Recovering a grid under attack
A tabletop exercise: a cyberattack against an energy grid, and the job of bringing combined heat and power (CHP), renewables, and public services back online under pressure.
The response order is deliberate — containment and evidence come first, restoration second. You snapshot the system before you touch it, both to stop the spread and to preserve what later forensics will need.
Two points dominated the group discussion: heating is the first priority in a grid-down scenario, and keeping the local population informed is part of the response, not an afterthought.
Attribution without verification, escalation without scale
The central difficulty in responding to state-level cyber incidents is maintaining coherence across the actors and layers involved.
The 2014 Sony Pictures hack served as the reference case for data exfiltration and contested attribution — the temptation to name an attacker before the evidence holds. The deeper trap is that escalation doesn't scale cleanly: the political response rarely maps onto the technical reality, with Ukraine cited as a live example.
Political coordination, in other words, is the work. The layers above carry authority but abstraction; capability is concrete at the national level — and the three have to move together.
Faster decisions, more ambiguity
AI compresses detection and decision time — and the time available to escalate. That cuts both ways: less deliberation, but also more ambiguity. Faster is not always better.
The quantum transition adds a second front, split along geopolitical lines:
- Governance lag risk — regulation trailing far behind capability.
- Communications development led by China; compute led by the US.
- Europe is developing quantum computing, but scaling remains the hard part.
- Harvest now, decrypt later — data stolen today can be unlocked once the capability matures.
Escalation itself becomes the mechanism that produces a resolution. The EU holds high-level capabilities here — but the framing that stuck was simpler: cybersecurity is a political competition as much as a technical one.
When the grid fails, everything else follows
The European electricity system runs in tiers — and a failure propagates through all of them.
The proposed fixes are organisational as much as technical: pre-authorised coordination (agree the response before the crisis), AI decision thresholds, the European Network for Cyber Security (ENCS), and standardisation such as ISO 27001.
What makes the stakes vivid is the cascade — how quickly a blackout compounds into a societal one:
Where availability beats everything
Operational technology runs physical processes and stays in service for the long term. Its security goal is simply to keep the system running — and that changes the threat model.
As OT connects to IT, the risk surface grows: malware can cascade across multiple countries, and phishing remains a primary way in.
- Threats — organisational challenges, insider threat, and the physical security of the infrastructure itself.
- Measures — ISO 27001 (optional), NIS2 (required), and technical controls such as intrusion detection.
- IoT risk — a backup threshold (~36 W) is mandated; high-power IoT is dangerous precisely because it far exceeds it.
- Sovereignty gap — central servers located outside the EU are a structural vulnerability.
Auditable, EU-resident, secured by design
The regulatory direction was concrete: ISP monitoring with data held on EU servers, EU-auditable data for IoT, and security built into devices by default. The honest footnote — those costs ultimately land on the customer.
The through-line
Five things worth keeping
- Coordination beats capability
- The hardest problem isn't technical — it's keeping NATO, EU and national responses coherent and agreed in advance.
- Resilience is about cascades
- A grid failure isn't one event but a timed chain. Heating and public communication come first.
- Speed cuts both ways
- AI and quantum compress decision time while amplifying ambiguity and escalation risk.
- Sovereignty is structural
- EU-resident servers, auditable data and standardised security (NIS2, ISO 27001) recur as requirements, not extras.
- Cybersecurity is political
- Throughout, the technical questions kept resolving into questions of governance, competition and who decides.