Having a full cyber security audit carried out on your renewable energy asset is a great idea, and depending on the size of your portfolio, may even be a legislative requirement. However, even without an external audit, there are some simple steps you can take to help increase the cyber security of your asset:
1. Create a clear communications infrastructure system map for your site.
Start with the individual turbines or inverters and follow the communications path sequentially through the park controllers and firewalls. Be sure to map connection links to all third parties, including:
Original Equipment Manufacturer (OEM)
Turbine Maintenance Supplier (if different)
High Voltage switching team, who may have remote access to switchgear
Traders
Owners, including historic owners
Operations Managers and control rooms
Transmission System Operator, Distribution Network Operator
Second level SCADA system operators
Any other service providers, such as condition monitoring specialists
2. Secure your communications system.
Once you’ve completed the communications infrastructure map, some immediate discrepancies and potential gaps will come to light. Address these one by one according to a prioritised risk assessment matrix. There are likely to be many “View Only” connections and only a few with potential system control, so the obvious priority is to lock down the latter group. Ensure connections use Virtual Private Networks (VPNs) with dual firewall protection, creating a “DMZ” environment within the substation or control room.
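As an added example (not from EnergyPro or the original post), the following Python takes a connection inventory of the kind the step 1 map produces and orders the links for lock-down by the step 2 rule: control-capable connections first, then by missing VPN and dual-firewall DMZ protection. The party names, inventory rows and risk weights are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed inventory derived from a step-1 communications map: one row per
# third-party link. access is "control" (can operate plant) or "view" (read-only).
CONNECTIONS = [
    # (party,                         access,    vpn,   dmz)
    ("OEM remote service",            "control", True,  True),
    ("Turbine maintenance supplier",  "control", True,  False),
    ("HV switching team",             "control", False, False),
    ("Trader",                        "view",    True,  True),
    ("Historic owner",                "view",    False, False),
    ("TSO / DNO",                     "view",    True,  True),
    ("Condition monitoring provider", "view",    False, True),
]

# Illustrative weights (an assumption): control capability dominates, so any
# control link with a gap always ranks above every view-only link.
WEIGHT_ACCESS = {"control": 10, "view": 2}
WEIGHT_NO_VPN = 4
WEIGHT_NO_DMZ = 3


@dataclass(frozen=True)
class Finding:
    party: str
    access: str
    score: int
    gaps: tuple  # human-readable list of missing protections


def assess(connections):
    """Score every link and return findings sorted highest risk first."""
    findings = []
    for party, access, vpn, dmz in connections:
        gaps = []
        score = WEIGHT_ACCESS[access]
        if not vpn:
            gaps.append("no VPN")
            score += WEIGHT_NO_VPN
        if not dmz:
            gaps.append("not behind dual-firewall DMZ")
            score += WEIGHT_NO_DMZ
        findings.append(Finding(party, access, score, tuple(gaps)))
    return sorted(findings, key=lambda f: (-f.score, f.party))


def lockdown_order(connections):
    """Parties whose link still has a gap, in the order they should be fixed."""
    return [f.party for f in assess(connections) if f.gaps]


if __name__ == "__main__":
    for f in assess(CONNECTIONS):
        print(f"{f.score:>3}  {f.access:<8}{f.party}: {', '.join(f.gaps) or 'ok'}")
```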
3. Ensure SCADA software is up-to-date.
This is a particular consideration for non-OEM maintained assets.
If possible, ensure that there is continued software support, particularly for security updates and patches. If not, consider implementing additional security measures.
4. Ensure your people are trained regularly.
It can be difficult to keep track of new and evolving threat vectors. Regular (at least monthly) training of your staff and subcontractors is the best way to mitigate the risks of phishing, spear-phishing, smishing and other targeted attacks. At EnergyPro, we use “Ninjio” continuous training for our staff (there are other very good training providers available; we just happen to find Ninjio excellent). The training consists of fun 5-minute videos illustrating recent industry cyber attacks, how they happened, and how extra awareness or changed habits could have prevented them from succeeding.
5. Prepare a Cyber Security Incident Response Plan. Test this regularly.
A comprehensive Cyber Security Incident Response Plan should include the agreed response to:
Ransomware attacks (perhaps including an alternative response plan depending on the system affected)
Independent system failures
Loss of data communications
Loss of intellectual property
Active vs Inactive intrusion detection
We’ve all historically been very familiar with physical Emergency Response Plans for operational projects, and regularly test these in either desktop drills or on-site tests including Blue Light responders. Use this same approach for cyber security, outlining a few typical scenarios and what your agreed response will be to each of them.
These tests can be supported by external specialists, particularly for carrying out system penetration tests.
Contact us at EnergyPro to find out more.