The cybersecurity requirements of companies will increase significantly in the coming year. An important aspect of the new NIS2 guideline is its impact throughout the supply chain. Cybersecurity still receives little urgent attention, even though it can be a major risk. Urgent action is required and legislation is moving too slowly, warns Roland van Rijswijk-Deij, professor of network security at the University of Twente. He advocates measures and the addition of safety requirements in the tender process.
Increasing risks in the wind industry
Since the war in Ukraine, the number of cyber attacks in the energy sector has increased ten to twenty times. Offshore wind farms are vulnerable due to their complex supply chains and the need to operate them remotely. Basic security measures are often not in place, especially in older wind farms. This is what security experts Gennady Kreukniet and Christo Butcher, from Fox-IT and DNV Cyber, state in an interview.
Two wind turbine manufacturers have fallen victim to cyber attacks in recent years. As far as is known, the ransomware targeted office IT, not the turbines directly. As a precaution, possible links between office IT and OT were immediately closed.
“Wind farms are vulnerable to cyber attacks. Sophisticated criminals and nation states are resourceful and have all the means to strike digitally. Now that the Netherlands is becoming more dependent on offshore wind, urgent measures are needed to prevent disruptions,” says Roland van Rijswijk-Deij on the website of topsectorenergie.nl.
According to Van Rijswijk-Deij, the Netherlands can currently limit disruptions to the internet and the energy system effectively. However, this will change as the Netherlands becomes more dependent on sustainable electricity. "As more electricity is generated decentrally, there are more opportunities to attack. This makes security more difficult. This is therefore the right time to take more countermeasures."
Not enough attention
The World Economic Forum (WEF) has identified cybercrime and cyber insecurity as major problems for the Netherlands and the world. The Cybersecurity Readiness Index 2024 from cybersecurity company Cisco shows that only 3% of all companies are ready for current cyber threats. 71% of organizations fall into the two least prepared categories.
Cybersecurity is now in the top 3 of business risks for companies. Cybersecurity is an absolute condition for keeping the Netherlands running and safe, the Cyber Security Council (CSR) notes.
As offshore wind farms become increasingly integrated into the energy system, the impact of a cyber attack increases. A successful cyber attack on an offshore wind farm could have far-reaching consequences, not only for the wind farm itself, but also for society.
"Cybersecurity still receives little urgent attention in offshore wind projects, while it can be a major risk that needs to be taken into account at the front."
This message was expressed during WindDay 2024, in the knowledge session 'Startups and SMEs for digitally resilient offshore energy', led by TKI Offshore Energy, with Michel Mulders, quartermaster at FLECS, the Center of Excellence for a digitally resilient offshore energy system, Gennady Kreukniet, and Hans van Beek, CEO of Tarucca.
The speakers point out the major risk that must be taken into account at the front. "The sector must invest in digital security, otherwise it will be a matter of waiting for the moment when it is too late and only taking action afterwards, after an incident has occurred."
A number of issues and recommendations identify the challenges:
- Why is cybersecurity not a priority?
- The cost/investment question is often ignored: how much should security cost?
- What regulations are there and what should be introduced?
- The Netherlands does not yet work with a set of rules/laws that have a preventive effect on what the minimum requirements should be and what the role of the government and industry is in this. Look at Belgium and Germany, which are further along in this regard.
- Standardize what is required
New cybersecurity law
Dutch legislation is now in the making that requires additional cyber resilience from companies that are important to our society and economy: the Cybersecurity Act.
It is based on the new European rules of the European Network and Information Security Directive (NIS2 directive), which was finalized at the European level in December 2022. About 10,000 companies will be affected by the upcoming law.
The new, stricter rules will apply to all companies in specific sectors with at least fifty employees and a minimum turnover of €10 million. Micro and small businesses are not covered by NIS2; medium and large companies are. The lower limit for medium-sized companies is an annual turnover of 10 million euros or 50 employees.
With the entry into force of NIS2, the government, including municipalities, will also have to meet significantly stricter cybersecurity requirements.
Stricter supervision
In short, this means that the security requirements imposed will be tightened, the security of the entire supplier chain must be addressed, reporting obligations will be streamlined and, as an important final step, stricter supervision will be introduced. For some parties this will even be proactive: even if nothing has happened, they will still check whether they fulfill the duty of care.
New rules for the energy sector
The NIS2 directive includes new, stricter requirements for the cybersecurity and resilience of essential services, such as the energy sector.
As a result, wind farm operators will come under supervision and be required to carry out a risk assessment and to report incidents. Under NIS2, directors are held personally accountable for cybersecurity, including that of their suppliers.
The NIS2 directive prescribes obligations for no fewer than 18 sectors. The energy sector is mentioned as the first sector and is divided into the following subsectors:
- Electricity
- District heating and cooling
- Petroleum
- Natural gas
- Hydrogen
Risks throughout the chain
An important aspect of the NIS2 directive is its impact throughout the supply chain. Although organizations may not operate in an essential or important sector, they may still be affected by the impact of NIS2 through their customers or suppliers. Now that companies are strongly connected digitally, a cybersecurity problem at a small supplier can have consequences for the entire chain.
The new rules therefore force large companies to take more responsibility for their suppliers. They must help them, for example by sharing their knowledge. It is precisely those smaller companies that are lagging behind when it comes to working in a cyber-secure way, says CSR member Claudia de Andrade, responsible for IT at the Port of Rotterdam Authority, in this article in the FD.
Supply chain overview
Operators are becoming more security-aware with new wind farms, Butcher notes. "But that does not apply throughout the entire chain of suppliers. That chain is long and complex. Suppliers do not always know how to keep their devices secure. Small start-ups in particular are happy if their product works. That is a problem in the entire industry, not just offshore wind. You can only solve that together with suppliers."
Van Rijswijk-Deij explains that the vulnerability of sustainable companies increases if everyone starts using the same systems. "The market for wind turbines is more diverse than that for solar panels, but if everyone has the same supplier, an attack on a component can still have a major impact. A motivated attacker will look for this."
He therefore sees the first and most urgent action as properly mapping the chain dependencies for a sharp risk inventory.
“Wind farms involve many parties, from start-ups to venture capitalists, from steel suppliers to data analysts, and from ecologists to small maintenance ship companies. They are all connected, but no one has an overview of all the security measures.
You need to know where the vulnerabilities are and what the consequences are if something goes wrong. We really need to get a grip on this quickly. That picture is never complete. You have to keep updating it as you learn new things.”
Imposing security requirements
All suppliers must have their security in order. According to Van Rijswijk-Deij, security requirements must be imposed as a second step. However, according to him, this cannot be legally prescribed. "That is too slow. This must be included in the tender process for wind farms."
Given the significant scale-up of offshore wind energy in the Netherlands, he considers this to be the second urgent action.
Joint approach
An appropriate response should not only be about the technical barriers we have to erect, but also about a shared ambition, says Van Rijswijk-Deij. “Industry, government and scientific organizations all play a role in proactively defending our energy supply. Being attacked not only means losing the energy to keep our society functioning, but also losing your reputation. Wind farms can be repaired faster than a reputation.”
According to Van Rijswijk-Deij, more steps could already be taken in collaboration with each other. "Cyber attacks are a collective problem and everyone has an interest in a solution. That is why agreements must be made about the use of data. We need all parties in the sector."
The aim is to strive for a proactively resilient offshore energy system. This requires joining forces and expertise.
FLECS was initiated for this purpose.
FLECS stands for Fieldlab Energy Cyber Security. This is an expertise center where governments, knowledge institutions and market parties jointly develop and stimulate knowledge, innovation and testing to achieve a digitally resilient energy system in the North Sea.
NedZero
Richard Brakenhoff, industry specialist Safety & Health and IMVO at NedZero, closely follows the developments regarding NIS2. He also takes part in the meetings with Rijkswaterstaat and TKI Offshore about the FLECS knowledge and expertise center.
NedZero discusses the urgency of cybersecurity with its members through committees and working groups.
More information can be found at:
- The National Cyber Center (NCSC). This center advises the national government on making the Netherlands digitally safer. The NCSC also offers analyses, (free) knowledge products and research.
- The Digital Trust Center offers a platform to exchange questions in the special NIS2 theme space on the DTC Community.
- Learn more about the upcoming Cybersecurity Act here.
- Read more about the government consultation on the new cyber security law here.
- More about reporting obligations and duty of care can be found here.
- Read also: New cybersecurity network code for the EU electricity sector - NedZero
The legislative process
At the end of January 2024, the Minister of Justice and Security announced in a letter to Parliament that the Dutch elaboration of the European NIS2 directive had been delayed. The implementation should have been completed by October 17, but that deadline would not be met.
The internet consultation for the bill is currently running until July 1, 2024. After the consultation period, all responses will be reviewed and the bill will be amended if necessary.
After the consultation responses have been processed, the legislative proposals will be submitted to the Advisory Division of the Council of State for advice. The minister aims to submit the bills to the House in the autumn of this year.
Due to the delay, the Cybersecurity Act, which must implement the European NIS2 directive in the Netherlands, is not expected to come into effect until the second or third quarter of 2025.