It is generally understood that the world is deeply interconnected, especially when it comes to energy supplies and the global energy trade. Maintaining complex but reliable business and nation-state relationships has been central to ensuring the smooth and sustained functioning of the energy supply chain.
Yet the crisis in Ukraine and, for the focus of this article, its knock-on effect on European and global energy markets show that these often-durable relations can be broken, and that countries need to rethink how much energy they generate themselves, where they buy energy, and how they protect production, transmission, and distribution from the seemingly ever-increasing risk of cyberattacks.
Moreover, in this digital age, where a near-unlimited supply of energy, especially electricity, is fundamental, it is imperative to ensure we can not only meet our energy needs, but also guarantee that it is transported and distributed safely. In this vein, talking about energy and energy security is increasingly a matter of cybersecurity.
Ideally, the vision of “smooth and sustained” would mean more predictable advances in human progress for the approximately eight billion people on the planet. But to deliver that and protect progress, a few immediate questions have to be asked: How many people need power? How large are the energy gaps, and where are they? And what other conditions must be met to sustain economic and supply priorities? The answers to these are usually studied by the International Energy Agency (IEA), the World Bank, which hopes to advance economic development, and energy majors like Total Direct Énergie, Exxon, BP, or Gazprom, which vie for market share.
However, the current climate should also highlight the need for governments, institutions, and businesses to examine the state of cyber- and digital security across the energy supply chain. And we, as consumers of energy and users of IT, must collectively recognize that computing at a global scale is massively energy intensive, and that many popular and promising digital technologies sit at the top end of energy-intensive operations.
EU’s transition to clean energy
Fortunately, R&D in the energy sector has been making remarkable progress over the past few decades. Renewable energy is near the center of this discussion, making plausible the idea of unlocking vast energy resources with a smaller carbon footprint.
While the EU has been focusing on renewable energies for its green transition, another potentially large source – the nuclear power option – has remained rather quiet for the past few decades. But that too might be changing. In February of this year, French President Emmanuel Macron announced that France will build at least six new reactors by 2050. It’s a bullish move that defines the country’s path to reach carbon neutrality and energy independence. The French President, however, pointed out that “a nuclear plant won’t be built in less than 15 years”, highlighting that meanwhile, France needs to “massively develop renewable energies”.
As France currently holds the rotating Presidency of the Council of the EU (FPEU2022), this initiative is also emblematic of the long-term strategy for reaching Europe’s energy independence and climate goals. There is definitely momentum.
The pandemic has created a consciousness among European policymakers that real, effective steps have to be taken both on the national level and across the bloc. Unprecedented financing lines through the Recovery and Resilience Facility (Next Gen EU) are already in motion in several member states to invest in energy efficiency and innovative sustainable solutions, but also to finance new projects on hydrogen production. On the European level, the Council agreed in June 2021 on the EU’s Connecting Europe Facility Programme 2.0 and on the need for new approaches to the Trans-European network for energy that, ultimately, could make it possible to create new routes for liquefied natural gas (LNG) from west to east.
The quest for energy independence
The EU’s concerns are not only environmental, however. The 2014 Russian-Ukrainian gas transport crisis served as another alert to push for new EU-wide legislation on energy supplies and reverse flow gas capacity. Current EU energy needs are far beyond what it can produce, relying primarily on the imports of Russian gas: 40% of the gas needs and 27% of crude oil.
In 2022, fears from the 2014 crisis materialized, leading to renewed calls for immediate action to reshape the EU’s current energy mix and to address the need for energy autonomy. Last week, EU climate policy chief Frans Timmermans also noted that such overdependence on a single provider represents a “concern for our security” that needs to be addressed by investing in “renewables and diversification of supply”.
This concern was also supported by France’s Macron, who called for a “European energy independence strategy” that is already in motion. While France is a marginal producer of gas, it is a leader in LNG transport. In league with Norway, the Netherlands and the UK, which account for 80% of European production, France has a strong hand to play in mitigating reliance on eastern sources.
According to Timmermans, the Fit for 55 plan set last year already envisaged the objective of reducing gas consumption by 30% by 2030 – that’s 100 billion cubic meters less than needed today. However, pushed by the current crisis, the EU now intends to cut this same amount from gas imports from Russia by the end of this year. In doing this, the EC guarantees that the gas trade relationship with Moscow should decrease by two thirds in the next 12 months.
The plan now put forward focuses on a new paradigm: “find freedom on our energy sources”, “our energy”. But just as building new nuclear power plants takes tens of years, a rethink around renewable energy or LNG distribution also has its challenges. Setting up large solar farms or offshore wind turbines is costly, and even then, sufficient energy production requires favorable conditions and proper management, both of which benefit from massive, and largely automated, analysis of performance data via IT systems.
At present, both the Commission and the Presidency of the Council of the EU are already leading the way in an unprecedented effort. More than just diversifying gas suppliers, over the coming months the EU will be working to accelerate all previously planned transition goals via higher production of biomethane, imports of renewable hydrogen, and faster licensing for millions of solar panels to power homes as well as large-scale solar power plants. Regardless of progress with sourcing and/or replacing energy supply, the question of securing these increasingly IT-driven processes is critical.
Making infrastructure safe – the specter of Industroyer
While the question of IT security for the energy sector might sound tangential to some, the topic has in fact been on the agenda for the better part of 15 years. However, perception of its importance has now risen to a priority position in the energy conversation. This age of digitalization is largely an extension of electrification, “the greatest engineering achievement of the 20th century”. It is a process that is expanding exponentially and applies to everything from smart homes to agricultural production, extending into commercial transport and other critical sectors including energy.
For this reason, ensuring the safety of our electrical grid is just as important as making sure we can deliver the energy needed to power our world, especially when we consider that progress is now increasingly dependent on automation, largely driven by IT. In industry parlance, generation and transmission and distribution (T&D) have relied on industrial control software like Supervisory Control and Data Acquisition (SCADA) and, increasingly, on the internet, which in the digital age is now a part of critical infrastructure itself. And we already have a few examples of what can go wrong when systems contain vulnerabilities.
In 2010, after a reported five years in development, a malicious computer worm called Stuxnet was deployed against Iran’s nuclear program, targeting SCADA systems to damage uranium enrichment processes. The deployment of this cyberweapon set the stage for the direct disruption of industrial processes.
Fast forward to November 2015, when ESET investigated a set of unique cyberattacks by the BlackEnergy group targeting Ukrainian news media companies with destructive KillDisk malware that made systems unbootable. This campaign was followed in December of that year with another KillDisk variant delivered to electricity distribution companies that appeared to contain functionality to sabotage specific industrial control systems. The BlackEnergy operators caused a 4-6 hour power outage for around 230,000 people in the Ivano-Frankivsk region of Ukraine on December 23rd, 2015. This was the first time in history that a cyberattack was known to disrupt an electrical distribution system.
A year on, in what was widely regarded as a weapons test, ESET research picked up new malware that we named Industroyer. The researchers discovered that Industroyer was capable of speaking several industrial communication protocols that are used worldwide in critical infrastructure systems for power supply, transportation control, water, and gas. Because these protocols were developed decades ago and were intended for use in offline systems, security was far from the foremost consideration in their design.
Thus, once Industroyer achieved access to systems running these protocols, it became a simple matter to directly control the electricity substation switches and circuit breakers and turn off the power. The result was a significant power outage in Kiev, Ukraine.
Although it was no simple task for Industroyer’s operators to learn the language of industrial control systems, which were designed to be isolated from the outside world, both older and modern protocols that are now connected to the digital sphere are more at risk without better implementation of security by design. Ultimately, a broader palette of threats, tactics and techniques exists to infiltrate, persist within, and damage almost any power or energy system that is connected online.
Before the Ukraine crisis we had already seen increased activity and potency by ransomware groups and state actors targeting critical national infrastructure and its supply chain for extortion, disruption, and cyberespionage. With an ongoing war on the border of the EU, and the EU at odds with the Russian leadership (and its supporters elsewhere), there is a heightened risk of spillover with enhanced attacks in the so-called “grey zone” in retaliation for the EU’s stance in this conflict.
Securing energy security
Enjoying the wonders of technology means enjoying a green and safer environment. And despite all difficulties, we can see some efforts being made. Policymakers are now more engaged in working with the scientific community on climate change and with cybersecurity specialists to ensure that progress continues for the generations to come.
And, while nothing at the scale of Industroyer has been seen since, other events like last summer’s Colonial Pipeline attack in the US keep reminding us of the urgency to step up our response capacity. It is important to keep in mind that ransomware and other threats to critical infrastructure like drinking water reservoirs, railways or even airplanes are dangers we can work to avoid.