The European Union’s Wind Energy: A Cybersecure Future
The European Union is contemplating a ban on foreign wind turbines due to cybersecurity concerns. Wind farms are increasingly integral to the European Union’s infrastructure, and the potential for foreign control to result in disruption, espionage, or sabotage is a serious security concern. The recent strain in EU-China relations serves as a stark reminder of the risks associated with foreign influence on energy security.
Wind turbines, which can be operated remotely, pose a significant vulnerability. If compromised, they could trigger subfrequency events, leading to electricity supply shortages and widespread power outages.
In addition, wind turbine data poses significant privacy and surveillance risks if transmitted to foreign countries. While integral to our push for renewable energy, wind turbines collect extensive data. Data relevant to national security, such as electricity grid analytics and environmental conditions, is collected. This collection of sensitive information raises significant concerns about data privacy and surveillance, primarily when foreign companies operate wind farms. The potential for this data to be transmitted to other countries is a threat to the cybersecurity of the European Union.
Supply chain disruptions pose another significant risk. Europe’s reliance on China for wind turbine components shows the dangers of dependence on foreign actors for critical infrastructure. Geopolitical tensions, sanctions, or trade disputes could jeopardise the security of the EU’s energy supply.
The European Union is now addressing this security concern. The Wind Power Package, unveiled in October 2023, suggests how Europe’s wind supply chain can stay competitive. It includes provisions to exclude foreign companies from public auctions due to cybersecurity concerns. Member States must implement stricter prequalification criteria to ensure secure turbine construction.
Regarding permitting, simplified rules as per the new Renewable Energy Directive will be implemented. Furthermore, an IT infrastructure will be created for digitalising permit processes.
The Net Zero Industry Act (NZIA), a vital piece of the EU’s new industrial policy law, will be adopted by EU lawmakers on 23 April. Starting in 2026, public auctions supporting renewable energy must include cybersecurity criteria, although this will be optional for public renewable energy companies. The cybersecurity requirements remain to be detailed. The Commission has committed to specifying these requirements in 2024.
To ensure cybersecurity in the wind energy sector, it is essential that the law mandate cybersecurity criteria be dynamic and rooted in process-based and risk-assessment strategies rather than checklists. Specifically, for asset developers to qualify for participation in wind energy auctions, they should have to provide evidence of their risk assessment strategies. These should detail how they integrated cybersecurity and data security considerations, including their supply chains and grid connections. Such assessments must meet internationally accepted standards like ISO, IEEE, and IEC, ensuring a good defence mechanism against potential cyber threats.
Additionally, it is crucial that these risk assessments show a tendency for technology suppliers who responsibly manage data within the EU or in third-party countries adhering to the General Procurement Agreement (GPA). To ensure this, a data classification system must be created. This system must specifically address the needs of the wind energy sector, enabling effective categorisation and protection of sensitive data.
Member States should be responsible for identifying national authorities that evaluate these comprehensive risk assessments during the auction bidding process. Recognising that evaluation methodologies may differ across boarders, the European Commission should lead efforts to provide standardised technical guidance and training. This initiative is necessary to ensure that the national authorities have the tools required to accurately assess the effectiveness of proposed cyber risk assessment and quantification methodologies. Through such efforts, the EU can ensure a high level of cybersecurity across all Member States, safeguarding the critical infrastructure of the EU energy sector.
By The World Forum on Peace and Security