Cyberattacks targeting utility firms at 'alarmingly high levels'

Utility firms such as electricity providers have become the new frontier for cyberattacks, reaching "alarmingly high levels" last year, the International Energy Agency (IEA) has warned.
Russia's invasion of Ukraine gave fresh impetus to cyber criminals to attack electricity grids and demand ransoms from energy companies scarcely able to defend themselves due to a cybersecurity staff shortage, it said.
Worldwide, the average cost of a data breach in the sector reached a record $4.7m (€4.3m) in 2022, the IEA said.
"Recent cyberattacks in the electricity sector have disabled remote controls for wind farms, disrupted prepaid meters due to unavailable IT systems, and led to recurrent data breaches involving client names, addresses, bank account information, and phone numbers.
"Critical infrastructure, including gas, water, and particularly power utilities, are favoured targets for malicious cyber activity," it said.
Utility firms' increasing reliance on digital systems has made them more vulnerable in recent years, according to the IEA.
"As with most industries, utilities increasingly use digital technologies to better manage plants, grids, and business operations, which contributes to energy security by improving quality of supply, providing additional services to customers, and enabling clean energy transitions through the integration of distributed energy resources.
"However, this progress comes with risks. Digital systems, telecommunication equipment, and sensors throughout the grid increase utilities’ exposure, as each element provides an additional entry point for cybercriminal organisations," it said.
According to the international non-profit ISC² organisation, the global cybersecurity workforce stood at 4.7 million people in 2022, the highest it has ever recorded. However, there remains a shortage of 3.4 million cybersecurity workers, it cautioned.
Californian data security firm Rubrik, which has a base in Ballincollig in Cork, recently found that 94% of organisations in Europe, the Middle East, and Africa are concerned they will be unable to maintain business continuity if they experience a cyberattack.
Its Zero Labs report found that nine out of 10 organisations reported malicious actors attempted to access data back-ups during a cyberattack, and 73% were partially successful. It added that 47% of IT and security leaders believe their 2023 cybersecurity budget is not enough of an investment.
The IEA said that power utilities need to include cybersecurity as a core element of their business strategy.
"Without a strategic approach towards ensuring cyber-skills, power system stakeholders may not be able to effectively cope with future attacks," it said.
In Germany last year, wind turbine maintenance firm Deutsche Windtechnik was hacked in April, with around 2,000 wind turbines rendered powerless for a day due to remote-control systems being attacked.
Similarly, turbine maker Nordex reported that it was attacked by a Russia-aligned ransomware group, forcing its IT systems to go down. Fellow turbine maker Enercon saw nearly 6,000 remote-controlled turbines attacked.
An attack on Colombian firm EPM saw more than 300,000 prepaid electricity customers affected, while in the US, some 200,000 Colorado Springs customers had their data hacked.