I participated in the “Assessing the Impact of Cybersecurity on the Nation’s Wind Farms” workshop at the National Renewable Energy Laboratory (NREL) Wind Technology Center July 16-17th in Boulder CO. There were approximately 50 participants from wind turbine and control system suppliers, utilities, national laboratories, regulators, wind farm standards organizations, and a credit rating agency - https://twitter.com/NREL/status/1151959882536542208.
Salient points were:
- Attendees were unaware that wind farm turbines already have been compromised. There have been cyber attacks against wind farm SCADA networks and wind turbine gear boxes but the disclosures were not well-known. The lack of public awareness of wind farm cyber incidents has negatively affected the industry’s focus on addressing cyber security. Consequently, it may take a real test to demonstrate that wind turbine cyber vulnerabilities can cause physical damage to critical equipment such as gear boxes.
- There is a need for information sharing about control system cyber vulnerabilities and incidents though it will be difficult because of commercial sensitivities.
- There is a need to assure that wind farm standards such as IEC TC88 and control system standards such as ISA IEC62443 standards are coordinated. Because the appropriate people attended, I think this coordination has been started.
- The Moody’s presentation was very well-received as it demonstrated that control system cyber issues are important to credit rating agencies. This may be the door into the “C-suite” needed to get attention on real control system cyber security, not just compliance or IT issues
- Sensor cyber security issues were new to the attendees. There was interest because of the reliability and safety implications and the need for Engineering and networking organizations to work together. Some form of hybrid monitoring of OT networks and sensors coupled with state estimation techniques may be valuable.
- There is a need to have the security and engineering organizations collaborate because their monitoring capabilities (Security Operating Centers vs control rooms) currently do not overlap. I think this need was evident to the attendees.
- The turbine system designers need to understand the implications of cyber security – design features can be cyber vulnerabilities.
- There were concerns about NERC classifications that could change some turbines from being classified as low impact to medium impact.
- There were 4 breakout sessions: Lifecycle Security Control, Sensor Integrity, Security Risk Management, and Cybersecurity Strategy and Automated Response. Priorities were established for each group.
NREL will be issuing a report on the Workshop.