In May 2021, the Colonial oil pipeline, an 8,850km piece of energy infrastructure that supplies 45 per cent of all fuel consumed on the US east coast, was held to ransom in a cyber attack. DarkSide, a hacker group, broke into the Colonial Pipeline Company’s IT network and demanded money. The operator shut the pipeline down and panic ensued as millions of Americans rushed to hoard fuel, pushing prices up across the eastern seaboard. Desperate to solve the crisis, the company immediately paid off a $4.4m ransom, but it took six days for the pipeline to be restarted.
The attack is just one example of the cyber threat to energy infrastructure that data shows is escalating. The sector has become a leading target for cyber criminals, now accounting for 16 per cent of officially known attacks, according to systems-protection firm Hornetsecurity. Meanwhile, data from another security company, Check Point, suggests that the energy industry is the second most cyber-attacked sector after research and education.
The company records hundreds of attacks each week on the utilities that its security systems protect in the UK. But these attacks are not only relentless; they occur on multiple fronts. In early February this year, for instance, a cyber attack hit the major Amsterdam-Rotterdam-Antwerp oil-refining hub, disrupting the loading of refined product cargoes in the midst of an energy supply crisis that was already causing headaches across Europe. And in November 2021, leading Danish wind turbine manufacturer Vestas had its internal IT infrastructure hacked. Cyber criminals were able to publish employees’ contact information, pictures, medical information and bank account details.
“The cyber threat to energy is real and growing,” says Deryck Mitchelson, chief information security officer at Check Point. “Energy systems are constantly being attacked by cyber criminals, and there are a number of instances where the utility sector has been compromised in a serious way.”
Why are hackers so interested in energy? In part, such attacks have the potential for high impact. “If you are an adversary state, there is the possibility of bringing a country to a standstill by cutting off its energy,” says Sneha Dawda, from the Royal United Services Institute (Rusi), a defence think tank. “Another way you could cause mass disruption at the moment, with current high energy prices, would be to hack electricity meters to make them spiral even further out of control.”
Jamie MacColl, Dawda’s colleague at Rusi, adds that energy companies hold a lot of consumer data, which can be held to ransom by criminal organisations. “There has also been significant cyber espionage reported against companies that specialise in green technology,” says MacColl. “These can once again be ransomware attacks, or there have been instances of companies, often in China, looking to steal other companies’ intellectual property.”
Recorded incidents of cyber attacks have increased in general since Russia’s invasion of Ukraine, according to those in the industry. “Our data shows us that there has been a large increase in cyber attacks since the start of the war,” says Mitchelson. As an example, he says that Avanan, an email security solution provided by Check Point, has seen phishing attacks increase by 800 per cent since the start of the war. Russian hackers were also able to temporarily disrupt internet services in Ukraine by disabling satellite communications, Reuters reported in March.
The war in Ukraine has brought energy cyber security into focus, but concerns long pre-date the current crisis. As the energy sector begins its long and complicated transition towards net zero carbon emissions, the rapid roll-out of renewables and the digitalisation of energy supply networks leave the system more vulnerable.
A low-carbon future means electrifying heating, transport and industrial processes. Areas of the economy once powered by fossil fuels are now being linked to electrical grid systems that are controlled digitally. This makes them accessible to hackers.
A net zero future also means a more decentralised electricity generation system. With solar panels and wind turbines dotted around the country, national power will come from a number of widely dispersed locations, as opposed to a few high-capacity coal- or gas-fired power stations. These facilities – along with the extensive power cables, substations and electricity storage units that they will require – vastly increase the surface area of the energy system that is open to attack.
“Services are now more interconnected than ever – and that’s not just within national energy systems and utilities, but also in more complicated supply chains,” says Mitchelson. “All of this creates a really complex landscape to manage, and massively increases the cyber risk.”
If defence mechanisms are not up to scratch on the consumer side of the business, and IT systems are not appropriately segmented, then there is also a risk that weak points such as domestic appliances could be hacked, providing an entry point to the wider energy system. One recent study demonstrates how a targeted attack on personal electric vehicles and fast chargers could cause significant disruption to local power supply. Another study from 2018 shows how high-wattage internet of things devices such as air conditioners and heaters could be used to launch large-scale coordinated attacks on the power grid, leading to local power outages.
While it can be tempting to fixate on worst-case scenarios, the industry is aware of cyber threats, and regulations do exist to ensure companies install effective defence solutions. In the UK, for instance, Network and Information Systems (NIS) regulations were introduced in 2018 to ensure critical infrastructure remains well protected. But, says Mitchelson, there’s only so much that regulation can cover. Ultimately, it is down to companies to put the best technological solutions in place to ensure that they are protected.
“NIS regulations mean there is a competent authority to go around and audit organisations, but these assessments are effectively like a car MOT: they only happen at an appointed time,” he says. “Organisations have to understand that they are all constantly at risk, and they need to be running simulations and checking on vulnerabilities to ensure they are protected.
“We now have some very smart solutions, but there are a lot of very intelligent ‘threat actors’ out there as well. Whoever is ahead can switch like a seesaw: the trick is to make sure you are always the one at the top.”