Bringing together the offshore wind industry to mature cybersecurity

Offshore wind power capacity is expanding rapidly as countries across the world seek to meet their clean energy targets with a critical and dependable resource – but as the sector grows, so do the cyber threats against it.

Installed wind capacity globally will double to around 2 terawatts (TW) by 2030 and increase to around 6TW by 2050, according to DNV’s Energy Transition Outlook forecasts. Unlocking access to strong, abundant wind resources gets easier when the industry can demonstrate increasing reliability, decreasing operational costs and additional revenue streams like ancillary services.

Digital devices play central roles in ever-improving reliability, efficiency, and remote diagnostics. To function, these systems will need to be networked and continuously in communication with onshore control centres – and will need protection from cyber threats.

DNV and Siemens Energy recently took an important step on cybersecurity for offshore wind by launching a joint industry project that aims to make it easier to continue and accelerate offshore wind’s contribution to global clean energy production.

The OT Cyber Security for Offshore Wind joint industry project will provide practical guidelines to help offshore wind developers, regulators and operators build and operate systems that meet recognized cybersecurity standards.

Cyber threats against critical infrastructure have escalated. Energy producers make appealing targets for a wide range of attackers, including criminal enterprises seeking immediate financial gain to countries seeking future disruption of rival economies.

More than half (59%) of the 600 energy professionals surveyed by DNV for its Energy Cyber Priority 2023 research said their organization would invest more in cybersecurity during 2023–24, with this rising to 71% among power and renewables professionals. Two thirds (64%) of energy professionals said their organization’s infrastructure was more vulnerable to cyber threats than ever.

Wind power is affected by this escalating cyber threat environment. Its growth as a backbone of major economies – and its reliance on networked digital devices – make it a target. In 2022 alone, three different cyberattacks affected wind power production in Germany – including disrupting communication with offshore wind facilities.

These attacks highlighted the importance of having a cyber resilient supply chain, where developers, operators, original equipment manufacturers (OEMs), wind turbine and component manufacturers, digital infrastructure providers (such as ISPs) and network operators (such as transmission system operators) work together to develop and maintain cyber resilient offshore wind parks.

Several entities develop and publish cybersecurity standards for industrial networks, but none to date articulate how to implement these systems. For example, the IEC 62443 family of standards is often used to assess wind facilities, and the EU’s new NIS2 regulations will apply to wind power.

Although in each case it is clear what the final product must achieve, there is no standard set of procedures that shows companies how to achieve it. As a result, the approach to offshore wind cybersecurity worldwide is fragmented and non-standardized, both in terms of regulation and in terms of practice.

We believe the time is right for clear, actionable guidance for securing offshore wind against cyber threats across the offshore wind supply chain. Our joint industry project will collect wisdom and insights from across the industry to produce a recommended practice.

The recommended practice will help organizations around the world standardize the approaches taken to create cybersecurity for offshore wind. It will reduce uncertainty about how to proceed and whether a given approach will produce strong security. We hope that it will reduce the fragmentation of regulatory approaches across markets and unlock supply chain benefits that come with greater standardization.

Creating a broadly applicable, clear, and widely adopted set of practices will require insights and contributions from offshore wind practitioners around the world and across the supply chain.

DNV brings more than 40 years of experience in wind energy and industrial cybersecurity to the joint industry project. The company publishes a broad range of standards and recommended practices to advance safety, security and efficiency in the energy industry and other industrial sectors. Meanwhile, Siemens Energy brings its expertise as an original equipment manufacturer and a leader in energy sector cybersecurity.

Based on the enthusiastic response to our joint industry project’s announcement at the Hamburg Wind Energy Conference in September, we look forward to drawing on the expertise and global reach of many more partners – the invitation to join remains open.

As the offshore wind industry builds out the technologies, strategies and infrastructure used to manage wind power production, storage and distribution, cybersecurity can and should be among the design considerations.

Done well, cybersecurity can protect the systems that reduce costs and unlock new revenue streams. It can build trust in offshore wind – and accelerate the growth of this vast clean energy resource.