Critical Infrastructure Security

BSI Cites New Technologies, Geopolitical Tensions as Key Risk Factors

German Cyber Agency Sounds Warning on Grid Vulnerabilities
Power inverters transform direct current into alternating current on the backside of solar panels. (Image: Roman Zaiets / Shutterstock)

Mounting decentralization and digitization put electricity grids at risk of a hacking incident that could cause power outages, said the German cybersecurity agency Wednesday.

The German Federal Office for Information Security has for years ranked the energy sector at a “high” risk of hacking. Recent shifts including new technologies such as internet-connected solar power inverters and a tense geopolitical situation should nonetheless spark increased concern, the agency said. Better known as the BSI for its German acronym, the agency called for an expansion in its own supervisory powers over the energy sector and uniform cybersecurity standards for all actors in the sector, from grid operators to decentralized systems.

The growth of decentralized energy sector operations makes the grid more complex to secure since thousands of smaller players with photovoltaic systems become part of the grid. Solar inverters and grid control technology are additionally at risk of supply chain attacks, BSI said.

“A successful disturbance of energy supply in Germany or Europe is a horror scenario for citizens, the German economy and the state bodies. Social life would come to a standstill, the economic damage would be enormous,” said BSI President Claudia Plattner.

With the warning, the BSI becomes the latest government agency to warn about mounting dangers to electricity grids. The International Energy Agency in Vienna also said that the growth of distributed energy generation and storage is expanding the attack surface, as is increased connection and automation throughout the grid. U.S. officials are reassessing the risk posed by Chinese-made power inverters after discovering unexplained communication equipment in some models, Reuters reported earlier this month.

Warnings like the BSI’s can trigger scepticism in some cybersecurity circles, backed by evidence showing that physical destruction and grid mismanagement have posed more daily dangers to electricity delivery than hackers. In the United States, the Department of Energy has recorded only a handful of suspected cyberattacks against the grid but knows of hundreds of physical attacks, including a December 2022 shooting incident against two electrical distribution substations in North Carolina that left 45,000 individuals without power. Grid operators in Spain and Portugal have ruled out cyberattacks as a cause of a late April outage across the Iberian Peninsula that lasted up to 24 hours (see: Breach Roundup: Grid Operators Rule out Cyberattack in Iberian Blackout).

Targeted hardening of devices such as inverters, smart meter gateways, virtual power plants and grid control technology is still a necessary step, the BSI said. It also called for expanded cooperation and information sharing between energy companies, with a role for the BSI as a central contact point for early warning and analysis.

The agency last year identified a slew of nation-state groups targeting German critical infrastructure, including China’s Nylon Typhoon and Russian groups Fancy Bear and Midnight Blizzard.

The European Union in January 2023 adopted a uniform cybersecurity law, the NIS2 Directive. The law imposes cybersecurity risk management and incident reporting obligations for organizations operating across a range of critical sectors, including finance, energy, healthcare, space, IT and public administration. The regulation came into force in October 2024 but 23 member states missed the implementation deadline (see: EU Nations That Missed NIS2 Deadline Put On Notice).

With reporting by Information Security Media Group’s David Perera in Northern Virginia.