Abstract
Technology innovation, market demand, and the potential impacts of a changing climate are driving the marine renewable energy (MRE) industry to develop market-ready systems to provide low-carbon electricity for emerging, off-grid markets. The advanced operational and information technology devices used in MRE systems create a pathway for a cyber-threat actor to gain unauthorized access to data or disrupt operation. To improve the resilience of MRE systems as a predictable, affordable, and reliable source of energy from oceans and rivers, the U.S. Department of Energy’s Water Power Technologies Office funded Pacific Northwest National Laboratory to develop a guidance document that will assist MRE developers and end users with integrating security controls into the operational and enterprise networks of MRE systems. The cybersecurity guidance document was developed by assessing cyber threats and consequences of a cyberattack on typical MRE system assets (Focus 1) and determining industry best practices to protect from those threats (Focus 2). This report provides the results of Focus 1 and describes a framework for determining the cybersecurity risk of an MRE system and its end use. The framework involves knowing the MRE system assets, network architecture, and operational configurations; the vulnerabilities that the assets will have to a cyberattack based on known threats to industrial control systems in the energy sector; and the consequences of a cyberattack on the end user. The resultant framework can be used by MRE developers and end users to determine their cybersecurity risk posture and implement appropriate security controls to mitigate impact and minimize the risk of a cyberattack on MRE systems. The results of Focus 2 are included in a supplement report, PNNL-30256, Cybersecurity Best Practice Guidance for Marine Renewable Energy Systems, which identifies cybersecurity best practices commensurate with the risk level.