Abstract
The marine renewable energy (MRE) industry is an emerging source of power for marine applications, marine devices, and coastal communities. Developers of MRE systems rely on industrial control systems and information technology to support operations and maintenance activities. The advanced operational and information technology devices used in MRE systems create a pathway for a cyber-threat actor to gain unauthorized access to data or disrupt operation. To improve the resilience of MRE systems as predictable, affordable, and reliable sources of energy, the U.S. Department of Energy’s Water Power Technologies Office funded Pacific Northwest National Laboratory to develop a guidance document that will assist MRE developers and end users with integrating security and safety into the operational and enterprise networks of MRE systems. The cybersecurity guidance document was developed by assessing cyber threats and consequences of a cyberattack on typical MRE system assets (Focus 1) and identifying industry best practices to protect the MRE system and end user from those threats (Focus 2). The results of Focus 1 are documented in a supplement report, PNNL-29802, Framework for Identifying Cybersecurity Vulnerability and Determining Risk for Marine Renewable Energy Systems. This report provides the results of Focus 2 and describes cybersecurity best practices commensurate with the risk of affecting the business and mission objectives of the end user. The cybersecurity best practices implement the core functions of the National Institute of Science and Technology Cybersecurity Framework (e.g., identify, detect, protect, respond, and recover). The methods to protect MRE systems are based on recommended strategies to mitigate known threats to the energy sector and security measures to protect information technology and industrial control systems. The cybersecurity best practices were tailored to protect information and operational technology assets expected on MRE systems and their end use from a cyberattack. The best practices developed in this report are based on insights from security measures included in National Institute of Science and Technology guidance documents and other cybersecurity guidance documents developed for the maritime industry and energy industry (generation and distribution).