Cybersecurity Resiliency of Marine Renewable Energy Systems Part 2: Cybersecurity Best Practices and Risk Management

Marine renewable energy (MRE) is an emerging source of power for marine applications, marine devices, and coastal communities. This energy source relies on industrial control systems and IT to support operations and maintenance activities, which create a pathway for an adversary to gain unauthorized access to systems and data and disrupt operations. Incorporating cybersecurity risk prevention measures and mitigation capabilities from inception, development, operation, to decommissioning of the MRE system and components is paramount to the protection of energy generation and the security of network architecture and infrastructure. To improve the resilience of MRE systems as a predictable, affordable, and reliable source of energy, cybersecurity guidance was developed to enable operators to assess cybersecurity risks and implement security measures commensurate with the risk. This publication is the second of a two-part series, with Part 1 addressing a framework to determine cybersecurity risk by assessing the vulnerability of an MRE system to potential cyber threats and the consequences a cyberattack would have on the end user. This Part 2 publication describes an approach to select appropriate cybersecurity best practices commensurate with the MRE system's cybersecurity risk. The guidance includes 86 cybersecurity best practices, which are associated with 36 cybersecurity domains and grouped into nine categories. The best practices follow the core functions of the National Institute of Science and Technology Cybersecurity Framework (e.g., identify, detect, protect, respond, and and recover) and insights from both maritime and energy industry guidance documents to identify security measures effective in protecting information and operational technology assets prevalent in MRE systems.