Europe is investing in power grids that save consumers money and easily handle surges from wind and solar sources — features critical to curbing climate change and cutting the Continent’s reliance on coal.
But these electricity networks of the future also create big risks.
So-called smart grids and smart meters expose the power supply to cyber threats that could lead to power outages during the depths of winter or batter the components of the electricity system so badly that repairs take ages.
“Technology becomes your Achilles heel if you don’t do the right things,” said Nuno Medeiros, information systems officer at Portugal’s power distribution company EDP Distribuição.
In October, residents of two apartment buildings in eastern Finland were left in the cold for about a week after a hacking attack disabled computers controlling heating and warm water systems. In 2016, Israel and Turkey reported hack attacks. In 2015, hackers infected the workstation of a Ukrainian utility company with malware, triggering an hours-long blackout affecting about 80,000 people in the western part of the country. Ukraine reported that another wave of hacks caused blackouts in Kiev last month.
“Ukraine became such a big story because it was the first attack in the energy sector,” said Michael John, director at the European Network for Cyber Security, a non-government group that focuses on the safety of Europe’s grids and infrastructure. “It demonstrated it is possible.”
That’s a reality that the now EU faces, with member countries investing in smart technology meant to reconfigure Europe’s power networks. Companies are not oblivious to the risks, but experts say Europe needs to do more to ensure it is ready to withstand cyber attacks.
Smart grids allow power networks to deal with the uneven electricity produced by renewables. These grids allow homeowners generating some of their own power to switch between drawing from the grid and selling into it. Smart meters allow customers to monitor their electricity usage and take advantage of price differences to cut costs. All of that is crucial to lowering energy demand and allowing the world to reduce the need for coal-fired electricity and meet the goals of the Paris climate change agreement.
The EU wants to have about 200 million electricity smart meters rolled out by 2020. The European Commission has been a strong advocate for the smartening of Europe’s grids and homes. If its most recent legislative proposals are accepted by national governments, every consumer will have the right to ask their energy supplier for a smart meter. The move goes hand in hand with European utilities’ efforts to digitize grids and interact with customers in a dynamic way.
“Citizens are central to the successful uptake of low-carbon innovative solutions, from smart meters in their homes to large-scale wind farms,” according to the Commission.
The idea is that more empowered consumers and smarter grids will lead to a more efficient use of energy and more green energy flowing through Europe’s power networks.
Smart but vulnerable
But as things get smarter and people get more connected, the system also becomes more vulnerable.
“Every component in the grid that has become digitized is becoming an attack point,” said Sander Kruese, privacy and security adviser at Alliander, a distribution system operator in the Netherlands.
Cyber attacks could bring down whole grids, something that could even kill people if it happens in winter. That’s the scenario of the 2012 German best-selling novel “Blackout” by Marc Elsberg, which portrays a dystopian nightmare after the collapse of the electricity grid triggers telecommunications problems, food shortages and an economic breakdown.
Those scenarios aren’t far-fetched to experts.
“Imagine a situation where hackers find a way to switch off the grid, but in such a way that the [affected] components get destroyed,” said John of the European Network for Cyber Security. “That would mean a lot of replacement work, which means power could not be restored so fast.”
It’s going to be a growing problem. The U.S. is projected to see the number of smart meters installed climb from 65 million in 2015 (about half of all households) to 90 million by 2020, the Edison Foundation’s Institute for Electric Innovation reported. By 2020, almost 72 percent of European consumers are expected to have the meters, according to general EU rules.
EU member governments were allowed to carry out a cost-benefit analysis to see whether a mass smart meter roll-out made sense. Sixteen said yes, while seven others (including Belgium and Germany) found that the benefits of introducing them for all households wasn’t proven, according to the Commission. Nevertheless, countries such as Germany also found that the meters are economically justified for certain groups of customers.
Cost benefits aside, the millions of smart meters installed in homes are a tempting target for hackers.
That’s why some countries are choosing “dumber” models out of security fears. The meters that really worry security experts are those that can be remotely switched off. The dangers range from leaving a single house in the dark to causing a widespread blackout by switching smart meters on and off repeatedly, said Kruese, whose company distributes power to about a third of Dutch households. “If you get control of the grid by getting control of the smart meters, you can cause a lot of damage.”
The Netherlands has opted for smart meters without the remote switch-off option, “because they saw this threat,” Kruese said.
In the U.K., the government has asked the GCHQ intelligence agency to help design security for smart meters — a proactive move for a country that wants to install 53 million smart meters by 2020.
“If somebody could hack into that or turn off very large numbers of meters by mistake, the sudden shock of taking them off the grid — even worse if they were all turned back on at the same time — would cause significant damage,” technology consultant Nick Hunn said in September during testimony before a parliamentary committee looking into smart meters.
An EU response
Utilities, regulators and governments across the EU aren’t oblivious to the threat, but it is proving difficult to coordinate a response. One of the problems is that there is no EU-wide consensus on the minimum range of capabilities required for smart meters, which also makes talk on security requirements more challenging. Authorities need to assess the risks and how to test for them, which is expensive.
European utilities should try to harmonize security standards for the meters, said Thomas Weisshaupt, chairman of the privacy and security working group in ESMIG, an association representing smart energy companies.
EU-level working groups are addressing the issue and national governments also have threat assessments in place. Experts and authorities from across the bloc are trying to learn from each other through non-profit groups such as John’s ENCS or the European Energy-Information Sharing and Analysis Center. The Commission also has its own experts in the Smart Grids Task Force dealing with energy cyber security threats.
One challenge in developing a coordinated response is a lack of trust. Authorities find it hard to share information about their vulnerabilities, making it difficult to pass on lessons learned from past hacks, Kruese said. There is reluctance to go public with attacks, since that may tarnish a company’s reputation, he added.
It could also alert other hackers to a vulnerable network.
“If you go to the public and share the problem you had, you could become a target again,” Kruese said.
Some countries are doing better than others, John said. The Netherlands, the U.K. and France are at the forefront of the energy cybersecurity battle, he said. “Not everyone is there. We need to have the same level of cybersecurity across Europe.”
For now, there have only been a few reports of hacks of grids and smart meters, but that’s more the result of chance than ironclad security measures, Medeiros said.
“I think we’ve been kind of lucky, and the threats haven’t been too oriented toward companies in Europe,” he said.