Russia’s war on Ukraine has created widespread concern that European energy supplies and infrastructure will come under intensifying cyber-attacks. The Putin regime, which has long used such disruptive tactics, may retaliate against Western economic sanctions with cyber-warfare. European states and energy companies should reflect on the laundry list of such attacks that have occurred in recent years to recognise and respond to the risks they face in this area.
On 7 May 2021, the US Colonial Pipeline suffered a critical ransomware cyber-attack resulting from a single leaked password – the largest cyber-attack on infrastructure in US history. This prompted the authorities to declare a state of emergency in 17 US states along the east coast and in Washington, and resulted in major fuel shortages and long queues at gas stations throughout affected sectors. By early February 2022, a slew of subsequent cyber-attacks had struck oil and gas facilities across Europe, disrupting the operations of multiple oil transport and storage companies in Germany, Belgium, and the Netherlands, and threatening production and distribution in the sector.
Such attacks are possible due to three unique vulnerabilities of the global energy ecosystem.
Firstly, this ecosystem relies on inherently complex infrastructure. Utility companies are exposed to relatively high risks because their networks of both physical infrastructure and cyber-infrastructure – including distributors, suppliers, storage facilities, and other assets – often overlap and are spread across many countries.
Secondly, the digital infrastructure that supports the global energy sector operates around the clock, with virtually no downtime.
Thirdly, the vulnerability of the global energy sector is rooted in the many motivations for attacks against it. As noted in a recent assessment by the Canadian Centre for Cyber Security, these include attacks carried out by states trying to achieve geopolitical goals, by criminals attempting to extort money from desperate companies, and by activists seeking to publicise their agendas or oppose particular projects.
Therefore, given the frequency with which these structures come under attack and how vital they are to the economy, the energy sector is a key geopolitical battleground. The vulnerabilities of Europe’s digital security and global energy interconnections could have a significant impact on citizens’ lives. The World Economic Forum highlighted this in 2021, arguing that: “as one of the world’s most sophisticated and complex industries makes a multifaceted transition – from analogue to digital, from centralized to distributed and from fossil-based to low-carbon – managing cyber risk and preventing cyberthreats are quickly becoming critical to company value chains.”
The pandemic accelerated the digitisation of the European economy and prompted a rapid shift to distributed, hybrid working practices. The process has dramatically expanded opportunities to attack critical energy infrastructure. The Putin regime’s war on Ukraine is one of many conflicts to involve hybrid operations that include targeted cyber-attacks on critical infrastructure in areas such as banking and internet services – as was particulary clear during the surge in attacks on the country that occurred in early 2022.
The attack on the Colonial Pipeline showed how various actors could exploit a single compromised password to severely disrupt the energy infrastructure of the United States for several days. How was this possible?
A recent report by Constella Intelligence revealed just how much sensitive personal information tied to corporate credentials is in circulation. In the last few years, millions of records of sensitive personal and employee data linked to the 20 largest global energy companies (by revenue) have circulated online. Moreover, these risks reach the senior level: nearly half of the executives of these companies were found to have suffered exposure of their data in recent years. Each of these data breaches could create additional vulnerabilities that various actors can exploit.
Corporate and geopolitical risks are highly contingent on the integrity and security of inidividuals’ data. Public and private security protocols are among the most effective tools to improve such integrity and security. However, in a rapidly evolving digital sphere, it is difficult to create legislation suited to protect private companies, public organisations, and individual citizens.
The European Union’s push for cyber-resilience has been deliberate and diligent. Yet the evolution of threats in the digital ecosystem could outpace the EU’s attempts to implement cyber-security measures across all its member states.
Currently, EU officials are drawing up the details of a draft bill, proposed in December 2021, that aims to increase the minimum cyber-security requirements of “critical” companies, including providers. After approval and legislative negotiations, the proposal would update and expand an EU cyber-security law that came into effect in 2018 but applies only to a narrow group of industries designated as critical infrastructure. There are important differences in the application of the across member states, as national governments have the autonomy to decide which companies are classed as “critical”.
Additionally, there is still ample room for improvement in the EU’s approach to information security. According to Juhan Lepassaar, director-general of the EU Agency for Network and Information Security, EU institutions currently “spend on average 41 per cent less on information security than their American counterparts”. European companies are often unaware of the vast volumes of sensitive personal data linked to their employees’ identities that is publicly available or for sale on the dark web. As the Colonial Pipeline attack showed, it does not necessarily require advanced cyber-tools to engage in identity theft or compromise passwords in ways that can cause billions in damages.
Jonathan Nelson is the director of institutional relations at Constella Intelligence.
Alejandro Romero is an ECFR council member and the chief operations officer of Constella Intelligence.
The European Council on Foreign Relations does not take collective positions. ECFR publications only represent the views of their individual authors.