On 15 October 2020, a US court in Pennsylvania charged six individuals working for Russian intelligence for their role in “Sandworm”. In addition to hacking into chemical laboratories in the UK and the Netherlands, and targeting victims at the 2018 Winter Olympics in Korea, Sandworm stood accused of a cyber attack on Ukraine’s electricity grid in 2015.
Energy Monitor: Why Trump failed to derail the US energy transition Part of New Statesman Media Group
This attack – in the year after Russia’s annexation of Crimea – was the first known example of a successful cyber attack on a power grid. Thirty electrical substations were switched off and around 230,000 people were left without electricity for up to six hours.
Cyber attacks on energy companies and electricity systems are a substantial and growing threat, according to the International Energy Agency (IEA). German cloud security provider Hornet Security identified energy as the number one target for cyber attacks in 2019, attracting 16 per cent of all attacks worldwide.
He added: “During the pandemic, malicious actors have doubled down on their resolve to intrude into critical systems to advance their financial or geopolitical interests.”
The cyber threat to energy systems is increasing because attacks are becoming more sophisticated and energy systems are becoming more vulnerable.
“We see organised crime increasingly moving into the digital space, and we see strategic geopolitical interests playing out in the digital space,” says Kristian Ruby, secretary-general of the European electricity industry association Eurelectric. “AI brings a whole new threat,” he adds. Essentially, every time an AI-powered attack is fought off by the authorities, it can be followed by a new attack which learns from the first and takes account of any defence systems set up since.
Much of this growing threat comes from the digitalisation of energy systems as they decarbonise. “The security of the digital layer becomes as important as the security of the physical grid,” wrote European transmission grid operators in a 2019 report.
Following the 2015 attack in Ukraine, grid operators restored power by sending in employees to control breakers manually rather than working from a digital operating system. Such an intervention would no longer be possible in the increasingly digital grids in western Europe and the US, suggest some observers.
It is not only on a macro level that electricity systems are being digitalised: across the world, households are installing smart electricity meters and evermore complex Internet of Things (IoT) devices, all of which contain personal data that potential hackers would like to access. Ransomware attacks – such as the 2017 WannaCry attacks that compromised NHS data – are now a very real threat in the energy sector. Only here, as well as having private information held for ransom, there is the added threat of blackouts.
Energy Monitor: A decade after Fukushima, Japan still struggles with its energy future Part of New Statesman Media Group
Beyond digitalisation, grids are having to cope with the demands of a more renewables-intensive electricity system. In one sense, a distributed system is more secure. “There is an inherent resilience in a more decentralised system,” says Ruby. “If you take out one wind turbine, it is not as detrimental as if you take out one or two blocks at a power plant.”
But the mass deployment of wind, solar and electric vehicles (EVs), plus the power lines to connect them, also vastly expands the surface area of the energy system that is vulnerable to attacks.
“It is important that big capacity infrastructure, such as EV chargers and photovoltaic (PV) panels, are secured,” warns Anjos Nijk, managing director of the European Network for Cybersecurity (ENCS). In January 2021, a disturbance in the high-voltage European grid demonstrated that control over just 3GW – out of total EU capacity of 873GW in 2019 – would be enough to take out the entire European grid.
Policymakers are trying to keep up with the cyber security challenge. But it is not easy. Ultimately every system, service, product and component presents a potential threat. And components now come from all over the world. In 2019, data shows that Chinese companies – including Huawei – produced the largest share of electronic inverter parts that are crucial for the operation of solar PV panels.
“Politicians are worried about 5G suppliers, but those same suppliers are builders of the biggest share of PV inverters,” says Nijk. “Those systems are in people’s homes and a manufacturer has direct access to them, can switch them on and off. With so many devices, it could cause a blackout.” Huawei has repeatedly denied claims that it would interfere with its products on Beijing’s behalf.
Energy Monitor: Joe Biden faces up to the climate crisis Part of New Statesman Media Group
Studies have demonstrated that attacks on personal EVs and fast chargers, or high-wattage internet of things devices such as heaters, could disrupt power supplies. Paying insufficient attention to cyber security could trigger a public backlash. “We know how nervous a lot of people are about the digital industry and its impact,” said the European Commission’s director-general for climate action, Mauro Petriccione, earlier this month.
“You have to see security as an enabler for the energy transition,” Nijk says. “If you don’t do it well, it can block digitalisation.” In the Netherlands, voters abandoned electronic voting after it turned out the technology was not hacker-proof, he adds.
A decentralised, digitalised energy system is the inevitable outcome of the clean energy transition that the world needs to get to net zero greenhouse gas emissions. Cyber security is part of this package. Full prevention of cyber attacks is not possible, but electricity systems can be made more resilient, to withstand, adapt to and recover rapidly from an attack.