Signature Projects are intended to bring focus to a selection of the U.S. Departments of Energy's Water Power Technology Office (WPTO) projects. By designating a Signature Project, the project reports, data sets, and associated papers can be easily discoverable. By bringing together all aspects of a project, whether a completed legacy project or an ongoing investigation, the MRE community can be informed of what investigations have been undertaken, which have succeeded, what tools are available, and where gaps in information persist.

MRE Cybersecurity

Project Information

Status:	Ongoing
Start Date:	2020/01/01
End Date:	2021/04/01
Organization:	Pacific Northwest National Laboratory (PNNL)
Contact:	Fleurdeliza De Peralta






Project Purpose

The purpose of the project is to provide guidance to secure marine renewable energy (MRE) systems from cyberattacks and improve the resiliency of MRE systems as a predictable, affordable, and reliable source of energy from oceans and rivers.

Project Description

The advanced operational and information technology used in MRE system designs creates the potential for a cyberattack. Cyber threat actors with malicious intent could target vulnerable MRE systems to gain unauthorized access to data or disrupt operation. In order to increase cybersecurity awareness within the MRE industry, the U.S. Department of Energy’s Water Power Technologies Office (WPTO) funded Pacific Northwest National Laboratory (PNNL) to develop guidance documents that describes a cybersecurity risk framework for MRE developers and end users to integrate security best practices into the MRE system lifecycle (e.g., design, construction, operation, and decommissioning). The guidance documents provided an approach to determine the MRE system’s cybersecurity risk (Low, Moderate, or High) and identified risk-based best practices to secure the Information Technology and Operational Technology components.

Methods

The research involved identifying different network architectures and configurations for an MRE system in order to determine the types of cyber threats to evaluate. Information on MRE system designs is obtained from open source and formal request for information from MRE stakeholders (e.g., system developers and end-users).



The project activities included two focus areas: (1) Identify Cybersecurity Vulnerabilities and (2) Develop Cybersecurity Guidance. The Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) was followed to generate best practice security controls that were included in the MRE Cybersecurity Guidance. The guidance documents developed from this project were based on initial engagements with MRE stakeholders and knowledge of components used in MRE systems. As MRE system technology evolves and cyber threats increase, the best practice security measures developed from this project could be used, in conjunction with other industry developed guidance.

Findings

de Peralta et al. 2020a provides the results of Focus 1 and describes a framework for determining the cybersecurity risk of an MRE system and its end use. The framework was based on MRE system assets, network architecture, and operational configurations; the vulnerabilities that the assets will have to a cyberattack based on known threats to industrial control systems in the energy sector; and the consequences of a cyberattack on the end user. The resultant framework can be used by MRE developers and end users to determine their cybersecurity risk posture.



de Peralta et al. 2020b provides the results of Focus 2 and describes cybersecurity best practices commensurate with the risk of affecting the business and mission objectives of the end user. The cybersecurity best practices implement the controls of NIST CSF (e.g., identify, detect, protect, respond, and recover). The methods to protect MRE systems were based on recommended strategies to mitigate known threats to the energy sector and security measures to protect IT/OT systems. The cybersecurity best practices were tailored to protect MRE systems and their end use from a cyberattack.

Additional Resources

National Institute of Standards and Technology (NIST) Resources

• Technical Note 2051: Cybersecurity Framework Smart Grid Profile
• NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security
  
  
• NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

Energy Sector Control Systems Working Group (ESCSWG) Resources

• Cybersecurity Procurement Language for Energy Delivery Systems
  
  

International Resources

• The Guidelines on Cyber Security Onboard Ships
• Guidance Notes on the Application of Cybersecurity Principles to Marine and Offshore Operations
• Cyber security resilience management for ships and mobile offshore units in operation
• Guidelines on Maritime Cyber Risk Management
• Code of Practice: Cyber Security for Ships
  
  

This table lists documents associated with the MRE Cybersecurity project, including reports written by the project team and/or papers that have used the project outputs or are closely associated with them.