Smooth operations: energy infrastructures’ security is more than a matter of trust

From the skies to the depths of the ocean, and across cyberspace, threats to energy production are increasingly hard to counter. And, as power dynamics and defense spending strategies are being reshaped globally, new solutions might now be needed.

Experts warn that the remarkable developments in the United States are set to impact energy infrastructure strategies worldwide for many years, making the need for stable government backing and consistent regulatory guidance even more pressing.

Washington’s new foreign policy and spending commitments “put defense and energy de facto as a policy priority in Europe, the Middle East, and Asia for the next decade,” says Raffaella Tenconi, a senior economist at Wood & Company, a leading investment bank in Central and Eastern Europe.  “However, political challenges to its execution remain.”

With threats from the crippling impact of cyberattacks, which can bring entire systems to a halt, to the destructive power of wars and natural disasters, what is at stake is the use itself of fossil or renewable sources.

“Deterrence is the first line of defense, beyond that the work on insurance of extreme events is in evolution,” London-based Tenconi notes.

More vulnerable?

When it comes to vulnerability it is hard to set a threshold.

Indeed, some areas of the world and some infrastructures are more exposed than others to natural disasters. And some are more at risk of physical attacks, as extensively shown by the ongoing war in Ukraine and, to a lesser extent, by the conflicts in the Middle East and parts of Africa.

But when it comes to hackers, criminals, state-sponsored terrorists or lone wolves, the threat to the energy systems’ cybersecurity is virtually the same everywhere – including in the US where in 2024 utilities faced a near 70-percent jump in cyberattacks over the previous year, data from Check Point Research show.

“The threat landscape will continue to expand as unfortunately threats increase in number, become more complex, sophisticated, and targeted,” says Goran Gotev, adviser for Cybersecurity Policy at Rud Pedersen Public Affairs in Brussels.

To successfully address these risks, cooperation must be effectively pursued at all levels -- among governments, companies, industrial sectors, technology producers, firms using these technologies, lawmakers, and defense leaders.  

“Collaboration is key for the public-private partnerships but also for the ability of states to mitigate cross-border incidents,” adds the cybersecurity-policy adviser. 

Sabotage campaigns

According to the latest Thales Data Threat Report, nearly half of state and private organisations have been breached once or more (49% globally, 51% in the European Union and the Middle East), with ransomware attacks becoming increasingly common and human error remaining the primary cause.

In the recent past, “we have witnessed sabotage campaigns i.e. on the submarine cables, and let’s not forget that Ukraine’s energy infrastructure has been targeted even before the 2022 invasion, including through cyberattacks,” notes Gotev.

The techniques and malware once exclusive to the “complex offensive campaigns” of state-sponsored groups – he notes, citing researchers and cybersecurity vendors- are increasingly being used by financially motivated criminals who operate without any political agenda.

And when cybercrime hits, it is hard to respond to. In May 2021, the Colonial Pipeline suffered a ransomware attack that forced a complete operational shutdown to the largest pipeline system for refined oil products in the US -- despite paying $4.4 million in ransom under the FBI supervision, the company faced significant recovery challenges and widespread fuel disruptions.

Roll out solutions

Moreover, as grids expand rapidly to meet surging power and more assets become digitalised, it is crucial to leverage artificial intelligence to predict vulnerabilities or automate response mechanisms in mitigating the impact of cyberattacks. Like when hackers target vendors and suppliers to access key systems, a method that is increasingly common due to the interconnected nature of modern energy systems.

Effective vulnerability management and faster incident response necessitate substantial investment and effort. In the European Union the “increasing electrification of the energy system, accompanied by more digitalisation, will require even better security of the critical infrastructures,” says Megan Richards, another senior advisor at Rud Pedersen Public Affairs. “There are numerous technical solutions to strengthening security and improving reliability, but these require financial support, innovative approaches and future planning.”

“Given geopolitical challenges and geography, Europe will have to innovate and roll out solutions in real time,” she admits.

In the recent past, the EU swiftly shifted from Russian gas, with Norway and the US emerging as key suppliers. And across the globe the energy sector has proven—time and again — that it can adapt faster and more effectively than many expect. It might need to do so again.