The past several decades have seen a seismic shift in how the world thinks about energy. Concerns about climate change and global geopolitics have caused many nations to declare a goal of moving on from dependency on fossil fuels toward more renewable energy sources, such as wind power.
Russia’s current war against Ukraine is accelerating this shift. Russia is the world’s third-largest producer of oil and gas. Countries seeking to disentangle their reliance on that oil are stepping up adoption of wind power. Now, cyber attacks on wind farms’ OT networks are increasing as well. The Wall Street Journal recently discussed this phenomenon, suggesting that threat actors sympathetic to Russia may seek to cause “mayhem” for wind-energy companies.
As this shift in the way the world generates and consumes power continues, the physical infrastructure used to harness this renewable energy is also changing. It’s moving from a centralized collection to a distributed model. For wind energy specifically, the cost to manufacture, ship, deliver and install the necessary hardware is very high. Companies looking to keep projects under budget will unfortunately look to IT/OT security infrastructure as a place to cut costs. To understand why this is a bad place to skimp on needed cyber security, it’s important to understand how wind energy is collected and stored.
When wind turbines are erected in large numbers, they are referred to as farms. Often, from a network security scaling perspective, these farms are grouped behind a single gateway. This gateway is where you will find the firewall set to protect the farm from attack. While this is not the ideal setup, it is a cheaper way to build the infrastructure and therefore how it often gets done. Ideally, since each of these wind turbines is an isolated power production facility, each should have its own dedicated security hardware installed, such as firewalls or intrusion detection systems. But again, the price tag of this security setup can grow exponentially as the wind farm grows.
Next, these farms tend to be designed on a flat network whereby any wind turbine can communicate across the entire fleet of turbines. So from farm to farm and turbine to turbine they have connectivity, which means that if one turbine were compromised, all farms and turbines that rely on the same network could be compromised as well. The bulk of protocols used on the controlling architecture, such as Telnet, FTP, HTTP, Modbus, CAN Bus, OPC, DNP3, IEC-104, and MMS, are known to be highly vulnerable. There are numerous known methods to exploit these protocols and obtain control over the HMI, operator workstation, SCADA server, SCADA client or the switching infrastructure.
As early as 2017, security researcher Jason Staggs, Ph.D., of the University of Tulsa delivered a talk at Black Hat USA called “Adventures in Attacking Wind Farm Control Networks.” (Watch Jason deliver a similar talk at Def Con 25.) In the presentation he referred to various attacks targeting wind farms, with names like Windshark, an OPC request attack; Windpoison, an ARP poison attack; Windworm, a CANopen shared data object message attack; and finally Wind Ransom. This last one is an attack whereby malware such as “NotPetya,” which had spread to more than 60 countries in Europe, the US and beyond in 2017, can be used to lock companies out of the wind farm's controlling systems and then bait them into paying a fee for a crypto key to remove the lockout.
To emphasize how impactful these attacks could be, China generates close to 40% of all wind power produced on the planet, followed by the United States, which produces roughly 16%, and Germany, which produces almost 8%. This production equals roughly 5% of the total global electricity produced daily. With the increasing adoption of alternative energy sources, the risk profile changes dramatically and the concern for securing these power producers grows.
To protect a wind farm’s OT network from ransomware or other attacks, follow best practices: isolate each turbine on the network, stay aware of known vulnerabilities in the controlling architecture and patch where necessary, and install a passive OT network security platform, such as SCADAfence.
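The flat-network problem and the isolation advice above can be checked against passively collected flow records. The following is an added example, not code from the original article or from any vendor product: it flags turbine-to-turbine traffic and traffic from unmapped hosts on the IP-based protocols the article names. The addressing plan, segment names and sample flows are constructed assumptions.

```python
import ipaddress

# Well-known TCP ports for the IP-based protocols named in the article.
# (CAN bus is a fieldbus, not IP, so it cannot appear in flow records.)
OT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 102: "MMS (ISO-TSAP)",
            502: "Modbus/TCP", 2404: "IEC-104", 4840: "OPC UA", 20000: "DNP3"}

# Assumed addressing plan (constructed): one /28 per turbine, one SCADA subnet.
SEGMENTS = {
    "turbine-01": ipaddress.ip_network("10.20.1.0/28"),
    "turbine-02": ipaddress.ip_network("10.20.1.16/28"),
    "turbine-03": ipaddress.ip_network("10.20.1.32/28"),
    "scada": ipaddress.ip_network("10.20.0.0/28"),
}

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def audit_flows(flows):
    """Return findings for flows that violate per-turbine isolation."""
    findings = []
    for src, dst, dport in flows:
        s, d = segment_of(src), segment_of(dst)
        proto = OT_PORTS.get(dport, f"tcp/{dport}")
        if s == d and s != "unknown":
            continue  # traffic inside one turbine's own segment
        if s.startswith("turbine") and d.startswith("turbine"):
            findings.append(("lateral", s, d, proto))
        elif "unknown" in (s, d) and dport in OT_PORTS:
            findings.append(("unmapped-host", s, d, proto))
    return findings

# Constructed sample flow records: (source IP, destination IP, destination TCP port)
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.20.1.2", 502),    # SCADA server polling turbine-01: expected
    ("10.20.1.3", "10.20.1.2", 502),    # inside turbine-01: expected
    ("10.20.1.2", "10.20.1.18", 23),    # turbine-01 -> turbine-02 Telnet
    ("10.20.1.34", "10.20.1.5", 2404),  # turbine-03 -> turbine-01 IEC-104
    ("192.168.7.9", "10.20.1.20", 21),  # unknown host -> turbine-02 FTP
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f)
```

On a properly segmented farm the "lateral" list should be empty; any entry means one turbine can reach another directly.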
To learn more about how the SCADAfence Platform can protect your OT network from ransomware and other attacks, request a demo today.