“A big risk is people just don’t understand the risks with these types of systems. I think that’s starting to change, as we have larger and larger energy companies that already understand cybersecurity jumping into wind. We have projects from Royal Dutch Shell and BP and other energy companies. They’re setting up huge wind farms, especially offshore. They understand cybersecurity because of their refineries and pipeline systems, better than a startup does. And we hope we see more of that bring some maturity to the industry.”

-Keith Mecham

Wind energy is one of the most rapidly growing energy generation sources in the US – how can these renewable systems stay resilient in the face of cyber attacks as the industry grows?

In this episode, we hear from Megan Culler and Keith Mecham of Idaho National Labs (or INL). Megan Culler is a Power Engineer and Researcher; Keith Mecham is a Critical Infrastructure Cybersecurity Engineer.

INL is a Federally funded research and development center (FFRDC): public-private partnerships which conduct research and development for the United States Government. They operate large infrastructure security programs that include wind, power, and telecommunication, as well as provide engineering and development support to the federal government.

How does wind fit into our broader energy infrastructure? What threats does cybersecurity present to renewable energy? How can industry work tougher for policymakers to keep our systems secure?

Join us as we discuss these questions, and more.

(Subscribe to Hack the Plant on Spotify or Apple, by RSS feed or search for it wherever you listen to podcasts.)

I’m Bryson Bort and this is Hack the Plant.

For today’s episode, I’m joined by Megan Culler and Keith Mecham  of Idaho National Labs (or INL). INL is a Federally funded research and development center (FFRDC): public-private partnerships which conduct research and development for the United States Government. They operate large infrastructure security programs that include wind, power, and telecommunication, as well as provide engineering and development support to the federal government.

Megan Culler is a Power Engineer and Researcher at INL; Keith Mecham is a Critical Infrastructure Cybersecurity Engineer.

Today, we discuss how wind fits within our broader energy infrastructure.

Megan Culler

Wind energy is one of the most rapidly growing generation sources in the US. …. And it’s a critical part of being able to meet carbon neutral and clean energy goals that are being set by the government, that are being set by businesses. Wind energy resource potential is very high. If we were able to capture all of the wind in the US, we’d be able to power the US needs three times over.

Bryson Bort

We also explore the key challenges of keeping these energy systems secure.

Keith Mecham

Wind energy is also far more distributed and diverse than other forms of energy production. So because there are tens of different manufacturers of major wind systems and different types of installations are being put in all over the country. There’s going to be a considerable effort to make sure that all of these systems are up to standards and are safe and secure.

So I think we’re just in an evolutionary point. We’ve seen already the startup companies come in and build their wind farms and get a foothold in the door. We’ve seen large companies start to invest in large wind farms, and we’re getting significant amounts of our energy from wind now, but we didn’t even five or 10 years ago. The next step is that, wind and solar together become a much larger part of our energy portfolio and naturally increased requirements from regulating bodies are going to come into play. And the industry itself is learning a lot about how to operate and what the risks may be.

Bryson Bort

And just in the news, Vestas, a Danish wind energy company – was hit by ransomware to their IT systems on 19 November. But wind turbine and supply chain operations were unaffected.

An International Energy report last year noted that cyber attacks would be a key threat to wind power and other renewable power sources.

How can renewable energy systems stay resilient in the face of cyber attacks as the industry grows? What core challenges does the industry have in maintaining security? What regulatory shifts might need to be made?

Join us as we discuss these questions, and more.

Bryson Bort

Starting point, please tell me about what is Idaho National Labs?

Megan Culler  

Idaho National Laboratory is a department of Energy National Research Laboratory with a focus on nuclear and other energy for the most part. Also a lot of critical infrastructure security, and it’s really a wide variety of topics that are covered but the key part, I guess, is that it’s not industry and it’s not academia. And we focus on problems that can’t or are not solved by industry with the goal of helping industry get to those solutions faster.

Bryson Bort

Keith Mecham, anything you want to add?

Keith Mecham  

Yeah, INL is the premier research lab in the DOE complex for nuclear research and future nuclear technologies, but we are also extremely strong in cybersecurity research, as well as services. We service lot of DOE and the Department of Homeland Security programs to secure critical infrastructure. These include things like power plants and waste water treatment, even manufacturing and things we rely on every day that are important to the security of our nation and people’s livelihoods, is about a fourth of the focus of INL, about a fourth of the staff here are dedicated to that. So wind energies are becoming a big part of that as well.

Bryson Bort 

Yeah, so we heard nuclear twice and then wind energy there at the end. Tell us so what is wind energy?

Megan Culler 

Wind energy is a form of power generation, the blade spin, and they turn a generator. There are some converters on the inside that change the blade speed, which could be highly variable to the 60 Hertz power that you would get in your wall. Wind energy can in many sizes. So we can have individual turbines powering a farm or something like that, up to a multi gigawatt wind farms, both onshore and offshore. So one of the challenges with a wind energy is that it’s not specific to a particular size or technology. There’s a wide range of things to consider there.

Bryson Bort 

So why do we care about wind energy?

Megan Culler 

Wind energy is one of the most rapidly growing generation sources in the US. I don’t have the numbers in front of me and maybe I should have, but it’s being installed rapidly both at the distributed scale. So smaller projects that are powering individual communities up to as we’ve seen a lot recently in the news, big offshore farms. And it’s a critical part of being able to meet carbon neutral and clean energy goals that are being set by the government, that are being set by businesses. Wind energy resource potential is very high. If we were able to capture all of the wind in the US, we’d be able to power the US needs three times over. So really it’s trying to capture that energy and use it most effectively, get it from where the wind is blowing to where the power is consumed.

Keith Mecham 

I would add that wind energy is also far more distributed and diverse than other forms of energy production. So because there are tens of different manufacturers of major wind systems and different types of installations are being put in all over the country. There’s going to be a considerable effort to make sure that all of these systems are up to standards and are safe and secure.

Bryson Bort 

Your primary focus at INL is in cybersecurity. What is unique about the cybersecurity requirements with wind energy?

Keith Mecham 

So first of all, because wind farms are distributed you have hundreds of individual endpoints, the wind turbines themselves. And those endpoints have to connect to a management network which we associate with a plant or a wind plant or wind farm and all the different wind farms then have to connect to our electrical grid in order to get power to where it’s needed and service the load and the requirements. So instead of having one big nuclear plant or some massive hydroelectric dams serving a region or even large coal or natural gas plants, instead you’ll have thousands of windmills serving that load and coordinating thousands of endpoints is a lot more difficult than a couple of major power plants.

Keith Mecham 

And it offers a larger attack surface area for adversaries and is a lot more complex to manage and get them working. Especially where we’re not in control of the prime motivator, the wind itself, the control algorithms, the control effort is more difficult because we have to just take what’s there and utilize it. We can’t control how hard the wind’s blowing and where it’s blowing. So the infrastructure for controls to make a wind energy system efficient and effective, it’s a big deal. And because there’s more electronics, more control, the attack surface is greater. And we definitely need to focus on making sure that all the wind farms and even individual wind microgeneration make sure they’re secure.

Bryson Bort

What kind of projects are you working on at INL currently on that?

Megan Culler  

We have projects that are working with particular vendors and manufacturers to evaluate the security of those products individually. We have larger projects where we’re looking to provide guidance to the wind industry in the form of cybersecurity guides and resilience guides. We have a long history of work in resilient controls. And one of the things that we like to stress with power energy in particular is that, you’re not going to be a hundred percent secure. There’s just too many variables to control. So instead what we want do is make sure that we are resilient in the face of threats, that we have backup systems in place, that there are safety systems to make sure that the physical and safety impacts are minimal and try, yeah, we want to try to protect the power system. We want to protect the safety of the engineers who might be working on the system and we want to protect the equipment itself.

Megan Culler  

So with security, we’re not necessarily trying to say that we’re 100% secure. That’s just not possible. As Keith Mecham mentioned with the hundred of endpoints and the amount of controls and communications that’s required for that. But instead we want to make sure that we can monitor the systems that we know when something is happening and that we can fail gracefully or preside resilience so that in the face of these threats, the impact the system is low.

Bryson Bort 

Are there any particular projects or exercises that you can go into detail on?

Megan Culler

Sure. One of the projects that I’ve been working on for about a year is called MIRACL, that’s Microgrids Infrastructure Resilience, and Advanced Controls Launchpad. And the focus of that project is on distributed wind. So by that we mean wind that is producing power that is consumed locally. So as opposed to big wind farms in Texas that are up in the Northwest part of the state, but producing power for the major load centers in the Southeast part of the state. When we talk about distributed wind, we mean power that’s consumed more locally.

Megan Culler 

So for that project in particular, we’ve been working with other national labs, including Sandia National Labs, the National Renewable Energy Laboratory and the Pacific Northwest National Laboratory to develop resilience metrics, cybersecurity metrics, advanced controls that can be used to promote more adoption of distributed wind. So in particular INL’s focus there has been on producing the resilience and cybersecurity metrics, and we’ve produced guides that have been based on case studies that we’ve performed to identify which wind plant stakeholders are responsible for certain parts of security and resilience, and to help those groups monitor and improve their resilience.

Bryson Bort 

Keith, any projects or exercises that you can share detail on beyond MIRACL or your own work on MIRACL?

Keith Mecham 

I can generically share some of the types of work we do without naming a direct entity, but in contrast to projects like MIRACL at INL, we also work on evaluating the cyber security and quality of individual control devices all the way down to programmable controllers, such as PLCs or embedded devices that control aspects of the wind turbine. So we really take a holistic approach. We evaluate systems and the interconnection of systems across the power grid, but we also work with vendors and manufacturers to evaluate the systems that they’re putting into the field at a lower level. What kind of vulnerabilities might exist in them? What kind of software libraries are they using and do those inherit some risk because of things that they’ve built in or hardware that they perhaps are using that has some known vulnerabilities.

Keith Mecham  

We try to encompass that work as well. And that has been… Partly my focus is working on that lower level Steph, where you’ve got a hardware controller and you can understand how it communicates or what the parts are inside. Is it secure or would it be really easy for me to spoof communication to that if I could get onto the network and how would that device react? Could I take control of it? What harm could I do? So that’s really a big focus of our work here at the lab as well.

Bryson Bort  

Do we have any real world visibility on threats or actors that we’ve seen that have attempted to take advantage of things like this?

Megan Culler

Yeah. So there have been several academic studies that have evaluated the security of individual wind turbines and wind plants overall, but there have also been some real world examples of wind plants or wind systems either being hit or being targeted, which can be slightly different. But to give a couple examples, one of the most well known ones was attack on Cisco Firewalls on a renewable company that managed solar and wind is in Utah. And this attack caused the firewalls to reboot over and over again for about 12 hours. And while it didn’t impact the ability of the wind turbines to produce energy, it did block visibility for the operators into the system so they could not see what was going on real time or make changes.

Some other interesting examples, in 2018, there was an incident where a technician logged onto a laptop in a hotel, accidentally downloaded some malware, went to work the next day, plugged his maintenance comp computer into the wind turbine controls, and the wind plant became infected and the turbine stopped running. Now, there are other examples of attacks like that, and those aren’t necessarily things that have been targeted towards wind energy. It’s more likely that it was just malware that interfered with the systems so much that they couldn’t work. In particular there are many controllers that are windows based. So any windows vulnerabilities could potentially be exploited to make those controllers stop working.

But if we still had good security on all of these devices, we might not run into that. Just kind of these drive by attacks, if you want to call it that. There have been a few more targeted attacks. There was an example in 2014 of an unknown hacker using some masking software to get into a plant, they changed a setting on a single turbine, but there weren’t any widespread power effects from that change. And there was also an example of some Russian hackers getting into a particular wind plant. And again, their reach appeared to be fairly limited.

It didn’t have any widespread power effects, but I think the main takeaway from a lot of these incidences, just kind of, if you have good cyber hygiene, which is hard to find in the industrial control system world, that some of these could have been prevented. So we are interested and we care about the specific things that can be done to target wind controllers. But we also note that there probably aren’t many attackers out there that are specifically looking to disrupt wind energy. So really good cyber hygiene is one of the most important things that can be done to protect these plants.

Bryson Bort 

How do you know that it was Russian hackers in that example?

Megan Culler 

I did not perform the analysis on that event. I’m just quoting from the reports that we read about it.

Bryson Bort  

That’s fair. You mentioned that cyber hygiene is the solution and that that’s most commonly lacking and what we see in the industrial control system infrastructure. Why is that?

Keith Mecham 

So we see this type of challenge in many of the critical infrastructure areas. One example is municipal water and waste water systems. Those entities tend to be smaller and less well funded because they’re individual cities usually. And we see that with wind farms as well. They’re often smaller startup companies that they’re able to get a lease on land and they put some money in, they get investors to help them set up a wind farm and they haven’t done it before. They’re new to the game. They don’t understand all of the potential caveats and their motivations are different than investors in a large, natural gas plant would be.

So because their economic incentives are a little different, cyber security isn’t prioritized as highly much of the time. So they’ll have some things that they miss such as making sure they have physical security around all their turbines. They’ll miss things like setting up defense in depth for of their networks of OICS equipment, surrounded by OT networks of control equipment such as their control centers and substation interfaces and such. There are things that we’ve learned and we’ve implemented in other industries that are high priority, but it takes money and motivation of these private firms to improve their cybersecurity footprint. So wind isn’t [inaudible 00:17:41] in that, but it is significant.

Bryson Bort  

So money and motivation. Money being a small firm was already a challenge. Furthermore, tied to potential component of motivation is the resources to even understand and implement this correctly, too, correct?

Keith Mecham 

There’s a big factor there as well, because if you haven’t been in critical infrastructure and seeing how things need to be done in large facilities where the risks are really high and they would present a big target to either hackers, whether they’re ransomware or a nation state actor, they do things differently because they understand the risks because there have been more high profile attacks on large entities. But if you don’t know that, if your wind farm doesn’t have somebody on the inside that understands that, why would you spend hundreds of thousand or millions of extra dollars that come out of your bottom line on security?

So really I think a big risk is people just don’t understand the risks with these types of systems. I think that’s starting to change, as we have larger and larger energy companies that already understand cybersecurity jumping into wind. We have projects from Royal Dutch Shell and BP and other energy companies. They’re setting up huge wind farms, especially offshore. They understand cybersecurity because of their refineries and pipeline systems, better than a startup does. And we hope we see more of that bring some maturity to the industry.

Megan Culler 

I would add that, while there are some big players that do understand cybersecurity better, the information sharing for renewable energy, especially, but for wind energy as well is not very well established. So the knowledge that these big firms have about best practices may not be shared with the smaller firms or incidents that happen for anyone are difficult to find. INL has done a lot of research on publicly available information for wind cybersecurity events. And while we know that there are more out there, there’s very few publicly available details about some of these incidents.

And as Keith Mecham mentioned with a lot of the small firms, there’s a lot more focus on just making things work, to get the bottom lines to work out and there’s just not very much motivation, both for manufacturers and for operators to prioritize cyber security. A lot of the smaller plants will either keep their networks a little bit separate or they’re small enough as they are to avoid some of the cybersecurity requirements that will apply for large power generation sources.

So there are federal cybersecurity standards, but only for power generation sources of a certain size. So they may try to avoid having to meet those requirements. And then for the most part, their cybersecurity plans consist of meeting any requirements that apply to them, not really going above and beyond that, which may stem from the fact that most people are not going to sit there and go, oh yeah, I think that the hackers are going to target wind today. So until we see more evidence of impact from types of attacks, there’s not going to be as much motivation to do something about it.

Bryson Bort

So there is not an information sharing analysis center, an ISAC specifically set up for wind energy?

Megan Culler 

No, they would fall under the energy ISAC, the E-ISAC. But for the most part, that’s not going to be focused on wind energy threats in particular.

Bryson Bort  

So who else should have responsibility for supporting better information sharing for the most rapidly growing energy sector in the United States?

Megan Culler  

I think it’s likely that there will get to be more standards, both in terms of technical standards and government mandated standards. We’ve seen just this year that there’s been an increase in the reporting requirements for cybersecurity events, for entities like pipelines. There is some of that reporting requirements already in the energy industry, but I think we’ll see more of that. And I think that’s one of the gaps that entities like INL are also trying to fill. So, we are doing the work to analyze these different setups and provide guides with best practices. Now we have contact with industry that we can share some of these with, and we can publish them, but we can’t in our particular position, really force people to put into practice these best practices.

So I think what we’re trying to do is make sure that the information is readily available and easy to understand for the stakeholders that need it. And then as that becomes more available to them, hopefully we’ll see more adoption. And then from the standard side as well, as we get more general, I don’t know if general understanding is the right word, but more cohesive understanding on what the technical implementation requirements are for executing these best practices. We’ll see more technical standards that will help these companies do what they like to do, which is just manage compliance.

Bryson Bort 

Keith, do you want to weight on that at all or?

Keith Mecham 

So the way that wind energy is directed into, our grid is also a little different than some of the big multi gigawatts power plants that we’re used to seeing in the natural gas industry. And that’s why the regulations are different. Right now, wind is used to augment and when wind power’s available, it pushes out into the grid and things like frequency and voltages are regulated mostly by the big plants like the nuclear or the big hydroelectric DMs. And wind is just something that we add to the grid when it’s available or as it’s available somewhere, there’s always wind. But as this as our percentage of wind generation increases and solar along with it. I feel like naturally those things will become more regulated because they will actually have a bigger impact on grid security or grid stability.

So I think we’re just in an evolutionary point. We’ve seen already the startup companies come in and build their wind farms and get a foothold in the door. We’ve seen large companies start to invest in large wind farms, and we’re getting significant amounts of our energy from wind now, but we didn’t even five or 10 years ago. The next step is that, wind and solar together become a much larger part of our energy portfolio and naturally increased requirements from regulating bodies are going to come into play. And the industry itself is learning a lot about how to operate and what the risks may be.

So I think we’re an industry start from infancy and become effective and learn how to grow. Right now investment in wind is really attractive because for the amount of power that can be produced, it’s very cost effective versus building a new natural gas fired generating plant. So I think we’ll continue to see investment in wind, especially by big energy companies that are pivoting away from carbon producing energy, to carbon free options. They’re going to move their portfolios, but they’ll bring with them the expertise they have. And also they’ll be more on the radar of government entities and regulating entities that make sure that our power grid is stable and safe.

Bryson Bort 

All right, these are the final questions. Okay? So Megan Culler, we’ll start with you. If you could wave a magic air gap, of course, wand, what is one thing you would change?

Megan Culler 

I think what I would change is the perception in the industry towards compliance versus security. It’s been our experience that often compliance with requirements does not mean that you are secure. And I think there’s a lack of understanding about what truly being secure means. So I’m not saying that I would waive my wand to make everything secure, but just to kind of close that understanding gap about compliance versus security. I mean, we know that standards and the government process tends to be behind the curve of technology. So just trying to close that gap a little bit and help people understand how they can be secure and what steps they can take that aren’t necessarily very costly, but can add a lot of security to the system just by following some other best practices.

Keith Mecham  

Would you like me to answer the same question?

Bryson Bort  

Yep. Yep. These are the thinking questions we end with.

Keith Mecham 

Okay. So, Megan’s focus is so good. I really have to copy it and I apologize, but the point that she made about compliance versus security mindset and these entities desiring to set up systems that are secure and safe, and that are well managed versus them being forced to do so, I think is a big deal. We’re pivoting to renewables because we want to be good stewards of our planet. And we’re finding that it’s actually more cost effective in a lot of ways to do so, rather than continuing to use older technologies and older energy sources, such as coal, that is rapidly shrinking in our energy portfolio, but we need to embrace as a culture or as a society, especially our large corporations and corporate entities that are responsible for making these investments. We need to embrace the security mindset and it isn’t just renewables on wind and solar that need to adopt us better, we have the same challenges across all critical infrastructure. From water to natural gas distribution to gasoline and diesel pipelines.

Corporations have historically put profits first, and they’re starting to learn about the security risks, but until that hits critical mask and it starts to hit their bottom line like ransomware attacks, hitting the bottom line of entities. Luckily ransomware attacks they typically cause shortages, but they don’t damage our infrastructure permanently. They don’t harm people. Hopefully the ransomware attacks and everything that’s happening, change the equation. So people and corporations become more responsible seeing that, hey, my investment in security is going to not only protect my bottom line, but I would hope everyone gets to the point that we care about our bottom line, but we all also care about safety and security.

People’s lives and people’s livelihoods are important and we rely on these systems. So I think that naturally will come since renewables are getting bigger, but just as it take took decades for a desire to be a little better steward of the planet and consider renewables and get them into where they’re now a significant part of our energy portfolio, it’s going to take time to change the mindsets of companies and get them to be good security and stewards and make sure that they’re contributing to the safety of our grid.

Bryson Bort  

All right. You’ve waved your magic wand, now looking into the crystal ball for a five year prediction, one good and one bad thing.

Keith Mecham  

So one good thing that would come from changing the security mindset of our renewables and other critical infrastructure, would be that we would become more secure and we would be able to have the type of management and security operation centers and visibility into networks that we need to make sure our adversaries are at least in check and that we can prevent any catastrophic failures or damage to property equipment and even lives. But the bad thing that’ll happen is new challenges will be invented and discovered by adversaries. There’s always going to be a subset of society that wants to damage, destroy or make money off of fear.

So just magically waving a wand and having everything set up today and in an ideal fashion isn’t necessarily the answer. It’s the mindset that drives you to the put things into that situation. It’s the mindset thinking constantly about security, thinking constantly about safety. That mindset is what would really protect us long term because the threats will evolve, the threats will change, the targets will be different this year than they are next year. But the mindset and the culture of our companies and our people is what’s most important. So that kind is the good thing. And the bad thing. The hackers will evolve and change. We have to change with them.

Bryson Bort

Megan, you ready?

Megan Culler 

Yeah. I think Keith put it very nicely. I think my good thing would be that we will see faster and more widespread adoption of renewable technologies. We know that there are some aggressive, renewable portfolio standards out there that need wind energy and need solar energy to be a part of them if they’re going to be met. So the carbon neutral and net zero targets for 2030 and 2050, both the federally mandated ones and the smaller state run or business run standards, those need wind. And if we see security issues with these technologies for not staying up to date with the curve of technology, then I think it’s going to be a lot harder to adopt those technologies. There’s going to be a lot more policy barriers to that kind of technology. So if we can implement the best practices and use the security mindset to stay on top of that, I think we will have a lot more success with adoption of renewable technology.

I agree with Keith Mecham and entirely that our adversaries will continue to evolve with us. I think one thing that’s not going away is ransomware. We briefly mentioned I think that ransomware tends to not have a physical damage element to it as much, it’s usually more of an IT system compromise that sometimes compromises the ability of a organization to operate its assets correctly. So that’s what we saw with colonial pipeline earlier this year. It wasn’t that their OT systems were hacked. It was just that the IT systems were so heavily relied on for the company’s operation, particularly for their revenue streams, that shutting those down really forced the whole company to shut down.

So I don’t think we’re going to see huge nation state actors targeting wind portfolios directly or intentionally focusing on wind. But I do think that we will continue to see a lot of OT environments exploited for financial gain, particularly through ransomware. So again, it goes back to the good cyber hygiene and making sure that systems are patched and updated and that all the back doors are closed to try to prevent those types of ransomware attacks from having an impact on your system.

Bryson Bort  

All right. Anything we didn’t cover that you’d like to touch on?

Keith Mecham 

Just a main point I want to make sure that we get acrossed. There are unique challenges in wind and even solar and the renewables area of power generation, but they’re not all new challenges, they’re just a little bit different mix. Most of the challenges that we’re seeing in wind related to cybersecurity, we see in bits and pieces in other entities too. I’ve mentioned a few examples such as pipelines and water and even large scale natural gas fired power plants. There’s commonality in what they’re risks are. And there’s also a lot of commonality in how things are done across critical infrastructure. Wind isn’t more susceptible than any other type of energy. It’s not immune more than any other type of energy. We just need to be diligent about taking the lessons learned across the energy sector and others and implementing them systematically to make sure that the entire portfolio of technology supporting the grid are safe.

Bryson Bort  

All right. Well, I think that wraps it up then.