By Nora Buli, Nina Chestney and Christoph Steitz
OSLO/LONDON/FRANKFURT (Reuters) - Saboteurs target a nation leading the world in clean energy. They hack into vulnerable wind and solar power systems. They knock out digitalized energy grids. They wreak havoc.
It's the stuff of nightmares for European power chiefs.
Henriette Borgund knows attackers can find weaknesses in the defences of a big renewables power company - she's found them herself. She joined Norway's Hydro as an "ethical hacker" last April, bringing years of experience in military cyberdefence to bear at a time of war in Europe and chaos in energy markets.
"I am not sure I want to comment on how often we find holes in our system. But what I can say is that we have found holes in our system," she told Reuters at Hydro's Oslo HQ, declining to detail the nature of the vulnerabilities for security reasons.
Hydro is among several large power producers shoring up their cyberdefences due in significant part to Russia's invasion of Ukraine, which they say has ramped up the threat of hacker attacks on their operations, according to Reuters interviews with a dozen executives from seven of Europe's biggest players.
"We established last year, after the start of the Ukraine war, that the risk of cyber sabotage has increased," said Michael Ebner, information security chief at German utility EnBW, which is expanding its 200-strong cyber security team to protect operations ranging from wind and solar to grids.
The executives all said the sophistication of Russian cyberattacks against Ukraine had provided a wake-up call to how vulnerable digitalized and interconnected power systems could be to attackers. They're nervously monitoring a hybrid war where physical energy infrastructure has already been targeted, from the Nord Stream gas pipelines to the Kakhovka dam.
"The cyber campaigns that Russia has been running against Ukraine have been very targeted at Ukraine. But we have been able to observe and learn from it," said Torstein Gimnes Are, cybersecurity chief at Hydro, an aluminium producer as well as Norway's fourth-largest power generator.
Gimnes Are said he feared a nation state could work with hacker groups to infect a network with malicious software - though like the other executives declined to divulge details on specific attacks or threats, citing corporate confidentiality.
Ukraine's SBU security service told Reuters that Russia launched more than 10 cyberattacks a day, on average, with the Ukrainian energy sector a priority target. It said Russia had tried to destroy digital networks and cause power cuts, and that missile attacks on facilities were often accompanied by cyberattacks.
Russian officials have said that the West repeatedly blames Moscow for cyberattacks without providing evidence and that the United States as well as its allies carry out offensive cyber operations against it. The Russian foreign ministry didn't immediately respond to a request for comment on the views of the power companies or the Ukrainian SBU's assertions.
The European power companies, as well as half a dozen independent tech security experts, stressed that the digitalized and interconnected technology of the thousands of renewable assets and energy grids springing up across Europe presented major - and growing - vulnerabilities to infiltration.
"The new energy world is decentralized. This means that we have many small units - such as wind and solar plants but also smart meters - which are connected in a digital way," said Swantje Westpfahl, director at Germany's Institute for Security and Safety.
"This networking increases the risks because there are significantly more possible entry points for attacks, with much greater potential impact."
TRITON VIRUS SHUTS PLANT
The possible effects of a cyberattack range from capture of sensitive data and power outages to the destruction of a physical asset, said James Forrest, executive vice president at Capgemini, which advises companies on security risks.
He cited, in particular, the risk of malware such as the Triton virus, which hackers used to remotely take over the safety systems of a Saudi petrochemical plant in 2017 and shut it down.
While malware packages like Triton might be exotic algorithmic weapons, the most common mode of entry used by hackers looking to deliver them is more familiar, according to the executives and experts interviewed: via phishing emails designed to elicit data from employees like network passwords.
Such attacks are "more or less constant", according to Cem Gocgoren, information security chief at Svenska Kraftnaet. The Swedish grid operator has roughly quadrupled its cybersecurity team to about 60 over about the last four years and is raising awareness among staff. "We have to make them understand that we are under attack all the time. It's the new normal."
Hydro's ethical hacker Borgund echoed this sense of a relentless barrage via phishing, which she described as the "first initial vector" of cyberattackers.
CYBERATTACK ON SATELLITE
Traditional power plants like gas and nuclear typically operate on airgapped IT infrastructure that's sealed off from the outside, making them less susceptible to cyberattacks than physical sabotage, said Stephan Gerling, senior researcher at Kasperky's ICS CERT, which studies and detects cyber threats on industrial facilities.
By contrast, the ever-growing number of smaller renewable installations around Europe run on diverse third-party systems that are digitally hooked up to the power grid, and are below the power-generation monitoring threshold set by safety authorities, he added.
This kind of interconnectedness was demonstrated last February when a Russian cyberattack on a Ukrainian satellite communications network knocked out the remote monitoring of more than 5,800 wind turbines of Germany's Enercon and shut them down, said Mathias Boeswetter, head of IT security at German energy industry group BDEW.
While the incident did not affect the electricity grid, it showed the escalating cyber vulnerabilities posed by the energy transition, he added.
KEY TO HACKING A WIND FARM
Hacking into a wind farm can be relatively easy.
Researchers at the University of Tulsa conducted an experiment by hacking into unnamed wind farms in the United States in 2017 to test their vulnerabilities, with the permission of the wind farm operators, according to a report on cyber threats to energy by risk consultancy DNV.
The researchers picked a lock to gain access to a chamber in the base of a wind turbine, the report said. They accessed the turbine's server and got a list of IP addresses representing every networked turbine in the field. They then stopped the turbine from turning.
Driven by government efforts to wean nations off fossil fuels and double down on renewables, wind and solar power accounted for more than a fifth of European energy demand in 2021, according to EU data, a share expected to double by 2030.
E.ON - Europe's largest operator of energy grids with a network sprawling 1 million miles - has also observed a rising risk of cyberattacks, its CEO Leonhard Birnbaum said at the group's shareholder meeting in May.
The company has expanded its dedicated cyber staff to around 200 over the years, it said in emailed comments, adding the group had long recognized the issue's relevance.
"Putting cybersecurity at the top of the priority list only after the start of the war in Ukraine and the energy crisis would have been a serious omission," it said.
The European power sector as whole may be unprepared for the scale of the security challenge - that's the view of many workers in the sector who say a lack of in-house cybersecurity skills was the biggest obstacle to effectively guarding against attack, according to a separate DNV survey of around 600 energy professionals carried out in February and March.
"Companies in the energy space, their core business is producing energy, not cybersecurity," said Jalal Bouhdada, CEO of cybersecurity firm Applied Risk, a division of DNV.
"This means that they must work diligently to secure every aspect of their infrastructure because malicious actors only need to find one gap to exploit."