German authorities are warning power companies that hackers are knocking on their firewalls in pursuit of cyberattacks and have urged utilities to report any suspicious activity.
Handelsblatt saw a letter sent by the Federal Office for Information Security (BSI) to utilities last week that provides updated information on cybersecurity and confirms what the National Cyber Defense Center warned recently: A complete blackout of the European grid cannot be ruled out.
The electricity grid is an obvious target for cyberattacks. If the power goes down, entire countries could come to a standstill. Attacks on utilities in Ukraine in 2015 and 2016 show that hackers are capable of taking out power grids.
“The risk increases the more digital the infrastructure becomes — and electricity grids, as well as power stations in this country, are increasingly run digitally,” BSI President Arne Schönbohm told Handelsblatt. Power companies including E.ON, EnBW and EWE all insist that cybersecurity is a top priority and that they’re investing in technology and expertise to combat the problem.
Cyberattacks are already a reality. Last summer, unknown hackers breached the network of regional internet firm NetCom, an EnBW subsidiary, through its Cisco router. EnBW stressed that the affected telecoms network was completely separate from EnBW’s energy networks. “Unknown people attacked the telecommunications network of the EnBW subsidiary NetCom. The attackers breached the network by hacking the portal used by an external service provider and had access to a limited portion of the internet traffic for a period of a few minutes,” a spokesperson said in May.
In February, the German Interior Ministry acknowledged that federal data networks were penetrated, blaming Russian hackers. And a German steel mill suffered major damage after hackers used targeted social engineering, meaning they relied on human interactions to gain access to systems, to compromise the company’s network.
Mr. Schönbohm said hackers tend to find a roundabout route to their targets. “Hackers don’t necessarily attack power stations or electricity grids directly; instead they creep in through office communications and work their way to the critical infrastructure step by step,” he said. “It’s like cancer.”
Florian Haacke, in charge of security at power company Innogy, said his team has registered hackers “knocking” at their systems looking for weak points and is in touch with security authorities on an almost daily basis.
Innogy’s central security department has 65 staff working on cybersecurity, not including specialists in its IT department and network units. The company maintains some 360,000 kilometers (223,693 miles) of power lines in Germany alone.
Two years ago, Innogy launched a human firewall project, providing knowledge via training videos, seminars, live hacking sessions and roadshows. To test threat awareness, it has sent out some 450,000 phishing emails to its own employees.
Innogy is also setting up a training center in Frankfurt to simulate cyberattacks. Starting next spring, teams of up to 25 people will be able to train for procedures under realistic conditions. It’s a war games scenario, with a red team playing the attacker, a blue team trying to keep them out and a white team acting as management. They will use real industrial machinery and control systems to make the tests as realistic as possible.
Fending off attacks on the power grid was much easier before the digital age. To be sure, power and gas networks have always been vulnerable, but they were at least separate from the public data network. Major power and gas lines had their own communications lines running along them to control the systems, and the central hubs were protected by guards.
But power lines are being hooked up to data networks to measure electricity consumption and optimize flow, giving hackers more and more entry points as the grid becomes increasingly decentralized with power from wind turbines and privately owned solar panels feeding into it.
And while power grids may be smart, network components are analog and often up to 30 years old, built in an era when cyberattacks were the stuff of science fiction.
“The power sector is undergoing a technological transformation that requires continuous adjustments in security technology and organization,” Mr. Haacke said. Integrating existing and new components poses a challenge for the entire industry. “Of all the critical infrastructure, the electricity supply is the most critical. The public has strong fundamental faith in the security of utilities. That’s why we have a special responsibility.”
But he admitted: “There will never be 100 percent security.”
Jürgen Flauger covers the power industry for Handelsblatt.