Receive free Energy sector updates
We’ll send you a myFT Daily Digest email rounding up the latest Energy sector news every morning.
Germany is failing to protect critical infrastructure from cyber attacks, the head of one of the country’s biggest power companies has said, urging authorities across Europe to do more to safeguard crucial assets.
Leonhard Birnbaum, chief executive of Eon, which operates Germany’s largest gas and electricity distribution network, told the Financial Times that he believed he would be “on my own” in the event of a serious hack.
Birnbaum said his company, which also operates power grids in eight other European countries including Sweden, Hungary and the Czech Republic, was “constantly” subjected to systematic cyber attacks, including some by suspected state-backed actors.
Yet he said he had little confidence he would receive support from the German state if Eon suffered a serious successful attack, despite the country’s promise of a “sea change” in its approach to defence and security in the wake of Russia’s invasion of Ukraine.
“In Germany, I clearly feel that if I really [am] subject to a successful attack, I’m on my own,” said Birnbaum.
He said that when he asked executives at other companies that had come under attack about the support they received, “the answer was nil.” He added: “That cannot be the right approach.”
Germany has promised to increase investment in fighting cyber attacks and protecting critical infrastructure and in June, the government published its first ever national security strategy — part of an attempt to confront the consequences of the Russian invasion, which caught many in Berlin by surprise.
Birnbaum, who is also president of the EU industry body Eurelectric, criticised the fragmentation of cyber attack response units in Germany — where there is a separate team for each of the 16 federal states as well as one at national level — but also across the EU.
He said that all of the cyber threat experts should be brought together in a single team under a pan-European agency.
“We need a European response because we are going to be attacked across Europe all together. And we need the best talents. The attackers are actually crossing country boundaries . . . Why should we stop at a country boundary?”
Experts have long warned that critical European infrastructure such as power and gas networks is vulnerable to attacks by foreign actors — a concern that has deepened since the invasion of Ukraine.
In late 2015, parts of western Ukraine suffered power outages after the first known successful cyber attack on an electricity grid. Kyiv was hit by another attack the following year.
The EU has an agency for cyber security, known as Enisa, but Matthias Schulze, a cyber security researcher at the German Institute for International and Security Affairs, said it was “mostly an information sharing platform for sharing information on best practices and guidelines for enhancing cyber security”.
Enisa said that national governments were responsible for responding to cyber security incidents and problems with critical infrastructure.
The European Commission said that it took cyber attacks seriously, adding: “The EU has mechanisms in place for cyber crisis co-ordination at all levels: technical, operational and political, in the event of a large scale cyber attack.”
Schulze said Birnbaum was far from the only industry executive who was “frustrated” about the fragmentation of the response network. He argued that Germany had made some progress thanks to the establishment of a national cyber defence centre by the interior ministry but said it was still not always clear “who would be in charge” during a cyber attack.
Germany’s interior ministry said in a statement that its office for information security could advise and support operators of critical infrastructure in the event of serious cyber incidents.
It added that it was working to improve the country’s resilience to cyber threats, pointing to a proposed legal change that would make it easier to counteract “serious, cross-border cyber attacks” as well as plans to expand and centralise teams working on cyber crime.