Political developments in different parts of the world may affect critical infrastructure in Denmark. Geopolitics, security, and energy (GSE) have become increasingly high on the agenda in the last 30 years since the fall of the Berlin Wall. Supply chains have become globalized, production and development have flourished in countries where labor and materials were cheap. Now all this is changing.
Thomas Lund-Sørensen is the former head of cyber security at the Defence Intelligence Agency and is now partner and head of Cyber Risk at the consultancy Macro Advisory Partners. At the conference on supply strategy, he painted a rather gloomy picture of geopolitical developments and the implications for critical infrastructure in general and the supply sector specifically.
The last thirty years since the fall of the Berlin Wall have in many ways been characterized by optimism and prosperity - with globalized supply chains, relocation of production to low-cost countries, and a high level of trust in suppliers. In addition, we have had low inflation and low interest rates - all of which matter a great deal to utilities among others.
Trust in suppliers disappeared almost overnight
Looking into the future, it seems that the period from 1989 to 2019 may have been a parenthesis in history. When Corona broke out in earnest as a pandemic in 2020, the unconditional trust in suppliers disappeared almost overnight.
"Let me just mention an anecdotal yet interesting story about a jumbo jet that flew from China to Europe with munitions. During a stopover in Thailand, the cargo was taken over by some Americans who had simply bought it by outbidding the original buyers, almost while the plane was on the runway," says Thomas Lund-Sørensen.
He can cite several similar examples that illustrate the reality we are now in, where we can no longer rely 100% on suppliers. Even within the alliances we form, we cannot be sure that solidarity will hold throughout. Furthermore, logistics are still affected after Corona as we are seeing, for example, Chinese deliveries of technology products being affected by lockdowns.
Changing attitudes to critical digital infrastructure
The Russian invasion of Ukraine on 24 February turned all energy strategies and green transformation policies upside down. We need to get rid of gas faster, while we are in a hurry to reduce CO2 emissions. Paradoxically, we need to invest in black energy and, for example, build energy terminals in Germany and wherever else there is room for them and a need for them, to eventually get out of dependence on Russia.
Alongside the war in Ukraine, there is a significant decoupling, both politically and technologically, between the US and China, with the latter no longer able to invest in the same way as they used to in the West. At the same time, there has been a shift in attitudes, particularly towards critical digital infrastructure, where Chinese wind turbines and other high-tech products are being discarded because there is simply no mood for us to become dependent on Chinese supplies.
Data and technology as weapons in a geopolitical conflict
All this is caused by the fact that security of supply, digital security, data, and technology are "weaponized" i.e., considered as weapons or means in a geopolitical conflict. They become elements and dimensions that companies must deal with in terms of their business model and the way they want to develop their business.
More than ever, cybersecurity and the protection of digital infrastructure are strategic issues that management must address. So, in addition to ESG, we now have a key agenda called GSE - Geopolitics, Security, and Energy.
Before Russian forces moved across the Ukrainian border on 24 February 2022, a satellite system was attacked by Russian hackers to prevent the Ukrainian military and authorities from operating. But as this very same satellite system was also used by, for example, the French emergency services and energy infrastructure in Germany and Central Europe, the attack, which had a purely military objective, had major consequences on the civilian side.
"A key lesson is that as a business, you need to have a backup system if your primary supply sources or digital infrastructure go down. You also need to know your suppliers well, and you need to know who the supplier's customers are. You may not be of much interest to hackers yourself, but if your subcontractor's other customers are, you risk being taken on a nasty ride downhill," says Thomas Lund-Sørensen.
Securing key services and digital infrastructure in Europe
Some believe that what we are seeing now in Europe with Russia and Ukraine is only a prelude to what could happen if the Chinese choose to try to take over Taiwan by military means, for example cutting the 15 sea cables that supply Taiwan with internet communications. Although the likelihood of this happening is not very high, the consequences would be extremely serious, which is why the Taiwanese businesses and government want to set up a national satellite communications system.
Looking at the number of internet cables hitting Europe, it is hard to imagine that internet connectivity in Europe could be completely paralyzed. Nevertheless, the European Commission has recently decided and received backing to set up a similar system in Europe to secure satellite communications for key services in the event of an attack on Europe's digital infrastructure.
Doubling of cyber-attacks against utilities in particular
"The cyber-attacks we see at the moment are very broad and typically criminal in nature, i.e. aimed at blackmailing companies by blocking their data. But in fact, this year we have seen a doubling of attacks against energy infrastructure, particularly utilities, and for reasons that I can't immediately explain, but which I am certainly pondering. And it is particularly in Germany that these attacks hit," says Thomas Lund-Sørensen.
"If the Russians want to really bother us in Europe this winter, then the way to do it is to go in and disrupt our energy supply. Not necessarily at a catastrophic level, but just enough for energy markets to start responding with higher prices."
"It only takes two or three effective hacker attacks against energy companies to bring down a wind farm at a time when it's really cold in Denmark - and when people are already fed up with high inflation, high prices, and high-interest rates. That might be enough to create the divisions between people and governments that can cause cohesion to crack," says Thomas Lund-Sørensen.
Cracking down on criminal hacking groups
According to Thomas Lund-Sørensen, even an end to the war would not change much. Russia will still act as it has acted for years, trying to put lice in the Western world's skin, whether it's trying to manipulate elections or hitting our critical infrastructure where it hurts most. One can also imagine an escalation of influence operations, influencing attitudes by circulating false or misleading information, typically via social media, which can also affect businesses.
In terms of dealing with criminal hacker groups, there is a new and interesting development underway. The Americans are starting to take tough action. For example, if an American company pays a ransom to a criminal group that is on an American sanctions list, the company is in breach of the sanctions, which has quite serious consequences. This means a very strong reluctance to pay a ransom and, as a consequence, a corresponding increased focus on optimally securing one's IT infrastructure against attack.
Legislation becomes an increasing challenge for companies
Critical infrastructure security also includes the question of whom to have as a supplier of IT products. The cheapest product is not necessarily preferable, even if it meets the requirements, and according to Thomas Lund-Sørensen, it will hardly be Chinese wind turbines that will be placed around the energy island in the North Sea.
"We already have restrictive legislation on critical infrastructure products in the telecommunications sector, which requires the intelligence services to cooperate with the authorities of the country of production. This severely limits who can be considered. And future legislation will be an increasing challenge for companies operating critical infrastructure because that's where the focus will be," says Thomas Lund-Sørensen.
"In the field of cybersecurity, we are facing a tsunami of legislation, and the very basic reason for this is that neither regulators nor legislators have been satisfied with the efforts made so far by companies. Now the move is to set a minimum level of cyber security, which will naturally become a basic challenge for many utilities."
Important to understand the impact of digitalization
Among other things, the largest companies will bring some geopolitical considerations into the boardroom when setting strategies. Security will be an integral part of strategy formulation, and long-term investment projects will require a solid grasp of political signals about future developments. Furthermore, it is important to better understand the impact of digitalization on one's business model.
"Just to mention one example, the Danish train service was at a standstill on a Saturday because a subcontractor to DSB had discovered a security breach. Had the safety consequences of a given scenario been known in advance, it might not have been necessary to pull the plug on train services across the country. One wonders whether the consequences of creating this digital solution had been considered and understood and whether it had been well thought out in terms of contingency and backup. Many companies will have to think about this," says Thomas Lund-Sørensen.
"In Denmark, we pride ourselves on being one of the most digitized countries. That's good, but it also requires an extraordinary focus on security. Because we are so digital, and thus completely tied up with the rest of the world, we are also more vulnerable, and there are limits to how much trust you can have when it comes to something as important as the socially critical infrastructure that utilities operate. And therefore, there is a need for greater awareness of preparedness and security procedures at the strategic level."
The threat to utilities and businesses generally through cyber attacks and digital disturbance have never been greater. And they need not be malicious acts directly targeting a specific company, we have seen that it is now possible to be an innocent bystander caught up in a cyber catastrophe caused by international confrontation. Digital infrastructure has to be resilient and effective like never before and levels of due diligence, to see who you might be aligning yourself with, have to be almost forensic. In recent times the doubling of attacks against energy infrastructure and utilities is an alarming trend and one that demands strategies formed around increasingly effective security, safety and back-ups that will avoid hackers, geopolitical traps and the chaos of being compromised.
In November 2022, a conference on how the energy crisis and utility strategies are now one of the biggest challenges for all companies, was held at the Danish Parliament. To get all valuable insights from this conference, feel free to download the Magazine with everything that you need.
