What is WindESCO's cyber security policy?
WindESCo's network security for a Customer Site project:
The Swarm system relies on continuous communication over the wind plant local area network (LAN) between the Swarm Edge devices in each turbine (WeAdapt), the Swarm Server ( WeEdge), and the SCADA server(s). This communication is not encrypted; maintaining the security of the LAN against external penetration remains the responsibility of the Customer Company . In addition, the WeEdge must communicate with the WindESCo Cloud Servers to upload data and provide remote access for maintenance and monitoring. This communication is handled through outbound traffic only. This traffic outside of the wind-plant is encrypted and password protected using HTTPS.
The Swarm Cloud based remote monitoring, data collection/storage and offline model maintenance/optimization resides inside AWS Cloud Services and is protected by AWS cyber security features.
The wind plant is responsible for maintaining the firewall to prevent inbound traffic hacking the plant network.
Ownership, responsibility and notifications for vulnerability and breaches
WindESCo will be the system integrator of the Swarm hardware and software. WindESCo will not take any action that will interfere or affect the existing the Customer Company cyber security infrastructure such as firewall, log-on and other protections. If WindESCo is aware of a hardware, software or network vulnerability originated from the Customer Company hardware or firmware, WindESCo is responsible to notify all parties and work together with the Customer Company to patch it and make necessary updates in WindESCo software if necessary.
If WindESCo is aware of a server vulnerability issue at site from the Swarm Server(WeEdge), it’s WindESCo’s responsibility to notify all parties and work with the Customer Company to patch the issue with necessary Windows software upgrades or Customer Company firmware upgrades to patch the issue.
If either WindESCo or the Customer Company becomes aware of a security breach or other compromise of their network at the wind plant or cloud systems that has potential to impact the systems running at the wind plant, they should immediately make the other party aware of said breach, including the timing, what systems are believed to be impacted, and potential repercussions. The parties involved will then work together to mitigate any real or potential repercussions of this breach.