A German power utility specialising in renewable energy was hit by a serious cyber-attack two weeks ago that lasted five days, knocking its internet communications systems offline, in the first confirmed digital assault against a European grid operator.
A smart grid is an upgraded electricity network utilising two-way digital communication between producer and supplier, ‘intelligent’ metering and monitoring systems.
Smart grids offer clear environmental, social and economic advantages but their dependence on computer networks and the internet makes them acutely vulnerable to cyber-attacks, according to the EU’s European Network and Information Security Agency (ENISA)
A 2012 ENISA report offered 10 recommendations for protecting grids from cyber-threats, including:
- An improved EU and member state regulatory and policy framework
- The development of a minimum set of security measures by ENISA, in collaboration with member states and the private sector
- Security certification schemes for smart grid components, products and organisational security
- Empowering the Consortium for Electric Reliability Technology Solutions to advise on cyber security incidents affecting power grids
“It was a DOS (‘Denial Of Service’) attack with a botnet behind it,” Boris Schucht, the CEO of 50Hertz told EurActiv on the fringes of a Brussels renewables conference. “It blocked our internet domains so that in the first hours, all email and connectivity via the internet was blocked.”
DOS attacks involve thousands of requests being sent to a server each second to clog up a system’s functioning.
Electricity supplies were not affected in the onslaught, which was “serious but not dangerous,” Schucht said. Email services were quickly repaired, although a fix to the problem was only discovered five days later.
EurActiv has learned that the security breach has already been discussed at an assembly meeting of the European Network of Transmission Systems Operators for Electricity (ENTSO-E), which brings together bosses of the continent’s transmissions industry operators (TSOs).
The association is understood to be communicating closely and regularly with the European Commission about potential cyber-security threats to Europe's grids.
However, beyond flagging their critical systems protection working group, ENTSO-E will not comment on the details of particular incidents like the 50hertz attack, or even whether similar attacks have occurred before.
A recent report claimed that one in four of the world’s power companies had suffered extortion from criminals who had gained access to their system’s utilities.
Cyber-attacks on power grids have the power to disrupt critical electricity infrastructure and until now have been the stuff of science fiction, with a gallery of villains stretching from criminals and rogue states to cyber-terrorists.
The US National Academy of Sciences said last month that a terror attack on the US power grid could cause thousands of deaths and cost hundreds of billions of dollars.
Pointers to Moscow and kiev
While the identities of the 50hertz hackers are unknown, their cyber barrage was mounted from IP addresses in Russia and the Ukraine, EurActiv understands, although these could themselves have been used to disguise the real source of the attack.
“It shows that we have to take cyber-security seriously,” Schucht said. “We have to think how we can best protect ourselves in the future.”
50Hertz is one of Germany’s four transmissions systems operators, and supplies more than 18 million people with electricity largely sourced from ‘volatile’ renewable energies like wind and solar.
These account for 38% of 50hertz’s production-side energy – and more than half of its capacity – making it the world’s leading renewable transmitter, lighting up north and eastern Germany, as well as central and eastern Europe.
The firm is the core partner of the 2012 Clean Tech Media Award, a prominent green technology prize in Germany.
According to a McAfee report earlier this year, power grids are a “prime target” for cyber-attack because they depend on a myriad of embedded systems, all communicating with each other via a pot pourri of wired, wireless, cellular and dial-up modems, that use a combination of TCP/IP and proprietary protocols.
“This has expanded the attack surface, making it vulnerable to cyber threats,” the report says. “Open systems invite hacking.”
“The more automation there is in the grid - and we are currently fully automated - the higher the risk,” Schucht said.
Some 70% of the existing energy grid is thought to be over 30 years old, another source of vulnerability.
If anything, the potential for disrupting more advanced ‘smart’ or ‘super’ systems in the future is thought to be even greater, because of the way that millions of interconnected nodes will link industrial and household smart meters with grid supplies.
“That something different as there are no smart systems connected to our system in Germany,” Schucht said. “But this will change in the future,” he added.
At least 80% of electricity users in the EU must be equipped with smart meters by 2020, because of the EU’s internal market for electricity and gas directives.
This in turn should enable great cost savings for consumers – and energy savings for the planet – but the costs of securing the system may prove prohibitive in times of austerity.
Utilities would have to spend nine times more than at present to insure against a ‘digital pearl harbour’, according to a recent Bloomberg survey.
“We weren’t aware of the risk five or ten years ago and we were investing in cables,” Jacques Vandermeiren, the CEO of 50hertz’s parent group Elia told EurActiv.
“But now cyber-security is one of the most important items on the agenda of all TSO’s,” he went on. “We spend a lot of money on hardware so it would be a shame if we were attacked through our software.”
- Early 2013: Final approval of EU energy infrastructure package expected by European Parliament and EU Council of Ministers.
- By end 2013: LIst of projects of common interest to be finalised.
- 2014: Planned entry into force of 'Connecting Europe Facility' (CEF), under which infrastructure will be financed.