Energy Sector Cybersecurity: Recent European Cyberattacks Highlight the Risk

Energy sector cybersecurity has long been a point of strategic leverage in Europe. In recent years, that leverage has extended beyond physical infrastructure into the digital systems that support generation, distribution, and coordination across the grid.

Recent cyber incidents have brought this into sharper focus. While each attack appears isolated, they collectively point to a more structural issue in how Europe’s energy system is designed and where its dependencies lie.

Energy sector cybersecurity — generation, transmission, distribution, market operations, and service-provider layers linked by a single exploitable access path

The Energy System Is a Cyber Target by Design

At a high level, an energy system is composed of multiple layers — generation, transmission, distribution, market operations, and the service providers that support them. From a cybersecurity standpoint, what matters is that these layers are operationally connected but managed separately, often by different organisations with different levels of cybersecurity maturity.

That creates a landscape where access in one part of the system can have consequences elsewhere.

For an attacker, this is valuable. It means there is no single point of failure to defend, but there are multiple points of entry that can be used to move laterally, disrupt coordination, or degrade visibility across the system.

It also means that many organisations within the energy ecosystem are not traditional security leaders. Contractors, IT providers, and regional operators often sit in positions where they: maintain access into core systems, support critical processes, and operate with less scrutiny than primary operators.

That combination of access, trust, and lower defensive focus makes them attractive targets.

There is also a second dimension. Energy systems rely heavily on coordination: balancing supply and demand, scheduling generation, managing cross-border flows. These processes depend on timely, accurate data and trusted communication between entities.

That introduces a different kind of risk. Disruption does not always require taking systems offline. It can come from manipulating data inputs, delaying or degrading communication, or interfering with the systems that coordinate activity.

In that sense, the energy system is, from threat actors’ perspectives, a network of relationships to exploit.

Geopolitics and the Strategic Value of Energy Systems

Cyber operations now sit alongside physical and economic pressure as a means of influencing energy supply. They offer a way to probe, disrupt, or shape outcomes without crossing the thresholds associated with conventional conflict.

From a state perspective, energy systems present a particularly attractive target for three reasons.

First, they sit at the intersection of economic stability and public confidence. Disruption to energy supply (or even uncertainty around it) has immediate downstream effects on industry, pricing, and everyday life. That creates a form of leverage that extends well beyond the operator itself.

Second, European energy systems are interconnected, but not uniformly or without friction. National operators ultimately prioritise domestic stability, particularly under stress, and mechanisms exist to restrict exports or rebalance supply internally.

However, that doesn’t remove interdependence. Power flows, cross-border trading, and shared infrastructure mean that disruptions in one part of the system can still have knock-on effects elsewhere, even if those effects are partially contained. Cyber disruption at a specific point, whether technical, operational, or market-based, can introduce instability, price volatility, or coordination challenges that extend beyond the initial target.

Different state actors are drawn to this space for different reasons.

Russian-linked operations have historically focused on energy systems as a direct lever of influence. The objective is not always sustained disruption, but the ability to create pressure, whether through uncertainty, short-term outages, or demonstrating access at critical moments. In the context of ongoing tensions in Eastern Europe, energy remains one of the most immediate ways to translate cyber capability into political and economic impact.

Chinese-linked actors tend to approach the same systems differently. Rather than prioritising disruption, there is usually greater emphasis on long-term access and visibility; understanding how infrastructure is managed, where dependencies sit, and how systems coordinate across organisations and borders. This type of access has value beyond any single event.

Recent European energy cyberattacks — Poland grid, Oltenia ransomware, ENGIE extortion, UK payment fraud

Recent Attacks Show the Threat Is Broadening

Recent incidents suggest that cyberattacks against Europe’s energy sector are becoming more diverse in both their objectives and their targets. Some are overtly geopolitical. Others are financially motivated. Others still sit somewhere in between.

The cyberattack on Poland’s energy infrastructure on 29 December 2025 remains one of the clearest examples. According to CERT Polska’s incident report, the operation targeted more than 30 wind and photovoltaic farms plus a large combined heat-and-power plant, damaging or disrupting the remote terminal units, protection relays, and communications equipment that connect these sites to the wider grid. The immediate effect was a loss of remote visibility and control at the affected sites rather than a confirmed interruption to electricity distribution — a distinction worth preserving, since the operational impact was serious but narrower than a distribution outage.

Rather than focusing on central transmission infrastructure, the attackers targeted the edge of the grid: the remote systems responsible for monitoring and controlling geographically dispersed renewable generation assets. That marks a shift from the pattern seen in earlier, historically documented attacks on Ukraine’s transmission substations, where a threat cluster tracked by vendors as ELECTRUM used custom tooling against centralised utility operations. Dragos’s analysis of the Poland incident assesses ELECTRUM as a likely actor with moderate confidence; Polish authorities and other researchers have pointed more broadly to Russian-linked tooling and infrastructure. Attribution here is not settled across all public reporting, and that nuance matters more than assigning a single name.

Financially motivated groups are also recognising the leverage the energy sector provides. The ransomware attack against Romania’s Oltenia Energy Complex, just days after the Poland incident, highlighted a different but equally important lesson.

Oltenia is Romania’s largest coal-fired electricity producer, supplying a significant share of the country’s electricity. On 26 December 2025, the Gentlemen ransomware group encrypted documents and disrupted critical business systems, including ERP platforms, document management applications, email services, and the company’s website.

Attacks like the Oltenia one show how modern energy companies have become dependent on their business systems. ERP platforms coordinate maintenance, procurement, inventory, workforce scheduling and countless operational processes that keep generation facilities functioning over time. Even where turbines continue to generate electricity, losing the administrative systems that support those operations can significantly degrade an operator’s ability to plan, coordinate and recover.

On 20 April 2026, the ransomware group CoinbaseCartel — a group that relies on data theft and extortion rather than encryption — added French energy giant ENGIE to its leak site, threatening to publish stolen data unless negotiations began. Whether the objective is extortion or disruption, the calculation is obvious: organisations responsible for critical services often face far greater operational and reputational pressure to recover quickly than businesses in less time-sensitive industries.

Lastly, in April 2026, UK-listed energy company Zephyr Energy lost approximately £700,000 after attackers compromised a US-based subsidiary and redirected a contractor payment to an account under their control — a reminder that payment and business-process manipulation can be just as damaging as a direct intrusion into operational technology.

Energy cybersecurity policy — Eurelectric and government scrutiny of critical infrastructure resilience

Energy Cybersecurity Is Moving Up the Agenda

Increasingly, policymakers and industry leaders are asking how Europe’s energy system can remain resilient against cyber threats that target interconnected infrastructure, remote management technologies, and strategic dependencies.

That shift is reflected in recent warnings from both industry and government.

Speaking at the Munich Security Conference in February 2026, industry association Eurelectric warned that “EU energy infrastructure is as vulnerable as European defence,” calling for cyber resilience to become a core element of energy strategy rather than an operational afterthought. Eurelectric President Markus Rauramo argued that preparing for, responding to, and recovering from both physical and hybrid attacks must be a key element of power companies’ strategies going forward, pointing to Russia’s sustained campaign against Ukraine’s electricity infrastructure as a preview of what European utilities need to be ready for.

Governments are also beginning to reassess the technology underpinning Europe’s energy transition. In Germany, reports emerged in late June 2026 that officials are considering new cybersecurity measures targeting Chinese-manufactured solar inverters over concerns that internet-connected devices embedded throughout the electricity network could create systemic risk if compromised. The debate is significant because modern inverters increasingly act as intelligent control devices rather than simple power conversion hardware, placing cybersecurity alongside cost and efficiency as a factor in procurement decisions.

At a practical level, this means organisations need to move beyond asset-level protection and focus on: understanding how access is granted and used across IT and OT environments, identifying which systems and relationships would have the greatest operational impact if disrupted, ensuring visibility into activity across both corporate and operational networks, and testing how well existing controls hold up under realistic attack scenarios.

DIESEC energy sector cybersecurity services — GRC, SOC-as-a-Service, and resilience testing

Protecting the European Energy Ecosystem

Just as importantly, it requires recognising that cybersecurity is not confined to core operators. Contractors, service providers, and technology vendors all form part of the same risk landscape.

This is where many organisations struggle. The complexity of modern energy systems makes it difficult to map dependencies, enforce consistent controls, and maintain visibility across environments.

DIESEC supports organisations across this challenge.

From governance, risk, and compliance (GRC) services that help define clear security structures and responsibilities, to SOC-as-a-Service (SOCaaS) that provides continuous monitoring and detection, to targeted simulations and assessments that test real-world resilience, DIESEC helps organisations understand where their exposure lies — and how to address it effectively.
Contact us today.