The cyber threat to our key infrastructure

Smart grids are making our electricity systems more responsive and reliable, better able to handle the addition of more renewable generation, and they are contributing to reducing costs. But they also bring cyber risks.

Summary: The way our current electricity grid works is showing its age. The good news is that smart grids can make the system more responsive and reliable, enable the addition of more renewable generation, and contribute to reducing costs. But they also bring risks. They can make the systems more vulnerable to cyber attack, and with such attacks coming with increasing regularity, this is a topic that everyone in sustainability finance needs to understand.

Why this is important: The electrification of many of our economic activities is a critical element in delivering the sustainability transitions. But, if we cannot safely move electricity around, or if we end up increasing the risk that the system can be taken down, then the process will be slower or even stall. Digitalisation of our electricity systems is a big positive, but we must do it with one eye on cyber security.

The big theme: Many governments around the world have set targets to decarbonise their electricity generation systems. Achieving this requires us to build a lot more renewable electricity generation, but it's also about creating a smart electricity grid that is decentralised, flexible, and able to accommodate the demands that variable generation such as wind and solar brings. This will include electricity storage, interconnectors, demand management, and grid resilience.



The details


Most of you will recall the rupture of the Nord Stream gas pipeline in 2022, and the 2015 cyber takedown of large portions of the Ukraine electricity grid, followed in 2022 by the attack on the Viasat satellite communication system. Plus, we have had repeated cyber hacks and ransomware attacks on major companies, including the disruption to US air travel in January 2023, and the apparent attack on Capita Group.

More recently we have had suggestions that China is building cyber weapons to hijack satellites, and that Russia has a programme to sabotage wind farms and communication cables in the North Sea.

So how should sustainability finance professionals think about the risks to critical infrastructure, and why are the risks rising (and likely to continue to do so)? Some of the increased risk is obviously to do with the rise in geopolitical tensions and an increase in state actors carrying out cyber attacks, who either work for or are sponsored by governments. But a big part is to do with the growth in smart grid technologies.

The way our current electricity grid works is showing its age. The good news is that smart grids can make the system more responsive and reliable, enable the addition of more renewable generation, and contribute to reducing costs. But they also bring risks. They can make the systems more vulnerable to cyber attack, and with such attacks coming with increasing regularity, this is a topic that everyone in sustainability finance needs to understand.


Targeting our critical infrastructure

What has changed, cyber security wise? It's the roll-out of smart grids! Our critical infrastructure is now much more reliant on interconnected networks of devices. This was always the case in telecoms, but it's increasingly true in our energy and electricity systems. In the past, these systems operated in isolation, but modern infrastructure is much more interconnected across industries and locations. More useful, but also more vulnerable.

Let's look at why this is important.


While we tend to think about cyber attacks as being aimed at stealing data, many infrastructure hacks are like the Colonial incident, aimed at soliciting a ransom. But future attacks may increasingly have a political perspective. Why? Because this infrastructure is critical to the functioning of our economies, and of course our ability to defend ourselves.

Cyber attacks on critical infrastructure are not new, and have covered everything from electricity grids and water supply to transportation networks and communication systems. In 2013 Iranian state-sponsored hackers launched a successful attack at the Bowman Avenue Dam in New York and managed to control the floodgates.

And in 2021 a cybercriminal group hacked Florida’s water plant system and managed to raise the level of sodium hydroxide in the water with a clear intent to harm those who drink it. Later that year a ransomware attack on the Colonial Pipeline was only ended when the pipeline operator paid c. $4.4m to Darkside, an Eastern European cyber gang.


What is a smart grid?

It's the technological solution that allows us to: integrate higher levels of renewable electricity generation sources such as wind and solar, provide consumers with the real-time information they need to better manage their electricity consumption, and enable our electricity utilities to make the systems more resilient and reliable. Put simply, it enables all of the different parts of the electricity grid to communicate with each other and automatically respond to system changes.

Source: NIST

You can see from the above diagram that it's not just about connecting the physical elements of the grid: generation, transmission, distribution and the end customer. It also ties in all of the other parties who use the data. And the more users there are, often suppliers and/or customers (and outside of the company's own cyber security "firewall"), the more points of potential vulnerability.

So what does this have to do with a rising risk of cyber attacks? It's true that many such attacks still rely on poor IT security. For instance, a recent attack on a water treatment plant in California involved stolen login credentials that an employee used to access the TeamViewer platform, which gave the attackers the ability to control systems remotely. But this is only part of the challenge. Much of our critical infrastructure now relies on the integration of operational systems with Internet of Things (IoT) devices. And in many cases the combination of grid legacy systems, often created on old (and in some cases outdated) software platforms, and new IoT technologies creates risks.


Costs of cyber breaches

There is a tendency to think of cyber security as a cost to be managed down. My experience has been that even in industries subject to regular attack, it still doesn't get the management and board focus it deserves, perhaps because it's seen as something best left to the technical experts. As a result, many companies still run on old software, with the cost and hassle of updating systems seen as "too high".

According to an IBM study, in 2022 the average cost of a data breach for a critical infrastructure company was $4.8m, and the majority of companies had more than one breach a year (only 17% of companies surveyed had experienced just one breach). But for companies such as those that run our electricity grids, this could be only the tip of the cost iceberg if essential services go down for extended periods.


What can be done?

It is true that in most cases protecting our infrastructure systems is "just" a case of following up-to-date cyber protection techniques. The IBM study referenced above suggests that c. 47% of breaches were caused by either human error or IT failures. Some of the fixes are people related: ensuring that logins and passwords are kept safe and that security updates are run promptly.

But for critical infrastructure companies, there is more they need to do. The good news is that governments are starting to be more proactive, we guess partly due to the changing nature of where attacks come from. The European Union is implementing regulations (National Cybersecurity Strategies - NCSS) that require critical infrastructure providers, such as energy and telecommunications companies, to adhere to certain minimum security measures. And the United States has recently announced a new National Cybersecurity Strategy, which expands the use of minimum cybersecurity requirements for critical sectors.

But these are just strategies, and regular readers will know how skeptical we are about the time it takes to go from a strategy and framework to concrete action on the ground. So, for sustainability finance professionals, it's important that you ensure that the companies you work for and invest in are actually implementing best practice, and that it's something that senior management teams and boards are committed to.


Cyber security, and how it could impact our ability to decarbonise our electricity system in a cost effective way, is a topic that we shall explore in more detail in an upcoming long blog.

