As marine renewable energy (MRE) developers prepare to deploy these technologies, efforts are underway to guard against cybersecurity threats that could threaten the function of a device and connected systems. Pacific Northwest National Laboratory (PNNL) created the first-ever cybersecurity guidance report for MRE devices on behalf of the U.S. Department of Energy’s Water Power Technologies Office. The guidance is designed to help MRE developers consider risks in their design and operations, which will be crucial as the blue economy technologies harness power across waves, tides, and currents in an effort to reduce the overall carbon footprint.
These cybersecurity measures also will help improve MRE’s resiliency as a predictable, affordable, and reliable source of renewable energy. The technical report is designed to protect the devices, as well as industrial control systems, energy delivery systems and the maritime industry.
“In this nascent stage, developers can start thinking about how their systems will be used and deployed so they can incorporate cybersecurity controls or methods into their designs,” said Fleurdeliza de Peralta, a PNNL risk and environmental assessment advisor and one of the authors of the report.
Identifying and analyzing cybersecurity risks and threats
The PNNL team started with data gathering through a formal request for information document sent to developers, one-on-one discussions, and presentation to stakeholder members of the DOE Marine Energy Council. The researchers reviewed cyber threats and vulnerabilities of information technology (IT) and operational technology (OT) devices used in wave-point absorbers, oscillating water columns, oscillating surge flaps, and current turbines, and examined the supply chain risks for potential security issues associated with firmware, hardware, and software that will be used in IT/OT devices.
Through this fact gathering, the team created customized guidance for developers who will be working to deploy the devices and the end users of the technology. The guidance accounts for the variety of methods that threat actors could maliciously gain unauthorized access to an MRE device – through a satellite, Wi-Fi, or cloud computing – and threats to the actual physical device itself. Threats can include malware or phishing emails, a virus in vendor-controlled devices, or an attack that could cripple an organization’s network.
After the initial data gathering, the PNNL team identified different network architectures and configurations for a MRE device to determine different types of threats. The researchers then used two approaches for analyzing the threats: a system-based approach focusing on protecting information or digital assets that need to be protected; and a threat-based approach that focused on protecting control systems and network configurations.
The cybersecurity best practices guide implements the core functions of the National Institute of Standards and Technology Cybersecurity Framework, which is to identify, detect, protect, respond, and recover. The guidance is risk-based and describes security practices that protect the MRE system and its end user from cyber threat actors with malicious intent.
As the push toward a blue economy gains traction, the new guidance serves as a baseline for best practices in securing the MRE industry from cyber threats. The report will be updated as new threats are discovered and new technology on devices are deployed.
– Edited by Chris Vavra, web content manager, CFE Media and Technology, firstname.lastname@example.org.