Energy Sector Expects Deadly Cyberattacks in Next Two Years

Published: 20 May 2022

Cyberattacks against the energy industry risk loss of life, damage to property and the environment. (Photo: Lupus in Saxonia, Wikimedia, License)

By Will Neal

More than half of energy professionals believe cyberattacks on the industry in the near future will result in a loss of life, and many companies are not doing enough to protect themselves, according to a recent report.

Published Thursday by Norwegian risk management firm DNV, the paper found that “energy executives anticipate life, property and environment-compromising cyberattacks on the sector within the next two years.”

DNV notes fears over “more extreme consequences” to these security breaches than in recent years, citing as examples the 2021 shutdown-inducing attack on the U.S. Colonial Pipeline, and a series of disabling attacks against parts of Ukraine’s power grid in the mid-to-late 2010s.

The research is based on a survey of almost 1,000 energy professionals and in-depth interviews with executives from different countries around the world.

Almost half of respondents said control systems at their companies were not as secure as their IT systems, and less than a third said management at their firms were making cybersecurity a top priority.

“As [operational technologies] become more networked and connected to IT systems, attackers can access and control systems operating critical infrastructure such as power grids, wind farms, pipelines and refineries,” said Trond Solberg, managing director of cybersecurity at DNV.

“It is concerning to find that some energy firms may be taking a ‘hope for the best’ approach to cybersecurity rather than actively addressing emerging cyber threats,” he added.

DNV published its report the same day U.K. Attorney General Suella Braverman addressed a conference at London-based think tank Chatham House, underlining the need for a clear and common framework for applying international law to cyberspace following the outbreak of war in Ukraine.

Russian-backed hackers have targeted multiple European institutions in recent weeks. Microsoft reported in late April that at least six Russian-aligned groups had launched 240 cyber operations against Ukraine since the invasion began, and the U.S., European Union and U.K. have since blamed Russia for a hack against a satellite network that knocked thousands of German wind turbines offline.

Italian police also said they’d thwarted a pro-Russian attack on network infrastructure during the Eurovision Song Contest, in which Russia had been barred from participating.

But while hostile states are believed to be the greatest threat to critical energy infrastructure, experts and government officials have warned that the risk of organized criminal activity in this area is not to be underestimated.

“The line between nation-state and criminal actors is increasingly blurry as nation-states turn to criminal proxies as a tool of state power, then turn a blind eye to the cybercrime perpetrated by the same malicious actors,” Mieke Eoyang, U.S. Deputy Assistant Secretary of Defense for Cybersecurity, told Congress last May.