For decades, energy security was all about geopolitics: ensuring supplies of oil and gas from producers who would sometimes abuse their dominant position for political blackmail. The much-feared âenergy weaponâ may soon be a thing of the past, as countries diversify their suppliers and transit routes and increasingly turn to renewable energy. But a new and often overlooked challenge is emerging. Renewables â which make up a greater share of the energy mix around the world â have a major flaw: vulnerability to cyberattacks.
In 2006, renewable energy sources accounted for around 19 percent the worldâs electricity production. Ten years later, this number increased to 24 percent. The trend is most obvious in the European Union, where the share of renewables in the electricity generation mix rose from around 15 percent to more than 30 percent over the past decade.
For many states, the shift toward renewables has improved energy security by reducing dependency on oil and gas imports, which are vulnerable to geopolitical influence. But a greater reliance on renewables does not guarantee an uninterrupted supply of energy. Like fossil fuels, renewables depend on sophisticated industrial control systems and distribution networks. Because renewables like wind and solar power are not available around the clock, they also require advanced energy storage solutions. These systems are all vulnerable to cyberattacks.
Todayâs wind farms, for example, are managed by industrial control systems that act like nerve centers, connecting individual turbines, substations and other equipment to a single computer. Many of these systems were designed with efficiency and not security in mind. An increasing number are also connected to the internet of things, which makes them âsmarterâ and more cost-effective, but also increases their vulnerability to hackers.
Energy companies banking on renewables will have to face the reality of their vulnerabilities and acknowledge the importance of investing in cyber defense.
A series of major cyberattacks against industrial control systems and associated critical energy infrastructure in recent years have already taken advantage of this fact.
In 2013, a hacking group known as âDragonflyâ infected a number of renewable energy companies in Europe and was able to compromise their industrial control systems. Although their malware was intended primarily to gather intelligence, subsequent analysis suggested it also had the capacity to take control of physical systems themselves â thus putting thousands of people at risk.
More recently, in 2015, industrial control systems of an electricity distribution grid in Ukraine â similar in setup to the grids to which wind farms are connected â were hit by sophisticated malware called âBlackEnergyâ and âKillDisk.â The attack left 225,000 customers in the dark and caused severe software damage from which the electricity grid took months to recover.
As cyberattacks against the energy sector increase in both frequency and destructiveness, renewables are likely to become a regular target. To build up their defenses, energy companies banking on renewables will have to face the reality of their vulnerabilities and acknowledge the importance of investing in cyber defense. Dismissing these financial investments as detrimental to their competitiveness could result in catastrophic losses.
More attention must be paid to the training of energy infrastructure operators, who are not yet fully aware of the risks. Industrial control systems are much more than mere information technology. A blocked website may be a mere inconvenience, but an attack on an industrial control system can result in massive physical damage.
Debating supply monopolies and energy blackmail will be unavoidable for as long as oil and gas are an important part of the energy mix.
The renewables industry also needs to work more closely with government institutions to guard against hacks. With most energy and cyber networks in private hands, it will be crucial to build public-private partnerships to address the cyber dimension of energy security. The goal should be to establish âcommunities of trustâ in which different stakeholders can share confidential information on cyberattacks.
International debate on energy security will have to focus much more on grid vulnerability. Debating supply monopolies and energy blackmail will be unavoidable for as long as oil and gas are an important part of the energy mix. But obsessing over geopolitics is counterproductive. Not only does it foster the false notion that the shift to renewables equals energy security; it also undersells what will ultimately be the most pressing energy security issue in the years ahead: ensuring an effective cyber defense for energy networks.
Michael Ruhle and Lukas Trakimavicius work in the energy security section in NATOâs Emerging Security Challenges Division.Â