Are you ready for a hacky Christmas?
It is three weeks since Danish turbine giant Vestas revealed it had fallen victim to a major cyberattack. While the company said it was able to get most of its IT systems back up within a fortnight, the revelations have kept coming.
Last week, Vestas said that the hackers had gained unauthorised access to personal data of its business partners and employees in the attack of 19th November and had started to leak it. This includes sensitive data contained in passports, birth certificates and work permits, as well as bank account details.
You can see the Vestas statement here
The firm also reiterated that it moved immediately to stop the attack when it was discovered on 19th November and stopped the hackers from “further unauthorised access to Vestas’ data”. It said it would notify affected individuals if appropriate, but that customer operations have not been affected.
The attack on Vestas used ransomware technology, which encrypts sensitive data that will only be decrypted again if the victim pays a large fee. It was the work of a group called LockBit 2.0 that is reported to have links to Russia.
The Danish Defence Intelligence Service said cyberattacks from the group had “dramatically increased” in recent months. Vestas said it has not paid a ransom.
Why does this matter?
Companies in the energy sector are popular targets for hackers. Cybersecurity firm Hornetsecurity has reported that energy companies account for 16% of attacks that are officially known about. This is likely because hackers see companies in the fossil fuel sector as unethical and able to pay ransoms.
As a wind turbine manufacturer, Vestas may have better ethical credentials than companies in the dirtier parts of the energy sector, but it is big enough to be an attractive target.
In addition, hackers know that companies are sensitive about breaches of personal data due to GDPR rules, which gives hackers more leverage; and the decentralised nature of a renewables-based grid gives more points to attack. This is not just about Vestas though. It poses a risk to all firms in the sector.
Vestas is not the only large renewables company recently hit by ransomware.
In June, hacker group REvil said it was responsible for a ransomware attack on the US operator Invenergy, where it took information about contracts and projects, as well as personal information on founder Michael Polsky. Invenergy refused to pay a ransom for the data, which runs to about four terabytes, and has said little other than that it is cooperating with data regulations.
In 2020, EDP Renewables North America disclosed that a ransomware attack on its parent company EDP had put some EDPR customer data at risk.
And last week, hackers at Conti claimed they had attacked Australia’s CS Energy, which has wind and solar off-take deals.
These all show that companies in the wind sector are not immune just because they see themselves as more ethical than fossil fuels. We should also not fool ourselves that these hackers are on some kind of noble quest.
System failures
Finally, some IT experts argue energy companies are behind other industries when it comes to the adoption of digitisation and cloud computing technology; and many do not have the skilled cybersecurity staff they need.
Renewables firms will also likely struggle to find these staff due to a general shortage of people with cybersecurity skills.
A report from the Enterprise Strategy Group and the Information Systems Security Association in July, called ‘The Life and Times of Cybersecurity Professionals 2021’, questioned 489 cybersecurity professionals about skills shortages in their industry.
It found 95% of respondents said a shortage of cybersecurity skills had not improved in recent years, and 44% said it had got worse. That makes it tough for companies in the renewables sector to find the cybersecurity experts that will protect them. The challenge therefore is twofold.
First, renewables companies must work with cybersecurity experts to ensure their systems have enough protection against ever-evolving hack threats.
Second, they must be willing to share details about cyberattacks, as Vestas is, so renewable energy companies know the size of the threat they face and how to address it. None of us know who will be hit next.