Support 100 years of independent journalism.

  1. World
  2. Americas
  3. North America
  4. US
11 March 2021updated 07 Sep 2021 11:10am

Energy companies face a rising tide of cybercrime

The increasingly digital power grids of western Europe and the US may be especially vulnerable to hacking-related blackouts.

By Sonja van Renssen and Nick Ferris

On 15 October 2020, a US court in Pennsylvania charged six individuals working for Russian intelligence for their role in “Sandworm”. In addition to hacking into chemical laboratories in the UK and the Netherlands, and targeting victims at the 2018 Winter Olympics in Korea, Sandworm stood accused of a cyber attack on Ukraine’s electricity grid in 2015. 

Energy Monitor: Why Trump failed to derail the US energy transition Part of New Statesman Media Group

This attack – in the year after Russia’s annexation of Crimea – was the first known example of a successful cyber attack on a power grid. Thirty electrical substations were switched off and around 230,000 people were left without electricity for up to six hours.

Cyber attacks on energy companies and electricity systems are a substantial and growing threat, according to the International Energy Agency (IEA). German cloud security provider Hornet Security identified energy as the number one target for cyber attacks in 2019, attracting 16 per cent of all attacks worldwide.

Energy was the most targeted industry for cyber attacks worldwide in 2019
Top ten industries targeted by cyber attacks, by share of attacks
A US Department of Energy spokesperson told the New Statesman that cyber security in the energy sector is “one of the nation’s most important and complex national security challenges” with energy infrastructure “a key target for adversaries”.

He added: “During the pandemic, malicious actors have doubled down on their resolve to intrude into critical systems to advance their financial or geopolitical interests.” 

Sign up for The New Statesman’s newsletters Tick the boxes of the newsletters you would like to receive. Quick and essential guide to domestic and global politics from the New Statesman's politics team. The New Statesman’s global affairs newsletter, every Monday and Friday. The best of the New Statesman, delivered to your inbox every weekday morning. The New Statesman’s weekly environment email on the politics, business and culture of the climate and nature crises - in your inbox every Thursday. A handy, three-minute glance at the week ahead in companies, markets, regulation and investment, landing in your inbox every Monday morning. Our weekly culture newsletter – from books and art to pop culture and memes – sent every Friday. A weekly round-up of some of the best articles featured in the most recent issue of the New Statesman, sent each Saturday. A newsletter showcasing the finest writing from the ideas section and the NS archive, covering political ideas, philosophy, criticism and intellectual history - sent every Wednesday. Sign up to receive information regarding NS events, subscription offers & product updates.

The cyber threat to energy systems is increasing because attacks are becoming more sophisticated and energy systems are becoming more vulnerable.  

“We see organised crime increasingly moving into the digital space, and we see strategic geopolitical interests playing out in the digital space,” says Kristian Ruby, secretary-general of the European electricity industry association Eurelectric. “AI brings a whole new threat,” he adds. Essentially, every time an AI-powered attack is fought off by the authorities, it can be followed by a new attack which learns from the first and takes account of any defence systems set up since. 

Content from our partners
How do we secure the hybrid office?
How materials innovation can help achieve net zero and level-up the UK
Fantastic mental well-being strategies and where to find them
Hacks in the energy sector are becoming increasingly expensive
% change in average data breach cost by industry, 2019–20

Much of this growing threat comes from the digitalisation of energy systems as they decarbonise. “The security of the digital layer becomes as important as the security of the physical grid,” wrote European transmission grid operators in a 2019 report.

Following the 2015 attack in Ukraine, grid operators restored power by sending in employees to control breakers manually rather than working from a digital operating system. Such an intervention would no longer be possible in the increasingly digital grids in western Europe and the US, suggest some observers. 

It is not only on a macro level that electricity systems are being digitalised: across the world, households are installing smart electricity meters and evermore complex Internet of Things (IoT) devices, all of which contain personal data that potential hackers would like to access. Ransomware attacks – such as the 2017 WannaCry attacks that compromised NHS data – are now a very real threat in the energy sector. Only here, as well as having private information held for ransom, there is the added threat of blackouts.  

Energy Monitor: A decade after Fukushima, Japan still struggles with its energy future Part of New Statesman Media Group

Beyond digitalisation, grids are having to cope with the demands of a more renewables-intensive electricity system. In one sense, a distributed system is more secure. “There is an inherent resilience in a more decentralised system,” says Ruby. “If you take out one wind turbine, it is not as detrimental as if you take out one or two blocks at a power plant.”  

But the mass deployment of wind, solar and electric vehicles (EVs), plus the power lines to connect them, also vastly expands the surface area of the energy system that is vulnerable to attacks.

“It is important that big capacity infrastructure, such as EV chargers and photovoltaic (PV) panels, are secured,” warns Anjos Nijk, managing director of the European Network for Cybersecurity (ENCS). In January 2021, a disturbance in the high-voltage European grid demonstrated that control over just 3GW – out of total EU capacity of 873GW in 2019 – would be enough to take out the entire European grid.

Policymakers are trying to keep up with the cyber security challenge. But it is not easy. Ultimately every system, service, product and component presents a potential threat. And components now come from all over the world. In 2019, data shows that Chinese companies – including Huawei – produced the largest share of electronic inverter parts that are crucial for the operation of solar PV panels. 

Renewables infrastructure relies on technology from all over the world
2019 global solar PV inverter market share by shipments (%)

“Politicians are worried about 5G suppliers, but those same suppliers are builders of the biggest share of PV inverters,” says Nijk. “Those systems are in people’s homes and a manufacturer has direct access to them, can switch them on and off. With so many devices, it could cause a blackout.” Huawei has repeatedly denied claims that it would interfere with its products on Beijing’s behalf.

Energy Monitor: Joe Biden faces up to the climate crisis Part of New Statesman Media Group

Studies have demonstrated that attacks on personal EVs and fast chargers, or high-wattage internet of things devices such as heaters, could disrupt power supplies. Paying insufficient attention to cyber security could trigger a public backlash. “We know how nervous a lot of people are about the digital industry and its impact,” said the European Commission’s director-general for climate action, Mauro Petriccione, earlier this month.  

“You have to see security as an enabler for the energy transition,” Nijk says. “If you don’t do it well, it can block digitalisation.” In the Netherlands, voters abandoned electronic voting after it turned out the technology was not hacker-proof, he adds. 

A decentralised, digitalised energy system is the inevitable outcome of the clean energy transition that the world needs to get to net zero greenhouse gas emissions. Cyber security is part of this package. Full prevention of cyber attacks is not possible, but electricity systems can be made more resilient, to withstand, adapt to and recover rapidly from an attack.