The risks of cyberattacks for wind companies


June 30, 2017

This content is from our archive. Some formatting or links may be broken.

This week, a second major cyberattack in as many months has hit businesses and others globally. Firms in wind must be aware of the risks and costs of such attacks.

Last month’s ransomware attack, called WannaCry, hit 230,000 companies in over 150 countries, and this week’s, called Petya, is still spreading around the world. ‘Ransomware’ is software that online criminals can use to lock up the data stored in a computer until the victim pays a ransom to unlock the information again.

No sector is safe. Russia’s biggest oil company, Ukrainian banks, advertising agency WPP, and ports operator Maersk are just some of the firms affected by Petya. And we have seen incidents like this seriously affect the energy sector in the past.

For example, in December 2015 an attack on a major media group caused a power blackout in Ukraine over Christmas; and a second power cut in Ukraine, also caused by a cyberattack, followed in December 2016. Politicians in the US and Europe and becoming increasing aware of how such attacks threaten the energy sector, and the potentially deadly knock-on impacts of blackouts on sectors like healthcare.

In January 2017, the US Energy Department in its Quadrennial Energy Review said the electricity system “faces imminent danger” from cyberattacks as “cyber threats to the electricity system are increasing in sophistication, magnitude, and frequency”. It said the threats were evolving faster than the defenses against them.

The European Parliament also acknowledged the threat and last year started work on its cybersecurity strategy for the energy sector. A plan of action should be unveiled this year. Cyberattacks are becoming a routine risk of doing business – and we find it strange that we never hear anyone in wind discussing it.

There are two factors that could cause cyber risks for wind farms.

The first is that the move from a centralised energy network to a distributed system of wind farms and other smaller developments increases the number of points where attackers could get into the system. And the second is that increasingly-sophisticated digital systems, including in turbines and the grid, also adds more points to attack. This is on top of the risks all businesses face from using computers and the internet.

Wind farm owners need to be aware that the consequences of cyber threats is not limited to loss of data. A study by Deloitte last year analysed the financial impacts of a cyber-attack to businesses: cybersecurity improvements, attorney fees, technical investigation, higher insurance premiums, operational disruption, and the value of lost contract revenue are just some of the costs that wind companies could face.

Deloitte estimates that for big companies, with up to $40bn of revenue, these costs could reach up to $3bn with consequences for the business which could last up to five years.

How can wind companies protect themselves? One example is the deal signed by GE Renewable Energy with US developer Invenergy this year to protect Invenergy’s entire fleet of US wind farms. The $13m deal covers cybersecurity and protection over operational technology from GE’s subsidiary Wurltech, which it bought in 2014.

But we don’t hear about deals like this very often, or even much talk about the topic. We think there needs to be more awareness and discussion from developers and investors about how they can face this threat. Cyberattacks are unpredictable but also inevitable. There will be more, and the financial risks are all too real.

Investment expertise. High-quality events. Exclusive content. Lead generation.

Talk to the Tamarindo team today to find out how membership would benefit your business.

Related content