Prof. Dr Sebastian Lehnhoff is Professor of Energy Informatics at the Department of Computing Science. His research focuses on intelligent energy systems, also known as smart grids. He is Chairman of the Executive Board of the OFFIS Institute for Information Technology, which is affiliated with the University of Oldenburg, and also a member of the Berlin-Brandenburg Academy of Sciences and Humanities (BBAW) and the National Academy of Science and Engineering (acatech).

Prof. Dr Andreas Peter is Professor of Safety-Security-Interaction at the Department of Computing Science and a visiting professor in IT security at the University of Twente in the Netherlands. He is an expert in cybersecurity with a focus on safety-critical systems and the Internet of Things, and is currently putting together a set of courses on cybersecurity at the University of Oldenburg.


[Image: a dark screen divided into several fields with incomprehensible information.]

Cybercriminals attempt to encrypt or steal data from companies in order to blackmail them afterwards. Photo: Pexels/Tima Miroshnichenko

When the hackers are already in the system

Cyberattacks on critical infrastructure such as power grids are on the rise. Oldenburg experts Andreas Peter and Sebastian Lehnhoff explain how to detect hackers and why total security is an unattainable goal.

The German Federal Office for Information Security (BSI) recently wrote in a report that the threat of cyberattacks is greater than ever, especially in the area of critical infrastructure. What types of attacks are we talking about here?

Peter: Mostly so-called ransomware attacks with which criminals target a company and try to encrypt or steal its data. Then they blackmail the company: if it pays the ransom, it gets access to its data once more. If it doesn't pay up, the criminals publish sensitive data, for example customer data.

Who is behind such attacks?

Peter: The attackers are usually driven by financial motives. You can get your hands on a lot of money with cyberattacks, billions of euros in some cases. For the most part this is organised crime. But to paralyse parts of a country's critical infrastructure is not their real goal. If this does happen, the attackers sometimes even apologise, as was recently the case with the Lockbit group, whose ransomware hit a Canadian children's hospital.

Do such attacks occur in the energy sector too?

Lehnhoff: Yes, in fact attacks like this are happening all the time. One recent victim was Kisters, a global company with offices in Oldenburg and an important manufacturer of energy grid control systems. Kisters was hacked in 2021 and is still reeling from the effects – we know this because Kisters communicated the incident in an exemplary manner, so that others could learn from it. A number of municipal utilities and network operators in Germany have also had to shut down parts of their operations or go into emergency mode in recent months because of ransomware attacks. This is now a regular occurrence.

This makes it perhaps all the more surprising that we non-experts hear very little about such incidents. It would seem that everything goes back to normal relatively quickly.

Lehnhoff: Unfortunately, not all companies are as transparent as Kisters about such incidents. Moreover, it's safe to say that we really do have very robust and resilient electrical energy systems. But regional power outages are indeed occurring more frequently than a few years ago. Generally, however, the systems can be restarted very quickly.

Thanks in part to the expansion of solar energy, the number of electricity generators has risen sharply in recent years. Has this increased the risk of attacks on the energy system?

Lehnhoff: Of course. Every modern inverter in a photovoltaic system has a network connection. And for a long time, no one checked whether there were regular security updates on these or similar systems. In the meantime, manufacturers are obliged to perform these checks, but the old systems are still in use, so there are many end devices that are connected to the internet and vulnerable to attacks. At the same time, they're part of the critical infrastructure of the energy grid. So if, for example, attackers were to gain access to a large number of electric vehicles and charge them all simultaneously, they could cripple the power grid.

Are targeted attacks being carried out on critical infrastructure?

Lehnhoff: Russia demonstrated that such attacks are possible in Ukraine in 2016, when it used elaborately designed Trojan malware to shut down parts of the electrical energy supply system from the outside. The technical prerequisites for such attacks therefore already exist. But it's also clear: if someone comes along with the intention of shutting down our electricity system, of knocking out our critical infrastructure – that's an attack on our society, on us as a Nato partner. That's a big red line to cross.

The BSI updated the IT Security Act in 2021 and stipulated stricter requirements for critical infrastructures. Is this helpful?

Peter: The law contains some really good measures and they must now be consistently implemented. But what will pose a major challenge is detecting whether a system has already been compromised in the past and the hackers have built in well-concealed backdoors for future attacks. Even if security solutions are put in place to prevent attacks, in such cases this may only be of limited use. Especially in the case of state-sponsored cyberattacks endowed with considerable resources, it's highly likely that the backdoors are designed to be barely detectable.

How can critical infrastructures be made secure?

Lehnhoff: This poses a fundamental problem because they have key tasks to fulfil and are very wide-ranging geographically. The energy system, for example, is spread out across the entire continent and fully interconnected and digitalised. Conventional security concepts essentially focus on an organisation segmenting its own IT network and ensuring that it has a secure area that can only be accessed by a very limited group of people. With large international systems such as the power grid, you can basically forget that strategy.

What can be done instead?

Lehnhoff: You need strategies, mechanisms that work to secure a system that can't really be made totally secure. This is something we are currently focusing on here at the university.

Peter: It's a very good strategy to say: Okay, the hacker is already in the system. How can I make the energy network resilient despite this? Then if the worst comes to the worst, I can at least swiftly implement countermeasures.

How do you detect a potential cyberattack?

Lehnhoff: Most companies' systems use standard software that was installed at a time when IT security requirements were much laxer. And presumably cybercriminals exploit precisely these weak points to remain in the system. But IT systems are constantly evolving, among other things through the installation of security updates. A hacker who wants to keep a backdoor open from the outside has to constantly make changes in the system. This opens up opportunities to identify the hacker.

How does that work?

Lehnhoff: You can look for indications that something is wrong in the system – check for anomalies, for example. Plausibility checks are also important here, for example to identify false readings that could be part of a so-called "stealth attack". These are attempts to trigger wrong decisions using plausible scenarios or plausible simulated readings.

And how do you go about this?

Lehnhoff: We collect a large amount of secondary information such as the computing load of small embedded systems or communication between different units. We look at correlations, for example, whether consumption is increasing for all users simultaneously. The fascinating thing about the energy system is that basically everything is correlated. We have developed a very complex model to detect dangerous anomalies based on all this data.

What happens when an anomaly is identified?

Lehnhoff: I may conclude that I can no longer rely on certain values and create substitute values. Or replace hardware and software.
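The checks Lehnhoff describes above, a plausibility check on readings, a correlation check across many meters, and a substitute value once a reading is distrusted, as an added illustration that is not part of the interview and not the Oldenburg group's software. It assumes a constructed feeder with four downstream meters; the loss tolerance, the step thresholds and the sample readings are all assumptions.

```python
"""Plausibility and correlation checks on constructed grid meter readings (kW)."""

LOSS_TOLERANCE = 0.05  # assumed: 5 % of feeder inflow allowed for line losses and meter error


def power_balance_ok(feeder_kw, meters_kw, tol=LOSS_TOLERANCE):
    """Plausibility check: inflow minus the sum of downstream readings must stay within the loss margin."""
    residual = feeder_kw - sum(meters_kw)
    return abs(residual) <= tol * feeder_kw


def synchronous_step(prev_kw, cur_kw, rel_step=0.3, share=0.8):
    """Correlation check: a rise of more than rel_step on at least `share` of all meters in one interval.

    Household loads are correlated, but a uniform simultaneous jump is the kind of
    plausible-looking simulated scenario the text calls a stealth attack.
    """
    rising = [c / p - 1 > rel_step for p, c in zip(prev_kw, cur_kw) if p > 0]
    return bool(rising) and sum(rising) / len(rising) >= share


def suspect_meter(prev_kw, cur_kw):
    """Largest-change heuristic: the meter whose reading moved most since the last interval."""
    return max(range(len(cur_kw)), key=lambda i: abs(cur_kw[i] - prev_kw[i]))


def substitute_value(feeder_kw, meters_kw, idx):
    """Replacement for meter idx: the value that makes the node balance again (never negative)."""
    return max(0.0, feeder_kw - sum(v for i, v in enumerate(meters_kw) if i != idx))


def assess(feeder_kw, prev_kw, cur_kw):
    """Run both checks; if the balance fails, name the distrusted meter and its substitute value."""
    result = {"plausible": power_balance_ok(feeder_kw, cur_kw),
              "synchronous_step": synchronous_step(prev_kw, cur_kw),
              "suspect": None, "substitute_kw": None}
    if not result["plausible"]:
        i = suspect_meter(prev_kw, cur_kw)
        result["suspect"] = i
        result["substitute_kw"] = substitute_value(feeder_kw, cur_kw, i)
    return result


# Constructed sample readings for one feeder with four downstream meters.
PREV = [20.0, 30.0, 25.0, 22.0]
FALSE_READING = [20.0, 30.0, 55.0, 22.0]  # meter 2 reports more than the feeder can supply
UNIFORM_JUMP = [28.0, 41.0, 35.0, 30.0]   # every meter steps up 35-40 % in the same interval

if __name__ == "__main__":
    print(assess(100.0, PREV, FALSE_READING))  # balance fails, meter 2 distrusted, substitute 28 kW
    print(assess(134.0, PREV, UNIFORM_JUMP))   # balances, but the synchronous rise is flagged
```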

So you need software such as an AI tool that constantly monitors everything?

Lehnhoff: Exactly, a lot of this software is AI-based. But these programmes are not just meant to detect vulnerabilities and anomalies, but also to determine whether the anomaly is unusual enough that I need to react to it. Because of course, anomalies are detected all the time, but most of them are irrelevant. You can tackle this to some degree by training the AI accordingly.

Peter: Nevertheless, a company using such a system needs humans to scrutinise the alerts. This is a huge problem: small and medium-sized companies in particular often don't have the appropriate expertise to deal with the many alerts, let alone enough people on site. Unfortunately, not enough experts in cybersecurity are being trained. According to various studies, there is a shortage of around 100,000 specialists in this field in Germany, and worldwide we're talking about more than four million.

Are efforts being made to close this gap?

Peter: We are currently setting up a new set of courses on IT security topics at the university. We want to train computer scientists who have the necessary cybersecurity expertise to make a difference, at least at the regional level. At the same time, our goal is to automate IT security. Together with our working groups, Sebastian Lehnhoff and I are developing AI-based software that can distinguish between false alerts and real attacks. The Department of Computing Science has also secured funding from the Federal Ministry of Education and Research (BMBF) for a junior research group led by Dr Eric Veith, which is specialised in this area. The next step is for such a system to point out measures that can be taken to automatically counter an attack so it doesn't ever reach a critical scale, or even avert it entirely. For this purpose, we use artificial neural networks, which already work relatively well.

Overall, however, it all sounds quite worrying...

Lehnhoff: Well I can tell you that Andreas Peter and I know the facts, but we still sleep easy. Cyberattacks are a real problem and we need to raise awareness of this in society and politics. But at the same time there are many positive developments. And in our daily work, we, too, see that we can contribute to ensuring that the world remains as safe a place as possible.

Interview: Ute Kehse

(Changed: 21 Feb 2024)