The energy sector, characterised by growing digitalisation, is clearly a favoured target for cyberattackers, whose motivations are as manifold as they are vague. Economic and industrial espionage, sabotage and various kinds of dysfunction are reflected in attack, deterrent or reprisal strategies, some orchestrated by states, which we must be ready to face.
Energy: a tempting target
After the high-profile BlackEnergy attack that struck a power grid in Ukraine in December 2015, causing huge outages that deprived 800,000 to 1.4 million people of electricity for several hours in the middle of winter, events have come full circle. In the grip of war, the country nicknamed the breadbasket of Europe has just suffered massive cyberattacks affecting its energy supplies. A recent study by DNV, a Norwegian insurance and risk consultancy company, shows that “The energy industry is waking up to the operational technology security threat, but swifter action must be taken to combat it,” as Trond Solberg, DNV’s head of cybersecurity, emphasises in a press release.
The sector is clearly a target for cybercriminals, but, beyond the financial temptation, the ground is being laid for battle, and has been for some time. This situation has been reinforced by the case of Ukraine. In May, for example, the European Union attributed to Russia an attack on communication satellites that took place an hour before the invasion began, preparing the ground for its assault.
The report highlights growing anxiety among energy companies. They anticipate that cyberattacks targeting the sector could cause personal injury and damage to assets and the environment over the next two years. Over 80% of energy professionals expect damage to physical assets and 57% expect losses of human lives. In Europe, 29% of people surveyed think that investment in cyber defence only occurs following a security incident. Organisations thus engage reactively, but have not fully understood the need to anticipate, quantify and prepare for cyber risks.
IT/OT convergence and a global approach
This situation requires the energy sector to make cybersecurity a priority. But the task is complex. Energy grids are often old installations, but they operate hand-in-hand with the world of connected energy, information systems, remote control and remote maintenance… The frontier between OT and IT is no more. Energy companies have become dependent on connected devices. This makes it essential to think about this convergence between OT and IT. Between the French military planning act, the NIS directive and soon NIS2, many obligations have been imposed on operators to ensure a common high level of network and information system security within the European Union. But the efforts must now go further still, with a dynamic, evolving mapping of risks, potential attack scenarios and indicators to quantify risks and their impacts, making it possible to anticipate attacks and take decisions quickly and accurately.
Renewable energy: the new challenge
Renewable energy also needs to take the problem of cybersecurity seriously. Controlled remotely, wind turbines and solar panels are also connected objects that need to be secured from end to end using appropriate protocols and technologies. IoT cybersecurity remains a weak link, and these turbines and panels were not created on the basis of security by design. Their vulnerabilities are immense… For evidence, we need only look to the remote wind turbine maintenance compromised after the KA-SAT network operated by the American company Viasat was attacked by Russia, as I mentioned above.
Added to this is the problem of decentralisation in energy generation, which will also multiply backdoors and expand the attack surface.
The multiple sanctions caused by this war have also forced us to rethink our partnerships in terms of strategic supplies and energy dependency. Cybersecurity could well become one of the key elements in a review of the criteria for choosing partnerships that are strategic or even vital for the nation, and for Europe more broadly. As cybersecurity is a basis for trust and reliability, it could weigh increasingly heavily in future high-level negotiations.
To respond to these priorities and achieve the necessary results, cooperation and a coherent, robust collective approach are vital. Only then can the pillars of our society’s cyber resilience be constructed.