Exercise Windshield: A Cyber Crisis Exercise for Offshore Wind

What if a nation-state–backed threat actor could shut down the Netherlands’ offshore wind sector with a sophisticated cyberattack? How would the sector respond?

This was the challenge posed to the Bureau Veritas Cybersecurity team. To understand the answer to this question and to help build the resilience of the sector, Bureau Veritas designed a challenging crisis simulation. 

The Simulation

On Wednesday 3rd December, in a unique location in Utrecht, Bureau Veritas Cybersecurity hosted a full day live cyber crisis simulation, simulating a major cyberattack on the offshore wind sector. This was designed and facilitated in cooperation with the FLECS Program of TKI Offshore Energy, the Ministry of Economic Affairs, the Ministry of the Interior and Kingdom Relations, TKI Offshore Energy and the National Cyber Security Centre. Participants attended as representatives of the Offshore Wind Supply Chain in the Netherlands with participation from Tennet, Eneco, RWE, Gemini Windpark, Orsted and Siemens Energy. 

After months of planning, participants began the day with some presentations from FLECS, Bureau Veritas and the NCSC before diving into 2 x 90-minute live simulation rounds. A team of role players from Bureau Veritas positioned themselves in a role-playing room, armed with laptops and mobile phones ready to deliver crisis updates to the participants. In separate rooms, the participants gathered their crisis teams, ready to coordinate a response to the unfolding crisis. Luke Fletcher, Frank Ruedisueli, Willem Westerhof, and Sjoerd Peerlkamp from Bureau Veritas Cybersecurity led the design and delivery of the project.

The simulation then began with calls from operators noticing that wind park monitoring platforms were down. This was quickly followed by several reports of issues at multiple windfarms ultimately leading to a major cyber attack that brought the offshore wind sector to a halt.

The Scenario

A nation state sponsored cyber criminal gang were able to embed an insider into one of the offshore wind’s Original Equipment Manufactures (OEMS). They were also able to compromise a key third-party network service provider. Access to these two organisations allowed them to manipulate offshore wind assets and cause major disruption to operations.

What was it like?

From the perspective of participants, the exercise felt realistic, demanding, and closely aligned with the pressures of a real cyber crisis. The scenario design, pacing, and flow of injects were intentionally challenging, mirroring the complexity and uncertainty that organizations would face during a large-scale disruption to offshore wind operations. 

Participants highlighted the strong design and realistic pressure of the exercise.

“Regarding the setup of the exercise, I want to give my compliments. Well prepared and well executed. It was all working very well, although the injects came sometimes all at once, which was difficult to handle. But that’s inevitable in a crisis.”

What next?

Lessons learned will be written up and distributed amongst participants with actions taken to improve resilience. Further work remains ongoing to understand key threats in the sector and improve resilience.

Interested in knowing more? Get in touch.