My first podcast comes out today! Okay, perhaps that sounds a bit presumptuous, like I will be featured in more podcasts in the future, but I'm very excited about this opportunity and I like the broader audience that it gives me, as a researcher, the opportunity to interact with.
Hack the Plan[e]t is a podcast of the R Street Institute, a free market think tank in Washington D.C., and ICS Village, a nonprofit that equips industry experts and policymakers with the tools to better defend our critical infrastructure. Hosted by Bryson Bort, founder and CEO at Scythe, the podcast discusses various challenges and topics in cybersecurity for critical infrastructure.
The episode I was interviewed for focuses on wind energy. I was joined by my coworker, Keith Mecham, and ICS Cybersecurity R&D Engineer at INL. Keith is an expert with years of experience in cybersecurity analysis for control systems, with particular expertise in the water industry. My background in distributed energy system cybersecurity and a year of experience running a wind-focused project made us a good pair to tackle this challenge for Hack the Plan[e]t.
Some of the key challenges I tried to highlight:
Wind is remotely operated. Remote monitoring and control is necessary for distributed wind and bulk wind plants, which differs from self-contained manufacturing or central generation facilities. This increases the potential attack surface. Because of the remote locations of turbines, local access is harder to access. It is easy to break physical locks and plug devices in to computers.
Many turbines may be serviced by travelling technicians who may serve more than one company. This introduces more potential "pollination" of threats.
Wind has more moving parts than other renewable resources like storage or solar. The cyber-physical aspect creates more potential consequences. Whereas solar panels can be hacked to stop or mismanage energy production, wind turbines can experience wear and tear, decreasing the lifetime of the asset, or in the worst case, even blade strikes causing immediate damage.
Cyber threats to wind are real and established. Academic work has demonstrated the propagation of worms, SCADA compromises, and known vulnerabilities in wind systems. Real world events have occurred and are highlighted in the DOE Roadmap for Wind Cybersecurity. There has also been a marked rise in ransomware and DoS attacks.
There is a lack of incentives for cybersecurity. Neither manufacturers nor customers are financially motivated to prioritize cybersecurity, especially if they view the likelihood of their particular installation being targeted as being low compared to other targets. Contracts for wind energy generation emphasize economic priorities, often resulting in generating as much energy as possible for as cheap as possible. Prices for wind generation going down is good to encourage more installation, but individual installations may end up getting paid less, making it even more difficult to build cybersecurity into cost-benefit analyses.
Now, given all those challenges for wind cybersecurity, it might seem like we are fighting an uphill battle. In some ways this is true. Renewable resources can be overlooked in the development of cybersecurity standards and regulation. Time is our biggest resource. We absolutely have the capabilities to protect wind plants, but we will always be trying stay just ahead of the next big threat, racing against someone who can spend more personnel and more money on it.
The good news is that basic cybersecurity best practices can largely reduce the threat surface. Whitelisting, encryption, authentication, software and hardware bills of materials... these are all tools that go a long way to reduce exposure and vulnerabilities.
Full description of our episode below:
Wind energy is one of the most rapidly growing energy generation sources in the United States - how can these renewable systems stay resilient in the face of cyber attacks as the industry grows?
In this episode, we hear from Megan Culler and Keith Mecham of Idaho National Labs (or INL). Megan Culler is a Power Engineer and Researcher; Keith Mecham is a Critical Infrastructure Cybersecurity Engineer.
INL is a Federally funded research and development center (FFRDC): public-private partnerships which conduct research and development for the United States Government. They operate large infrastructure security programs that include wind, power, and telecommunication, as well as provide engineering and development support to the federal government.
How does wind fit into our broader energy infrastructure? What threats does cybersecurity present to renewable energy? How can industry work tougher for policymakers to keep our systems secure? Join us as we discuss these questions, and more.
“A big risk is people just don't understand the risks with these types of systems. I think that's starting to change, as we have larger and larger energy companies that already understand cybersecurity jumping into wind. We have projects from Royal Dutch Shell and BP and other energy companies. They're setting up huge wind farms, especially offshore. They understand cybersecurity because of their refineries and pipeline systems, better than a startup does. And we hope we see more of that bring some maturity to the industry.”
-Keith Mecham