IT Security of Wind Farms

4 April 2018

There is scarcely an area which has grown as strongly as IT in the last few years. We have only been using mobile internet for a good decade. We now manage our entire daily routine via mobile apps – from purchases and transfers all the way to the heating or freshly brewed coffee from the coffee machine.

Digitization does not stop short of wind power either. Nowadays, every turbine can be connected to the internet. “However, with a planned operating life of around 20 years, many turbines – especially the older ones – are still in the Stone Age when it comes to IT”, says Michael Tenten, Managing Director of wpd IT GmbH, which among other things looks after the portfolio of around 2,000 turbines, acting as IT service provider to wpd windmanager GmbH & Co. KG.

Turbines as a target for hackers

“Most operators neglect the subject of information technology. Many farms have a need for retrofits”, Tenten explains. Wind farms are being targeted by hackers ever more frequently. In the hackers’ sights: weak links resulting from obsolete systems or missing updates. For the operator, this can bring the turbine or the entire farm to a standstill. This leads to loss of revenues. But even companies’ own operating IT infrastructure is at risk from hacker attacks.

The focus is usually on financial interests, and hackers employ different methods to pursue them. In one variant, the wind farm’s system is encrypted by malware and only released again in return for a payment. “We are increasingly confronted with attacks from the sphere of white collar crime”, Tenten says. A further variant is so-called CEO fraud. “Here, employees are deliberately deceived by orders instructing them, e.g. through forged emails or calls from superiors, to make a transfer to a criminal organisation”, Tenten explains.

Technical, physical and organisational security

The rule in all cases is that the best protection comes from being careful. Hackers normally look for the path of least resistance. Purely technical protection is therefore not sufficient. The physical security of a turbine is also important. “What use is the best firewall if an attacker can easily gain access to the turbine?”, says Tenten with a word of warning.

“It is also essential that operators pay attention to organisational security.” For example, this includes identifying potential risks or planning specific processes in the event of an attack. Due to the complexity of the subject, it is definitely advisable to look for professional partners for all IT and security questions. The Federal Office for Information Security (BSI) now lists 1,500 measures for reducing security risks in its basic IT protection catalogue. Operators quickly reach the limit of their abilities without professional support. Here they should definitely seek options for solutions from their operations manager.