The most important evolving threat to the electric grid is associated with cybersecurity and physical security. The power grid in the US, and even more so in Europe, is undergoing a transformation as the world shifts to sustainable energy; this transformation, however, introduces new vulnerabilities into the system, as offshore infrastructure is susceptible to both physical and cyber attacks. Both the US and EU governments have sought to strengthen collaboration between critical infrastructure owners and operators and the sector risk management agencies, but the hasty nature of the grid transformation will likely leave many openings for sophisticated cyber attackers for years to come.
According to strategists, this is a “maritime century”, one in which the very foundations of prosperity rest upon maritime physical and digital connectivity. Our unprecedented reliance on this connectivity, and on offshore infrastructure, has made activities at sea a primary target of authoritarian regimes and non-state groups (for instance the destruction of the Nord Stream 2 pipeline, the gas conduit between Sweden, Finland, and Estonia, or the disruption of international trade brought on by drones and Houthi rockets). Given how modern countries’ relationship with the sea has evolved, offshore and undersea infrastructure is more important than ever.
These events have led leaders in Moscow, Beijing, and Tehran to appreciate that maritime connectivity is a pressure point with significant political value, and China in particular is pursuing the naval means to seize the opportunities emerging from increasing dependence on sea routes and remote infrastructure. Whether in deep seabed exploration or in the exploitation of shipping capacity and hull availability, China keeps setting new records in its investments: in the last decade alone, China has added more than twice as many ships to its surface fleet as the entire French navy, while its shipbuilding capacity is over 200 times that of the United States.
Chinese authorities understand that their ongoing naval build-up is a down payment on maritime superiority, if not supremacy, in a potential major war in the Strait of Taiwan or beyond. China has also arguably become the predominant world cyber power, combining sheer might in both fields deemed essential for all future warfare; according to U.S. strategists, it will be non-kinetic effects rather than missiles, fighter jets, and torpedoes that will likely decide the next war on the high seas. This document reflects that notion and expands on the topic of cyber warfare as a core competency in modern warfare.
In November, the Admiral Vladimirsky, a ship officially classified as an oceanographic research vessel but regarded by Western authorities as an intelligence-gathering asset, stayed for prolonged periods in European waters, loitering near the RAF’s maritime patrol base, offshore wind farms, and a Swedish naval training ground. Other Russian ships were also observed in what appears to be the mapping of British, German, Norwegian, and other underwater cables and pipelines in the North Sea.
The Norwegian government notes that Russia has long been rebuilding a Soviet-era underwater reconnaissance and sabotage capability, and states that countries with offshore infrastructure in the North Sea and Arctic Ocean will need to recalibrate the way they oversee and protect subsea and offshore infrastructure in Arctic regional waters, given the increasing interest the Russians are showing in pipelines, cabling, and related equipment. This problem also extends to landlocked European countries whose gas supply arrives via this route, as well as to the electricity generated offshore.
Rather than presuming that a sabotage campaign is inevitable, contingency planning is arguably warranted as energy and communications infrastructures are likely to become Russian targets should the conflict in Ukraine escalate beyond its borders.
Surveillance operations are intended to serve as a warning to the West, which is more vulnerable to attacks on its offshore infrastructure than Russia is, with 97% of internet traffic, including much of our financial data, passing through underwater cables and offshore wind farms (a share that is set to increase given EU plans for offshore wind farms in the North Sea). More than a year ago, the Nord Stream 1 gas pipeline between Russia and Germany was targeted, as were energy and data links in the eastern Baltic. Western cyber watchdogs have also observed APTs mapping critical infrastructure.
Meanwhile, in Iran, politicians have seemingly concluded that the Houthis’ experiment in the Red Sea has been so successful that it bears repeating in the Mediterranean and other waterways. “They shall soon await the closure of the Mediterranean Sea, [the Strait of] Gibraltar and other[s],” announced the coordinating commander of Iran’s Islamic Revolutionary Guard Corps on December 23rd. Since Iran does not possess the kinetic capability to strike targets that far away, however, we can assume the statement refers to Iran’s cyber capabilities, as well as to the regime’s apparent willingness to use them against critical infrastructure in the West.
Iran has been rapidly accelerating cyberattacks since mid-2022 and has further increased its cyber operations against Israel over the course of the recent war, demonstrating the ability to attack critical infrastructure. The U.S. Treasury Department announced sanctions against six Iranian officials from the Revolutionary Guards Cyber-Electronic Command for their role in cyber-attacks on U.S. soil, during which Iranian hackers disabled Unitronics programmable logic controllers (PLCs) at a booster station operated by the Municipal Water Authority in Pennsylvania (the hackers appear to have targeted the PLCs because Unitronics is an Israeli company). The group also targeted ten water treatment stations in Israel during the same period.
With Iran now seemingly far more likely to use its cyber capabilities to attack critical infrastructure – especially in countries deemed supportive of Israel – there may come a time when it extends those capabilities to attacks on the U.S. or on European nations.
Besides physical threats to cables and pipelines, there is always the risk of cyber or network attacks: by hacking into the network management systems that private companies use to manage data traffic passing over undersea cables or product flows (such as oil and gas), malicious actors could disrupt or fatally sabotage processes. A “nightmare scenario” might involve an attacker gaining control of a network management system: at that point, physical vulnerabilities could be discovered, data traffic disrupted or diverted, or equipment damaged. The potential for sabotage is quite clear – and according to reports, the security of many of these network management systems is not up to date. The well-publicized attacks on critical infrastructure such as SolarWinds and Colonial Pipeline (or the Russian cyberattacks on the Czech national railway carrier) also exposed vulnerabilities in the U.S. and European private sector, with dramatic implications for national security.
In an effort to reduce costs, streamline operations, and enhance performance, submarine cable and pipeline operators are increasingly turning to remote network management systems to monitor and control their infrastructure. Since these systems nearly always need to be connected to the internet, they are exposed to advanced cyber threat actors. A glimpse of that potential future came in April 2022, when U.S. federal agents stopped a cyberattack against the systems of a Hawaii undersea cable operator, an attack made possible by a third-party credential leak.
The 2020 breach of SolarWinds’ Orion platform and the 2021 breach of Kaseya’s Virtual Systems Administrator product are two significant cyberattacks that recently took advantage of flaws in remote management systems or comparable products. These attacks draw attention to the dangers of relying on third parties, particularly when the affected products have privileged access to customer networks.
The US military highlights the pivotal role of non-kinetic effects and defense against such effects in future conflicts. The potential for massive cyberattacks by advanced state actors like Russia, China, or Iran looms large, threatening to disrupt critical infrastructure or the internet-powered amenities that underpin modern life. U.S. documents emphasize that cyber warfare extends far beyond networks and cybersecurity issues, yet neither governments nor businesses are adequately prepared to confront this emerging threat.
The US Energy Department’s Office of Electricity has openly stated that the most important evolving threat to the electric grid is associated with cybersecurity and physical security, identifying Chinese cyber operations as a national security threat and warning that Beijing is almost certainly capable of launching attacks that could disrupt critical infrastructure services nationwide, including the power grid.
The power grid is undergoing a transformation as the world shifts to sustainable energy, including an increased demand for electric vehicle charging stations, which can be vulnerable to cyber threats (as are the offshore wind farms and remote solar fields that are going to supply the sustainable power). The same goes for power transformers and new power grid technologies, which are susceptible to disruption from physical attacks as well as from increasingly advanced cyber risks that can potentially threaten the entire grid.
The significant increase in offshore infrastructure in the push for sustainability is coming fast, and the grid is already being challenged to keep up with the changes; its many bottlenecks present an opportunity for disruption by malicious actors.
In the external threat landscape of the energy industry, our analysts currently observe a medium to low risk across monitored categories. Observed Advanced Persistent Threat (APT) campaigns have dropped to a moderate risk, as the past 90 days were relatively quiet, with the exception of December. In recent years, both the US and EU governments have aimed to bolster cybersecurity collaboration between critical infrastructure owners and operators and the sector risk management agencies; however, the hasty nature of the grid transformation will likely leave many openings for sophisticated cyber attackers for years to come, and the relative calm of today can easily prove to be the calm before the storm.