Nord Stream explosions highlight global security threat

A disastrous mini-budget had Britain bubbling with anger. The volatility spooked global markets causing pensions, investments and ISAs to take a hit. But less than a week later, bubbles of a different kind were dominating the headlines.

The gas bubbles were the result of a gas leak from the Nord Stream 2 pipeline which broke the surface some twenty kilometres southeast of Bornholm island in Denmark. But it appears that the leaks were no accident, as Danish Prime Minister Mette Frederiksen was quick to state. She also went on record to say that the explosions were “deliberate actions” and many suspect that the alleged attacks were carried out by a hostile nation state – namely Russia. But Russia has since flatly denied that it was responsible for sabotaging the pipelines.

Fast forward two weeks and the cause of the explosions remains a mystery. However, the gas explosions have been a wake-up call for the West. Difficult questions have had to be addressed. Does the UK and the EU have a robust preparedness plan in place to protect critical energy infrastructure? How resilient and effective is it and does it need to be further strengthened? And the million-dollar question: how do states protect from sabotage pipelines that are thousands of miles long and sit on the seabed?

When you consider that the Langeled and Vesterled pipelines carry a large portion of the country’s gas from Norway to the UK, the stakes are high but “not new” according to Nick Childs, an expert on Naval Forces and Maritime Security.

In response to the suspected sabotage of the Nord Stream pipelines, The Royal Navy recently sent a Type 23 frigate to guard pipelines in the North Sea. But Childs, who is a Senior Fellow at the International Institute for Strategic Studies, says that protecting “full lengths of undersea networks is very challenging.”

Dr David Toke, an Emeritus Reader in Energy Politics at the University of Aberdeen, agrees. He notes, “Protecting pipelines is exceptionally difficult and the military services assigned to carry out this task will no doubt request quite a large increase in resources in order to be effective.”

So, where should resources be spent? Childs says that governments, including the UK’s, and NATO “are investing in vessels and other assets to improve undersea monitoring and surveillance.” This, he says, includes “undersea remote systems.”

Childs also says that going forward “increased private-public co-operation and information sharing is another avenue for increased protection.”

While Dr Wojciech Ostrowski, an energy security and policy expert from the University of Westminster agrees, he doubts whether it is possible to protect every part of the energy sector’s critical infrastructure.

“There is so much to protect. It is not just pipelines, but oil and gas platforms, refineries and power stations. Of course nations need to be extra vigilant in light of what has happened, but it would be virtually impossible and extremely costly for governments to protect them all. And if this was indeed an act of deliberate sabotage, it is not likely that it will be repeated as to do so would be an act of war.”

Cyber terrorism threat

Instead, Ostrowski believes that ploughing more resources into bolstering cyber defences around critical energy infrastructure has been – and will continue to be – a priority for NATO. It is a view shared by the UK government. The Centre for Protection of National Infrastructure, for example, which helps to reduce the vulnerability of the UK to a variety of risks, such as cyber terrorism, has for many years considered cyberattacks as a Tier 1 level threat.

In America too, the U.S. administration, spend heavily on cyber security. This year it allocated USD$ 2.9 billion to Cyber Security and Infrastructure Security Agency. And for good reason. In May 2021, hackers breached the defences of the Colonial Pipeline, a 5,500-mile artery, which transports a large portion of America’s refined oil from Texas to its east coast.

The ransomware hack, which ranks as one of the largest attacks on U.S. energy infrastructure, led to the pipeline being shut down for several days. It later emerged that hackers had breached the pipeline’s cyber defences using a compromised password. In doing so, according to Professor Steve Schneider, Director of the Surrey Centre for Cyber Security, “the attackers were able to infiltrate the pipeline’s accounting system, which meant that the pipeline operators were unable to bill customers, so could not continue to operate commercially.  Although the pipeline itself was operable, the back-office systems were critical to the overall commercial function and provided a weak link in the armour.”

Schneider says that while energy operators in the UK work closely with the National Cyber Security Centre and Government Communications Headquarters to constantly evaluate the robustness of cyber defences, he worries that there are “a shortage of people with the right expertise and experience” to stop sophisticated cyberattacks, which are often carried out by nation states or organised crime groups.

However, with the UK committed to eliminating Co2 emissions to net zero in just under thirty years’ time, renewable energy technology is likely to feature heavily in Britain’s energy mix. In addition to Cleantech projects, there will be more onshore and offshore windfarms, more large-scale solar power projects and more tidal power programmes. As these technologies will be plugged into the National Grid, they could become a target for hackers. So, to what extent are renewable technologies vulnerable to attacks and could hackers, who breach their systems, shut down vast swathes of the UK’s Grid?

Says Schneider, “It’s important to differentiate between small-scale operations and large- scale ones. An individual homeowner, who installs solar panels, while potentially vulnerable to hackers, is not going to be on the radar of state-sponsored cyber terrorists. However, a utility company with windfarms, solar power and perhaps tidal power, all of which feed directly into the national grid is likely to be a target.

He continues, “That said, large renewable providers, in common with any other critical infrastructure provider, will not only provide cyber security training to inculcate a culture of digital hygiene amongst staff, they will look to future-proof their physical cyber defences to enable remote monitoring and updating, to enable critical security updates to be done in a timely manner. The downside is that this provides a targeted attack surface. However, if firmware is not regularly updated, or a password compromised, attacks that could temporarily partially cripple critical energy infrastructure are possible.”

With cyber terrorism a clear and present danger, and western states entering into recession, there is a risk that governments, NATO and energy companies might see the Nord Stream gas explosions as an isolated, one-off event and not pump adequate resources into pipeline monitoring and surveillance. In an age of asymmetric warfare, the challenge for those who are responsible for our energy security is to view both threats though the same lens.