Europe’s power-grid operators say they are struggling to hire cybersecurity experts at a time when the sector is especially vulnerable to hacking threats related to the war in Ukraine.
The staff shortage is alarming executives, particularly after Ukraine disconnected from Russia’s electric grid in February and linked to continental Europe’s grid, adding new risks that a potential cyberattack could ripple across countries.
“The worry is about cascading effects,” said Gregorz Bojar, chief information officer at Polskie Sieci Elektroenergetyczne SA, the operator of Poland’s electricity-transmission system.
European electricity operators and providers are on alert. The Covid-19 pandemic and Russia’s invasion of Ukraine have heightened cyber threats in recent years. Hackers hit three German wind-energy companies in the early months of the war, taking down some remote-control systems that monitor turbines. In one case, an attack launched one hour before Russia invaded Ukraine on Feb. 24 on a satellite providing internet connections in Ukraine disrupted those systems and took down internet service for thousands of Ukrainians and people in other parts of Europe.
“We can talk about a weaponization of the energy sector,” said Aurélio Blanquet, secretary general of the European Energy Information Sharing and Analysis Center, speaking at a conference in Brussels last month. The center helps energy companies exchange information about cyber threats.
New European laws set to come into force over the next few years will also heighten regulators’ scrutiny of cybersecurity processes at critical infrastructure operators. This, in turn, is putting pressure on companies such as PSE to hire more workers, who are hard to find, Mr. Bojar said.
“We are in the worst situation ever,” he said.
Employers across industries face the same challenge of having a growing number of jobs in cybersecurity, but a thin pool of qualified candidates.
The International Information System Security Certification Consortium, or (ISC)2, a nonprofit organization that provides cybersecurity certifications, said in a study published in October that the talent gap between the number of professionals needed and those available grew by 26.2% over the last year. There are now around 3.4 million professionals needed worldwide, (ISC)2 said.
The problem is pronounced in heavy industries such as power, because companies need staff with cybersecurity skills and knowledge of the operational equipment used in critical infrastructure environments. Finding people with both is a challenge, said Nuno Medeiros, associate director for information technology and operational technology strategy and cybersecurity at E-REDES, the main operator of Portugal’s electricity-distribution system.
“I see that every day; that’s clearly a problem,” he said.
Mr. Medeiros said it is particularly difficult to find people with knowledge of operational equipment for roles such as security analysts. He hires junior analysts and trains them internally because senior analysts have salary expectations that the utility can’t afford. Still, many cybersecurity experts leave within a few years because they frequently receive other job offers, he said.
Energy companies in the EU spend about 5% of their IT budgets on cybersecurity, around 1.7 percentage points less than other critical infrastructure sectors such as healthcare and banking, according to a study published last month by the European Union Agency for Cybersecurity.
Investing in cybersecurity technology and programs won’t solve electricity firms’ major problem if they can’t find staff to operate critical systems and analyze threats, said Anjos Nijk, managing director of the European Network for Cyber Security, a Netherlands-based organization that develops training and shares cyber threat information with critical infrastructure and energy companies.
“You can say we’ll make money available, but money isn’t going to resolve the problem,” he said.
ENCS is part of an EU-funded initiative started in September to train cybersecurity experts to protect power grids better.
Ukrainian authorities said they thwarted a cyberattack against the country’s grid in April. If European operators were hit with a similar cyberattack, engineers would need to be already trained to step in and shut down substations to prevent damage, creating a challenge for operators without enough staff, Mr. Nijk said. “It requires planning to have the engineers ready to operate substations,” he said.
Even in emergencies, companies with a lack of experts might not be able to work quickly as cybersecurity staff prioritize certain tasks, said Mr. Medeiros.
Officials who managed Ukraine’s connection to the European grid are monitoring it to detect threats coming from Ukraine such as denial-of-service attacks, but acknowledge that the link increased risks. Denial-of-service attacks occur if hackers flood websites with traffic, which can knock out websites and other internet service or make them difficult to access.
“At the moment we have to consider the connection from Ukraine as a not-secure connection because there is a war going on,” said Gianluca Guidarelli, an engineer who led a European unit overseeing the work, while speaking at the same conference in Brussels last month as Mr. Blanquet.
Safeguards such as anti-malware protection and a subnetwork known as a demilitarized zone that adds a layer of security prevent Ukrainian electricity connections from directly flowing to transmission-system operators in Europe, Mr. Guidarelli said.
“We have a completely different threat landscape than we did before,” Mr. Medeiros of Portugal’s E-REDES said.
Write to Catherine Stupp at firstname.lastname@example.org
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.