Closing the cyber gaps in Europe's energy security

After nine months of war, Ukraine is advancing to retake its own territory while Russia’s responses have been to attack Ukrainian civil targets and infrastructure though both military force and cyber means.

At the same time, the rest of Europe continues to wean itself from Russian energy sources and prepare for a challenging winter of potential shortages of natural gas and electricity. But while a kinetic war continues in Ukraine, Russia is also continuing a hybrid campaign in the West to divide NATO and the European Union and reduce Western support for Ukraine. There is much speculation on whether Mr Putin will decide to further squeeze Europe on energy via cyber means or through acts of sabotage like the recent one on the Nord Stream 1 pipeline in the Baltic Sea.

In recent years, EU member states and private companies have spent millions of euros to shore up their cyber defences and build digital resilience in their societies and workforces. Today, they are more resilient to ransomware attacks and distributed denial of service (DDoS) attacks that can make our own digital infrastructure unavailable. Despite these efforts, key vulnerabilities remain that may have consequences for Europe in the coming winter if they are not addressed urgently.

In the current cyberwar raging on between Russia and Ukraine (and the West), the targets have shifted from compromising databases and communications to attacks on the industrial controls that are vital to critical infrastructure. This represents a significant escalation in cyberwar, which Europe’s critical infrastructure is not completely prepared to address.

The Russian state-sponsored cyber campaign to disrupt services in both Ukraine and the West have used the Industroyer2 and PIPEDREAM cyber tools to attack not databases but industrial control systems. Among their targets have been Ukraine’s Viasat, electricity and water supplies in Kharkiv and Nordex’s wind farms in Germany.

Industrial control systems and their associated operational technologies run the water treatment plants, transportation systems, electrical grids, gas pipelines, manufacturing plants and oil refineries that are critical to our societies. These systems are vital to the monitoring and control of sensitive processes and physical functions. They differ from IT systems since they are the hardware and software closest to the actual physical processes.

The effects of a successful cyber-attack on industrial controls can result in the physical destruction of critical infrastructure, inability to deliver basic services and even risks to human life. In this way, cyber-attacks on critical infrastructure can resemble the impacts of a kinetic attack. According to Jukka Savolainen, Director of Vulnerabilities and Resilience at the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE), “such cyber-attacks on critical infrastructure can have more serious consequences for economic activity and societal safety than other types of cyber-attacks.”

Placed within the context of the current Russian hybrid campaign in Europe and the coming energy crunch, these specific vulnerabilities in the energy sector could make even the most well-implemented plans of EU member states ineffective in the event of a cyber-attack. Specifically, this includes not only natural gas loading and transmission infrastructure and electrical transmission systems, but also liquefied natural gas (LNG) tankers themselves.

During a penetration test in 2017, a fully loaded LNG tanker in the Red Sea was hacked and taken over by a cyber-security firm looking for gaps in security of an energy shipping company. These ‘white hackers’ managed to take control of the vessel’s engines, steering and gas pressure systems, which could have been weaponised in a number of ways against a port, LNG terminal, commercial shipping or maritime security forces. In the hands of malign actors today, such a scenario could cripple key energy infrastructure for months, if not years.

At present, there is an urgent need to address these new threats to critical infrastructure since governments, institutions and private companies are not fully prepared for them. The reason this gap exists is because our approach to cyber-security has been focused on the protection of databases and not on safety through the protection of industrial controls. Securing industrial control systems in parallel to IT databases requires a different mindset because it means focusing on the protection of critical processes and not on data loss.

Within the EU, key documents such as the EU Cyber Resilience Act, EU Network and Information Security (NIS) directive and the current draft of the EU directive on the resilience of critical entities do not address the challenges of cyber threats to industrial control systems and operational technologies.

All too often, cyber policy documents are written in consultation with IT companies but not with the engineers and facility experts who work with the cyber control of physical processes that are vital to critical infrastructure. In addition, industrial control vulnerabilities are also not normally featured in cyber or resilience exercises.

So far, Ukraine has been able to withstand such cyber-attacks on its critical infrastructure due to years of thorough preparation, exercising their defences and constant upgrades to cyber and industrial control security. Meanwhile, Ukraine’s hacktivist army has also been conducting cyber-attacks on critical infrastructure in Russia, including gas and petrochemical processing facilities, satellite control facilities, as well as communications providers.

At present there is no international rulebook that prohibits attacks on critical infrastructure during peacetime. If such threats continue to grow globally, they could lead to spiralling costs to protect critical infrastructure and public services, weakening governance in other less-funded areas and causing financial hardship on citizens through higher prices for basic services.

For Europe to be prepared to defend critical infrastructure in the coming winter and beyond, the following steps will be necessary.

Firstly, we must fundamentally change our approach to the protection of these critical infrastructure by incorporating the protection of industrial controls with a focus on safety and not only data protection. This is especially important since the most dangerous attacks on critical infrastructure are being carried out by highly skilled and resourced state actors and their proxies.

Secondly, we should ensure the full participation of plant control and safety engineers in the cyber policy and planning processes. This also includes agreeing to updated security compliance rules since sometimes IT security compliance within critical infrastructure can lead to outages and safety issues. For example, a worker at a nuclear power plant following IT procedures to update a computer’s software resulted in setting off the safety systems of the plant, causing a 48-hour reactor shutdown.

Next, we must address and prioritise the security of physical process controls of critical infrastructure in all EU, NATO, national and corporate plans and policies relating to the protection of critical infrastructure and societal resilience.

Furthermore, we should incorporate industrial control defence into broader resilience exercises so leaders can better understand the choices and risks they face in the broader context of a hybrid or conventional campaign.

In addition, we should establish international rules and norms to protect critical infrastructure. To prevent cyber-attacks on global critical infrastructure from becoming an expensive and increasingly disruptive race to the bottom, the EU should lead an effort to seek consensus on a peacetime agreement to prevent states from directing malicious cyber activities at the critical infrastructure of other states. This can be either part of a broader international effort towards a new Geneva Convention governing cyber and information warfare or as its own separate regime.

Finally, we must continue to focus on cyber and industrial security compliance. All of these efforts will not be nearly as effective without constant updates to security procedures and compliance to them by operators, engineers, managers, IT specialists, suppliers and everyone associated with running critical infrastructure.

The real-world example of the LNG tanker being hacked and taken over was completely preventable had the operators complied with basic security rules. In fact, 94% of cyber-attacks are successful because a person clicks on a harmful link in a phishing email or breaks security rules and plugs a USB device into their office computer. Adhering to basic security fundamentals is an easy fix but much work remains to be done to address the remaining 6% of successful cyber-attacks.

The views expressed in this #CriticalThinking article reflect those of the author(s) and not of Friends of Europe.