WPNL 202202

Digitalisation
Q/A with Harold Veldkamp, Director Digitalisation Programme at Topsector Energie
Protecting our power
plants
Sustainable energy production should contribute to the Dutch government’s
ambition to achieve a fully CO2-neutral energy system by 2050. Large-scale wind
energy, particularly at sea, will make a major contribution and large investments
are therefore being made in this area. But with this capital intensification, the
power plants are also becoming more financially attractive to hackers.
Windpowernl spoke with Harold Veldkamp from
Energy Innovation NL (Topsector Energie) about
this topic. Since September 2020, Veldkamp has
been Director of the Digitalisation Programme
within Energy Innovation NL, the driving force behind
innovations that are necessary for the transition to an affordable,
reliable and sustainable energy system.
Digitalisation is a theme that cuts across all Top Consortia for
Knowledge & Innovation (TKI) within Energy Innovation NL.
Together with TKI Wind op Zee, part of Energy Innovation NL,
Veldkamp is investigating the role of digitalisation within the
offshore wind community and what digital innovations are
possible or desirable here. Cyber security is an important subject.
Is cyber security on the agenda of the wind
sector?
‘The wind sector is relatively young, certainly in the size and
application as we know it today. For years, the focus has been on
the actual realisation of wind farms; how they could be built and
financed. Issues such as cyber security, as well as circularity and
recycling, have only recently become important. When there were
not yet so many wind turbines, there was also much less a
necessity to focus on this. Now that sustainable decentralised
energy is growing and will continue to increase, cyber security has
become an important factor within the Dutch energy mix. Wind
farms, but also solar parks, are increasing in size, involving much
larger investments. This makes these energy projects increasingly
more interesting for hackers. After all, the effort has become much
more rewarding.
At the moment, new legislation in this field is being prepared on a
European level. The Ministry of Economic Affairs is responsible
for the national translation. The wind sector already falls partly
under the supervision of the Dutch Radiocommunications Agency,
which is the supervisory authority for cyber security for the entire
energy sector. This means that, for the first time, the wind sector
must prepare itself for everything that has to do with cyber
security risks.’
What are the main cyber security risks?
‘Most cyber-attacks can be roughly divided into four categories.
At the top is ransomware. With this type of cyber-attack, the
hacker is not out to destroy the system itself but purely to realise
financial gain - by temporarily blocking access to the system and
only making it accessible again to the owner in exchange for a
large sum of money. For now, the danger comes mainly from
North Korea and some Eastern European countries. Not everyone
is aware of this, but ransomware is the world’s third largest
economy after China and the US. A country like North Korea
runs almost its entire budget on this income. So this is definitely
something to take seriously.
The second form is industrial espionage. Again, no damage is
done to a system. The system is only observed to gain knowledge.
This is mainly done on a nation level and used to influence the
competitive position of a country favourably, for example in the
case of large contracts or if a country is lagging behind in a
particular area of innovation. It should be noted that this is not
only used by traditional enemy nations.
In a third form, damage is actually caused deliberately to an
(energy) system for various reasons. This involves not only direct
financial damage but also production damage. We have recently
seen examples of this in the conflict between Russia and Ukraine.
In a fourth situation a system is hacked in order to manipulate
production figures. An example is manipulation of meteorological
data which is used to predict the algorithms of wind farms. The
ultimate goal is to take advantage of the energy trading market - in
effect, so-called insider trading.’
What are the main risks for wind farm owners?
‘If a hack brings a wind farm to a standstill, this obviously has
financial consequences for the wind farm owner. However, it can
also have a wider impact, especially if the hack brings down several
wind farms. If a large amount of wind production is suddenly
withdrawn and then fed back into the grid, this could cause a
complete blackout in the Netherlands. However, because this is
caused at a high voltage level, it can also effect the grid at
European level. TenneT, the Dutch manager of the high-voltage
grid, has interconnectors with the countries around us. The grid
managers in the Netherlands are very active in the field of cyber
security but they have no influence over the parties that supply the
grid.’
Are the risks similar for on and offshore wind?
‘The technical risks are comparable; the same applies to solar
parks. But there is an additional risk dimension for offshore wind
as there is no permanent control with human presence. Therefore
you are less likely to realise immediately that something is going
on. As a result, it will take much longer before you can take the
necessary steps.’
Is the wind sector well aware of the risks?
‘As with all new things, this requires time and adaptation.
Unfortunately, cyber security risks can sometimes have a long
incubation period and only become visible later. We notice that
awareness in this area can still be improved significantly. For
example, there are still companies that connect their Operational
Technology (OT) directly to the Internet. An OT system is the
interface to the wind turbine, which allows you to switch a wind
turbine off and on again. We also come across examples where
some systems are still programmed on Windows XP, which has not
been supported for years and therefore entails major security risks.
This is also why Energy Innovation NL is initially focusing on
creating awareness. This applies to the wider energy sector.
For the wind sector, we want to make an assessment tool available
together with TKI Wind op Zee. This tool should help companies
to assess for themselves which cyber security risks they are
running, whether they are properly prepared, and what they need
to take into account. Of course it is not a complete cyber security
assessment, but compare it to a COVID home test. If the result is
not good, you start taking measures.’
How can companies protect themselves?
‘The natural reaction is to prevent being hacked. However,
hacking tactics are constantly evolving. It may be impossible for a
company to completely prevent attacks. The consensus among
cyber security experts is: you don’t have to ask yourself
WHETHER you will be hacked, but WHEN. It will happen one
way or the other.
Be well prepared and make sure you have the basics in order. I
sometimes compare it to a burglary. Once the burglar gets through
the front door, he has immediate access to the whole house. This is
also often the case with companies. You can prevent this by means
of compartmentalisation. Instead of just implementing a large
security wall around your entire system, you should also secure
internal parts seperately. This has two major advantages. First of
all, it will more likely discourage hackers. After all, they need much
more time to get through the various protections. Secondly, you
limit the damage. By compartmentalising, hackers will need much
more time to achieve their goal. While the rest of the company
keeps on running, you can already start taking measures.
What can be done across the wind sector?
Knowledge sharing in this area is sensitive. Those who are hacked
often feel enormous shame and prefer to keep this silent. However,
some sectors did prefer to bundle knowledge from multiple parties
because they found it impossible to keep up with cyber security
knowledge on an individual level. This is where the Information
Sharing and Analysis Centres (ISACs) originated. In the ISACS,
experts from various companies exchange knowledge about these
types of vulnerabilities, with warnings but also solutions for new
vulnerabilities. The National Cyber Security Centre advises the
government in this respect. We also want to set up this kind of
knowledge exchange for the mobility, solar and wind industries.
It is finally up to each company to do something with it or not.’
What about start-ups that provide softwarebased
products and services?
‘The dilemma with innovations is that innovative companies like
to bring their idea to the market as quickly as possible, to make
sure they are first. Here, cyber security may receive less attention.
I would definitely like to give them the “security by design” advice:
make sure you include cyber security in your design process. If you
don’t have time to build it in now, you certainly won’t have time to
correct it later. As a company, ask yourself the question: can you
afford, if your solution proves successful, to be hacked later and
have a bigger problem?’
Do we in the Netherlands have sufficient
knowledge in the field of cyber security?
The Netherlands has a good cyber security knowledge industry.
Do we have enough people? No, absolutely not. That’s why we’re
working with the ten top sectors to develop a broad-based
programme. This is a knowledge development programme for all
levels. We are going to finance all kinds of knowledge projects on
cyber security on the basis of knowledge questions that we are
receiving and are now collecting.
Part of that programme is the human capital agenda. We want to
ensure that we train enough people to do this work. This is not an
easy task. It turns out to be quite difficult to reach these people.
There is also quite a bit of knowledge involved. It’s not just about
having the practical knowledge of hacking, but you also need to
have background knowledge, including system and legal
knowledge. The National Cyber Security Strategy will contribute
to this, just as the major EU projects in the field of cyber security
will contribute to the further development of product cyber
security (minimum requirements such as 2-factor authentication,
patch management etcetera). In addition, important entities in the
vital energy sectors will soon be subject to compulsory legislation.
Fortunately, there are training courses in this area that will also
guarantee knowledge in the future. This happens at all educational
levels. With this broadly supported programme, we are trying to
give an extra impetus to further development in this area as well. •
10 | 02-2022
02-2022 | 11