from third-party suppliers do not meet cybersecurity requirements.[111] Limited supply chain stocks could then lead to delays in construction or more expensive component parts.
In the US, the National Institute of Standards and Technology (NIST) issued guidance to require a software bill of materials (SBOM), which is, “a formal record containing the details and supply chain relationships of various components used in building software.”[112] This could be applied to offshore wind.
Figure 5. Illustrative example of how an SBOM may be assembled
Source: NIST.[113]
An SBOM itemises components and helps inform decisions about how to continuously monitor and secure software applications within an offshore wind system.
Although not focused on wind energy, policy on securing energy supply chains is steadily evolving. To help energy asset operators select products that meet cybersecurity standards, the US launched a ‘US Cyber Trust Mark’ programme awarded to vendors who invest in security innovation.[114]
See Section 1.3 ‘Attack vectors’ and Section 2.2.3 ‘Supply chains, external partners and data management’ for more details on the supply chain security challenges related to external actors.
4.1.3 Enforcing and incentivising cybersecurity standards compliance
While there are high-level standards that cover offshore wind, there is a gap in the detail between high-level standards and industry compliance policies specifically for offshore wind.[115] These standards include Europe’s Network and Information Systems (NIS) Directive, NIS Regulations (NIS-R),[116] as well as ISA/IEC 62443 addressing cybersecurity of operational technology in automation and control systems.[117] Some standards like NIS-R were developed for the traditional energy sector and are not tailored to offshore wind.[118] While the NCSC’s Cyber Assessment Framework provides helpful guidance on good practice, interviewees highlighted ambiguity and uneven implementation across offshore wind operators and manufacturers.[119]
The quote above highlights the disconnect between standards and practical implementation in companies operating wind farms. In the future, this challenge may be exacerbated if standards remain static and do not acknowledge the cross-border nature of the threats.[120]
To help demonstrate cyber standards compliance in Australia, the Australian Energy Sector Cyber Security Framework (AESCSF) gives energy companies a limited timeframe to demonstrate how they comply with the critical infrastructure risk management program (CIRMP).[121] This helps government assess cybersecurity maturity across Australia’s energy sector. In the US, standards are enforceable and backed by penalties and fines, but not in the UK.[122] The North American Electric Reliability Corporation (NERC) can determine and levy $1,000,000 per day per violation if a Reliability Standard Requirement is not met.[123] Companies that have received penalties for lack of compliance are listed on the NERC website.
4.1.4 Offshore wind cybersecurity workforce gap
Like other sectors, the offshore wind sector lacks dedicated personnel to deal with cybersecurity issues and relies on external cybersecurity service providers.[124] Even for cybersecurity service providers, cybersecurity and offshore wind OT expertise are currently siloed from one another, so IT and cybersecurity experts do not understand the hardware equipment in wind farms.[125] Specialised expertise on the intersection between software and hardware is required by operators, and the range of stakeholders in offshore wind also require specific cybersecurity roles and responsibilities.[126]
4.1.5 R&D in AI-enabled intrusion and malware detection
AI-enabled detection includes both intrusion detection and malware detection. Since the integration of AI-enabled cybersecurity systems is nascent and the industry is inexperienced in implementing AI for the security of offshore wind, there is still much research to be done.
Defensive AI strategies for Industrial Control Systems (ICS) are notably lacking. Offensive AI, on the other hand, exhibits significant potency in reconnaissance, malware generation and initial access. ICS operate on intricate and less common protocols, often not covered in traditional university education. Conversely, AI holds a distinct advantage due to its access to extensive information sources. Reconnaissance, which typically consumes most of ethical hackers’ and pentesters’ time, can be accomplished by AI faster than human teams. The primary drawback of AI lies in its inability to replicate the creative ingenuity possessed by top-tier human teams. Nonetheless, the evolution of ML capabilities suggests that AI may eventually outstrip human teams in effectiveness. Even as the threat from offensive AI is high, these same capabilities can be leveraged by pentesters in the race to outpace the adversaries.
Some of the technical research gaps that emerged from this study include:
- Security engineering implications of overlaying several conflicting algorithms. While there is individual research on intrusion detection or anomaly detection for energy systems more broadly, there is no research on the consequences of multi-layered algorithms integrated in offshore wind.[127] These algorithms may contradict and counteract each other. For example, AI algorithms are employed to determine when wind turbines should be shut down (e.g. to protect against adverse weather). However, wind farms serve the grid. As wind energy forms an increasing proportion of the energy mix, measures to preserve grid stability are more important than ever. If wind farm infrastructure shuts down, to cover the shortfall, the potential impact to the national grid could be higher carbon emissions and consumer costs.[128] A scenario like this exemplifies the complexity of multi-layered algorithms that may trade off higher priorities. Protecting wind turbines cannot be considered in isolation; the priority lies in generation and distribution. It is necessary to envelop management processes around these considerations. While AI can offer advice and support, it is not yet capable of complete autonomy.
  Offshore wind security engineering will likely require re-conceptualisation in the context of AI more broadly. As wind infrastructure is composed of multiple, interconnected systems, algorithms must take a comprehensive approach, considering the system as a whole.
- Data and model poisoning. Operator data could be injected with false information to confuse IDS.[129] These poisoning attacks seek to compromise the intrusion detection model and undermine its protective capacity by integrating tainted traffic data into the ML database. Cyber attackers could also implant vulnerabilities and backdoors early in the development of the wind farm, which could last decades.[130] Research on how to secure systems from these threats in the particular context of offshore wind is essential.
At present, industrial security solutions are said to be poor and wind companies reportedly pursue the most cost-effective solution over medium or higher tier solutions.[131]
4.1.6 Public-private and cross-border coordination
There is a lack of inter-industry, public-private and cross-border coordination on threat intelligence and security response.[132] Industry stakeholders lack a direct path to communicate concerns to government stakeholders and there is no formalised structure to coordinate between wind companies.[133] Residential stakeholders are also often left out of discussions on cybersecurity,[134] despite the fact that they are likely to suffer the effects of a cyberattack the most. Where wind farms are in international waters and shared with bordering countries, there is currently no dialogue on what a security response should look like.[135]
Anecdotally, security officers may invite another officer in another company for bilateral security discussions, but without incentives to cooperate, companies mainly have a competitive relationship.[136] Security engineering good practice could be shared between wind energy companies and other energy platform companies by distributing common reference architecture and threat intelligence sharing.[137]
On the government side, part of the challenge is securing long-term 20-30-year funding to resource coordination across different stakeholders.[138] Instead, national and local government stakeholders describe that funding is constantly on a ‘cliff edge’ in line with changes in government.[139]
More strategic coordination would accelerate resilience. The US Department of Energy (DoE)’s Wind Energy Technologies Office (WETO) developed a Roadmap for Wind Cybersecurity, which seeks to raise wind companies’ awareness of cyber threats, facilitate sharing of good practice, and identify research gaps among others.[140] The US DoE’s Office of Cybersecurity, Energy, Security and Emergency Response (CESER) also initiates collaborations with energy companies and US national laboratories to test advanced analytic capabilities and critical operational components for points of weakness.[141] Similar types of collaborations could test novel IDS, IPS or hardening solutions for offshore wind. Trilateral initiatives like the EU-Japan-US exercises for industrial control systems cybersecurity[142] could conceivably also be applied to offshore wind cybersecurity exercises across the UK and bordering countries that also have offshore wind infrastructure.
4.1.7 Slow response and recovery
After the attack on ViaSat’s satellite communications systems, it took Enercon months to recover. While many of the technical solutions including the AI-based IDS, IPS and hardening systems described in Section 3 could reinforce cybersecurity, the true measure of cyber resilience is the speed of recovery.[143] However, not all vendors and operators have established cybersecurity emergency and maintenance plans.[144] Given the volume of cyberattacks, it is certain that some of these attacks will be successful, but the key to cyber resilience is ensuring that impacts on sustained power generation are minimised to the degree possible through redundancy, and that recovery is rapid.[145]
4.1.8 Resilience-based engineering tailored to offshore wind
Security engineering for offshore wind lacks systems-level analysis of redundancy to prevent power outages in the case of cyberattacks.[146] Some redundancy is usually already part of the basic design – for example, there are usually two communication channels, two transformers, and a backup engineering server onshore and offshore.[147] However, the problem is not one wind turbine platform losing power, but a portion of a wind fleet being out of service. A cyberattack on a single turbine will not significantly impact power generation but cyberattacks on multiple turbines or an entire wind farm, or the integration between wind farm and the power grid, may result in cascading damage. More holistic, resilience-based engineering practices at the fundamental conceptualisation stage of the wind farm are needed.
Figure 6. Current state of security engineering for energy systems versus desired future state of resilience engineering
Source: Federal Government of the United States.[148]
More heterogeneity in clusters of turbines within a wind farm could enhance redundancy.[149] Engineering practices for offshore wind should also explore appropriate network segmentation[150] and isolating core elements of the system from the network. For example, in ships, the rudder, propulsion and stabilisation are the core elements, and accepting less functionality in exchange for making these systems difficult to hack could enhance resilience.[151] Updating and maintaining network segmentation as the mixture of legacy and new offshore wind systems evolves is important. Design choices that move systems to a safe standby mode when communications with the control centre fail would also be beneficial.
The US DoE’s WETO commissions research to characterise cybersecurity threats, identify hypothetical attack scenarios and determine cost-benefit trade-offs for technical solutions.[152] WETO also supports R&D activities to increase the effectiveness of identifying, protecting, detecting, responding to and recovering from cybersecurity attacks.[153] Government R&D support can also come in the form of establishing research centres with test beds and digital twins[154] to simulate cybersecurity attacks on offshore wind like the German Energy Lab 2.0 by the Karlsruhe Institute of Technology (KIT)[155] or the UK Cyber-Resilience of Offshore Wind Networks (CROWN) project.
The Cyber-Resilience of Offshore Wind Networks (CROWN) project
The CROWN project is a £650,000 initiative led by researchers from the University of Plymouth in cooperation with the Offshore Renewable Energy (ORE) Catapult and Expleo Engineering UK Limited.[156] The project is exploring cybersecurity vulnerabilities in offshore wind software and hardware and will use this baseline to develop security and resilience protocols.[157]
The US DoE’s Cybersecurity, Energy, Security and Emergency Response (CESER)-led Securing Energy Infrastructure Executive Task Force (SEI ETF) developed a Cyber-Informed Engineering Strategy for the energy sector.[158] The strategy is not specified for wind energy but may yield promising practice and includes example hypothetical scenarios and design engineering choices to illustrate how resilience-based engineering could work in practice in energy systems.
4.2 Summary of challenges and mitigative actions
Table 6 presents a high-level overview of these challenges and mitigative actions suggested by interviewees and the core study team.
Table 6. Summary of challenges and mitigative actions related to enhancing the cyber resilience of offshore wind
NIST Cybersecurity Framework component | Challenge | Mitigative action: industry action | Mitigative action: policy action |
Identify | Underreporting of cyberattacks on offshore wind | Contribute anonymised offshore wind cybersecurity threat intelligence and good practice to the NCSC Connect Inform Share Protect (CISP) platform and the NCSC Early Warning and open-source Malware Information Sharing Platforms (MISP). | Coordinate public-private roundtables to discuss and document sector-wide cybersecurity trends, good practice and lessons learned based on intelligence gathered through anonymised CISP and MISP data without penalties on vendors. |
Protect | Enforcing and incentivising standards compliance | Develop an organisational assessment of cybersecurity risks and structures for safeguard implementation. Explore applications of AI and ML to automate and streamline standards compliance processes. | Develop or adapt existing standards (e.g. IEC 62443 4-2) to plug gaps for automation and industrial control systems, covering offshore wind among other sectors. Establish an offshore wind standards certification process across the supply chain. |
Protect | Supply chain cybersecurity | Batch test sub-systems and components. Impose SBOM requirement on suppliers, to inventory offshore wind components and ensure that cybersecurity requirements for each component are met. Dedicate budget for cybersecurity, including maintenance costs. | Cyber labelling components and products that meet cybersecurity standards (e.g. US Cyber Trust Mark). |
Protect | Offshore wind cybersecurity workforce gap | Train and develop specialist personnel in cybersecurity who understand OT and IT for wind energy. Define cybersecurity roles and responsibilities across the entire supply chain to promote security culture. | Incentivise academia to set up skills development programmes or fund PhD grants in cybersecurity for wind energy and resilience-based engineering. |
Detect/analyse | AI-enabled intrusion and anomaly detection, protection and hardening systems | Introduce specialist training for AI-enabled intrusion and anomaly detection, protection and hardening systems. Evaluate the cost-benefit ratio of IDS and IPS. | Commission public-private research to test AI-enabled IDS/IPS that are context-aware and able to cover a wide attack surface. |
Respond | Public-private and cross-border cybersecurity coordination | Participate in inter-industry strategic discussions on security response. Develop and share a common reference architecture to protect offshore wind energy systems. | Convene industry groups and relevant international public and private wind energy partners to set security response protocols. Develop a comprehensive research and coordination plan for enhancing the cyber resilience of offshore wind. Launch cybersecurity exercises with bordering countries. |
Respond | Slow response and recovery | Develop cybersecurity emergency response plans based on existing attack scenarios through table-top exercises, and ask OT risk managers to continuously assess wind platform components against the risks in those scenarios. | Establish cross-border security dialogues and response plans, share good practice and set up emergency response simulations. |
Recover/Manage | Resilience-based engineering tailored to offshore wind | Set up digital twins to model cyber threats and to inform resilience-based engineering practices. | Set requirements for offshore wind development projects to incorporate resilience-based engineering and best practice. |
Conclusions
The UK’s ambition to accelerate towards Net Zero is making progress, but as this research has shown, there are still several security gaps throughout the offshore wind system that need to be closed. There is an opportunity to make the most of novel developments in AI and intelligent automation, as well as lessons learnt from energy policy and industry initiatives internationally to develop more resilient UK offshore wind systems in the future.
There is also a need to think beyond cybersecurity considerations when thinking about the resilience of the entire system, which is about continued or rapid recovery of power generation rather than elimination of cybersecurity threats.
Most mitigative actions are best led by industry, but policymakers have many opportunities to support by developing new or adapting existing regulation, convening stakeholders and incentivising research on technical solutions and offshore wind resilience.
The authors’ review of the cybersecurity threats and vulnerabilities shows that introducing AI and intelligent automation alone would not be sufficient to develop more resilient offshore wind systems. Emerging AI-enabled cybersecurity tools are as yet untested for cyber-physical systems and could create new vulnerabilities, so further research is required to test these systems in operational environments. Nonetheless, as other sectors have shown, there is great potential to enhance the cyber resilience of offshore wind through AI and intelligent automation enabled tools.
To realise envisaged benefits, nascent AI research needs to scale considerably and resilience-based engineering for offshore wind will need radical re-conceptualisation. A systems-level perspective on offshore wind resilience is needed and evidence-based solutions must be reflected in the UK’s strategic choices.
References
[1] HM Government, Offshore Wind Net Zero Investment Roadmap (Department for Energy Security and Net Zero: 2023), 2, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1167856/offshore-wind-investment-roadmap.pdf.
[2] “Harnessing offshore wind,” UKRI, last modified 8 February 2024, https://www.ukri.org/news-and-events/responding-to-climate-change/topical-stories/harnessing-offshore-wind/.
[3] Gavin Maguire, “Wind overtakes fossil fuels for UK electricity generation,” Reuters, 23 April 2024, https://www.reuters.com/business/energy/wind-overtakes-fossil-fuels-uk-electricity-generation-maguire-2024-04-23/.
[4] Megan Egan, A Retrospective on 2022 Cyber Incidents in the Wind Energy Sector and Building Future Cyber Resilience (Boise State University: December 2022), https://scholarworks.boisestate.edu/cgi/viewcontent.cgi?article=1002&context=cyber_gradproj; Catherine Stupp, “European Wind-Energy Sector Hit in Wave of Attacks,” WSJ Pro Cybersecurity, 25 April 2022, https://www.wsj.com/articles/european-wind-energy-sector-hit-in-wave-of-hacks-11650879000.
[5] “Vestas Data ‘Compromised’ by Cyber Attack,” Reuters, 23 November 2021, https://www.reuters.com/markets/europe/vestas-data-compromised-by-cyber-attack-2021-11-22/.
[6] Megan Egan, A Retrospective on 2022 Cyber Incidents in the Wind Energy Sector and Building Future Cyber Resilience (Boise State University: December 2022), https://scholarworks.boisestate.edu/cgi/viewcontent.cgi?article=1002&context=cyber_gradproj.
[7] Author interview (4) with academic participant, 16 November 2023.
[8] Charlotte Wilkinson, “Stepping Up Cybersecurity in Offshore Wind: How to Protect Against an Unseen Enemy,” ORE Catapult Blog, 28 April 2020, https://ore.catapult.org.uk/blog/cybersecurity-in-offshore-wind/.
[9] “Companies pay £10.5 million over 9 August power cut,” Ofgem, press release, 3 January 2020, https://www.ofgem.gov.uk/press-release/companies-pay-ps105-million-over-9-august-power-cut.
[10] Ali Swenson and Arijeta Lajka, “Texas blackouts fuel false claims about renewable energy,” AP News, 18 February 2021, https://apnews.com/article/false-claims-texas-blackout-wind-turbine-f9e24976e9723021bec21f9a68afe927.
[11] Author interview with industry participant, 10 November 2023; Author interview with academic participant, 22 November 2023; Author interview with industry participant, 4 December 2023; Author interview (2) with academic participant, 29 November 2023.
[12] Megan Egan, A Retrospective on 2022 Cyber Incidents in the Wind Energy Sector and Building Future Cyber Resilience (Boise State University: December 2022), https://scholarworks.boisestate.edu/cgi/viewcontent.cgi?article=1002&context=cyber_gradproj; Sanjana Vijayshankar et al., “Assessing the Impact of Cybersecurity Attacks on Energy Systems,” Applied Energy 345 (September 2023): 121297; Federal Government of the United States, Roadmap for Wind Cybersecurity (US Department of Energy Office of Energy Efficiency and Renewable Energy: 2020), 15, https://www.energy.gov/sites/prod/files/2020/07/f76/wind-energy-cybersecurity-roadmap-2020v2.pdf.
[13] Author interview with industry participant, 4 December 2023; Author interview with industry participant, 16 February 2024.
[14] Nina Chestney, Christoph Steitz and Nora Buli, “Cyberattacks On Renewables: Europe Power Sector’s Dread in Chaos of War,” The Japan Times, 16 June 2023, https://www.japantimes.co.jp/news/2023/06/16/world/cyberattacks-renewables-europe-war-chaos/.
[15] Author interview with industry participant, 4 December 2023.
[16] Author interview with academic participant, 24 November 2023; Author interview with academic (2) participant, 11 December 2023.
[17] Centre for Cyber Security, The cyber threat against the Danish energy sector (Centre for Cyber Security: February 2023), https://www.cfcs.dk/globalassets/cfcs/dokumenter/trusselsvurderinger/en/-cyber-threat-against-the-danish-energy-sector.pdf.
[18] Jessica Casey, “Cyberattacks on Offshore Wind Could Derail UK’s Net Zero Agenda,” Energy Global, last modified 31 March 2023, https://www.energyglobal.com/special-reports/31032023/cyber-attacks-on-offshore-wind-could-derail-uks-net-zero-agenda/; “Vestas Data ‘Compromised’ by Cyber Attack,” Reuters, 23 November 2021, https://www.reuters.com/markets/europe/vestas-data-compromised-by-cyber-attack-2021-11-22/.
[19] “Third Update on Cyber Incident,” Vestas, last modified 6 December 2021, https://www.vestas.com/en/media/company-news/2021/third-update-on-cyber-incident-c3466518; Eduard Kovacs, “Ransomware Operators Leak Data Stolen from Wind Turbine Giant Vestas,” SecurityWeek, 9 December 2021, https://www.securityweek.com/ransomware-operators-leak-data-stolen-wind-turbine-giant-vestas/.
[20] Freja Celine Eriksen, “Hackers Extort Vestas Customers Using Stolen Data,” Energy Watch, 14 February 2022, https://energywatch.com/EnergyNews/Renewables/article13734618.ece; Jessica Casey, “Cyberattacks on Offshore Wind Could Derail UK’s Net Zero Agenda,” Energy Global, 31 March 2023, https://www.energyglobal.com/special-reports/31032023/cyber-attacks-on-offshore-wind-could-derail-uks-net-zero-agenda/.
[21] “Vestas Data ‘Compromised’ by Cyber Attack,” Reuters, 23 November 2021, https://www.reuters.com/markets/europe/vestas-data-compromised-by-cyber-attack-2021-11-22/.
[22] Sarah G. Freeman et al., Attack Surface of Wind Energy Technologies in the United States (US Department of Energy Office of Scientific and Technical Information: January 2024), https://www.osti.gov/biblio/2297403.
[23] Nathan Farrar and Mohd Hasan Ali, “Cyber-Resilient Converter Control System for Doubly Fed Induction Generator-Based Wind Turbine Generators,” Electronics 13, no.3 (January 2024): 492, https://www.mdpi.com/2079-9292/13/3/492.
[24] Megan Egan, A Retrospective on 2022 Cyber Incidents in the Wind Energy Sector and Building Future Cyber Resilience (Boise State University: December 2022), https://scholarworks.boisestate.edu/cgi/viewcontent.cgi?article=1002&context=cyber_gradproj; Sarah G. Freeman et al., Attack Surface of Wind Energy Technologies in the United States (US Department of Energy Office of Scientific and Technical Information: January 2024), https://www.osti.gov/biblio/2297403.
[25] Megan Egan, A Retrospective on 2022 Cyber Incidents in the Wind Energy Sector and Building Future Cyber Resilience (Boise State University: December 2022), https://scholarworks.boisestate.edu/cgi/viewcontent.cgi?article=1002&context=cyber_gradproj; Catherine Stupp, “European Wind-Energy Sector Hit in Wave of Attacks,” WSJ Pro Cybersecurity, 25 April 2022, https://www.wsj.com/articles/european-wind-energy-sector-hit-in-wave-of-hacks-11650879000.
[26] Sarah G. Freeman et al., Attack Surface of Wind Energy Technologies in the United States (US Department of Energy Office of Scientific and Technical Information: January 2024), https://www.osti.gov/biblio/2297403.
[27] National Cyber Security Centre, “Russia behind cyber attack with Europe-wide impact an hour before Ukraine invasion,” NCSC News, 10 May 2022, https://www.ncsc.gov.uk/news/russia-behind-cyber-attack-with-europe-wide-impact-hour-before-ukraine-invasion.
[28] “Case study: Viasat,” Cyber Peace Institute, https://cyberconflicts.cyberpeaceinstitute.org/law-and-policy/cases/viasat.
[29] Megan Egan, A Retrospective on 2022 Cyber Incidents in the Wind Energy Sector and Building Future Cyber Resilience (Boise State University: December 2022); Nicolò Boschetti, Nathaniel Gordon and Gregory Falco, “Space Cybersecurity Lessons Learned from The ViaSat Cyberattack,” in AIAA Ascend 2022 (Las Vegas: AIAA, 2022), https://www.researchgate.net/publication/363558808_Space_Cybersecurity_Lessons_Learned_from_The_ViaSat_Cyberattack; European Space Policy Institute, The War in Ukraine from a Space Cybersecurity Perspective (ESPI: October 2022), 6, https://www.espi.or.at/wp-content/uploads/2022/10/ESPI-Short-1-Final-Report.pdf.
[30] Megan Egan, A Retrospective on 2022 Cyber Incidents in the Wind Energy Sector and Building Future Cyber Resilience (Boise State University: December 2022), https://scholarworks.boisestate.edu/cgi/viewcontent.cgi?article=1002&context=cyber_gradproj; Sanjana Vijayshankar et al., “Assessing the Impact of Cybersecurity Attacks on Energy Systems,” Applied Energy 345 (September 2023).
[31] Megan Egan, A Retrospective on 2022 Cyber Incidents in the Wind Energy Sector and Building Future Cyber Resilience (Boise State University: December 2022), https://scholarworks.boisestate.edu/cgi/viewcontent.cgi?article=1002&context=cyber_gradproj.
[32] National Cyber Security Centre, “Russia behind cyber attack with Europe-wide impact an hour before Ukraine invasion,” NCSC News, 10 May 2022, https://www.ncsc.gov.uk/news/russia-behind-cyber-attack-with-europe-wide-impact-hour-before-ukraine-invasion.
[33] Author interview with academic participant, 9 November 2023; Author interview with industry participant, 10 November 2023; Author interview with government participant, 13 November 2023; National Cyber Security Centre, “Heightened threat of state-aligned groups against western critical national infrastructure,” NCSC News, last updated 1 May 2024, https://www.ncsc.gov.uk/news/heightened-threat-of-state-aligned-groups.
[34] Ciara Nugent, “Why Greta Thunberg and Other Climate Activists Are Protesting Wind Farms in Norway,” Time, 28 February 2023, https://time.com/6259144/greta-thunberg-norway-protests-climate-activists/.
[35] Evi Elisa Ambarita et al., “On Cyber-Attacks Against Wind Farms,” in IECON 2023: Proceedings of the 49th Annual Conference of the IEEE Industrial Electronics Society (Singapore: IEEE Industrial Electronics Society, 2023).
[36] Ibid.
[37] Charlotte Wilkinson, “Stepping Up Cybersecurity in Offshore Wind: How to Protect Against an Unseen Enemy,” ORE Catapult Blog, 28 April 2020, https://ore.catapult.org.uk/blog/cybersecurity-in-offshore-wind/.
[38] Jeremy Wagstaff, “All at sea: global shipping fleet exposed to hacking threat,” Reuters, 24 April 2014, https://www.reuters.com/article/idUSBREA3M208/.
[39] Evi Elisa Ambarita et al., “On Cyber-Attacks Against Wind Farms,” in IECON 2023: Proceedings of the 49th Annual Conference of the IEEE Industrial Electronics Society (Singapore: IEEE Industrial Electronics Society, 2023), 1.
[40] Evi Elisa Ambarita et al., “On Cyber-Attacks Against Wind Farms,” in IECON 2023: Proceedings of the 49th Annual Conference of the IEEE Industrial Electronics Society (Singapore: IEEE Industrial Electronics Society, 2023), 2; The Cyber Threat Against the Danish Energy Sector (Centre for Cyber Security: February 2023), https://www.cfcs.dk/globalassets/cfcs/dokumenter/trusselsvurderinger/en/-cyber-threat-against-the-danish-energy-sector.pdf.
[41] Author interview with industry participant, 21 March 2024; Author interview with government participant, 13 November 2023; Author interview with academic participant, 24 November 2023; Author interview with industry participant, 16 February 2024; Author interview with standards body participant, 8 March 2024; Author interview with industry participant, 8 March 2024; Author interview with industry (2) participant, 15 December 2023; Megan Egan, A Retrospective on 2022 Cyber Incidents in the Wind Energy Sector and Building Future Cyber Resilience (Boise State University: December 2022), https://scholarworks.boisestate.edu/cgi/viewcontent.cgi?article=1002&context=cyber_gradproj.
[42] Author interview with (4) academic participant, 16 November 2023; Author interview with industry participant, 9 February 2024; Author interview (2) with industry participant, 15 December 2023; Sarah G. Freeman et al., Attack Surface of Wind Energy Technologies in the United States (US Department of Energy Office of Scientific and Technical Information: January 2024), https://www.osti.gov/biblio/2297403.
[43] Marie Baezner and Patrice Robin, “Stuxnet,” CSS Cyberdefense Hotspot Analyses 4 (October 2017), https://www.research-collection.ethz.ch/handle/20.500.11850/200661, 4.
[44] Author interview with academic participant, 9 November 2023; Mary Ann Hoppa, “Understanding Cybersecurity Risks in Offshore Wind Farms,” in Proceedings of Association of Computer Science Departments at Minority Institutions Conference (ADMI ’23) (Virginia Beach: ACM, 2023), 1-5.
[45] Author interview with academic participant, 9 November 2023; Author interview with (4) academic participant, 16 November 2023; Author interview with industry participant, 23 November 2023; Author interview with (2) academic participant, 11 December 2023.
[46] Author interview with academic participant, 9 November 2023.
[47] Author interview with industry (2) participant, 15 December 2023.
[48] Jennifer Mielniczek et al., “Cyber-Physical Security and Resilience for Offshore Wind,” in MARESEC 2021: Proceedings of the first European Workshop on Maritime Systems Resilience and Security (Bremerhaven: MARESEC, 2021), https://zenodo.org/records/5603368, 1-6.
[49] Author interview with government participant, 13 December 2023.
[50] Author interview with academic participant, 22 January 2023.
[51] Author interview with industry participant, 9 February 2024; Author interview with industry participant, 9 February 2024; Sarah G. Freeman et al., Attack Surface of Wind Energy Technologies in the United States (US Department of Energy Office of Scientific and Technical Information: January 2024), https://www.osti.gov/biblio/2297403.
[52] Author interview with industry participant, 10 November 2023; Author interview with (4) academic participant, 16 November 2023; Author interview with academic participant, 4 December 2023; Mary Ann Hoppa, “Understanding Cybersecurity Risks in Offshore Wind Farms,” in Proceedings of Association of Computer Science Departments at Minority Institutions Conference (ADMI ’23) (Virginia Beach: ACM, 2023), 1-5.
[53] “Offshore Wind Farms Are Vulnerable to Cyberattacks,” ScienceDaily, 24 January 2024, https://www.sciencedaily.com/releases/2024/01/240124132757.htm; Sarah G. Freeman et al., Attack Surface of Wind Energy Technologies in the United States (US Department of Energy Office of Scientific and Technical Information: January 2024), https://www.osti.gov/biblio/2297403.
[54] An air gap is a security measure where the network is isolated from unsecured networks.
[55] Author interview with government participant, 13 November 2023; Author interview with (4) academic participant, 16 November 2023; Author interview with academic participant, 23 November 2023; Author interview with academic participant, 24 November 2023; Author interview (2) with industry participant, 15 December 2023.
[56] Author interview with academic participant, 4 December 2023.
[57] Author interview with academic participant, 4 December 2023.
[58] “Infrastructure cybersecurity: the US electric grid,” Senate RPC, 16 July 2021, https://www.rpc.senate.gov/policy-papers/infrastructure-cybersecurity-the-us-electric-grid.
[59] Author interview with academic participant, 4 December 2023.
[60] Author interview with academic participant, 23 November 2023; Author interview with industry participant, 9 February 2024; Wolf K. Freudenberg, “Why windfarms need to step up cyber security,” DNV, last modified 7 January 2019, https://www.dnv.com.au/article/why-windfarms-need-to-step-up-cyber-security-128082.
[61] Author interview with academic participant, 22 November 2023; P11; Author interview (2) with academic participant, 11 December 2023; Wolf K. Freudenberg, “Why windfarms need to step up cyber security,” DNV, last modified 7 January 2019, https://www.dnv.com.au/article/why-windfarms-need-to-step-up-cyber-security-128082.
[62] Author interview with industry participant, 12 March 2024.
[63] Author interview with industry participant, 21 March 2024.
[64] Author interview with industry participant, 21 March 2024.
[65] Author interview with academic participant, 22 November 2023.
[66] Author interview with (4) academic participant, 16 November 2023; Author interview with industry participant, 21 March 2024.
[67] Author interview with industry participant, 21 March 2024; Author interview with government participant, 13 November 2023.
[68] Author interview with (4) academic participant, 16 November 2023; Author interview with industry participant, 10 November 2023; Author interview with government participant, 13 November 2023; Author interview with academic participant, 24 November 2023; Author interview with industry participant, 12 March 2024.
[69] Author interview with academic participant, 16 November 2023; Author interview with (4) academic participant, 16 November 2023; Author interview with academic participant, 23 November 2023; Author interview with government participant, 13 November 2023; Author interview with industry participant, 12 March 2024; Author interview with industry participant, 9 February 2024; Author interview with industry participant, 9 February 2024.
[70] Mary Ann Hoppa, “Understanding Cybersecurity Risks in Offshore Wind Farms,” in Proceedings of Association of Computer Science Departments at Minority Institutions Conference (ADMI ’23) (Virginia Beach: ACM, 2023), 1-5.
[71] Author interview with industry participant, 12 March 2024.
[72] Federal Government of the United States, Roadmap for Wind Cybersecurity (US Department of Energy Office of Energy Efficiency and Renewable Energy: 2020), 15, https://www.energy.gov/sites/prod/files/2020/07/f76/wind-energy-cybersecurity-roadmap-2020v2.pdf, adapted by CETaS.
[73] F. Richard Yu et al., “Communication Systems for Grid Integration of Renewable Energy Resources,” arXiv (July 2011), https://arxiv.org/abs/1107.3313.
[74] Author interview with government participant, 13 November 2023.
[75] Author interview with (4) academic participant, 16 November 2023.
[76] Author interview with (4) academic participant, 16 November 2023.
[77] Author interview with academic participant, 24 November 2023.
[78] Author interview with academic participant, 23 November 2023; Alexander Gabriel, Babette Tecklenburg and Frank Sill Torres, “Threat and Risk Scenarios for Offshore Wind Farms and An Approach to Their Assessment,” in 19th International Conference on Information Systems for Crisis Response and Management (Tarbes: ISCRAM, 2022), 162-173.
[79] Author interview with industry participant, 9 February 2024.
[80] Author interview with industry participant, 16 February 2024.
[81] Author interview with industry participant, 16 February 2024.
[82] Author interview with industry participant, 12 March 2024.
[83] Author interview with academic participant, 23 November 2023; Evgeni Sabev et al., “Analysis of Practical Cyberattack Scenarios for Wind Farm SCADA Systems,” in 2021 International Conference Automatics and Informatics (Varna: ICAI, 2021), 420-424.
[84] Author interview with industry participant, 16 February 2024.
[85] Author interview with industry participant, 9 February 2024; Author interview with academic participant, 22 November 2023; Author interview with industry participant, 9 February 2024.
[86] Author interview with academic participant, 23 November 2023.
[87] Author interview with industry participant, 21 March 2024.
[88] Author interview with industry participant, 9 February 2024.
[89] Author interview with academic participant, 4 December 2023.
[90] Author interview with industry participant, 21 March 2024.
[91] Author interview (2) with industry participant, 15 December 2023; Author interview with academic participant, 4 December 2023; Author interview with (4) academic participant, 16 November 2023; Author interview with academic participant, 24 November 2023.
[92] Author interview with academic participant, 16 November 2023; Author interview (2) with academic participant, 11 December 2023; Author interview (2) with industry participant, 15 December 2023; Author interview with academic participant, 22 November 2023; Author interview with academic participant, 4 December 2023; Author interview with (4) academic participant, 16 November 2023; Author interview with academic participant, 24 November 2023; Federal Government of the United States, Roadmap for Wind Cybersecurity (US Department of Energy Office of Energy Efficiency and Renewable Energy: 2020), 15, https://www.energy.gov/sites/prod/files/2020/07/f76/wind-energy-cybersecurity-roadmap-2020v2.pdf; Hamed Badihi et al., “Smart Cyber-Attack Diagnosis and Mitigation in a Wind Farm Network Operator,” IEEE Transactions on Industrial Informatics 99, no. 9 (September 2023): 9468-9478; Simon M. Smith et al., “Anomaly Detection in Offshore Wind Turbine Structures Using Hierarchical Bayesian Modelling,” arXiv (February 2024), https://arxiv.org/abs/2402.19295; V. Siva Brahmaiah Rama, Sung-Ho Hur and Jung-Min Yang, “Predictive Maintenance and Anomaly Detection of Wind Turbines Based on Bladed Simulator Models,” IFAC-PapersOnLine 56, no. 2 (2023): 4633; Steffen Dienst and Jonas Beseler, “Automatic Anomaly Detection in Offshore Wind SCADA Data,” in Proceedings of the Wind Europe Summit 2016 (Hamburg: University of Leipzig, 2016), 1-6.
[93] Author interview with industry participant, 21 March 2024.
[94] Author interview with government participant, 13 November 2023.
[95] Author interview with government participant, 13 November 2023.
[96] Steffen Dienst and Jonas Beseler, “Automatic Anomaly Detection in Offshore Wind SCADA Data,” in Proceedings of the Wind Europe Summit 2016 (Hamburg: University of Leipzig, 2016), 1-6.
[97] Author interview with academic participant, 24 November 2023; Author interview with industry participant, 21 March 2024; Author interview with (4) academic participant, 16 November 2023; Andrew Lohn et al., “Autonomous Cyber Defence: A Roadmap from Lab to Ops,” CETaS Research Reports (June 2023), https://cetas.turing.ac.uk/publications/autonomous-cyber-defence.
[98] Michael McCarty et al., “Cybersecurity Resilience Demonstration for Wind Energy Sites in Co-Simulation Environment,” IEEE Access 11 (2023), 15297-15313.
[99] Author interview with academic participant, 22 November 2023; Author interview with (4) academic participant, 16 November 2023; Jay Johnson, E10 – Hardening Wind Energy Systems from Cyber Threats – 2021 Project Peer Review (U.S. Department of Energy, Office of Energy Efficiency & Renewable Energy, Sandia National Laboratories: 2021); V. Siva Brahmaiah Rama, Sung-Ho Hur and Jung-Min Yang, “Predictive Maintenance and Anomaly Detection of Wind Turbines Based on Bladed Simulator Models,” IFAC-PapersOnLine 56, no. 2 (2023): 4633-4638, https://www.sciencedirect.com/science/article/pii/S2405896323013575.
[100] Author interview with academic participant, 24 November 2023; Xiaorui Liu, “Deep Reinforcement Learning for Cybersecurity Assessment of Wind Integrated Power Systems,” IEEE Power & Energy Society Section (2020).
[101] Author interview with government participant, 8 November 2023; Author interview with academic participant, 9 November 2023; Author interview with industry participant, 12 March 2024.
[102] Author interview with industry participant, 12 March 2024.
[103] Author interview with government participant, 8 November 2023.
[104] Author interview with government participant, 8 November 2023.
[105] “Early warning,” NCSC, https://www.ncsc.gov.uk/information/early-warning-service.
[106] “Connect Inform Share Protect,” NCSC, https://www.ncsc.gov.uk/cisp/home.
[107] “MISP Threat Sharing,” MISP-Project.org, https://www.misp-project.org.
[108] “Information Sharing and Analysis Centers,” ENISA, https://www.enisa.europa.eu/topics/national-cyber-security-strategies/information-sharing.
[109] MITRE, Cyber Information-sharing Models: An Overview (MITRE: October 2012), 4, https://www.mitre.org/sites/default/files/pdf/cyber_info_sharing.pdf.
[110] Author interview with government participant, 8 November 2023; Author interview with academic participant, 9 November 2023; Author interview with government participant, 13 November 2023; Author interview (2) with industry participant, 15 December 2023; Author interview with industry participant, 9 February 2024.
[111] Author interview with industry participant, 16 February 2024.
[112] “Software Security in Supply Chains: Software Bill of Materials (SBOM),” Executive order 14028, Improving the Nation’s Cybersecurity, National Institute of Standards and Technology (NIST), https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1; “CISA and CESER Releases Software Bill of Materials (SBOM) Sharing Lifecycle Report,” Cybersecurity & Infrastructure Security Agency, 17 April 2023, https://www.cisa.gov/news-events/alerts/2023/04/17/cisa-and-ceser-releases-software-bill-materials-sbom-sharing-lifecycle-report; “CESER Partners with CISA to Release New Framework for Software Bill of Materials Sharing,” Office of Cybersecurity, Energy Security and Emergency Response, 19 April 2023, https://www.energy.gov/ceser/articles/ceser-partners-cisa-release-new-framework-software-bill-materials-sharing-0.
[113] “Software Security in Supply Chains: Software Bill of Materials (SBOM),” Executive order 14028, Improving the Nation’s Cybersecurity, National Institute of Standards and Technology (NIST), https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1.
[114] “Biden-Harris Administration Launches New Effort to Advance Cyber Labeling and Security Transparency for Energy Products and Systems,” Office of Cybersecurity, Energy Security and Emergency Response, 18 July 2023, https://www.energy.gov/ceser/articles/biden-harris-administration-launches-new-effort-advance-cyber-labeling-and-security.
[115] Author interview with academic participant, 22 November 2023.
[116] Author interview (2) with industry participant, 15 December 2023.
[117] “The world’s only consensus-based automation and control systems cybersecurity standards,” International Society of Automation, https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards.
[118] Charlotte Wilkinson, “Stepping Up Cybersecurity in Offshore Wind: How to Protect Against an Unseen Enemy,” ORE Catapult Blog, 28 April 2020, https://ore.catapult.org.uk/blog/cybersecurity-in-offshore-wind/.
[119] Author interview with industry participant, 16 February 2024.
[120] Author interview with industry participant, 12 March 2024.
[121] Andrew Kay, “Improving the Cyber Resilience of Australia’s Energy Sector,” ESD News, 1 February 2024, https://esdnews.com.au/improving-the-cyber-resilience-of-australias-energy-sector/.
[122] Author interview with industry participant, 9 February 2024.
[123] CERTREC Corporation, “Recent NERC Penalties,” https://www.certrec.com/resources/nerc-penalties/.
[124] Author interview with industry participant, 9 February 2024; Author interview with industry participant, 16 February 2024.
[125] Author interview with academic participant, 9 November 2023.
[126] Megan Jordan Culler et al., Cybersecurity Guide for Distributed Wind (Idaho National Lab: August 2021), https://www.osti.gov/biblio/1826578.
[127] Author interview with academic participant, 16 November 2023; Author interview with academic participant, 23 November 2023; Author interview with academic participant, 24 November 2023.
[128] “Grid services: Innovative solutions to stabilise our electricity system,” Statkraft, https://www.statkraft.co.uk/newsroom/2023/grid-services-innovative-solutions-to-stabilise-the-power-grid/.
[129] Author interview with academic participant, 16 November 2023.
[130] Author interview with academic participant, 9 November 2023.
[131] Author interview with industry participant, 21 March 2024.
[132] Author interview with academic participant, 24 November 2023; Author interview with industry participant, 9 February 2024; Author interview with industry participant, 10 November 2023; Charlotte Wilkinson, “Stepping Up Cybersecurity in Offshore Wind: How to Protect Against an Unseen Enemy,” ORE Catapult Blog, 28 April 2020, https://ore.catapult.org.uk/blog/cybersecurity-in-offshore-wind/.
[133] Author interview with industry participant, 9 February 2024.
[134] Author interview with academic participant, 24 November 2023.
[135] Author interview with industry participant, 9 February 2024.
[136] Author interview with industry participant, 16 February 2024; Author interview with government participant, 13 November 2023.
[137] Author interview with industry participant, 8 March 2024; Author interview with government participant, 8 November 2023.
[138] Author interview with government participant, 8 November 2023; Author interview with academic participant, 9 November 2023.
[139] Author interview with government participant, 8 November 2023.
[140] Federal Government of the United States, Roadmap for Wind Cybersecurity (US Department of Energy Office of Energy Efficiency and Renewable Energy: 2020), 15, https://www.energy.gov/sites/prod/files/2020/07/f76/wind-energy-cybersecurity-roadmap-2020v2.pdf.
[141] “DOE CESER Helps Fortify the Energy Sector’s Digital Supply Chain with GE Gas Power,” Office of Cybersecurity, Energy Security and Emergency Response, 9 May 2023, https://www.energy.gov/ceser/articles/doe-ceser-helps-fortify-energy-sectors-digital-supply-chain-ge-gas-power.
[142] “EU-Japan Strategic Partnership,” European Commission, May 2011, https://www.consilium.europa.eu/media/49921/eu-japan-2021-05-final.pdf.
[143] Author interview with industry participant, 12 March 2024.
[144] Author interview with academic participant, 23 November 2023; Author interview with academic participant, 24 November 2023; Author interview with industry participant, 12 March 2024.
[145] Megan Egan, A Retrospective on 2022 Cyber Incidents in the Wind Energy Sector and Building Future Cyber Resilience (Boise State University: December 2022), https://scholarworks.boisestate.edu/cgi/viewcontent.cgi?article=1002&context=cyber_gradproj.
[146] Author interview with industry participant, 12 March 2024; Megan Egan, A Retrospective on 2022 Cyber Incidents in the Wind Energy Sector and Building Future Cyber Resilience (Boise State University: December 2022), https://scholarworks.boisestate.edu/cgi/viewcontent.cgi?article=1002&context=cyber_gradproj.
[147] Author interview with industry participant, 9 February 2024.
[148] Federal Government of the United States, National Cyber-Informed Engineering Strategy (US Department of Energy Office of Cybersecurity, Energy Security and Emergency Response: 2022), https://www.energy.gov/sites/default/files/2022-06/FINAL%20DOE%20National%20CIE%20Strategy%20-%20June%202022_0.pdf.
[149] Author interview with academic participant, 9 November 2023.
[150] Author interview with (4) academic participant, 16 November 2023; Jennifer Mielniczek et al., “Cyber-Physical Security and Resilience for Offshore Wind,” in MARESEC 2021: Proceedings of the first European Workshop on Maritime Systems Resilience and Security (Bremerhaven: MARESEC, 2021), https://zenodo.org/records/5603368, 1-6.
[151] Author interview with industry participant, 10 November 2023.
[152] “WETO-Funded Research Focuses on Reducing Cybersecurity Threats to Nation’s Wind Fleet,” Office of Energy Efficiency and Renewable Energy, 9 February 2023, https://www.energy.gov/eere/wind/articles/weto-funded-research-focuses-reducing-cybersecurity-threats-nations-wind-fleet.
[153] Ibid.
[154] Jennifer Mielniczek et al., “Cyber-Physical Security and Resilience for Offshore Wind,” in MARESEC 2021: Proceedings of the first European Workshop on Maritime Systems Resilience and Security (Bremerhaven: MARESEC, 2021), https://zenodo.org/records/5603368, 1-6; Evi Elisa Ambarita et al., “On Cyber-Attacks Against Wind Farms,” in IECON 2023: Proceedings of the 49th Annual Conference of the IEEE Industrial Electronics Society (Singapore: IEEE Industrial Electronics Society, 2023), 1.
[155] “The Security Lab Energy (SecLabE),” KIT Energy Lab 2.0, https://www.elab2.kit.edu/english/securitylab.php.
[156] Alan Williams, “Project Aims to Ensure Offshore Renewable Innovations Remain Cyber-Secure,” University of Plymouth, 5 September 2023, https://www.plymouth.ac.uk/news/project-aims-to-ensure-offshore-renewable-innovations-remain-cyber-secure; Author interview with government participant, 13 November 2023.
[157] Alan Williams, “Project Aims to Ensure Offshore Renewable Innovations Remain Cyber-Secure,” University of Plymouth, 5 September 2023, https://www.plymouth.ac.uk/news/project-aims-to-ensure-offshore-renewable-innovations-remain-cyber-secure.
[158] “The US DOE National Cyber-Informed Engineering (CIE) Strategy Document,” Office of Cybersecurity, Energy Security and Emergency Response, https://www.energy.gov/ceser/articles/us-department-energys-doe-national-cyber-informed-engineering-cie-strategy-document.
Authors
Citation information
Anna Knack, Yvonne Kam Hwei Syn and Kimberly Tam, “Enhancing the Cyber Resilience of Offshore Wind,” CETaS Research Reports (June 2024).