Cyberattacks on the power grid are on the rise as utilities seeking security play catch-up

Energize Weekly, August 9, 2023

In the summer of 2022, the Colorado Springs Utilities alerted its customers that their data from its system had been hacked. Several months later, 2,000 wind turbines in Germany were shut down when their remote controls were disabled in a cyberattack.

Cyberattacks are on the increase in the electricity sector, a report by the International Energy Agency (IEA) said. But the IEA analysis “indicates that utilities face serious difficulties in finding and retaining the skilled professionals needed to defend themselves.”

Utilities are increasingly using an array of digital technologies to better manage their infrastructure from plants to grids to business operations. While enhancing operations and allowing the growth of clean energy, these technologies also open the door to cybercriminal organizations.

The energy sector worldwide accounted for almost 11 percent of all cyberattacks in 2022, according to the Threat Intelligence Index compiled by X-Force – IBM’s cybersecurity service.

That made the sector the fourth most attacked industry, while in North America energy companies accounted for 20 percent of the attacks, making them the most targeted industry.

Data thefts made up 20 percent of the attacks, extortion another 23 percent and ransomware 15 percent. Other types of strikes included spear phishing, credential harvesting and botnet infections.

“There is increasing evidence that cyberattacks on utilities have been growing rapidly since 2018, reaching alarmingly high levels in 2022 following Russia’s invasion of Ukraine,” the IEA said.

Deutsche Windtechnik, the company whose wind turbines were knocked out of commission for a day, suspected Conti, a ransomware group that has declared support for the Russian government.

The U.S. energy sector is playing catch-up, the IEA said. “Job posting data from major power utilities in the United States shows that cyberattack events trigger sudden increases in demand for cybersecurity professionals, suggesting a lack of long-term strategy or planning in the past,” the agency said.

The U.S. Department of Energy (DOE) as the lead federal agency for the energy sector has developed plans to implement a national cybersecurity strategy for protecting the grid.

However, an assessment by the Government Accountability Office (GAO) said the “DOE’s plans do not fully incorporate the key characteristics of an effective national strategy.”

The strategy, the GAO said, does not include a complete assessment of all the cybersecurity risks to the grid.

One example, the agency noted, are distribution systems, which carry electricity to consumers. The widespread adoptions of so-called smart meters and other two-way communication technologies are making this part of the grid more vulnerable.

“This could allow threat actors to access those systems and potentially disrupt operations,” the GAO said.

Still, the U.S. and North America have been in the forefront of developing cybersecurity standards for the electric grid through the North American Electric Reliability Corp. (NERC), the IEA said.

NERC, which is responsible for the reliability and security of grids from Canada to Baja Mexico serving 1,600 bulk power users, has issued “Critical Infrastructure Protection” standards and a Cybersecurity Framework Smart Grid Profile.

“European Union utilities have also been in reactive mode” with a scramble to hire cybersecurity experts in 2020, the IEA said. “These trends suggest that European Union utilities were not fully prepared at the time to face critical events such as the COVID-19 pandemic and Russia’s invasion of Ukraine.”

Worldwide, there was a shortage of 3.4 million cybersecurity workers across all sectors, according to a report by the International Information System Security Certification Consortium.

That included 1.3 million openings in North America and 1.2 million in Europe, the Middle East and Africa.

“Cyber threats will continue to evolve and become both more frequent and more powerful, given the established business models of cybercriminals and the wide range of advanced technologies at their disposal,” the IEA said. “It is therefore essential that every power utility, big or small, includes cybersecurity as a core element of their business strategy and ensures access to inhouse cybersecurity professionals and their skills, continuously updating them and ensuring talent retention.”