Strengthening the Security of Critical Energy Infrastructure Against Cyber and Hybrid Threats

By Julijus Grubliauskas, Energy Security Team, Innovation, Hybrid and Cyber Division, International Staff, NATO Headquarters (Brussels, BE)

From the first days of Russia’s full-scale invasion of Ukraine – in February 2022, against the backdrop of Russia’s illegal annexation of Crimea in 2014 – critical energy infrastructure was on Moscow’s target list. First, fuel depots, then refineries, key power grid nodes, heat and power plants, as well as gas infrastructure. It was not a “hybrid threat”, but part of a direct military attack, in which Russia used kinetic means – missiles, drones, glide bombs – to destroy Ukraine’s critical energy infrastructure and undermine Ukraine’s ability to resist the invasion. And while in the beginning Moscow tried to deny targeting civilian energy infrastructure, the systematic nature of these attacks made Russia’s intentions clear. Critical energy infrastructure carries energy supplies that are essential for the life of the population, the functioning of the economy, as well as defence industries and mobility, so destroying it would help Russia to win the war.

Moscow, however, underestimated the resilience of Ukraine’s energy system and the ability to organise protection and defence and innovate while doing so, as well as the support from NATO Allies and partners with everything from air defence systems to generators, and Ukraine’s resolve to engage in deterrence, as well as action against its adversary’s infrastructure. While Ukraine’s energy system suffered significant damage, it survived. And Ukraine’s experience brought invaluable lessons to Europe on protecting critical energy infrastructure. Even when the sound of flying missiles is no longer heard above Ukraine’s power plants, these lessons will remain key for ensuring Ukraine’s long-term security, and for Europe’s preparedness and readiness to face any threat.

The Ukrainian power system featured significant generation capacity before the war, and was designed with redundancies in place to handle heavy industrial demand. Many European countries can only wish for spare power generation capacity.

This means that Europe would need to work much harder to have an energy system that can withstand the test of war. This is, however, an essential part of building deterrence: if adversaries understand that targeting infrastructure would be costly and not necessarily effective, the temptation to pursue such a strategy is suppressed. And vice versa: if the cost is small, but benefits are perceived as worthwhile, the appetite for targeting infrastructure increases. So building a resilient energy system is important to its overall security. But it is not enough.

No energy system is without any vulnerabilities. And having enough redundancies to withstand any attacks or disruptions is a tall order. This is also true for the European energy sector. Being a net importer of energy, Europe relies on several key pipelines and import terminals, particularly gas, which can be exposed to a variety of threats – from drones to sabotage. Europe’s electricity grid is increasingly interconnected and at the same time more dependent on high voltage direct current (HVDC) undersea cables and substations that are hard to repair and replace. And while the European power grid is more efficient due to smarter, digitised management, it also features a larger cyber “attack surface”.

At the same time, Europe is facing a heightened risk environment and motivated threat actors. Moscow, for example, may be tempted to challenge Europe’s decisive actions of diversifying away from Russian energy and supporting Ukraine’s defence. In this regard, complementing resilience with protection measures, reinforced by NATO’s deterrence and defence, is key to comprehensive infrastructure security. To be clear, it would be unfair to expect NATO, or the military in general, to protect all energy infrastructure all of the time: that includes thousands of kilometers of pipelines and power cables – undersea and onshore. But NATO can play an important role in deterring potential attacks against infrastructure, and has already risen to the challenge. After all, no adversary can afford the cost of confrontation with the most powerful Alliance in history. It is for this reason that Allies have clearly stated that deliberate attacks against Allies’ critical infrastructure would be met with a united and determined response.

What is left for the adversary wishing harm to Allies’ infrastructure is then to hide under the veil of non-attribution. This means actively avoiding exposure by exploiting areas where infrastructure is harder to monitor and attacks are more difficult to detect: for example, undersea, in the cyber domain, or by “blending into the crowd” and conducting sabotage attacks. And while the cost of such “hybrid” or cyber-attacks may be low, the consequences for Europe’s energy supply and infrastructure security can be significant, especially when energy markets are tense and any disruption could have cascading effects. In addition, any successful attacks on infrastructure without consequences for the perpetrator raise the appetite for more. The increasing number of cyber and sabotage incidents in Europe may signify attempts to test infrastructure security and our ability to respond.

NATO’s resolve to ensure Allies’ security is clear. After a number of incidents affecting undersea infrastructure in the Baltic Sea, NATO launched “Baltic Sentry” to enhance NATO’s military presence in the Baltic Sea and improve Allies’ ability to respond to any destabilizing acts. This builds upon another important step undertaken, through the establishment of a new NATO Maritime Centre for the Security of Critical Undersea Infrastructure within NATO’s Maritime Command in Northwood (UK).

However, to successfully detect suspicious activities, which can disrupt critical infrastructure, as well as deter and counter them, the military needs to play in a team. Energy infrastructure is owned, operated and maintained by industry, which has deep knowledge of their own infrastructure, as well as eyes and ears in the field. Combining industry’s knowledge and visibility of infrastructure with the military’s expertise on the “red picture”, while employing innovative technologies to share and fuse information about suspicious behaviour, is a powerful capability, which makes the perpetrators’ attempts to hide in the “grey area” much more difficult.

Over recent years, NATO has taken major steps to enable coordination between Allied militaries, governments and industry operators in securing critical infrastructure: from the NATO Integrated Cyber Defence Centre to the NATO Critical Undersea Infrastructure Network.

This also underlines the fact that the military and industries alike depend on secure energy infrastructure and supplies for their activities. And while NATO is ramping up its defence capabilities to respond to threats to Europe’s security, Europe’s energy sector needs to shift to a “wartime mindset” too. In this regard, the EU’s Preparedness Union Strategy and efforts to enhance the resilience of the energy sector in the EU are welcome, opening new areas for closer NATO-EU cooperation. But what also helps is the growing awareness and understanding in the private sector that critical energy infrastructure security is a shared responsibility, where the energy industry can play a major role.

There is no better way to strengthen energy infrastructure security than building resilience and security measures into new and upgraded infrastructure. All energy industry operators know that retrofitting those measures or dealing with disruptions is more expensive than “security by design”, which is a worthwhile investment. This can range from burying power cables in the seabed instead of simply laying them on the sea floor exposed to anchors of the Russian “shadow fleet”, to relying on solar inverters and power management controllers from reliable suppliers who would work to prevent vulnerabilities in those systems. In addition, to be ready to operate energy infrastructure and provide essential energy supplies in all scenarios, including during crises, the industry needs to be well prepared and to invest in adaptive security measures – from sensors to cyber defences, to training of their staff and regular exercising. NATO will always be there to help, and play in a team, as an integral part of a networked effort to tackle the current threats and challenges to our collective security.