Source - RISE Cyberhot mot Elsystemet (2023)
RISE Rapport 2023:mars — Förslag på åtgärder för att möta cyberhot mot elsystemet (executive summary for leaders and decision-makers). Published March 2023 by Centrum för Cybersäkerhet, RISE Research Institutes of Sweden. Contact: Kim Elman (kim.elman@ri.se). ~10 pages. Subtitle: “The report highlights the cybersecurity of connected energy products.”
Summary
The report examines the cybersecurity of connected energy products — primarily heat pumps, but also solar PV, EVs, and BESS — and their potential to cause system-level disturbances in the Swedish electricity grid if compromised in a coordinated attack. The central finding is that the number of connectable heat pumps in Sweden is now approaching a critical mass where a synchronized attack could produce measurable grid frequency disturbances.
Key facts (2023 figures)
- Heat pumps: ~1.5 million heat pumps in Sweden; installed compressor capacity in the order of several GW, which at cold temperatures is equivalent to the output of several nuclear reactors. Per capita, Sweden is the second most heat-pump-dense country in the world, after Norway
- Connectable liquid-based heat pumps: RISE estimates ~300,000 that can be connected to the internet; virtually all new heat pumps are internet-connectable at delivery
- Solar PV: 92,359 installations in 2021; 1.1 TWh; 1.6 GW installed capacity. Energimyndigheten projects 9–11 TWh by 2050
- EVs: 438,000 plug-in vehicles in January 2023 (199,000 pure BEV). Forecast: 2.5 million plug-in by 2030 (⅔ BEV), consuming ~10 TWh/year
The grid stability risk
Using simulations in the Nordic32 (N32) test system (the standard Nordic transmission grid test model used by power system researchers), RISE found that a sufficiently large coordinated attack on heat pumps could push grid frequency outside the normal range and create significant disturbances across large areas of the electricity system.
The attack model: an adversary silently recruits a large number of devices (via software vulnerabilities, compromised cloud services, or user credential theft) to form a botnet, then activates them all simultaneously to cause a synchronized step change in consumption. The response of HVDC links and load shedding provides system defense — but only after the disturbance has propagated.
The scenario is generic: the same logic applies to any large population of connected loads (EV chargers, BESS inverters, solar PV inverters, industrial demand response assets).
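A fleet operator's view of the attack model above, as an added example that is not from the RISE report: a sliding-window check over a vendor cloud's command log that flags a synchronized net load step. The log format, device ids and thresholds (10 s, 300 kW, 50 devices) are assumptions, and the sample log is constructed.

```python
from collections import deque

def make_sample_log():
    """Constructed command log: (unix_seconds, device_id, commanded change in kW)."""
    log = []
    # Background: one thermostat-driven change per minute, alternating sign.
    for i in range(60):
        log.append((i * 60, f"hp-{i:04d}", 2.0 if i % 2 else -2.0))
    # Burst: 500 devices commanded +3 kW within 5 seconds, starting at t=1830.
    for i in range(500):
        log.append((1830 + i % 5, f"hp-{1000 + i}", 3.0))
    return sorted(log)

def detect_synchronized_steps(events, window_s=10, max_net_kw=300.0, min_devices=50):
    """Return incidents where many devices shift load the same way at once.

    events must be sorted by time. The net (signed) change is used because
    opposite changes cancel at grid level; only the imbalance matters.
    Thresholds are illustrative assumptions, not values from the report.
    """
    window, net_kw, incidents, current = deque(), 0.0, [], None
    for ts, dev, delta in events:
        window.append((ts, dev, delta))
        net_kw += delta
        while window[0][0] < ts - window_s:      # expire events older than the window
            net_kw -= window.popleft()[2]
        devices = {d for _, d, _ in window}
        if abs(net_kw) >= max_net_kw and len(devices) >= min_devices:
            if current is None:                   # open a new incident
                current = {"start": window[0][0], "end": ts,
                           "devices": set(), "peak_net_kw": 0.0}
                incidents.append(current)
            current["end"] = ts
            current["devices"] |= devices
            if abs(net_kw) > abs(current["peak_net_kw"]):
                current["peak_net_kw"] = net_kw
        else:
            current = None                        # activity back below thresholds
    return [{**inc, "devices": len(inc["devices"])} for inc in incidents]

if __name__ == "__main__":
    for incident in detect_synchronized_steps(make_sample_log()):
        print(incident)
```

Scattered background changes never trip the check because they do not accumulate inside one window, while the constructed burst is reported as a single incident rather than one alert per command.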
Attack vectors for connected energy products
Via the product itself: old or poorly manufactured hardware leaves unused services exposed with weak or hard-coded passwords, or via unencrypted channels. Security patches are often not applied reliably over the product lifecycle.
Via cloud services: management platforms may have insufficient customer isolation, poor access management, or be exposed via supply chain attacks or insider threats.
Via users: password reuse, weak passwords, failure to install updates. Products have long lifespans (heat pumps: 15–20 years) and are large investments — owners do not replace them while they function.
Consequences of a successful attack
- Grid frequency deviation in a large area of the Nordic synchronous area
- Individual households: large unexpected electricity consumption (financial harm); frozen pipes in winter if heating is disrupted
- Undermined investor confidence in Sweden if the electricity system is perceived as unstable
- Potential for intelligence theft, ransomware, sabotage, or as a stepping stone to other attacks
Reference incidents: Ukraine electricity system cyberattack (2015); New Orleans ransomware (2019).
Recommended actions
Authorities and decision-makers
- Serve as a trusted, neutral information source on cyber risks in the energy sector
- Require cybersecurity considerations in all flexibility system development
- Include cybersecurity requirements in standardization work
- Promote education and certification of manufacturers
Energy companies
- Conduct risk analyses on networks and information systems
- Educate own staff, contractors, and prosumer customers
- Help customers update equipment and use strong passwords
- Partition systems to limit blast radius of a breach
Suppliers (manufacturers/vendors)
- Deliver products with unique, sufficiently complex default credentials and secure onboarding
- Maintain security patches beyond warranty period
- Minimize attack surface: disable unused communication protocols in default configuration
Installers
- Ensure equipment is installed behind a firewall
- Ensure only necessary communication interfaces and protocols are enabled
- Maintain proper credential hygiene; purge customer data after installation
End users
- Choose suppliers with good security reputation
- Install security updates promptly
- Use long (≥14 character), complex passwords; do not reuse passwords
- Stay alert to anomalous device behavior
Regulatory context
The EU Cyber Resilience Act is mentioned as an active initiative to improve security requirements for connected IoT products. ENISA (2021) has noted increasing cyberattacks on critical infrastructure including healthcare, transport, and energy.
Connection to islanding risk
The synchronized consumption step-change scenario is effectively the demand-side analogue of unintentional islanding: both represent a sudden unexpected imbalance large enough to overwhelm available frequency reserves. A large botnet attack causing a step-up in consumption could, in extreme scenarios, trigger automatic load shedding cascades or destabilize weaker regional grid sections — including areas running as intentional or unintentional islands.
Relevance to other wiki pages
- Island Operation — cybersecurity as a threat vector for grid stability; large-scale DER compromise as a trigger for unintentional frequency events
- Demand Response — flexibility assets as potential attack surface; V2G and smart charging cybersecurity requirements
- Energy Storage — BESS and inverter cybersecurity; grid-forming inverters as targets
- Electric Power Distribution — DSO responsibility for cybersecurity in distribution-level DER connections
- Source - Energimyndigheten Cybersäkerhet Energisektorn (web, 2026) — official NIS2 regulatory framework for the energy sector; Energimyndigheten as supervisor, MCF for incident reporting, CERT-SE for response support; provides the regulatory response layer that RISE’s threat analysis calls for
Data gaps
- Has RISE published a follow-up report quantifying the risk for EV chargers or BESS specifically (not just heat pumps)?
- Whether heat pump and EV charger manufacturers fall within NIS2’s 50-employee / EUR 10M annual turnover thresholds — Energimyndigheten supervises NIS2 compliance for energy operators (DSOs, TSOs, suppliers, aggregators); whether appliance manufacturers are in scope as essential/important entities is unclear. Incidents are reported to MCF (Myndigheten för civilt försvar, mcf.se — successor to MSB); CERT-SE provides incident response support. (Source - Energimyndigheten Cybersäkerhet Energisektorn (web, 2026))