More than two-thirds of the Earth’s surface is covered by the oceans and seas.
Over the next decade, these vast waters are expected to add $3 trillion to the global economy by generating electricity using marine renewable energy (MRE) devices. These “blue economy” technologies harness power across waves, tides, and currents that could reduce the carbon footprint from energy production and provide grid stability to remote coastal communities.
As MRE developers prepare to deploy these technologies, efforts are underway to guard against cybersecurity threats that could threaten the function of a device and connected systems.
Pacific Northwest National Laboratory (PNNL) created the first-ever cybersecurity guidance report for MRE devices on behalf of the U.S. Department of Energy’s Water Power Technologies Office. The guidance is designed to help MRE developers consider risks in their design and operations. These cybersecurity measures also will help improve MRE’s resiliency as a predictable, affordable, and reliable source of renewable energy. The technical report is designed to protect the devices, as well as industrial control systems, energy delivery systems, and the maritime industry. The results of the project are available on Tethys Engineering. The report results have been broken into a two-part series in the Marine Technology Society Journal for the Nov/Dec 2020 issue and an upcoming Mar/April issue.
“In this nascent stage, developers can start thinking about how their systems will be used and deployed so they can incorporate cybersecurity controls or methods into their designs,” said Fleurdeliza de Peralta, a PNNL risk and environmental assessment advisor and one of the authors of the report.
Identifying and analyzing cybersecurity risks and threats
The PNNL team started with data gathering through a formal request for information document sent to developers, one-on-one discussions, and presentation to stakeholder members of the DOE Marine Energy Council. The researchers reviewed cyber threats and vulnerabilities of IT and operational technology (OT) devices used in wave-point absorbers, oscillating water columns, oscillating surge flaps, and current turbines, and examined the supply chain risks for potential security issues associated with firmware, hardware, and software that will be used in the IT/OT devices.
Through this fact gathering, the team created customized guidance for developers who will be working to deploy the devices and the end users of the technology. The guidance accounts for the variety of methods that threat actors could maliciously gain unauthorized access to an MRE device-through a satellite, Wi-Fi, or cloud computing-and threats to the actual physical device itself. Threats can include malware or phishing emails, a virus in vendor-controlled devices, or an attack that could cripple an organization’s network.
After the initial data gathering, the PNNL team identified different network architectures and configurations for a MRE device to determine different types of threats. The researchers then used two approaches for analyzing the threats: a system-based approach focusing on protecting information or digital assets that need to be protected; and a threat-based approach that focused on protecting control systems and network configurations.
The cybersecurity best practices guide implements the core functions of the National Institute of Standards and Technology Cybersecurity Framework, which is to identify, detect, protect, respond, and recover. The guidance is risk-based and describes security practices that protect the MRE system and its end user from cyber threat actors with malicious intent.
As the push toward a blue economy gains traction, the new guidance serves as a baseline for best practices in securing the MRE industry from cyber threats. The report will be updated as new threats are discovered and new technology on devices are deployed.