In Search of Suitable Methods for Cost-Benefit Analysis of Cyber Risk Mitigation in Offshore Wind: A Survey


Yvonne Hwei-Syn Kam
Kevin Jones
Robert Rawlinson-Smith
Kimberly Tam

Abstract

In recent years, notable incidents have highlighted the vulnerability of wind energy infrastructure, making cybersecurity crucial for the offshore wind industry. However, justifying the costs of cybersecurity measures is essential. A cost benefit analysis (CBA) is commonly utilised to support decision-making for risk mitigation. With a cost benefit analysis, risk mitigation strategies that strike an optimal balance between the costs of mitigation measures and the resulting risk reduction can be identified. This survey of literature was carried out to identify the existing proposed solutions for cost benefit analysis on cyber risk mitigation measures for offshore wind cyber-physical systems. After narrowing the area scope, a systematic search across Scopus and Web of Science yielded 18 articles, of which six met the selection criteria. It was found that there was a lack of cost benefit analysis of cybersecurity solutions for, or set in, the area of offshore wind directly. From the analysis of the surveyed works, suggestions on future directions were given. The existing literature found lacks detailed cost modelling for offshore wind, beyond general breakdowns encompassing capital, maintenance, and labour/installation expenses, risk and scenario loss. Some of the literature used contextual factors such as compatibility and effectiveness of mitigation measures, effects on OT performance, geographical location, geopolitical context, and installed rated power, which could be adapted to suit offshore wind. Since offshore operations contribute significantly to costs, cost modelling and consideration of other relevant factors pertaining to this area would be beneficial if explored. As an emerging area, in the future we expect this research to be a basis and a methodology that can be expanded with a larger data set from other publications in the field. Thus, it represents an opportunity to advance knowledge in offshore wind cyber-physical systems.


How to Cite
Kam, Y. H.-S., Jones, K., Rawlinson-Smith, R., & Tam, K. (2024). In Search of Suitable Methods for Cost-Benefit Analysis of Cyber Risk Mitigation in Offshore Wind: A Survey. Journal of Informatics and Web Engineering, 3(3), 314–328. https://doi.org/10.33093/jiwe.2024.3.3.20
Section
Thematic (Pervasive Computing)
