Russian cyber attackers could target the UK's power grids and ‘leave millions without power’, a senior minister has warned.
Speaking at a Nato conference on Monday, Cabinet Office minister Pat McFadden warned that Russia had “stepped up” its cyber attacks against Ukraine and its allies over the past year.
McFadden, whose brief as Chancellor of the Duchy of Lancaster includes national security, went on to say Russian cyber attacks could “turn off the lights for millions of people” and accused Moscow of targeting British media, telecoms and energy infrastructure.
He added that Russian state-aligned groups have taken responsibility for at least nine separate cyberattacks of varying severity against NATO states, including unprovoked attacks against its critical national infrastructure.
But could such an attack really work? And how would it happen? Yahoo spoke to cybersecurity experts about the threat of attacks on Britain’s power.
How realistic is an attack on our power grid?
At a global level, cyber attacks are not only realistic, they are happening already. The International Energy Agency has estimated that attacks on energy infrastructure doubled between 2020 and 2022, up to 1,101 weekly attacks worldwide.
In 2023, those attacks doubled again. Leonhard Birnbaum, CEO of utility E.ON warned last year that Europe’s power grid was under a ‘cyberattack deluge’ since the invasion of Ukraine: “I am worried now and I will be even more worried in the future.”
The UK's electricity system - sometimes referred to as the national grid - is a series of networks spread across the country and operated by different companies. The 'grid' consists of wires and cables to take electricity from where it's produced to the homes and businesses that use it 24/7.
While the idea of attackers fully ‘shutting down’ power grids over long periods is dramatic, the reality is more nuanced, says Javvad Malik, lead security awareness advocate at cybersecurity platform KnowBe4.
“Power grid cybersecurity is a serious concern, but it's important to understand both the risks and the safeguards in place," Malik tells Yahoo News.
“There is increasing digitisation and systems are being more interconnected. This connects previously isolated systems and potentially exposes them to new vulnerabilities."
Malik says cybersecurity companies can already see ‘non-state groups’ probing electricity systems with phishing attacks and other methods - but says there are defences in place.
"There are several mitigating factors which have prevented us from full-scale blackouts," he says, pointing out that power stations are often designed with "multiple layers of redundancy and have segmentation in place”. These additional layers of security include systems isolated from one another to make them safer.
“Having said that, it does not mean that it can't happen. As power and other critical infrastructure modernises, there is an increased need to balance security so that systems can be usable and secure.”
Lucy Easthope, an expert in disaster planning and a member of the Cabinet Office National Risk Assessment Behavioural Science Expert Group, cautions that the UK shouldn’t underestimate such a threat.
“I don’t think we have enough respect for our adversaries,” she tells Yahoo News. “One of the things that I’ve come to understand working on various incidents is we need to understand the capabilities of other countries and we need to stop playing it down.
“The cyber risk that is inherent - the pipeline risk, the cable cutting risk - this is an adversary that is willing to do very many things and sometimes in different ways so it does things that can be very disruptive.
“When people think of cyber attacks, they think it would mean you couldn’t access the internet or something like that. But it’s about things like loss of power; loss of fundamental utilities; loss of critical mass infrastructure.
“Cyber is the method by which ultimately state terrorism is committed. That’s as terrifying [as nuclear war] in some ways.”
What would happen in the event of such an attack?
In winter 2015, Russian hackers used malicious software to attack the power grid in Kyiv, causing a blackout.
Two-hundred and thirty thousand people, a fifth of Kyiv’s population, were left without power as a result of malware thought to have been deployed by the ‘Sandworm’ hacker group - the cyberwarfare unit of Russia's military intelligence service.
In the UK, while short-term blackouts might happen, long-term disruption are much less likely.
“There have been successful attacks on power infrastructures such as in Ukraine in 2015 and 2016," says Malik. "These have been limited in scope and duration. Complete long-term shutdowns of large scale power grids remain largely theoretical."
However, that doesn't mean the impact of a relatively conservative attack wouldn't be widely felt.
According to analysis published in 2019 by Dr Edward Oughton of the Centre for Risk Studies at Cambridge Judge Business School, smaller-scale attacks could still have a significant impact.
“Critical national infrastructure such as smart electricity networks are susceptible to malicious cyberattacks which could cause substantial power outages and cascading failure affecting multiple business, health and education organisations as well domestic supply,” Oughton warned at the time.
He said an attack similar to one in Ukraine in 2015, would - if it happened in London - have impacted around 1.5 million people and had an economic impact of up to £111m daily if just 14 of Britain's 300 substations were affected.
x