Jamie Collier is an associate fellow at the Royal United Services Institute and a senior threat intelligence advisor at Mandiant. Jamie MacColl is a research fellow in cyber threats and cyber security at the Royal United Services Institute.
The recent leak of the Nord Stream natural gas pipeline has demonstrated the vulnerability of European energy infrastructure. Yet, in addition to such physical threats, the Continent must also brace for the prospect of heightened cyberattacks this winter.
These potential cyber threats to energy supplies will lead to plenty of doom-mongering as we approach the colder months — but now is the time to prepare, not panic. And European governments and energy providers alike should focus on the opportunity to plan for the possible dangers that lie ahead.
So, what kinds of cyber threats might the Continent face as temperatures drop?
European energy suppliers are an obvious target for Russian state-sponsored groups, as cyber operations provide a chance to apply pressure on countries that are participating in sanctions against Russia or are currently reducing their reliance on Russian energy. Like any other measure below the threshold of armed conflict, such cyber operations are also attractive, as they are painted with a veneer of deniability. And from the Kremlin’s perspective, undermining public trust will be just as important as any physical or technical disruption caused.
Russia’s aggressive operations have routinely pushed the boundaries of what’s considered “acceptable behavior” in cyberspace already. For instance, Russian cyberattacks against Ukrainian electrical operators in 2015 and 2016 caused power outages in the depths of winter. And additional destructive malware with the capability of shutting down operations, sabotaging industrial processes, and disabling safety controllers to cause physical destruction has also been detected since the start of the invasion.
Beyond such destructive operations, Russian intelligence agencies and their associate front companies are likely to spread false narratives through information operations as well. These campaigns seek to capitalize on domestic tensions, arousing alarm and division. In this vein, concerns around European energy supplies and the cost-of-living squeeze could be stoked to impose more pressure on European governments looking to wean themselves off Russian energy.
Additional threats may also come from cybercriminals, many of whom operate with tacit approval, and even encouragement, from the Russian state. Cybercriminals might be primarily financially motivated, yet Five Eyes security and intelligence agencies have warned that many Russian ransomware operators have pledged support to the government. And these groups have a track record of targeting key sectors and services — as shown by their remorseless targeting of healthcare providers in the United States and Europe during the pandemic — which makes the energy sector an obvious target in the months ahead.
One of the main concerns here will be the disruption of physical processes, such as energy sensors, gas terminals, generators and power grids. In February, for example, a ransomware attack affected operations at several major oil port terminals in Belgium, Germany and the Netherlands — a similar incident affecting gas terminals during the winter months could cause significant disruption. And while we can be encouraged by the fact that manual safeguards are increasingly being put in place to minimize the impact of cyberattacks, the energy sector remains vulnerable.
Such threats are serious and will require a proactive response in the coming months to avoid any disruption. Yet, we should not be paralyzed by fear, as we have the agency to meet these challenges head-on.
For one, NATO has already warned that “any deliberate attack against Allies’ critical infrastructure would be met with a united and determined response.”
Though such warnings are welcome, there’s still sufficient ambiguity regarding NATO’s potential response to a cyberattack carried out to embolden the Kremlin. Additionally, normative and deterrence-based restraints have had limited impact on ransomware operators thus far — as shown by the ruthless targeting of critical infrastructure in recent years.
Such political responses must, therefore, be combined with a relentless focus on building operational resilience. Rather than just trying to prevent attacks, European energy suppliers must also be able to recover quickly, should they happen.
In this regard, European leaders and energy operators should look to the Ukrainian experience for inspiration. Beyond simply blaming Russia, it’s Ukraine’s long-term efforts to build cyber resilience that help explain the lack of highly destructive cyber activity since the start of the invasion. The country’s cyber defenders and private sector partners clearly demonstrated this in March and April, when they thwarted Russian attempts to cause a blackout via cyberattack that would have affected 2 million people.
The apparent effectiveness of Ukraine’s cyber resilience demonstrates two lessons for the transatlantic community this winter:
First, we need to cultivate deep and meaningful operational partnerships across both government and industry. Policymakers often pay lip service to the need for information sharing and public-private partnerships in cybersecurity. But rather than just high-level commitments to merely collaborate, now is the time to build much deeper working relationships between NATO members, cybersecurity vendors and European energy operators. This means engaging deeply with the operational realities of network defenders.
Building resilience must also go further than just protecting energy sector networks — developing resolve will be equally important. Many of the cyber operations targeting the energy sector will ultimately seek to unnerve European society and undermine support for Ukraine, and in the face of cyberattacks and disinformation campaigns European citizens must remain united.
If we subscribe to a narrative of fear, we’re doing the Kremlin’s work for it. Instead, it’s time we plan and tackle Europe’s winter cyber threats directly.