Cybersecurity in the era of offshore energy

Picture this: It’s 2030 and a wind farm off Australia’s east coast has just suffered a cyber attack by a hostile nation state. Exploiting a vulnerability in the wind farm’s network, the attackers have gained access to critical operational systems. Having remotely seized control of these systems, they can now connect to the larger electrical grid and proceed to shut it down systematically, switching off substations, corrupting files and disabling emergency backup power. Millions of homes and businesses are affected. Trains grind to a halt. There are tragic consequences for some people who rely on electrically powered medical devices.

It’s not exactly news that all types of electrical utilities are a target for cybercriminals. Bring down a network and, as the hypothetical scenario above shows, you can disable a city for hours or even days. Examples from recent years include multiple attacks on the Ukrainian grid, starting with the 2015 attack by the Russian ‘Sandworm’ group which left about 230,000 people without power; two 2021 ransomware attacks on Brazilian utilities; and a 2022 ransomware attack on Energy Australia resulting in the theft of online customer details.

In its 2024 report, ‘Attack Surface of Wind Energy Technologies in the United States’, Idaho National Laboratory notes that, with multiple cyber attacks and intrusions targeting wind energy in the US in 2022, cybersecurity for the sector is becoming urgently important. The paper references ransomware attacks on Germany’s Nordex and Deutsche Windtechnik control centres, the disabling of SATCOM modems serving ENERCON wind turbines and an espionage campaign against wind-energy companies working in the South China Sea.¹

Offshore challenges

There are two major factors that make offshore wind farms uniquely vulnerable: their remoteness, which creates a necessity for more cyber infrastructure; and the newness of the sector, which means many risk factors haven’t been addressed yet. This state of affairs is steadily drawing the attention of researchers, who warn that serious action needs to be taken in order to protect these complex assets from malicious attacks.

The huge turbines on an offshore wind farm are connected to an offshore substation by cables that run down the turbine tower and under the seabed. At this subsea substation, the voltage is increased to minimise transmission losses. The energy is then conveyed to an onshore substation via high-voltage underwater cables. Here, electricity undergoes further adjustments so that it can make its way into the electrical grid.

As highlighted in a recent study from Concordia University and Hydro-Quebec, these wind farms require a significant amount of cyber infrastructure in order to connect and coordinate their many moving parts — both offshore and onshore. This “complex, hybrid-communication architecture presents multiple access points for cyber attacks”.²

Unlike the established onshore wind market, offshore wind farms are still in the nascent stages of expansion, but this is set to change, according to RMIT research. In June 2023, RMIT’s Centre for Cyber Security Research and Innovation (CCSRI) put together a comprehensive review of the marine renewable energy sector and its cybersecurity issues, with an emphasis on offshore wind farms in the APAC region.³  While Europe has long been a leader in offshore wind technology and capacity, APAC has recently become a contender, with China driving most of the development.

Rapid development of more powerful technology combined with the push towards decarbonisation has led to a significant increase in investment for larger offshore wind farm projects in recent years.

Across Australia, there are currently 50 offshore wind farms planned, but none of these has even reached the construction phase, according to RMIT.

An intensifying threat

Referring to sobering statistics from the International Association of Ports and Harbors (2021), RMIT notes that there has been a surge in cyberthreats towards the marine industry sector as a whole, especially since the start of the COVID-19 pandemic. The Association reported a fourfold increase in cyber attacks from February to May 2020, with attacks against operational technology (OT) systems rising by a whopping 900% since 2017.⁴

Cyber attacks are multifarious, often appearing in the form of malware — malicious software that can invade a system when a user clicks on a dangerous link or email attachment. Popular sub-categories of malware include ransomware (which encrypts the victim’s files and demands payment to decrypt them), viruses, worms and spyware.

An attacker initially might use a phishing approach, sending an email to a target that pretends to be from a trustworthy source in order to gain sensitive information or to install malware. Denial of service (DoS) attacks are also effective, making a computer or resource network unusable by inundating it with traffic from multiple sources.

Yet more attack techniques include man-in-the-middle (attacker intercepts data between two parties without their knowledge), structured query language attack (malicious code inserted into SQL server to obtain confidential information), zero-day (where an attacker exploits an as yet undetected software flaw) and living off the land (using tools that are already present in the victim’s system).

A feast for cybercriminals?

When it comes to offshore wind farms, attackers have an almost staggering array of choices as to which components they can target — assuming robust protections have not been put in place, that is. Turbines, substations, sensors and control centres, SCADA (supervisory control and data acquisition) systems, subsea cables — all of these are subject to potential breaches with very damaging consequences.

In addition to ensuring staff are comprehensively trained in cybersecurity awareness, RMIT advocates a combination of physical and cyber measures to protect assets. Substations should be protected by perimeter fencing, remote surveillance, infrared lighting and smart video analytics; while subsea cables should be buried or sleeved, in addition to being remotely monitored.

All-important SCADA systems should be shielded by protocols based on the latest and most secure standards, and sensors and control centres require a robust built-in data diagnostics (BDD) mechanism that will collect reliable data while proactively identifying and mitigating potential issues such as data corruption.

RMIT also recommends the adoption and adaptation of various theoretical frameworks that have been developed for protection of the IT sector, such as the NIST Cybersecurity Framework (CSF) devised by the United States’ National Institute of Standards and Technology; the international information security standard ISO/IEC 27001; and the “practical, actionable” CIS controls designed by the Centre for Internet Security.⁵

Time is of the essence

Concordia Institute for Information Systems Engineering (CIISE) Associate Professor Jun Yan, a contributor to the Concordia University study, has emphasised the need to strengthen the security of operational technologies.

He said that Concordia was advocating for international standardisation efforts but that the work was just beginning.

“There are regulatory standards for the US and Canada, but they often only state what is required without specifying how it should be done,” he said. “Researchers and operators are aware of the need to protect our energy security, but there remain many directions to pursue and open questions to answer.”⁶

Here in Australia, the government’s offshore electricity infrastructure framework, managed by the Department of Climate Change, Energy, the Environment and Water, is in the early stages of implementation. The only licences currently open for application are feasibility licences, which allow a developer to assess the potential for a proposed wind farm project but do not allow the commercial generation of energy.

The DCCEEW is currently consulting with industry on the draft guidelines for its guidance around the transmission and infrastructure licences that permit undersea cables to be installed. Its guidelines for 40-year commercial licences — allowing a developer to construct, operate and commercially generate electricity from an offshore energy project — are still under development. There might be approximately 50 offshore wind projects on the cards, but nothing is going to happen in a hurry.

It’s a situation that, you would hope, leaves enough time to plan in detail how these assets are secured.

<sub>1. p 5, ‘Attack Surface of Wind Energy Technologies in the United States’, Idaho National Laboratory (2024). https://inl.gov/content/uploads/2024/02/INL-Wind-Threat-Assessment-v5.0.pdf?
2, 6. https://www.concordia.ca/news/stories/2024/01/24/offshore-wind-farms-are-vulnerable-to-cyberattacks-new-concordia-study-shows.html
3. RMIT University – Centre for Cyber Security Research and Innovation (CCSRI), ‘Identifying Cybersecurity Best Practices for the Marine Renewable Energy Sector’ (2023).
4. p 47, CCSRI report
5. p 72, CCSRI report</sub>

Image credit: iStock.com/MikeMareen