ENERGY SECTOR CYBERSECURITY

Trends in cyberattacks against energy infrastructures and supply

According to the World Economic Forum, ransomware attacks against the energy sector have increased by 150% between 2021 and 2022. This increase is partially attributed to the effects of Western sanctions on Russia and the cap on oil prices imposed by European countries following Russia’s invasion of Ukraine. These include cyberattacks instigated by Russian actors to disrupt the European energy sector in order to demonstrate Europe’s reliance on Russian oil, as well as in retaliation for Europe’s siding with Ukraine.

While in the past cyberattacks against the energy sector have targeted the oil and gas industries, the perpetrators are now also directing their attention at renewable energy infrastructures and producers.

Attacks that highlight the need for effective cybersecurity for energy infrastructures and supply

One of the largest and most widely reported cyberattacks on the energy sector took place in April 2021:

• Colonial Pipeline: The attack targeted the company’s billing system and internal business network, and temporarily shut down approximately 5,500 miles of pipeline, disrupting almost half of the East Coast’s fuel supply, and affecting the southern coast as well. This resulted in widespread shortages, and consequently, in panic and chaos. The attack was attributed to the Russia-linked group DarkSide. In order to resume operation, a ransom of $4.4 million was paid in bitcoin. In a rare win for the US Department of Justice, the bitcoin equivalent sum of $2.3 million was recovered two months later.

Attacks that took place in 2022 against companies in the energy sector included, among others:

• DESFA: In August 2022, the IT systems of DESFA, an operator of a natural gas transmission system in Greece, were briefly breached. The company’s IT teams managed to quickly contain the incident, however some documents were unlawfully accessed, and possibly stolen.
• Creos Luxembourg: In July 2022, Creos Luxembourg, which manages natural gas pipelines and electricity networks in the Grand Duchy of Luxembourg, was targeted in a cyberattack. The company disclosed that data had been stolen and customer portals were rendered inaccessible, however the attack did not disrupt services.
• Rompetrol: In March 2022, the Rompetrol gas station network in Romania was the victim of a cyberattack, forcing it to shut down its gas stations and websites. The company, which is a subsidiary of KMG International (which operates in 15 countries), also operates the largest oil refinery in Romania. The refinery’s IT systems were also breached, but according to reports, its operation remained unaffected.

At the beginning of February 2022, several attacks against oil refining facilities and port terminals took place. These were suspected of being a coordinated attack, with some experts pointing the finger at Russia:

• Amsterdam-Rotterdam-Antwerp (ARA): A cyberattack on these major European oil refining hubs disrupted the loading and unloading of refined product cargos during the continental energy crisis. The World Economic Forum commented on these and other recent cyberattacks targeting the European energy sector, stating that “the disruption could see further cascading effects, with potentially larger societal and economic impacts across all European countries… The cyberattack on ARA initially appears to compound an already difficult situation for European energy markets. Oil and gas inventories are low and prices are at levels not seen for years. As a result, it will likely increase the level of stress in the system more so than its actual physical impact. Further, these attacks and the disruptions occur in a time of geopolitical crisis, increasing the chances of wider inadvertent political escalation.”
• Oiltanking GmbH Group and Mabanaft Group: These two companies, owned by the German groups Oiltanking GmbH Group and Mabanaft Group, sustained a cyberattack on their IT systems. This attack affected the loading and unloading systems of Oiltanking, the petrol tank terminal provider, causing it to operate at limited capacity. The attack caused delays of up to a week in tanker and barge shipments.
• SEA-Invest: A cyberattack affected oil terminals at all the ports managed by the Belgian company Sea-Invest in Europe, including its largest, SEA-Tank in Antwerp, as well as its terminals in all the ports in Africa where it operates.
• EVOS: The independent bulk liquid energy and chemical storage company based in the Netherlands was also targeted. The company announced that the IT services of its terminal in Terneuzen (the Netherlands) had been disrupted, causing some delays in operations.

With the increased transition to renewable energy, wind turbine companies also suffered cyberattacks, including:

• Nordex: In April 2022, a ransomware attack was perpetrated on one of the world’s largest wind turbine manufacturers, headquartered in Germany. The company shut down IT system and closed remote access to wind turbines in order to limit the spread of the malware, and therefore only its internal IT system was impacted.
• Deutsche Windtechnik: Also in April 22, the German wind turbine servicing company sustained a cyberattack. In response, it switched off its internal systems and also its remote data monitoring connections to the wind turbines. It took the company two days to resume normal operation.
• Enercon: Although the German wind turbine producer Enercon was not the direct target of a cyberattack carried out in February 2022, it lost remote access to 5,800 wind turbines that produce 11 gigawatts (GW) of power as a result of an attack on Viasat, the commercial satellite operator. This prevented the company from being able to monitor and control the turbines, although these kept functioning, as they operate automatically. Enercon did, however, need to replace its IT equipment in the aftermath of the attack. The company’s management pointed out that the attack affected Internet access in Ukraine and coincided with the Russian invasion of this country.
• Schneider Electric, Honeywell: A cyberespionage campaign reported in January 2022 seems to have been launched as early as in 2019 and was apparently still ongoing when detected. The attack also affected HiSilicon the semi-conductor company; Huawei, the Chinese telecommunications conglomerate; and Telekom Romania. The cybercriminals are suspected of being North Korean, whose primary interest is believed to be the renewable energy sector.

It should be noted that due to the criticality of the energy sector and to security concerns, significant attacks on energy infrastructures are underreported.

ACID provides cost-effective cybersecurity for the energy sector

ACID offers an effective solution for oil & gas and renewable energy companies: It deploys clusters of bots and implements advanced AI algorithms in order to detect the first hint of an attack in the clear, deep and dark web, as well as in multiple other sources, as early as in its initial planning phase. Once such an intent is detected, ACID alerts the target of the attack in real time and transfers all the available information to them – including screenshots of threats detected on the dark web and deep web, which they may be reluctant or incapable of accessing themselves. ACID continues to monitor the sources, using client-specific keywords in several languages, and provides updates with any additional data as it becomes available. While ACID continuously monitors a great number of sources, additional sources and keywords can easily be added upon request.

The real time alerts provided by ACID at the first sign of an attack, and the subsequent updates with additional information as it becomes available, enable the IT teams of the targeted energy company to prepare and implement countermeasures that will mitigate the impact of the attack, or possibly thwart it altogether. Energy sector companies are thus supported in providing a constant supply of energy and enabling their many diverse customers to continue operating smoothly.