Holistic protection of wind turbines
Wind turbines are not only exposed to the forces of nature nonstop, they are also often located in remote locations – making it necessary to secure the equipment against manipulation. Siemens offers a tailor-made concept, which is based on a holistic approach with several lines of defense. Our solution portfolio, specially designed to safeguard wind turbines, makes this complex topic easy to manage for you.
Improve your security – with defense in depthNothing is left to chance in our security concept. To comprehensively protect your wind turbines against internal and external cyberattacks, our security concept is simultaneously applied to all levels and all relevant functions – from the operating level to the field level, from access control to copy protection for e.g. PLC programs. To this end, we utilize defense in depth – a layered defense – as overarching protection concept in accordance with the recommendations of IEC 62443, the leading standard for security in industrial automation.
Our cybersecurity concept accompanies you as a turbine manufacturer over the entire life cycle of your turbines, from engineering to operation and maintenance. For this purpose, it is necessary to carry out the PDCA cycle (plan, do, check, act) on a regular basis, as prescribed by the standard IEC 62443 for "Plan-Do-Check-Act". During the specification, design, and development phases, you focus on possible points of attack and implement appropriate protective mechanisms. In the operational phase, you proactively provide information and updates to maintain the protection of your wind turbines.
Integrated security concept
The interplay of different levels and functions creates a high degree of security against attacks from the inside and outside. For example, you can secure the doors to your equipment not only with locks, but also electronically via RFID tag detection against improper access. Should this protection be overcome, then network security comes into play, as even physical access to the network still does not allow accessing the system or parts of it because the communication is encrypted. Manually intervening with the system control is likewise not possible because displays and operation of the installed controllers are accessible only via password and user approval. Also, copying the PLC code from the (locked up) SD card is of no use to a potential intruder, because the programming only functions with a single turbine.
Defense in depth works in three areas
Physical protection and security management for turbine automation
The security of your wind turbines begins with the classic access control and extends to safeguarding sensitive areas with code cards. The tailor-made Industrial Security services from Siemens include processes and policies for a comprehensive protection of your turbines. These, for example, range from the risk analysis, the implementation of suitable measures and their monitoring to regular updates.
Plant security begins with the protection of wind farms and wind turbines against unauthorized access and extends to securing sensitive areas using code cards. In addition, through Industrial Security services, Siemens offers risk analyses, the implementation of suitable measures and their monitoring, as well as regular updates.
Secure communication in your networks
End-to-end communication from the wind turbine to the control room is one of the prerequisites for successful operation, especially in the case of geographically distributed systems. An adequate protection of the systems is the challenge – requiring professional planning, dimensioning and implementation of the network infrastructures. In this way, we realize optimally available and protected networks through network access protection, network segmentation (e.g. demilitarized zones (DMZ)), and secure communication with SCALANCE S Industrial Security Appliances, SCALANCE M industrial routers, and security communicatios processors for the SIMATIC controllers.
Implementation of a demilitarized zone (DMZ) – with SCALANCE S
In order to regulate external access to a wind farm network, firewalls are used for safeguarding at the farm perimeter (transition between public network and farm network). To access the farm network from external networks, a demilitarized zone (DMZ) is implemented using a SCALANCE S Industrial Security Appliance. It provides for a decoupling of external and internal networks. Direct access from an external network is thereby avoided.
For extended security, a DMZ is also used when remote clients (operator stations or even mobile devices) want to gain access. This ensures that increased security and stability are maintained during communication within the system, and flexible processing – from the control room to the service technician on site – is made possible.
Secured remote access for remote maintenance – with SINEMA Remote Connect
SINEMA Remote Connect is a management platform for remote networks. It provides for an easy, secured remote access to remote wind turbines – e.g. for remote maintenance. The management platform manages secure VPN connections (IPsec / OpenVPN) between the service technicians and the wind turbines. The service technician and the wind turbine each establish a connection to a SINEMA Remote Connect server. There, the participants are identified by certificate exchange. Only then will the connection be enabled. SINEMA Remote Connect also offers user rights management. Thus, only authorized service technicians will be granted access to certain wind turbines.
Safeguarding of automation systems and control components
Whether you want to protect existing know-how or rule out unauthorized access to your automation processes from the outset – and thus prevent disruptions in power generation: As part of our comprehensive cybersecurity product range for wind turbines, we support you in the targeted implementation of measures against various threat scenarios – and design complete solutions for maximum protection. This begins with unauthorized configuration changes at the control level and does not end with unauthorized network access: Our integrated security functions prevent the duplication of configuration data, make manipulation attempts to such files easier to recognize, and much more.
As the name Multilevel Wind SCADA Center suggests, this framework operates at different levels. The basic idea behind it is the division between local controllers and higher-level places all the way to the central control room – the Control Center. In general, wind farms tend to be difficult to reach, in particular when it comes to optimal connections. Therefore, in designing the MWSC, care was taken to keep the main load local. This means that each local level works basically autonomously. The Control Center is docked to the local units, which can then be controlled centrally, and through preset synchronization cycles and effective data compression, the archives are also transmitted to the central location. Thus, this solution already takes into account the not always stable connection on site and enables trouble-free working and transmission to the next level.
Since the local bases work independently of the central control, the continuation is possible locally if the connection is interrupted. Thus, for the individual wind farm or the turbine used, a corresponding scenario can be worked out and there is no immediate harm due to the loss of the central control – be it economically or related to supply technology. This concept therefore contributes significantly to your security and reliability of supply.