The Uptime Wind Energy Podcast

The Uptime Wind Energy Podcast


Cyber Security Threats on Wind Turbines with Everpoint Services and Idaho National Laboratory

May 10, 2024

Candace Wood, COO of Everpoint Services, along with Michael McCarty and Megan Culler from Idaho National Lab, discuss their collaboration at Little Pringle Wind Farm to conduct cybersecurity research and testing. The episode delves into the critical importance of addressing cybersecurity vulnerabilities in wind energy infrastructure to ensure grid resiliency and energy security.


Sign up now for Uptime Tech News, our weekly email update on all things wind technology. This episode is sponsored by Weather Guard Lightning Tech. Learn more about Weather Guard’s StrikeTape Wind Turbine LPS retrofit. Follow the show on FacebookYouTubeTwitterLinkedin and visit Weather Guard on the web. And subscribe to Rosemary Barnes’ YouTube channel here. Have a question we can answer on the show? Email us!


Pardalote Consulting – https://www.pardaloteconsulting.com
Weather Guard Lightning Tech – www.weatherguardwind.com
Intelstor – https://www.intelstor.com


Allen Hall: Welcome to the special edition of the Uptime Wind Energy Podcast. I’m your host, Allen Hall, along with my co host, Joel Saxum. This podcast has an interesting story behind it. Our first guest today is Candace Wood, Chief Operating Officer at Everpoint Services, which is based in Texas. Candace purchased the Little Pringle Wind Farm at an auction.


Little Pringle Wind Farm is outside of Texas. Amarillo, Texas, and buying a wind farm at auction doesn’t happen very often. And this is where the story takes an interesting turn. Candace and Everpoint made a decision about how to use this wind farm. Everpoint connected with the Idaho National Laboratory, cybersecurity experts, to use a portion of the turbines for cybersecurity.


Research and testing. So from the Idaho National Lab is Michael McCarty, who is a cybersecurity research specialist and Megan Culler, who is a power engineer specializing in cybersecurity and resiliency, also from the Idaho National Laboratory. Megan, Michael, and Candice, welcome to the show.


Candace Wood: Thank you. Thanks for having us.


Michael McCarty: Thank you.


Allen Hall: Alright, so let’s start off with a little prequel and figure out how Candace ended up buying a wind farm. So you were at an auction Candace? Can you describe what happened where you decided to put down some money on a wind farm?


Candace Wood: Everpoint Services, we are a end of life services company for renewables.


So we primarily focus on decommissioning and demolition of wind turbines as well as solar assets. And we’d heard about this wind farm that had been abandoned since about So I was at the auction in August of 2017. Small farm, 10 units originally 2 megawatts each and heard that it was going up for auction.


The county had seized the asset to try and recover some back taxes. I tuned into the option really with the intention of finding out who was going to purchase it and then pitching our services to them. Hey, we can come in and help you cut these things down. So I’m listening to the auction and the price point is going once going twice and I’m thinking gosh, that’s Really not a lot of money.


I mean we’re talking, five figures and I thought well, let me just throw out a bid there and see what happens so I threw out a bid that was just slightly above what was about to be the winning bid and on behold I One, I bought the wind farm, so it was somewhat impulsive decision, which was both terrifying and exciting.


In the immediate aftermath, what was interesting was once we looked into it a little bit more, we discovered that the interconnection agreement at the site was still in good standing. And once I actually finally got out there to look at it, because I did purchase the site unseen, I Never actually looked at it before.


Once we got out there and looked at it, I thought, these turbines, they’re not in such terrible condition, all things considered. And so we started looking into, okay what could we do? Maybe did we want to repower it? And that led us down the path of looking for funding sources, which led us to the government a lending program within the government.


They say if you don’t want to borrow 100 million or more, we really aren’t interested. But we know these guys over at Idaho National Labs who’ve been looking for a wind farm to do some cyber security testing on. They might be interested in what you have going on there. So that was how we ended up getting linked up with Idaho National Labs.


Allen Hall: Candace, when you get to the site, you’ve taken a look at these wind turbines. They are functional still?


Candace Wood: No. Several towers had blades that were broken off. One of the first. My 1st order is a business was to actually get out there and clean up some of the blade debris that had fallen down into the landowner’s fields so that they could plant in the spring.


And no, it was not functioning, but having a background in construction and when, I, I. Climbed one of the towers and said the bolts seem to be holding together pretty well. And the towers that had the blades on them, seem to be mostly intact aside from a lot of dust.


The other primary issue was that, the copper pirates had gotten in there and cut out most of the cabling, the voltage cabling. And so that was the, that’s the main hurdle and getting the site back up and running. And so that’s what we’ve been working with on is to secure some funding so that we can actually go in rewire several of the towers, get them back up and running so that they can try and pack into them.


Joel Saxum: My mind switches to a bunch of things, right? So you stumbled upon this auction. The interconnection agreement, unbeknownst to you at the time, is still in place. Great, right? I’m thinking, man, could it be, could it be repurposed? Could it be behind the meter green hydrogen? Could it be, could we put energy back into the grid?


However, to my understanding, these are de wind turbines, right?


Candace Wood: They are a de wind, which is no longer in existence.


Joel Saxum: Yeah. And tough to, spare parts, anything’s going to have to be custom built. It’s not like you just walk, it’s not like it’s a GE one five and you call your neighbor wind farm and say Hey, do you got some breaks or you got some bearings or apparently do you have some medium voltage cabling that we can borrow?


You guys don’t have that capability. Joining up with the Idaho national labs, that is a, there’s two really cool things about that to me. So it’s someone that they needed to have a project, right? They have something that they want to do. They want to do something that will better the wind industry as a whole.


You have the assets. So it seems like it’s a a good, really good marriage of someone who needs something, someone who has something right. So when you first engage with the Idaho National Lab, how did that conversation go? Was it like, Hey, we’ve have these things. What do you guys want to do?


Or did you guys have a plan in mind? And then it switched? Or how does that process look like?


Candace Wood: And maybe Michael can elaborate more, but my understanding was they had tried to pursue this project topic At a different wind farm asset site but ran into some issues with the ownership. And as you can imagine, probably most owner operators are not too keen to have somebody come in and try and hack into their, functioning winter and so we were in a unique position where, we own the site outright.


We’re not overly concerned about running them because they’re not currently running. And so I think in our initial conversation, we both realized, hey this might actually work.


Joel Saxum: So Michael, then you guys get engaged with Everpoint. You now have these assets, these 10 turbines. that are in various states of disrepair.


We got to get them up and running and stuff. But to so immediately you guys are thinking, Hey, this is the project that we want to do, let’s go and attack it. So what is that project? What is it that you guys are working on?


Michael McCarty: So the project that we’re working on here, the Idaho national laboratory is.


We’re basically taking the wind turbines and we’re going to get them operational or, as close to operational as we can. So the blade spin and that sort of thing, maybe they’re not producing energy at 100%, but we’re going to get them operational. And then we want to assess the whole security stance the security posture of the wind turbine and see, you where and how we could poke that to cause possible physical damage.


A bit similar to the Aurora experiment. If you’re familiar with that, so we want to see basically the places that cyber can interface with the physical portions of the nacelle, the tower the inverter, if there’s an inverter, connecting back to the grid and. Then see can we actually do that?


And if we can do that, what sort of mitigations could we put in place to Stop that from happening in real life.


Joel Saxum: So can you walk us through that Aurora generator? I think it was a diesel generator test, right? Just so that the listeners know what that is.


Michael McCarty: Yeah, it’s So it’s it’s on the internet quite a bit.


I think there’s like a Wikipedia page about it. But basically they, it was a destructive test. So they wanted to see if the safety measures had been removed from some electronic component in a large diesel generator what would happen, would it smoke, would it blow up, would it catch fire?


And it pretty much did those things. So you remove the safety measures, right? From the electronic components. And so when it’s supposed to fail and fail safe, it doesn’t fail safe. It fails the worst way possible because of specifically a cyber component.


Megan Culler: If I can add, I would just say that the, with that diesel generator test, what they did was through digital means connected and disconnected it from the grid rapidly.


So that it was out of sync with the actual grid. So if you think about two things that are typically spitting together, we made the generator spend, or they made the generator spend differently, which of course is, does not make the generator components very happy. And so that’s where the actual smoking and physical damage came from.


Joel Saxum: That makes absolute sense. And this is so this is becoming more and more of something that’s very important to our society in general for grid resiliency. Energy security in general, right? So it makes sense that Idaho National Labs has a bit of a budget to explore these things. I was at an insurance conference last year and one of the big new topics was cyber insurance, right?


So it was basically pandering to wind farm owners and insurance brokers. Hey, you guys need to have these policies in place because these things can happen. They have, right? In the news, I think it was last year, Allen, correct me if I’m wrong where there was like a cyber attack and they shut down a pipe, one of the pipelines going towards the over on the east coast.


Allen Hall: Yeah, down in North Carolina.


Joel Saxum: Yeah and it like changed fuel delivery, fuel prices, all kinds of stuff. That was an, that’s one incident. If more and more of these incidents are happening, or if you have Megan, like you said, the, such, you have a hundred turbine wind farm and they start, you start cycling on these turbines on and off and on and off.


As opposed to how, the grid frequencies that they’re supposed to run at. You can damage inverters, you can do things. I know a really cheesy, simple one when you talk about damage is, if you could get into a turbine and hit the emergency stop remotely, you can do, irreparable damage to the blades just by doing that.


Megan Culler: There’ve been several notable incidents that have affected wind organizations as well. Several ransomware events against wind companies in Europe as well as an attack on satellite infrastructure in Europe. That was not targeted at wind infrastructure, but happened to take out the remote communications for 5800 Enercon wind turbines.


And because of the method of that attack it, they actually had to physically go out and replace the modems and all of those turbines, which took almost two months for them to do not a physical impact in that case. The wind turbines were still producing energy. But no remote monitoring was possible during that time.


Allen Hall: Michael, what are some of the things that you’re going to try to attack on a wind turbine in particular, and what would be the simple way to prevent them? Because right now we’re talking about DeWind wind turbines which are an older wind turbine. But the technology internal to those wind turbines hasn’t changed a lot, probably until


People started, the OEM started paying attention to cybersecurity. I know they’re going to not like me saying that, but that’s pretty much the case. What are those weak points and not to give out national security risk, but what should we be looking for here?


Michael McCarty: The weak points that we’re looking for specifically are, any sort of remote connectivity is normally part of your attack surface.


And so you want to go in and. If there’s something like basically a VPN connection, a cellular modem or some other way to connect in from remotely that’s your first point of contact with them. And then once you go in the. There’s some servers, there’s some computers connected in on the other side of the turbine.


And from there you can control the PLCs which control the, the pitch of the blades and things like that. Specifically some of the scenarios that we were looking at to cause physical damage were things like a tower strike. If the blades if you, If they’re spinning fast enough and they get caught in the wind just the right way, they can actually strike the tower.


We’re looking at that basic overheating sort of scenarios where something is just overused or used to the point to which it starts to break down, but whatever sort of safety systems or monitoring systems that are in place don’t relay that information back. Maybe we just tell a piston to just go, in and out for, over and over again, but we don’t relay that information back anywhere.


And so nobody knows it’s happening. And that piston uses 10 years of its lifetime overnight or something like that. And ultimately, we don’t really know. So we’ve got some scenarios that we’ve. We’ve laid out, but this is the experiment is to actually get down there and try and do it, because sometimes you tabletop specific scenarios, and then Turns out they’re not really that big of a deal, so you want to actually test it


Joel Saxum: One of the things that pops in my mind here is a kind of I think probably that angle Allen was going down is this Is a DeWind turbine.


So if you were to be successful or not However, this however these experiments is, roll out over these tests go people may say ah it’s cool But you did it on a DeWin turbine try to do that to a GE or a Vestas or try to do that through XYZ company’s controller or XYZ company’s security mechanisms of sorts.


Will you be testing other things From the marketplace or retrofit materials or anything like that.


Michael McCarty: Yes, absolutely. So we, one of the large parts of the experiment is we’re going to test what we can do, and then we’re going to modernize a few of the components or at least, put it like a different aggregator, different PLCs company XYZ newer components, because these are older DE wind components that have, they do have security.


I’ve looked at it already and they do have firewalls and stuff like that. But as we add newer components, we’ll see. how those newer components actually stop this attack from happening. And the idea is we’ll have multiple different topologies. So the topology where it’s your old 2017 architecture, and then a topology where it’s.


Slightly modified, slightly better, with a few things removed to make it more secure, and then we’ll have a topology where it’s completely secured 100 percent with our, our partners, our security partners, and those sorts of things implemented in the environment. And so this will be the more secure environment that.


an attacker wouldn’t be able to penetrate without setting off lots of bells and alarms. And then we’ll compare all three topologies so that wind farms can use that documentation and use that report to see if I added this, how much would it help my security posture?


Allen Hall: There’s a number of terms the United States are reaching through that 10 year Time span we’re going to be repowered.


And while they’re going through that repowering effort now’s the time to update their cybersecurity for sure. What simple things should they be doing when they’re if they’re upgrading an existing turbine or replacing it? What should they be looking for from a security a cyber security perspective?


Michael McCarty: It’s always good to have some sort of alarm system. There’s newer technologies, I hate to mention specific vendor names and that sort of thing, but there’s newer technologies out that help to take out the security that the need for security personnel and offset that to other services where basically you just install their device and they will monitor your system and let you know if something goes wrong.


So there’s not really that much of a requirement of standing up a whole the security team or, training everyone as, as far as how to secure their wind site. But some basic things are just network intrusion detection systems. So you want something on your network that will alert if anything bad happens.


Generally, even this 2017 system is pretty locked down. It’s got firewalls and stuff, but if anything goes wrong, there’s nothing to tell you. There’s nothing to tell you if somebody’s poking around. But the basics are network intrusion detection systems and host intrusion detection systems. Which the host intrusion detection systems are what runs on the actual any servers, any windows machines, any HMI is running on the wind turbine.


It has its own kind of built in. If you poke at it, it will set off an alarm. And then you have the network intrusion detection systems, where if there’s somebody new on the network, it automatically sends out an alarm. Those are some basic measures that they could add.


Allen Hall: Do we have a sense of how many networks have been intruded in the wind industry at the moment?


Let’s just say the United States, do you have a general sense of that?


Megan Culler: I can speak to a couple of specific incidents. For the most part, what we’re seeing is that wind farms are being affected and in some cases have actually been physically affected by cyberattacks, but they’re usually not the primary target or maybe not a target at all.


One example is a incident that was reported where a technician, like a traveling technician, maintenance person who worked on multiple wind farms, stayed in a hotel overnight downloaded malware onto his laptop by accident through that hotel Wi Fi went to work the next day, plugged his laptop into.


start doing maintenance on the turbines and they started shutting down one by one. I don’t know the exact details of that, but if I had to make a guess, it would be something that it was like a an operating system type of malware. And if those turbines happens to be using windows controllers or something like that, that it was an aggressive malware that spread through that and shut down the operating systems.


So something that’s targeting wind? No, but potential impact? Yes. Same thing with the denial of service attack that happened in Utah, where a known vulnerability in a Cisco firewall was exploited that caused that firewall to reboot repeatedly over a 12 hour period, and each reboot took about five minutes and so communications were lost during each one of those reboot periods.


And that network, that firewall was sitting on a network that included some wind assets and solar assets. But, I don’t want to spread fear I still don’t think that most attackers are going after wind because it’s wind yet.


Joel Saxum: Yeah, that’s why we’re doing this, right? We have the, Everpoint’s got these assets.


We’re utilizing them as a, as a, as an industry to test against this stuff so we can be resilient against stuff that may happen in the future. So that, I guess that brings me to another question, Candice, this one for you. Right now the idea with Idaho National Labs is we’re going to test a bunch of cyber security protocols, equipment.


See what could happen, but could you use or are you going to use these assets at little Pringle for anything else? Like I know we had talked a little bit about testing some other equipment out there.


Candace Wood: Yeah. We, we do actually get a lot of inquiries from folks who are interested in testing, their new, their prototype for, the blade inspections, or, X, Y, Z, we’re also starting to look into potentially adding some battery storage out there.


And then, there’s also follow on potential for also testing some grid resilience, the actual interconnection to the grid. Little Pringle is our R& D playground and I, welcome opportunities to, to do this type of testing out there because I do think it is unique.


situation that we have and it will help the industry overall as a whole. So even though our point primarily focuses on decommissioning and demolition, we are still interested in making sure that the industry is robust and moving in the right direction.


Michael McCarty: We plan on setting up this experiment as something that multiple people can use.


So your network intrusion detection, Companies your host intrusion detection companies if they want to showcase their software or their abilities This would be like a playground for them to come in and test because nothing like this exists anywhere else you know nowhere else can you go and get a real turbine and install your software and collect your data and see what’s going on.


Allen Hall: That makes infinite sense and I’m just, I was just thinking about and Joel and I were talking about conditioning monitoring systems and things that plug into the turbine as maybe being that vulnerability point so if you do have those systems. There’s a lot of companies making these systems today that do plug into SCADA.


Yeah, it would make sense to work with Idaho national labs to find out if your system is as robust as you think that it is, because it does matter, right? You’d hate to get 10, 000. systems and service and realize you have a cyber security defect that needs to be addressed. Now’s the time to deal with it.


And that’s why Idaho National Lab exists, right?


Michael McCarty: I would point out too, we’re working with several other labs this is a multi lab effort. So a lot of the data that we’re collecting from the site is the first of its kind. Like there, there isn’t really a site that has had this happen that we have data from.


So once we. cause and event, and then we collect the actual data. We could use that at other labs for training and other purposes. But we are working with NREL. We’re working with Sandia National Laboratory and in multiple projects that are stemming from this effort. And we’re of course open to any other labs if they want to run their experiments or companies that want to come in and run their experiments on our system we’re hoping it’s a research environment for them.


Allen Hall: All right. So how do we reach out to Everpoint? We’ve got to talk to Candace first because those are her turbines because she won them at an auction. Candace, how do they reach out to you to connect with you and then and connect with Get on these turbines if needed.


Candace Wood: Sure. Yeah. You can connect with me via email or our website everpointservices.


com. And there’s should be a link in there just to submit a general inquiry. That’ll come to my business partner, Tyler Goodell or myself, and we’ll Follow up and see what opportunities we can pursue.


Allen Hall: And Megan, how do they get a hold of the cybersecurity experts at the Idaho National Laboratory?


Megan Culler: You can certainly connect with us via email or LinkedIn or any one of our websites as well.


Allen Hall: Okay, we will. Put those in the show notes for sure. I know this is going to drum up a lot of interest in the United States. Obviously, cybersecurity is a big item. We look at wind turbines today as national assets.


And when you actually walk on a wind farm now, the training is not the little safety briefing you get. It’s not about putting your hard hat on and having steel toed boots. It’s also about not plugging into their network. And stop screwing around so you could introduce some malware, right? So it is really escalated in the last couple of years.


And I’m glad that the Idaho National Laboratory is involved with this in Canada. So we really thank you so much for making this possible because you’re going to make wind turbines even more resilient. It’s brilliant.


Candace Wood: Great. Thanks guys.