Designing OT cybersecurity into an offshore wind farm to provide 800,000+ homes with clean energy

DNV Cyber provided and oversaw implementation of operational technology (OT) cybersecurity for a 750 MW offshore wind farm in the Netherlands.

• The OT system was delivered on time and within budget.
• The solution supported compliance with national law based on the EU NIS Directive.
• Assuring compliant cybersecurity prepared the wind farm to dispatch renewable energy for more than 825,000 households.

A renewable energy consortium with one of the largest offshore wind farms in the Netherlands, building and operating the windfarm, decided to follow the ‘security by design’ principle. They sought a partner to provide a comprehensive operational technology (OT) cybersecurity solution and manage all parties involved from design to handover to operations.

The customer operated in a highly integrated IT/OT environment, with OT in the cloud, and utilizing outsourced contractors connected remotely to monitor generator and civil structure conditions. Therefore, robust cybersecurity controls were required to protect the ongoing generation of renewable energy within their OT environment.

Additionally, cyber risk was a top priority for the customer to ensure the grid’s integrity and preserve the company’s reputation, especially for such flagship project. Furthermore, as part of national critical infrastructure, the wind farm operator needed to comply with the EU NIS Directive’s requirements.

Designing an OT security solution from the start 

A comprehensive methodology which engineered a secure-by-design OT security solution from the ground up was applied. 

First and foremost, DNV Cyber was asked to act as the OT cybersecurity technical authority, with the main responsibility to provide quality assurance on all project aspects and during all phases of the project’s lifecycle.

DNV Cyber also acted as the single point of contact for the project, managing in scope suppliers, integrated packages, technical interfaces, systems, and project communication to all parties involved. DNV Cyber leveraged its knowledge of cybersecurity principles, international standards, power generation, transmission and distribution, market solutions and individual vendors’ solutions to ensure efficient project execution and close the customer’s expertise gap.

Positive outcomes from the OT cybersecurity programme

The system was delivered on time and within budget. Early availability of the OT System ensured that vendors had remote access in time for the project-critical pre-commissioning activities. This simplified matters and limited the amount of travel.

No physical or cybersecurity incidents occurred during development and deployment of the project.

Close to commissioning, a change in the system was required which, thanks to the unified vendor approach, could be implemented immediately, resulting in successfully achieving the target commissioning date.

The unified vendor approach allowed for a simple and effective onboarding process for the organization responsible for maintaining the project. Only a limited number of sessions were needed, reducing the cost and pressure on operations teams.

A high level of security was implemented through segmentation at various levels. More than half the OT systems’ services had cloud-based connectivity and therefore needed to meet the IEC 62443 standard regarding zones and conduits. This ensured secure utilization of such systems and further migration of services when necessary.

With DNV Cyber’s proven methodology and flawless delivery of the framework, the customer fulfilled business and functional requirements in accordance with project design to future-proof the infrastructure and provide security assurance.