The organization that ensures coordination of European electricity markets said Monday that its IT network had been compromised in a “cyber intrusion.”
The European Network of Transmission System Operators for Electricity (ENTSO-E), whose members include large electric transmission operators across the continent, “recently found evidence of a successful cyber intrusion into its office network,” the organization said in a terse statement.
The compromised office network is not connected to any operational electric transmission system, ENTSO-E said, meaning the attack was confined to IT systems and did not impact critical control systems.
“A risk assessment has been performed and contingency plans are now in place to reduce the risk and impact of any further attacks,” the ENTSO-E said, adding that its members were apprised of the situation.
CyberScoop sent ENTSO-E’s press office a list of questions including when the digital intrusion began and who might be responsible for the attack.
“For obvious reasons, ENTSO-E will not issue more information than what it has already communicated,” ENTSO-E’s Claire Camus said in response.
Based in Brussels, ENTSO-E is comprised of 42 grid operators across 35 European countries. It’s a coordinating mechanism for utilities delivering steady electricity to European Union citizens.
Multiple ENTSO-E members in Europe said they were investigating the incident.
Fingrid, the Helsinki-based transmission system operator (TSO), said that the breach may delay its release of Energy Identification Codes (EICs) that support trading on the European electricity market.
“The attack was not directed against Fingrid or other transmission system operators, and it didn’t have any influence on Fingrid’s customers or other stakeholders,” the statement said. “The incident only affects file exchange policies between Fingrid and ENTSO-E.”
Erik Nordman, security manager at Svenska Kraftnät, Sweden’s TSO, said his organization was investigating whether its systems were affected and had taken “preventive measures to limit possible impact.”
Norwegian TSO Statnett said it was still probing the incident, but that “so far, there is nothing to indicate that [it had] affected Statnett’s IT systems.”
Joe Slowik, adversary hunter at industrial cybersecurity company Dragos, said that organizations like ENTSO-E are natural targets for hackers looking for further access into an electricity organization’s networks.
“While insufficient evidence exists to determine who might be responsible for this intrusion, such a breach can facilitate reconnaissance of supported utility operations or allow for follow on activity such as phishing or watering hole attacks,” Slowik told CyberScoop.