Energy: a hot commodity
Before the highly publicised Black Energy attack that hit a power grid in Ukraine in December 2015 and caused a giant blackout depriving between 800,000 and 1.4 million people of electricity for several hours in the middle of winter, the news rose from the ashes. In the throes of war, the country nicknamed the ‘breadbasket of Europe’, has just been hit by massive cyberattacks affecting its energy supplies. A recent study carried out by DNV, the Norwegian insurance and risk consultancy company, shows that ‘the energy industry is becoming aware of the threat posed by IT security, but faster action needs to be taken to combat it ’, points out Trond Solberg, Managing Director of Cybersecurity, in a press release.
The industry is certainly being targeted by cybercriminals, but beyond the financial lure, what is at stake is preparation for the battlefield, as has been the case for a long time. A situation reinforced by what has been happening in Ukraine. This is particularly the case with the European Union's attribution last May to Russia of the hacking of satellites an hour before the invasion of Ukraine to prepare the ground for its assault.
This report demonstrates the growing concern of energy players over the next two years. They believe that cyberattacks targeting the industry are likely to cause damage to people, property and the environment over the next two years. Over 80% expect material damage to assets and 57% expect loss of life. In Europe, 29% of respondents believe that defence investments are only made after a cyber incident. These organisations are, therefore, engaged in a reactive process, but have not grasped the importance of anticipating, preparing for and quantifying risks.
OT-IT convergence and a global approach
This situation means that cybersecurity must become a priority for the energy industry. But the task is complex. Although power grid installations are very old, they are now rubbing shoulders with the world of connected energy, information systems, remote inspections and maintenance... Today, the boundary between OT and IT no longer exists. Energy companies have become dependent on connected devices. That’s why it is essential to think in terms of this OTIT convergence. With the LPM and the NIS2 directive, there are numerous obligations imposed on operators to ensure a common high level of security for networks and information systems within the European Union. But today, we need to go further, with dynamic and evolving risk mapping, possible attack scenarios and indicators for quantifying the risks and their impact, enabling us to anticipate and take decisions quickly and accurately.
Renewable energies: the new challenge
Renewable energies also have to consider the issue of cybersecurity. Controlled remotely, wind turbines and solar panels are connected objects that need to be secured from end to end using appropriate protocols and technologies. However, the IoT's cybersecurity remains a weak link, and these wind turbines and solar panels have not been designed with security by design in mind. The vulnerabilities are, therefore, huge... As proof, the hacking of wind turbines' remote maintenance was compromised after the KA-SAT network operated by the American company Viasat was attacked by Russia, as I mentioned earlier.
Added to this is the problem of the decentralisation of energy production, which will also multiply the number of entry points and widen the scope of attacks.
This war, which has led to multiple sanctions, has also forced us to rethink our partnerships in terms of strategic supplies and energy dependency. Cybersecurity could well become one of the key factors in rethinking the criteria for choosing partnerships that are strategic or even vital for the nation, and, more broadly, for Europe. As cybersecurity is a guarantee of trust and reliability, it could play an increasingly important role in future high-level negotiation processes.
