Russia’s war on Ukraine has sparked widespread concern about escalating cyberattacks on European energy supplies and infrastructure. Putin’s regime, which has long used such disruptive tactics, could retaliate against Western economic sanctions with cyber warfare. European states and energy companies should reflect on the long list of such attacks that have occurred in recent years to recognize and respond to the risks they face in this area.
On May 7, 2021, the US Colonial Pipeline suffered a critical ransomware cyberattack – the largest cyberattack on infrastructure in US history – resulting from a single leaked password. This prompted authorities to declare states of emergency in 17 US states along the east coast and in Washington, and led to major fuel shortages and long lines at gas stations in the affected areas. In early February 2022, a multitude of cyberattacks struck oil and gas installations across Europe, disrupting the operations of several oil transport and storage companies in Germany, Belgium and the Netherlands, and threatening production and distribution in the sector.
Such attacks are possible due to three unique vulnerabilities in the global energy ecosystem.
First, this ecosystem relies on an inherently complex infrastructure. Utilities companies are exposed to relatively high risks because their networks of physical infrastructure and cyberinfrastructure – including distributors, suppliers, storage facilities and other assets – often overlap and are spread across many countries.
Second, the digital infrastructure that supports the global energy sector operates around the clock, with virtually no downtime.
Third, the vulnerability of the global energy sector is rooted in the many motivations for attacks against it. According to a recent evaluation by the Canadian Center for Cyber Security, these include attacks by states trying to achieve geopolitical goals, by criminals trying to extort money from desperate businesses, and by activists seeking to publicize their agendas or oppose specific projects.
Therefore, given the frequency of attacks on these structures and their importance to the economy, the energy sector is a key geopolitical battleground. Vulnerabilities in Europe’s digital security and global energy interconnections could have a significant impact on the lives of citizens. The World Economic Forum underlined this in 2021, arguing that “as one of the most sophisticated and complex industries in the world makes a multifaceted transition – from analog to digital, from centralized to distributed and from fossil to low carbon – cyber risk management and cyber threat prevention are rapidly becoming critical to business value chains.”
The pandemic has accelerated the digitization of the European economy and led to a rapid shift to distributed and hybrid working practices. The process has greatly expanded the possibilities for attacking critical energy infrastructure. The Putin regime’s war on Ukraine is one of many conflicts that involve hybrid operations, including targeted cyberattacks on critical infrastructure in areas such as banking and the internet – as was particularly clear during the wave of attacks on the country that occurred in early 2022.
The Colonial Pipeline attack showed how various actors could exploit a single compromised password to severely disrupt the energy infrastructure of the United States for several days. How was it possible?
A recent report by Constella Intelligence revealed just how much sensitive personal information linked to company credentials is in circulation. Over the past few years, millions of records of sensitive personal and employee data related to the world’s 20 largest energy companies (by revenue) have circulated online. Moreover, these risks reach the next level: almost half of the leaders of these companies have been found to have experienced exposure of their data in recent years. Each of these data breaches could create additional vulnerabilities that various actors can exploit.
Business and geopolitical risks are highly dependent on the integrity and security of individuals’ data. Public and private security protocols are among the most effective tools to improve this integrity and security. However, in a rapidly changing digital sphere, it is difficult to create adequate legislation to protect private companies, public organizations and individual citizens.
The European Union’s push for cyber resilience has been deliberate and diligent. Yet the evolution of threats in the digital ecosystem could outpace EU attempts to implement cybersecurity measures in all of its member states.
Currently, EU officials are drafting the details of a bill, proposed in December 2021, which aims to increase minimum cybersecurity requirements for “critical” businesses, including suppliers. After approval and legislative negotiations, the proposal would update and expand a European cybersecurity law that came into force in 2018 but only applies to a select group of industries designated as critical infrastructure. There are significant differences in the application of the law between member states, as national governments have the autonomy to decide which companies are classified as “critical”.
Moreover, the EU’s approach to information security still has room for improvement. According to Juhan Lepassaar, Director General of the European Network and Information Security Agency, EU institutions “currently spend on average 41% less on information security than their US counterparts”. European companies are often unaware of the vast volumes of sensitive personal data linked to the identity of their employees that is publicly available or for sale on the dark web. As the Colonial Pipeline attack showed, it doesn’t necessarily take advanced cyber tools to engage in identity theft or compromise passwords in ways that can cause billions in damage.
Jonathan Nelson is Director of Institutional Relations at Constella Intelligence.
Alejandro Romero is a board member of ECFR and COO of Constella Intelligence.
The European Council on Foreign Relations does not take a collective position. ECFR publications represent the views of its individual authors only.