As the world continues to shift towards the use of renewable energy, governments are under increasing pressure to look at greener alternatives to fossil fuels. One of the impacts of this has been significant investment in offshore wind generation, initiated from both the public and private sector alike.
A rapid growth of offshore wind farms has seen China, the UK, Germany, the Netherlands and Denmark at the forefront of this expansion. Anticipating opportunities on the horizon, several other countries such as the US, Norway, South Korea, and Poland have sought to accelerate their offshore wind capability, with multiple large construction projects either underway or recently completed.
Alongside this expansion and opportunity comes a more complex risk environment. Offshore wind farms present a dynamic and evolving risk landscape, with an emerging set of potential threats and challenges to consider.
An undercurrent of sabotage
Security threats facing offshore wind farms include sabotage of offshore facilities, hostile surveillance, the severing/damaging of undersea cables, and the potential exploitation of physical design vulnerabilities.
In February 2023, the Dutch military intelligence agency, MIVD, warned of Russian attempts to allegedly map offshore wind farms and sabotage key infrastructure in the North Sea. In a report published by the Dutch authorities, the MIVD stated that Russia had initiated “activities that indicate espionage as well as preparing operations for disturbance and sabotage” of wind farms, pipelines and cabling within the North Sea.
There has also been speculation of Russian interference as a possible explanation for the explosions that damaged both Nord Stream pipelines in 2022. Although one example is considered unfortunate; two similar incidents may indicate intent.
Subsea cables are a critical part of offshore wind infrastructure, and the tactic of sabotaging undersea cables appears to be emerging more prominently as a potential axis of disruption. As recently as March 2024, four fibre optic cables within the Red Sea appear to have been damaged, affecting connectivity within the region. Whilst the cause of the damage is still unknown, and may very well have been accidental, its occurrence against a backdrop of ongoing conflict and shipping disruption in the region have led to speculation of a potential attack by a state (or non-state) actor.
Geopolitical implications
Rising geopolitical tensions and an unstable threat environment is of a growing concern to stakeholders, not only for nations with interests in the sector, but also for those with investments in renewable energy supply chains globally. As reliance on renewable energy increases, so do business costs for both industry and the public sector.
In light of the shift towards a multipolar world order, these costs are compounded by the diverse range of nation state threats which require regular monitoring and mitigation. More so than ever, this underlines the importance of having robust business continuity plans and crisis management planning in place.
Companies within the sector also face heightened insurance fees. Historically, damage to cabling has more often occurred during the installation and construction phases. As the threat of subsea cable damage and sabotage by external actors increases, however, insurers are required to undertake additional levels of risk. in part due to difficulties with attributing attacks to specific actors, as well as concerns around accountability.
When assessing these risks and subsequent mitigation options, there are several elements that security and risk professionals should take into consideration. Three themes in particular stand out: the question of best practice, the division of security roles and responsibilities between companies and authorities, and the increased convergence between the physical and cyber security realms.
An evolving regulatory environment
Within the project development phase, one of the initial questions that risk and security professionals face is which industry standards to employ when it comes to the physical security of offshore wind farms. At present there is little consistency regarding physical security standards within the offshore wind sector; moreover, it is subsequently unclear what constitutes best practice within the field.
Some countries maintain a more mature approach and provide clearer guidelines than others. However, apart from traditionally well-known ISO 31000 risk management standards and the IEC 62443 standards (which primarily address cybersecurity for technology in automation and control systems) there is no dedicated international or leading physical security framework paving the way for the offshore wind sector.
Regulation around critical infrastructure appears to be evolving, however, with legislation such as the ‘Network and Information Security 2’ (NIS2) Directive as well as the EU’s ‘Directive on the Resilience of Critical Entities’ both coming into force last year. Regular risk assessments will form an important part of the latter directive in particular, and the evolution of the regulatory environment will be an important space to watch.
Best practice will also be shaped by specific threats within each region. The gold standard in terms of physical security procedures and controls will vary according to their location. For example, what might be considered best-practice security planning in the Gulf of Mexico may differ from that in the North Sea.
Whose wind farm, exactly?
Particularly as there is a move towards offshore wind farms increasingly being classed as critical national infrastructure, or otherwise retaining partial government investment, the second main issue that arises is that of where a company’s roles and responsibilities lie in terms of security.
Wind farms situated within a country’s exclusive economic zone (EEZ) often rely on the respective country’s naval forces or coast guard to provide the security response function. The question then remains: to what extent are companies responsible for threat identification and risk mitigation? How much of this falls to the authorities to take the lead, and what does this mean for organisations in terms of security planning and design? How is information shared between public- and private-sector organisations? These key questions significantly affect both the construction and operational phases of a wind farm project, as well as informing and influencing initial capital outlay, maintenance costs and resourcing requirements.
Convergence
The third element in need of consideration is the growing convergence between physical security and cyber threats. Although this phenomenon is not necessarily new, increasingly advanced security systems and technologies are being progressively employed to protect and monitor sites, blurring the lines between the cyber and physical domains and presenting additional challenges for security and risk professionals.
Unauthorised actors or insider threats may exploit physical design vulnerabilities, gaining access to sensitive areas or infrastructure, with the intent of carrying out a hybrid attack. For instance, it is well publicised that certain brands of CCTV cameras may be able to store and communicate information back to the manufacturer, which may be exploited by external state actors. Both physical and cyber security teams need to focus on establishing robust and aligned risk treatment plans, assessing their potential vulnerabilities and risks (including the nexus between domains) and continuously monitoring and reviewing their security controls.