Jul 16, 2018

Tackling turbine security

Turbine hardware and software aren’t made in a bubble, which sparks the need to tackle security vulnerabilities.


One wind turbine can create 18 full-time jobs in the U.S., and so even detractors are having a hard time ignoring wind power’s momentum. The challenge for the coming years, however, is plant security. The industry is looking at a challenge from grid operators and regulators: How can the wind industry support efforts leading to more security?

For the past year, independent security researcher Maxim Rupp has been in great demand, particularly in the wind-power sector. It was about a year ago when this Germany-based security specialist published a document on the security vulnerabilities of wind turbines in the United States.

Rupp discovered many risks including: He could change the administrator password using a so-called cross site request forgery, so that he could then make changes to the turbine blade or the network settings. He also found a security breach on the web connections of the plants. The results of Rupp’s work were disturbing for operators and the entire industry. Forbes magazine published a major report on the discoveries.

Where problems start

The problem begins when an application is developed. Suppliers still start from the premise that devices will be implemented in a secure network, Rupp told Forbes. The German security expert said this was an assumption that arose in the ’90s. For Rupp, there is no difference between a web page or a wind turbine. Both systems are susceptible to attack and must be protected.

According to Forbes, Rupp said wind turbines were operating in Europe without protection. Case in point: Not only in Europe, but also in the U.S., many turbines are still using Windows 95 computers. A simple search using the shodan.io search machine revealed security risks such as modifying the turbine operation and accessing the grid. However, PLC suppliers have responded to this with a solution that involves updated controls and software. Rupp has also noticed this. Companies are beginning to understand the situation and are making more effort to protect their products, Rupp reports.

However, the issue seems initially limited to the U.S. In Germany, there are only a few publications over the last several years that have addressed attacks or security breaches on wind turbines.

Image 1

In the U.S., Brian Hill from Bachmann electronic talks frequently to his customers about security. The importance of wind-farm security has increased and is at the top of the agenda for many customers. U.S. authorities set high standards with regard to security, since failures in infrastructure must be prevented. The government is working on more stringent regulations and requirements for the operators.

Regulations in play

There are many new regulations coming from the NERC. The Energy Policy Act of 2005 (Energy Policy Act) gave the Federal Energy Regulatory Commission (FERC) authority to oversee the reliability of the bulk power system, commonly referred to as the bulk electric system or the power grid. This includes authority to approve mandatory cybersecurity reliability standards.

The North American Electric Reliability Corporation (NERC), which FERC has certified as the nation’s Electric Reliability Organization, developed Critical Infrastructure Protection (CIP) cyber security reliability standards. On January 18, 2008, the Commission issued Order No. 706, the final rule approving the CIP reliability standards, while concurrently directing NERC to develop significant modifications addressing specific concerns.

Additionally, the electric industry is incorporating information technology (IT) systems into its operations — commonly referred to as smart grid — as part of nationwide efforts to improve reliability and efficiency. There is concern that if these efforts are not implemented securely, the electric grid could become more vulnerable to attacks and loss of service. To address this concern, the Energy Independence and Security Act of 2007 (EISA) gave FERC and the National Institute of Standards and Technology (NIST) responsibilities related to coordinating the development and adoption of smart grid guidelines and standards.

Secure infrastructures

Bachmann is ready to create secure infrastructures for its customers, according to Hill. Bachmann electronic provides its customers worldwide with new hardware and regularly supplies new software updates to address ongoing security concerns. Customers only have to install the software patches on their own or have their service provider do it for them.

Hardware and software are critical for the secure and economical operation of wind turbines. For this reason, Bachmann electronic is involved in the retrofitting of existing systems. Hill and his colleagues are working together with a variety of owner/operators. Their goal is to retrofit wind turbines with state-of-the-art Bachmann electronic technology in order to modify the various wind-turbine fleets, bring them into compliance with current regulations, and have the flexibility to meet the unforeseen regulations of the future.

Retrofit goals

Bachmann electronic is working with one of the U.S. national labs on one such retrofit where researchers will be able to carry out tests on wind turbines, change parameters, and adapt them to actual conditions. They can use the results for more efficient systems laboratory tests that will ultimately help improve turbine operation. The plan is to help them through the application of a new controller system, replacing the original wind-turbine controls’ hardware and software, according to Hill, who is expecting new orders in the U.S. resulting from the collaboration with the lab and the test results.

In North America, Bachmann is concentrating on existing systems, Hill said. In the world’s largest wind-power market, condition monitoring systems from Bachmann electronic are also in demand and are likely to be coupled with a controls retrofit solution.

Image 2

A lot of new wind-energy capacity is moving forward this year and next through the benefit of continued momentum of clean-energy initiatives. Federal, state, and local governments, along with large corporations such as Google and Amazon, will continue to invest in renewable energy, Hill said.

These investments in wind power in the U.S. are creating new jobs. The U.S. Department of Energy estimates there will be about 250,000 Americans working in the wind-power sector by 2020, and even up to 600,000 by 2050. The sector continues to be optimistic about the future in spite of some opposition and in spite of the U.S. withdrawal from the Paris Climate Accord.

Hill said he still has some concerns.

“We have a lot of space in North America for land-based wind projects, but one of the biggest challenges is moving the energy from wind turbines to the population/load centers,” Hill said. “Our U.S. colleagues also understand the issues around the power grid. It’s been my experience that it is easier to build power stations than power lines.”

The grid is overloaded in some regions; however, new lines are planned, and this will help wind power in the United States.

In the meantime, Rupp continues to highlight the security features of the controller suppliers and is eagerly publishing security breaches in wind turbines in the U.S., Europe, and elsewhere in the world. There was one disturbing fact that arose from his discovery of security risks in June 2015: When it comes to hacking the computers of a wind farm, it’s not that difficult. 


About The Author
Robert Weber

is a technology journalist and founder. Until May 2015, he was responsible for the German-language trade journal Elektrotechnik. Instead of concentrating on his journalistic career, Weber now focuses on his start-up Industrial Newsgames, which develops communication solutions for the challenges of IIoT.

Comments

You must Log In to comment.

Be the first to comment!