Cybersecurity for Distributed Hydrogen Energy Systems
Cyber Security
Semester programme:Cyber Security
Client company:Power to Power (energystoragenl.nl)
Project group members:Tiutenko Artem
Peeters Jordi
Litvinaitis Faustas
Erens Twan
Yahia Chahid
Project description
Main research question: How can distributed energy installations (such as hydrogen production and green gas storage) be protected against modern cyber threats? Recent incidents in the energy sector have shown that cyber threats can cause loss of availability, safety risks, financial damage, and environmental consequences. Traditional industrial control systems (ICS) and security measures are often not sufficient to handle the new risks introduced by modern attack techniques.
The challenge for CyDES is to understand how today’s cyber threats can affect these systems and to define effective ways to protect them. To do so, we first need a structured threat analysis to map out the possible attacks that can be used on the network. Next, it is important to demonstrate attacks and defenses in a controlled, realistic, small-scale setup to better understand the risks and test the implemented defenses.
This project arises from the need to bridge the gap between innovative energy technologies and cybersecurity, ensuring that distributed energy installations can operate safely, reliably, and resiliently.
Context
This project is part of the CyDES (Cybersecurity for Distributed Energy Systems) initiative, which focuses on protecting distributed energy installations such as hydrogen production from solar energy and seasonal storage in green gas. As these systems grow in importance for the energy transition, they also face increasing cyber risks due to their distributed and digitalized nature.
Power to power went on to collaboration with Fontys. Students will take part in researching possible solutions to decrease the chances of compromise. Our project is seen as an exploration project. Where it is expected that students explore protective measures and look for new or possible ways to make the network resilient against attacks.
Results
The most important outcomes of Project CyDES are a working lab setup, clear attack/defense demonstrations, and practical lessons about what matters most for securing a distributed hydrogen energy network.
First, we delivered a small-scale simulation of a hydrogen facility and a remote monitoring site. It includes pfSense firewalls, a site-to-site VPN (OpenVPN and IPsec were tested), Suricata intrusion detection, a SCADA server (Node-RED), PLC simulators, and a data retriever server.
Second, we produced validated findings from penetration tests. When the VPN was disabled and systems were exposed with port forwarding, we could capture SCADA traffic in clear text and even send requests from outside to shut down a PLC simulator. When the VPN was enabled, the traffic was still visible on the network but the contents were encrypted and unreadable, and internal systems were not directly reachable from the internet. This clearly shows why VPNs are important.
Third, we proved that outdated key components can break the whole security setup. By downgrading pfSense to an old version (2.5.2), we could exploit a known vulnerability (CVE-2021-41282) and get root access on the firewall. That means other protections become much less effective. Once the firewall was compromised, an attacker could potentially change firewall rules and monitor traffic, capture packets from PfSense and escalate it to encryption of the whole system.
Based on this, our project fits TRL 4: we validated the technology in a lab environment. The results are strong enough to guide real system design, but more work would be needed to test in a real operational facility with real devices
About the project group
We are group of 5 members. Each of us has background of doing Infrastructure and Cybersecurity semesters. Each week we were organising group meetings at least once, and once per two weeks with our stakeholder (Semester coordinator). There we were discussing the way we are working, our direction towards answering research questions, sprint goals and task division. We worked on project during 5 sprints (Sprint 0 until Sprint 4) and 15-16 weeks.