Abstract
Technology innovation, market demand, and the potential impacts of a changing climate are driving the marine renewable energy (MRE) industry to develop market-ready systems to provide low-carbon electricity for emerging, off-grid markets. The advanced operational and information technology devices used in MRE systems create a pathway for a cyber threat actor to gain unauthorized access to data or disrupt operation. To improve the resiliency of MRE systems as a predictable, affordable, and reliable source of energy from oceans and rivers, guidance was developed for an end users' organization that describes a framework for identifying and managing cybersecurity risk. The development of the cybersecurity guidance is based on standards described in the Risk Management Framework and Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). This paper is the first of a two-part series that describes an approach to determine the cybersecurity risk for MRE systems based on assessing potential cyber threats, identifying vulnerabilities (people, processes, and technology, including physical and operational environment), and evaluating the consequences a cyberattack would have on operation of the MRE system and impact on end users' mission and business objectives. MRE developers and stakeholders can use this approach to assess their current cybersecurity risk posture to incorporate appropriate cybersecurity controls to reduce the consequences and impacts from a cyberattack on MRE systems. This approach can be refined further as MRE systems are deployed and operational configurations are available.