Six individuals working for Russian intelligence were charged in Pennsylvania in October 2020 for their role in ‘Sandworm’. In addition to hacking into chemical laboratories in the UK and the Netherlands, and targeting victims at the 2018 Winter Olympics in Korea, they stood accused of a cyberattack on Ukraine’s electricity grid in 2015. A year after Russia’s annexation of Crimea, this was the first known example of a successful cyberattack on a power grid. A total of 30 electrical substations were switched off and around 230,000 people were left without electricity for up to six hours.
The event is one of just a few memos relating to the energy sector in the record of global cyberthreats kept by the EU’s Computer Emergency Response Team since July 2019. While this might suggest cyberattacks on energy companies and electricity systems are few and far between, the threat is substantial and growing, warns the International Energy Agency (IEA).
Security concerns mean details of specific threats are rarely released by grid operators. Some may go entirely undetected. However, research from Hornet Security, a German cloud security provider, identifies energy as the number one target for cyberattacks in 2019, attracting 16% of all attacks worldwide.
The US Department of Energy deems cybersecurity in the energy sector “one of the nation’s most important and complex national security challenges” with energy infrastructure “a key target for adversaries”. A spokesman says: “We know from the 2019 Worldwide Threat Assessment that China and Russia possess the ability to temporarily disrupt critical energy infrastructure. During the pandemic, malicious actors have doubled down on their resolve to intrude into critical systems to advance their financial or geopolitical interests.”
In traditional military action, the first target is airports; the second is the energy system, points out Anjos Nijk, managing director of the European Network for Cybersecurity (ENCS).
Greater risk surface
As the energy system electrifies and digitalises, power grids are increasingly vulnerable. In 2018, the US Department of Homeland Security reported the issuance of 223 “security vulnerability advisories” for industrial control systems that support power grid operations, up from 17 in 2010.
The mass deployment of distributed infrastructure – wind and solar on the supply side, and electric vehicles (EVs) on the demand side – plus the power lines and smart meters that connect them, vastly increases the surface area of the energy system open to cyberattacks.
“There is a growing risk of electricity systems being compromised,” says Kristian Ruby, secretary-general of Brussels-based trade association Eurelectric. “It is part of a broader pattern: we see organised crime increasingly moving into the digital space, and we see strategic geopolitical interests playing out in the digital space. Network operators are making digital resilience a top strategic priority.”
The damage so far has been manageable, with disruptions to electricity systems because of cyberattacks “small compared to other causes, such as power outages from storms, equipment failure or operational errors”, reports the IEA.
EU officials say the energy sector is “relatively aware” of cyberthreats; not as much as the finance sector, but more so than water management or health. One of their biggest fears is a Mirai-like attack where a botnet – or group of devices that are each running automated cyberscripts – brings together various connected objects to cause a major, potentially cross-border disruption, says one official.
In the US, cybersecurity is “a huge issue”, says Mark Dyson at think tank the Rocky Mountain Institute. Debate in the energy sector has, until now, focused on the enterprise level and devices, such as wind turbines, that utilities operate where breaches have occurred. Distribution grid management and smart meter vulnerabilities have received little attention, he says.
AI systems, AI threats
The EU Agency for Cybersecurity keeps tabs on some of the most infamous cyber-attackers. The Lazarus Group, for example, allegedly sponsored by North Korea, is believed to be behind multiple attacks, including the hack of an Indian nuclear power plant in 2019, according to its 2020 Threat Landscape report.
The threats are relentless, and becoming more effective with the development of artificial intelligence. “AI brings a whole new threat,” says Ruby. Essentially, every time an AI-powered attack is fought off by the authorities, it can be followed by a new attack which learns from the first and takes account of any defence systems set up since.
[Keep up with Energy Monitor: Subscribe to our weekly newsletter]
“Cybersecurity has not changed with the advent of digitalisation,” wrote European transmission grid operators in a 2019 report, “However, the challenge has been exacerbated. The security of the digital layer becomes as important as the security of the physical grid.”
Following the 2015 attack in Ukraine, grid operators restored power by sending in employees to control breakers manually rather than working from a remote operating system. Such a response would no longer be possible in the increasingly digital grids in western Europe and the US, suggest some observers.
Yet some argue a more distributed energy system can help thwart would-be attackers. “Smart” devices, or “adding intelligence at the edge” of the system, benefits rather than compromises security because the data never has to leave the premises, argues Jon Lindén, co-founder and CEO of Ekkono, a Swedish machine learning start-up.
Tech companies such as Microsoft also maintain that new technologies can enhance security. “It is not safer to have a server in your basement than to go into the cloud,” says the company’s Casper Klynge. ”Some of the most vicious cyberattacks in recent years… have hit companies or government agencies running on technology that was not state-of-the-art.”
Bermudes at Marsh agrees: “Large public cloud providers have a significantly better record in resisting data breach and ransomware attacks than any of the traditional on-premise or managed and owned data centre implementations.”
Utilities are investing in new security techniques to meet the growing threat, but they face obstacles. Key federal and non-federal entities had “difficulties hiring a sufficient cybersecurity workforce” and suffered from “limited resources to invest in cybersecurity protections”, states a 2019 report from the US Department of Homeland Security. “Talent in the cybersecurity field is scarce and the intersection of skill sets in the context of industrial cybersecurity is even scarcer,” says Marsh’s Monica Tigleanu.
The skills gap is one of the main reasons the ENCS was set up in 2012, when distribution system operators (DSOs) were starting to perceive the threats of a more distributed energy system and preparing for big smart meter roll-outs. It aims to bring together different kinds of expertise. “To get a good picture of security, you need to understand how a hacker works but also how the grid works,” says managing director Nijk.
Smart meters are not new, but the evermore integrated management of energy systems using their data is. “In the past, utilities had different systems for different jobs; for example, one for power control and dispatch and another for outage management,“ explains William Low from consultancy DNV GL. “Now more are looking for a single system to manage all aspects of the grid, using smart meter data.”
Technologies from 5G to edge computing to IoT push for integration, a process necessary to realise the full potential of digitalisation, says Low. However, cybersecurity threats push in the opposite direction, towards separation and isolation. If security requirements become too rigid, they can hinder innovation, Nijk warns, citing how overzealous demands in Germany pushed up the price of smart meters, leaving the country trailing in its roll-out of the technology.
In practice, different utilities are striking a different balance between integration and cybersecurity, depending on where they operate. In Singapore, where Low is based, strict cybersecurity laws, including punitive measures against critical information infrastructure owners, mean that this is priority number one. DNV GL is exploring how to protect platforms which facilitate integration by studying technologies such as data diodes, used to secure data by the military.
In a survey of power and renewables professionals on digital technologies, DNV GL found a quarter of respondents named cybersecurity risks as one of their top three barriers to digitalisation.
Avoiding a blackout
Beyond digitalisation, the major system change facing grids is their rapid expansion to meet the demands of a more distributed electricity supply system. A decentralised system can be more secure. “There is an inherent resilience in a more decentralised system,” says Ruby. “If you take out one wind turbine, it is not as detrimental [as if you take out one or two blocks at a power plant].” But at the same time, “the system is only as strong as its weakest link”, he adds.
As the stability of the electricity grid becomes increasingly dependent on distributed resources, security incidents could lead to large disruptions, warns Nijk, even to the extent of a European blackout. The system separation triggered by a disturbance in the high-voltage European grid in January 2021 demonstrated that control over 3GW is enough to take out the entire European grid. “It is important that big capacity infrastructure, such as EV chargers and photovoltaic (PV) panels, are secured,” he says.
Comprehensive cybersecurity measures are needed in more locations than ever before and all component manufacturers, system operators and politicians must be aware of the threat, Ruby says. However, in an increasingly globalised power technology market, with components coming from all over the world, this is complicated.
During the pandemic, malicious actors have doubled down on their resolve to intrude into critical systems to advance their financial or geopolitical interests. Spokesman, US Department of Energy
PV inverter parts imported into the EU in 2019 came from a huge number of companies, with Chinese company Huawei owning the largest market share, shows data from Wood Mackenzie. “Politicians are worried about 5G suppliers, but those same suppliers are builders of the biggest share of PV inverters,” says Nijk. “Those systems are in people’s homes and a manufacturer has direct access to them, can switch them on and off. With so many devices, it could cause a blackout.”
The IEA reports on a recent study demonstrating that a targeted attack on personal EVs and fast chargers, using publicly available data, could cause significant disruptions to local power supply. Another study shows how high-wattage IoT devices such as air conditioners and heaters, could be used to launch large-scale coordinated attacks on the power grid, resulting in local outages and, in the worst cases, large-scale blackouts.
Protecting distributed assets becomes more important the more connected they are. In California, new solar and storage installations are required to use smart inverters with remote connectivity, says the IEA. California’s main grid operator, the California Independent System Operator, says its cybersecurity team “operates under the assumption attackers are continuously searching for vulnerabilities”.
Supply chain certification
Policymakers are trying to keep up. EU officials identified energy as a critical sector when drawing up the bloc’s first cybersecurity law in 2013. The directive on security of network and information systems (NIS) identifies electricity transmission system operators, DSOs and suppliers as providers of essential services, and requires EU member states to take appropriate measures to cyber-secure them. Today the NIS directive is under review with at least three big changes on the horizon.
First, the Commission wants to harmonise implementation, which has been highly divergent across member states. Second, the directive’s scope will be extended beyond traditional grid operators to new players, such as EV charging station operators.
Politicians are worried about 5G suppliers, but those same suppliers are builders of the biggest share of PV inverters. Anjos Nijk, ENCS
“It is important the owners of risk all do something,” Nijk says. “Now, if an EV charger is installed by a network provider, it is required to cyber-secure it, but if a local government does it, there is no such requirement.”
The third change is a growing emphasis on supply chains. As well as extending responsibility for cybersecurity horizontally, the Commission wants to extend it vertically to ensure “supply chain resilience”. For trade association DigitalEurope this would ultimately entail requirements on services and systems as well as products. The traditional focus on products “gives a false sense of security”, says its director-general Cecilia Bonefeld-Dahl. “We need to look at the whole value chain.”
The concept of system-wide certification is laid out in the EU Cybersecurity Act and a network code for cybersecurity is being developed.
National security and public acceptance
Cybersecurity is also crucial for public acceptance. “We know how nervous a lot of people are about the digital industry and its impact,” said the Commission’s director-general for climate action, Mauro Petriccione, earlier this month. ”We can’t afford to risk rejection. We have to make sure people feel safe… industry has a bigger role to play than it has so far.”
Paying insufficient attention to cybersecurity could trigger a public backlash, agrees Nijk. “You have to see security as an enabler for the energy transition,” he says. “If you don’t do it well, it can block digitalisation.” In the Netherlands, voters abandoned electronic voting after it turned out the technology was not hacker-proof, he says.
A more decentralised, digitalised energy system is part and parcel of the clean energy transition and the global ambition to get to net zero. Cybersecurity is also part of this package. Full prevention of cyberattacks is not possible, but electricity systems can be made more resilient, to withstand, adapt to and recover rapidly from an attack.