BRUSSELS — Thousands of cyberattacks have inundated Europe’s energy grid since Russia’s invasion of Ukraine, and a top industry leader is calling for help as officials and researchers fret that not nearly enough is being done.

“The crooks are becoming better by the day, so we need to become better by the day,” Leonhard Birnbaum, the chief executive of E.ON, one of Europe’s largest utilities, said in an interview. “I’m worried now and I will be even more worried in the future.”

Birnbaum has reason to fret. A recent report from the International Energy Agency found the average number of cyberattacks against utilities each week more than doubled between 2020 and 2022 worldwide — with 1,101 weekly attacks registered last year. In the EU, companies scrambled to hire cybersecurity experts in the month following Moscow’s assault on Kyiv, the report noted, indicating “utilities were not fully prepared.”

Polish Deputy Energy Minister Ireneusz Zyska has seen it with his own eyes. He recalled a recent visit to Poland’s grid operations hub, buried three stories underground to protect it from nuclear attacks.

“I was … observing thousands of attacks on our energy grid taking place live,” he told POLITICO.

“It is clear that these attacks come from the East: the Russian Federation and non-democratic countries,” he added. These places, he said, “have created special teams of people working on attacking the democratic states of the European Union cybernetically to cause havoc.”

“We’re extremely concerned about the cyber threats and cyberattacks in the energy sector in the European Union,” Zyska said.

For Birnbaum, it’s all an indication that EU action is urgently needed. Europe’s electricity networks are being increasingly digitized, creating more potential openings for hackers, he noted. And the ongoing threat of physical damage to energy infrastructure — a gas pipeline connecting Finland and Estonia ruptured just last month — is compounded those concerns, especially as winter arrives.

“I think Europe can actually up their game here,” Birnbaum said.

A recent report by Europe’s cybersecurity agency ENISA also showed the energy sector ranked below sectors like transport, health care, banking and the wider ICT sector in terms of what IT spending went into cybersecurity.

The problems are inevitable, Birnbaum argued, pointing to 1 million generators feeding into E.ON’s German grids alone.

“The best protection against being attacked in the cyberspace is being analog,” he said, but that’s “just not an option,” given new grid networks “can only be operated, maintained, managed in a fully digital way.”

Blackouts and clogged pipelines

Already, hackers are taking advantage. Researchers at Google’s Mandiant cybersecurity service tied a notorious Russian intelligence hacking group called Sandworm to an attack that disrupted Ukraine’s power grid late last year, and then to another attack that hit nearly two dozen energy firms in Denmark in May.

The global energy sector got a major wake-up call back in 2021 when U.S. energy pipeline operator Colonial Pipeline faced a ransomware attack that forced it to take down its systems and caused massive disruptions to the country’s energy supplies for weeks.

Europe’s grid operators share the concerns. Damian Cortinas, who chairs the board of the EU’s electricity network association ENTSO-E, told a POLITICO event last week that tackling cyberattacks is an especially “high priority” for operators due to how interconnected Europe’s power systems are. The EU needs to help countries that are the “weakest links,” he said.

Brussels has taken steps toward protecting the bloc’s grids, but glaring gaps remain.

The EU earlier this year imposed new cybersecurity requirements on critical sector companies including the energy sector under its NIS2 Directive, which will become applicable in October 2024. The bloc also set up networks of private and public cybersecurity services in key sectors that are meant to improve sharing between countries on large-scale digital assaults.

The European Commission, the EU’s executive, also presented new plans in September asking EU countries to better liaise on cross-border threats and strengthen cooperation with NATO after the apparent acts of sabotage that destroyed the Russia-to-Germany Nord Stream gas pipelines last year. 

“Because of Nord Stream 2, because of the Balticonnector [Finnish-Estonian pipeline], because [of] whatever could happen, it’s absolutely crucial,” Mechthild Wörsdörfer, deputy director general at the Commission’s energy department, said at the same POLITICO event.

But “there is no 100 percent coverage,” she added. “By definition, it’s quite difficult.”

The challenge is that the operating systems used by Europe’s grids are up to 40 years old, said Swantje Westpfahl, director of the Institute for Security and Safety think tank, meaning they’re “very hard to patch” if there’s a problem. Energy suppliers are often still figuring out how to secure both operations and information systems (OT and IT) and make sure they work with trusted partners in their supply chains.  

Equally, as grid networks increasingly digitalize, “it’s really hard to find” cybersecurity experts to match the growing cyber risks, Westpfahl added. 

The bloc has sectoral non-profit organizations called ISACs, including in the energy sector, that share best practices cybersecurity threats among the bloc’s countries, Westpfahl said. But these are run by volunteers and would benefit from EU funding, she said.

And that’ll only get worse with growing geopolitical instability. “Conflict rallies people to a so-called cause,” she said, “and if they … think they’re doing the right thing by attacking critical infrastructure, then we have a problem.”