OSLO/LONDON/FRANKFURT. — Saboteurs target a nation leading the world in clean energy. They hack into vulnerable wind and solar power systems. They knock out digitalized energy grids. They wreak havoc.
It’s the stuff of nightmares for European power chiefs.
Henriette Borgund knows attackers can find weaknesses in the defenses of a big renewables power company — she’s found them herself. She joined Norway’s Hydro as an “ethical hacker” last April, bringing years of experience in military cyberdefense to bear at a time of war in Europe and chaos in energy markets.
“I am not sure I want to comment on how often we find holes in our system. But what I can say is that we have found holes in our system,” she told Reuters at Hydro’s Oslo HQ, declining to detail the nature of the vulnerabilities for security reasons.
Hydro is among several large power producers shoring up their cyberdefenses due in significant part to Russia’s invasion of Ukraine, which they say has ramped up the threat of hacker attacks on their operations, according to Reuters interviews with a dozen executives from seven of Europe’s biggest players.
“We established last year, after the start of the Ukraine war, that the risk of cyber sabotage has increased,” said Michael Ebner, information security chief at German utility EnBW, which is expanding its 200-strong cyber security team to protect operations ranging from wind and solar to grids.
The executives all said the sophistication of Russian cyberattacks against Ukraine had provided a wake-up call to how vulnerable digitalized and interconnected power systems could be to attackers. They’re nervously monitoring a hybrid war where physical energy infrastructure has already been targeted, from the Nord Stream gas pipelines to the Kakhovka dam.
“The cyber campaigns that Russia has been running against Ukraine have been very targeted at Ukraine. But we have been able to observe and learn from it,” said Torstein Gimnes Are, cybersecurity chief at Hydro, an aluminum producer as well as Norway’s fourth-largest power generator.
Gimnes Are said he feared a nation-state could work with hacker groups to infect a network with malicious software – though, like the other executives, he declined to divulge details on specific attacks or threats, citing corporate confidentiality.
Ukraine’s SBU security service told Reuters that Russia launched more than 10 cyberattacks a day, on average, with the Ukrainian energy sector a priority target. It said Russia had tried to destroy digital networks and cause power cuts, and that missile attacks on facilities were often accompanied by cyberattacks.
Russian officials have said that the West repeatedly blames Moscow for cyberattacks without providing evidence and that the United States as well as its allies carry out offensive cyber operations against it. The Russian foreign ministry didn’t immediately respond to a request for comment on the views of the power companies or the Ukrainian SBU’s assertions.
The European power companies, as well as half a dozen independent tech security experts, stressed that the digitalized and interconnected technology of the thousands of renewable assets and energy grids springing up across Europe presented major – and growing – vulnerabilities to infiltration.
“The new energy world is decentralized. This means that we have many small units – such as wind and solar plants but also smart meters – which are connected in a digital way,” said Swantje Westpfahl, director at Germany’s Institute for Security and Safety.
“This networking increases the risks because there are significantly more possible entry points for attacks, with much greater potential impact.”
Triton virus shuts plant
The possible effects of a cyberattack range from the capture of sensitive data and power outages to the destruction of a physical asset, said James Forrest, executive vice president at Capgemini, which advises companies on security risks.
He cited, in particular, the risk of malware such as the Triton virus, which hackers used to remotely take over the safety systems of a Saudi petrochemical plant in 2017 and shut it down.
While malware packages like Triton might be exotic algorithmic weapons, the most common mode of entry used by hackers looking to deliver them is more familiar, according to the executives and experts interviewed: via phishing emails designed to elicit data such as network passwords from employees.
Such attacks are “more or less constant”, according to Cem Gocgoren, information security chief at Svenska Kraftnaet. The Swedish grid operator has roughly quadrupled its cybersecurity team to about 60 over the last four years and is raising awareness among staff. “We have to make them understand that we are under attack all the time. It’s the new normal.”
Hydro’s ethical hacker Borgund echoed this sense of a relentless barrage via phishing, which she described as the “first initial vector” of cyberattackers.
Cyberattack on satellite
Traditional power plants like gas and nuclear typically operate on air-gapped IT infrastructure that’s sealed off from the outside, making them less susceptible to cyberattacks than physical sabotage, said Stephan Gerling, senior researcher at Kaspersky’s ICS CERT, which studies and detects cyber threats on industrial facilities.
By contrast, the ever-growing number of smaller renewable installations around Europe run on diverse third-party systems that are digitally hooked up to the power grid, and are below the power-generation monitoring threshold set by safety authorities, he added.
This kind of interconnectedness was demonstrated last February when a Russian cyberattack on a Ukrainian satellite communications network knocked out the remote monitoring of more than 5,800 wind turbines of Germany’s Enercon and shut them down, said Mathias Boeswetter, head of IT security at German energy industry group BDEW.
While the incident did not affect the electricity grid, it showed the escalating cyber vulnerabilities posed by the energy transition, he added.