Explained — Technology · 03.3
OT Cybersecurity
Cybersecurity: the protection of connected systems, data, and processes from digital attack · OT: Operational Technology, the systems that directly control physical equipment · Protecting a wind farm that cannot simply be rebooted.
Offshore wind is Critical National Infrastructure. In the UK, that status is formal under the NIS Regulations, inherited from the EU Networks and Information Systems directive. In practice it means that a successful cyberattack on an offshore wind operator is not just a commercial problem for the operator; it is a national security and energy security problem for the country. That framing has reshaped how the sector treats OT cybersecurity over the last five years, from an engineering afterthought to a regulated, auditable, board-level concern.
The problem is hard because OT systems were not designed for the threat environment they now face. A turbine controller designed in 2015 was not expecting to be on an internet-accessible network with a cloud-connected performance analytics platform reading from it. Most offshore wind OT estates contain equipment spanning 15 years of technology generations, running vendor firmware that cannot be patched on any conventional schedule, communicating over protocols that were designed before authentication was a concept.
Why Offshore Wind
Four factors make offshore wind a specific target:
- Strategic importance. A large offshore wind farm can supply more than a million homes. A successful attack that takes one offline is a measurable blow to national energy supply.
- Remote operations. Every operating farm runs largely unmanned, controlled from shore over networked systems. The attack surface is inherently larger than a traditional power station.
- Supply chain complexity. A typical farm has equipment and remote support from a dozen or more vendors, each with their own access, support tooling, and service personnel. Supply chain compromise has been a recurring feature of the most serious OT incidents in recent years.
- Visibility and symbolism. Offshore wind is politically visible in a way that a substation in an industrial estate is not. State actors looking to signal capability have obvious incentives to target it.
Publicly reported incidents include the 2022 attack on Enercon, which took thousands of onshore turbines offline via a satellite communications compromise, and the Deutsche Windtechnik attack the same year. Offshore-specific incidents are less commonly reported publicly, but several have occurred and been handled under non-disclosure.
The Threat Landscape
OT threats break down into three broad categories, each with different motivations and techniques:
Nation-State Actors
Patient, well-resourced, focused on access and disruption capability rather than immediate damage. Interested in offshore wind as strategic infrastructure and as a pathway to the wider power grid.
Examples: documented Russian (Sandworm, APT28) and Chinese (Volt Typhoon) campaigns against European and North American energy infrastructure.
Ransomware Groups
Financially motivated. Historically focused on IT but increasingly willing to cross into OT, either deliberately for leverage, or by accident when propagating through a poorly segregated corporate network.
Typical impact: operations disrupted by IT systems losing access, even when OT itself is not compromised.
Insiders and Contractors
The largest category of real OT security incidents globally. Most are accidental: a vendor engineer plugging in a laptop, a USB drive used across sites, an unauthorised change on a live system.
Deliberate insider action is rarer but harder to detect, particularly with the high degree of third-party access typical on offshore wind farms.
Hacktivists and Opportunists
Lower capability but willing to target anything publicly associated with a cause. Typical impact is defacement of public-facing systems, occasionally the public exposure of internet-facing industrial interfaces discovered by Shodan-style scanning.
Attack Vectors
Most OT incidents reach their target through a limited number of routes:
- Remote vendor access. Every major system on a wind farm has a vendor who logs in remotely for support. Compromising that vendor (or their credentials) is often the shortest path.
- Engineer laptops. A service engineer's laptop travels between sites, vendors, and home networks, and connects directly to OT equipment. A single infected laptop has been the root cause of several serious industrial incidents.
- USB and removable media. Used for firmware updates, log extraction, or transferring configurations. Notoriously hard to control in a distributed, remote-site environment.
- IT to OT lateral movement. Attackers compromise corporate IT first, then move across the IT/OT boundary through poorly segmented networks or shared credentials.
- Supply chain software. Compromised firmware, SCADA updates, or vendor support tooling, inserted at the vendor rather than the asset owner.
- Physical access. Rare but not impossible. An offshore substation is remote, but not inaccessible, and insider or physical intrusion is part of a credible threat model.
Regulatory Framework
UK and European OT security for offshore wind operates in a dense regulatory environment:
- NIS Regulations (UK): implementing the EU NIS Directive, these regulations designate energy sector operators as Operators of Essential Services (OES) and impose security, incident reporting, and audit requirements. Ofgem is the relevant competent authority for the electricity sector.
- NIS2 (EU): the successor directive, substantially broader and stricter than NIS1. Applies to EU operators and to UK operators with EU subsidiaries or operations. Raises fines, personal liability, and incident reporting deadlines.
- NCSC Cyber Assessment Framework (CAF): the UK's structured assessment approach used by competent authorities to evaluate OES compliance. Organised around four objectives and fourteen principles, with Indicators of Good Practice at three maturity levels.
- IEC 62443: the international standard family for industrial automation and control systems security. Used by vendors as a product security certification (62443-4) and by asset owners as an architectural framework (62443-3-3, 62443-2-1).
- ISO 27001 and ISO 27019: information security management system standards, with 27019 specifically addressing energy utility operations.
In addition to these, individual TSOs impose cybersecurity requirements through the grid connection agreement, and insurers increasingly require evidence of specific controls before offering or renewing cyber cover.
NIS2 compliance is still patchy across the European offshore wind operator base as of 2025-2026. The directive's entity-level scope, supply chain requirements, and management accountability provisions are a significant step up from NIS1, and implementation is being worked through on a case-by-case basis. Operators that were NIS1 compliant will find NIS2 a meaningful additional workload, not a rebadge.
What Good Looks Like
Effective OT cybersecurity for an offshore wind operator involves several overlapping capabilities. None of them can be bought off the shelf as a single product, but together they form a credible defensive posture:
- Asset inventory. You cannot protect what you do not know you have. Accurate, live inventory of every OT asset, its firmware version, its network location, and its ownership is the foundation of everything else. This is harder than it sounds on a farm with multiple OEMs, decade-old equipment, and limited remote visibility.
- Network segmentation. Strict separation between IT and OT, and further segmentation within OT (Purdue levels, per-substation zones, per-turbine ring isolation). Enforced at firewall and switch configuration level, and monitored for drift.
- Continuous monitoring. Passive detection of changes and anomalies on the OT network. Signature-based, behavioural, and protocol-aware detection, integrated with a Security Operations Centre that understands OT as well as IT.
- Access control. Strong authentication for all remote access. Per-vendor, per-role, per-session accountability. Jump host architectures that prevent direct OT access.
- Patching and vulnerability management. Structured, vendor-coordinated, risk-assessed. Realistic about the limits of what can be patched on operating industrial equipment.
- Incident response planning. Tabletop exercises that include both cyber and operational staff, vendor engagement pathways, and offline communication channels for when the primary ones are compromised.
- Supply chain assurance. Vendor security requirements in contracts, evidence-based due diligence, and monitoring of vendor security posture over the life of the contract.
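The inventory, segmentation and monitoring capabilities above are usually delivered by a passive sensor that watches OT traffic and compares it against a baseline. The following is an added example of that comparison logic, not code from this article or from ODiGE's EOS Sentis: the zone plan, the allowed zone-to-zone paths, the authorised-writer baseline and the flow records are all constructed for the illustration. It reports three kinds of finding from one pass over the records: hosts not in the asset inventory, conversations that cross a zone boundary the segmentation policy does not permit (IT to OT drift), and Modbus write function codes issued by anything other than the SCADA master.

```python
"""Passive OT network baseline checks over constructed flow records.

Added example; zone ranges, allowed paths, authorised writers and the flow
records are assumptions invented for the illustration, not a real farm.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Assumed Purdue-style zone plan for one substation (constructed ranges).
ZONES = {
    "corp_it": ip_network("10.10.0.0/16"),
    "dmz_jump": ip_network("10.20.0.0/24"),
    "ot_scada": ip_network("192.168.10.0/24"),
    "ot_turbine_ring": ip_network("192.168.20.0/24"),
}

# Permitted (source zone, destination zone) pairs. Corporate IT reaches OT
# only through the jump zone; any other crossing is a segmentation finding.
ALLOWED_PATHS = {
    ("corp_it", "dmz_jump"),
    ("dmz_jump", "ot_scada"),
    ("ot_scada", "ot_scada"),
    ("ot_scada", "ot_turbine_ring"),
    ("ot_turbine_ring", "ot_scada"),
    ("ot_turbine_ring", "ot_turbine_ring"),
}

# Modbus function codes that alter controller state (coil and register writes).
MODBUS_WRITE_CODES = {5, 6, 15, 16, 23}

# Assumed baseline: only the SCADA master may write to turbine controllers,
# and these three hosts are the currently inventoried assets.
AUTHORISED_WRITERS = {"192.168.10.5"}
KNOWN_ASSETS = {"192.168.10.5", "192.168.20.11", "10.20.0.10"}


@dataclass(frozen=True)
class Flow:
    """One observed conversation, as a passive sensor or flow exporter records it."""
    src: str
    dst: str
    dport: int
    proto: str       # application protocol identified by the sensor
    func: int = 0    # Modbus function code; 0 when the flow is not Modbus


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def analyse(flows: List[Flow], known_assets: Set[str]) -> Tuple[Dict[str, Set[str]], List[Finding]]:
    """Build an inventory of hosts and the protocols each was seen speaking,
    and raise findings for new assets, segmentation drift and unauthorised writes."""
    inventory: Dict[str, Set[str]] = {}
    findings: List[Finding] = []
    reported_new: Set[str] = set()   # report each unknown host once, not per flow
    for f in flows:
        for ip in (f.src, f.dst):
            inventory.setdefault(ip, set()).add(f.proto)
            if ip not in known_assets and ip not in reported_new:
                reported_new.add(ip)
                findings.append(Finding("new_asset", f"{ip} in zone {zone_of(ip)} speaking {f.proto}"))
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if (src_zone, dst_zone) not in ALLOWED_PATHS:
            findings.append(Finding("segmentation",
                                    f"{f.src} ({src_zone}) -> {f.dst} ({dst_zone}) {f.proto}/{f.dport}"))
        if f.proto == "modbus" and f.func in MODBUS_WRITE_CODES and f.src not in AUTHORISED_WRITERS:
            findings.append(Finding("unauthorised_write",
                                    f"{f.src} sent Modbus function {f.func} to {f.dst}"))
    return inventory, findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, the shape a SOC dashboard would show."""
    return dict(Counter(f.kind for f in findings))


# Constructed flow records (not captured traffic).
SAMPLE_FLOWS = [
    Flow("192.168.10.5", "192.168.20.11", 502, "modbus", func=3),   # SCADA polls a turbine: normal
    Flow("192.168.10.5", "192.168.20.11", 502, "modbus", func=16),  # SCADA setpoint write: authorised
    Flow("10.20.0.10", "192.168.10.5", 22, "ssh"),                  # jump host to SCADA: allowed path
    Flow("10.10.4.77", "192.168.20.11", 502, "modbus", func=6),     # corporate laptop writing to a turbine
    Flow("192.168.20.99", "192.168.10.5", 2404, "iec104"),          # host missing from the inventory
]

if __name__ == "__main__":
    inventory, findings = analyse(SAMPLE_FLOWS, KNOWN_ASSETS)
    for finding in findings:
        print(f"[{finding.kind}] {finding.detail}")
    print("hosts seen:", sorted(inventory))
```

The laptop flow is the case the attack-vectors section warns about: a single IT-zone host talking straight to a turbine controller trips both the segmentation check and the write check, and because the host is not inventoried it also surfaces as a new asset. Keeping the allowed-path table and the authorised-writer set as explicit data is what makes the baseline auditable against the firewall and switch configuration it is supposed to mirror.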
Incident Response at Sea
Responding to an OT incident on an offshore wind farm is materially harder than onshore. Personnel access is weather-dependent. Equipment replacement requires specialist vessels and long lead times. Forensic imaging of a live turbine controller is rarely viable without taking the turbine offline. Many standard IT incident response techniques (building an air-gapped analysis environment, isolating a compromised host, reimaging from known-good media) are operationally difficult or impossible in the offshore environment. Incident response plans have to be designed specifically for the offshore context, with the vendor support relationships, vessel logistics, and operational continuity arrangements built in from the start.
EOS Sentis
EOS Sentis is ODiGE's dedicated OT cybersecurity product, built specifically for the offshore wind environment. It provides continuous OT asset inventory and passive network monitoring, aligned to the NCSC CAF and designed for the communications, network topology, and vendor landscape of an operating offshore farm. It is priced for the economics of offshore wind rather than scaled down from enterprise IT tooling; that scaling-down is the single most common failure mode of general-purpose OT security products when deployed on a renewables asset. Sentis is covered in detail on its own product page.
OT cybersecurity is not a problem that any single product solves. It is a capability that an operator has to build across technology, process, people, and governance. Sentis is one part of that capability, the sensor and evidence layer that makes the rest of it provable. Buying a product without the surrounding programme is how most operators end up with expensive dashboards and no measurable improvement in risk.