Europe is bolstering energy sector resilience. But cyber risk remains a major vulnerability

Russia’s war in Ukraine has created one of the most significant energy crises in Europe in recent memory. So far, the crisis has largely been a result of physical disruptions—the flow of natural gas has been curtailed, pipelines have been sabotaged and supply lines have been cut off.

European countries have responded by replenishing energy reserves and reducing demand. The European Union (EU) has also taken steps through new legislation to bolster infrastructure defence and resilience.

“Critical infrastructure is the new frontier of warfare,” EU Commission President Ursula von der Leyen declared in a speech earlier this month. “And Europe will be prepared.”

Yet experts warn that should the energy sector come under significant and sustained cyberattacks, the consequences could be rather devastating. The ongoing war has brought new risks, physical and cyberattacks, often combined as a hybrid threat.

Already, Europe has faced cyberattacks targeting the energy sector. In February, for example, a cyberattack hit the Amsterdam-Rotterdam-Antwerp (ARA) oil refining hubs, interrupting the trade of refined products across the region. Two other German oil refinery firms reported cyberattacks around the same time, too.

The cyberattacks in Europe follow the devastating attack on the Colonial Pipeline in the United States. In May 2021, the pipeline—the largest supplier of jet fuel, gasoline and diesel in the eastern US—came under a ransomware attack that paralyzed the system, disrupting fuel supplies for up to 50 million people for over a week. Seventeen US states declared a state emergency as a result.

In Europe, more cyberattacks on the energy sector this winter could be disastrous. Interruptions to the already precarious energy markets could raise fuel costs for hundreds of millions of consumers, cause immense economic losses and force governments to tap into stock reserves.

So far, Russia’s cyberattacks have had mixed results, with many strikes being less fruitful than intended. In April, for instance, Ukraine’s Computer Emergency Response Team announced that it had successfully repelled a series of cyberattacks on the country’s power grid. The attack, which was traced back to Russia, aimed to cut the power for up to two million people.

Yet today, experts are warning that the cyber front may intensify as Russia—whose military aggression has been less successful than envisioned—could turn to more belligerent cyberattacks.

“In response to significant battlefield set-backs, in the last week we have seen Putin react in unpredictable ways,” Lindy Cameron, the chief executive of the UK’s National Cyber Security Centre, said in a recent speech. “There is still a real possibility that Russia could change its approach in the cyber domain and take more risks.”

In September, the Ukrainian Defense Ministry also warned that Russia plans to conduct “massive cyberattacks” on the country’s critical infrastructure facilities.

Indeed, the energy industry is taking note of the threat. One recent survey found that 77% of energy executives said cybersecurity has become a higher organizational priority than it was two years ago. Meanwhile, 46% of respondents said their organization is complacent about cybersecurity.

“Cyberattacks are one of the top risks we face,” Amin H. Nasser, the president and CEO of Saudi Aramco, said in a recent speech. “On a par with natural disasters or physical attacks.”

In Europe, there is a push to reinforce cybersecurity measures. In a debate this month in the EU Parliament, several lawmakers urged the bloc to expand cybersecurity laws and proposals, arguing that they do not go far enough. Many also stressed that cyber carelessness today is untenable—especially given the interconnectedness of the region and world.

As Jeremy Jurgens, managing director at the World Economic Forum, stated in the Forum’s recent inaugural Global Cybersecurity Outlook report, “Cyberspace transcends borders. We therefore need to mobilize a global response to address systemic cybersecurity challenges.”

In the face of heightened cyber risks, it is crucial that players across the energy ecosystem prioritize mitigating actions to minimize disruptions caused by cyberattacks similar to the ARA or Colonial Pipeline incidents.

To advance this effort, the Forum’s Cyber Resilience in Electricity and Oil and Gas initiatives have convened industry leaders to help strengthen the overall cyber resilience of the energy sector. The collaborative efforts have resulted in the following guiding principles, providing the first steps for senior leaders take action:

In the words of Amin H. Nasser, "As the world deepens its digital footprint, cyber threats are becoming more sophisticated. But one company working alone is like locking the front gate while leaving the back door wide open. We must work together if we want to truly protect the critical energy infrastructure that billions of people around the world depend upon.”