A German cybersecurity agency has issued a fresh warning about the growing risk of cyberattacks against the country’s power grid. The warning reflects rising concern about infrastructure security in the digitalized, decentralized energy system of the future.
“Alarmingly, the energy sector has continually received a ‘high’ rating for both its current threat and its future threat of being hacked by cybercriminals,” Claudia Plattner, president of the BSI, said in a release.
The swift decentralization of Germany’s energy supply, including an explosion of small power plants like wind turbines and solar parks, raises new and complex challenges. These smaller installations are often less well defended than larger power plants, providing more “attack surfaces” for hackers.
The ongoing computerization of the energy sector, necessary for updating it, adds to the vulnerability. The BSI insists that a successful hack of the German energy infrastructure would be a ‘horror scenario’ for the country, with far-reaching consequences for the economy and wider society, hinting at a near-complete halt to everyday life.
Geopolitical tensions, notably the war in Ukraine and Russia’s weaponization of energy, have added to the sense of urgency. Although Russia remains the most imminent danger, other state actors such as China, North Korea and Iran are also targeting German energy infrastructure for economic and political reasons, according to the BSI.
The German government is also moving to strengthen its cybersecurity defenses in the face of these growing threats. The Bundesnetzagentur (Federal Network Agency), in cooperation with the BSI, has recently released drafts of new IT security requirements for electricity and gas network operators.
These revisions seek to standardize security controls in line with international practices such as ISO/IEC 27001 and allow for more comprehensive risk assessments and continuous improvement.
The government also plans to extend the BSI’s powers to monitor the energy sector and to introduce consistent cybersecurity regulations for everyone working in the sector, from big grid operators to the thousands of decentralized systems in households across the country. Cooperation and exchange between energy producers are also being strengthened, with the BSI acting as a hub for early warning and analysis.
The forthcoming NIS2 Implementation and Cyber Security Strengthening Act, to be enacted from March 2025, will further incorporate the EU-wide minimum cybersecurity standards into German law, substantially raising the security requirements for thousands of companies.
Although Germany’s electricity network is understood to be safe and stable at the moment because of protective systems and backups, the warning is an important signal of the danger that potentially hostile states or organisations pose to national infrastructure.