Europe's Power Grid Is Under Cyber Attack — And Experts Say It's Only a Matter of Time

From Polish solar farms to Dutch password vaults, the cybersecurity vulnerabilities threatening European energy infrastructure are more serious — and more widespread — than most people realise.

Europe's Power Grid Is Under Cyber Attack — And Experts Say It's Only a Matter of Time

The Attack on Poland's Grid That Almost Worked

European energy grid cybersecurity moved from theoretical concern to documented reality when Poland's national grid operator suddenly lost contact with dozens of solar and wind farms. The incident, which occurred late last year, was later confirmed by researchers at Poland's national cybersecurity centre: hackers had deliberately targeted the country's energy infrastructure, with one fossil fuel power plant also falling victim to the campaign. Their goal was clear — cause physical destruction inside the energy system.

They failed. The solar farms remained operational, energy production continued without interruption, and the lights stayed on across Poland. But the near-miss sent shockwaves through the European cybersecurity community. As Chris van 't Hof, a cybersecurity expert at the Dutch Institute for Vulnerability Disclosure (DIVD), put it bluntly: "An attack like this is highly attractive to Russia or other powers that wish us harm."

The DIVD is a volunteer-driven organisation that hunts for security vulnerabilities in connected infrastructure — including solar panel inverters and other energy hardware. Their findings over the years paint a troubling picture of how exposed Europe's energy transition has left the continent's digital attack surface. Five years ago, the organisation discovered a vulnerability that would have allowed a malicious actor to take more than 10 gigawatts of European solar capacity offline in a single coordinated strike — a scenario Van 't Hof calls a "hack-out."

"I find it something of a miracle that this hasn't happened yet. When you see what is technically possible and you look at the current geopolitical climate, for me it is not a question of if, but when."

— Chris van 't Hof, Dutch Institute for Vulnerability Disclosure (DIVD)

How a Russian Password Manager Ended Up Inside a Dutch Solar Giant

The threat is not limited to direct infrastructure attacks. A separate investigation by the journalist collective OCCRP, conducted in collaboration with Investico and NU.nl, revealed that Novar — one of the Netherlands' largest solar park builders — had been using Passwork, a password manager developed by a Russian company, to manage internal credentials. Novar manages approximately 1.3 gigawatts of solar capacity in the Netherlands alone.

The full extent of what credentials were stored in the Russian-operated vault, and what a hostile actor could theoretically have done with them, remains unknown. But the discovery is a textbook example of the kind of supply chain risk that keeps IT security professionals awake at night. According to a report by Solar Power Europe, an attacker who gained control of just 3 gigawatts of solar panel capacity could trigger "significant consequences" for the power grid.

Cybersecurity professional monitoring energy infrastructure threats
Security teams monitoring critical infrastructure face an expanding and increasingly sophisticated threat landscape

Maaike Beenes of the Dutch solar industry association Holland Solar described the Novar case as a cautionary tale about unknown unknowns: "This example shows that something can just pop up that you simply hadn't thought of. Ultimately, it is probably impossible to prevent everything — which means companies need plans not just to defend against attacks, but also for what happens when something does go wrong."

This kind of supply chain exposure is not unique to the energy sector, but the stakes are dramatically higher when the software in question touches infrastructure that millions of people depend on. The ENISA Threat Landscape report has consistently flagged supply chain attacks as one of the most significant vectors targeting European critical infrastructure, noting that attackers increasingly focus on less-secured vendors to reach their ultimate targets.

Why Europe's Energy Transition Is Expanding the Cyber Attack Surface

Europe's rapid buildout of renewable energy is creating a paradox: the same decentralised, software-driven infrastructure that makes the grid more resilient to physical disruption is simultaneously expanding its exposure to digital attacks. Unlike traditional centralised power plants, renewable energy systems — solar farms, wind parks, battery storage units — rely heavily on internet-connected inverters, smart meters, and management software. Each of those connections is a potential entry point.

10 GWEuropean solar capacity vulnerable in a single coordinated attack (DIVD finding)
3 GWThreshold for "significant grid consequences" (Solar Power Europe)
15 GWSolar panels installed on Dutch rooftops
16 hrsTime to restore Spain/Portugal grid after technical fault

Van 't Hof draws a particular distinction between the scale of the hardware problem and the software layer on top of it. In the Netherlands alone, around 15 gigawatts of solar panels sit on residential and commercial rooftops. Add the 1.3 gigawatts managed by a single company like Novar, and the aggregate risk becomes substantial. But it is the "smart software" increasingly embedded in energy management systems that concerns him most. "It is an enormous growth market," he says. "But you see that very many mistakes are being made in software design." Innovative startups entering the energy tech space often prioritise speed to market over security-by-design — a pattern well-documented across sectors but particularly dangerous in critical infrastructure contexts.

Attack Vector Example Potential Impact Sector Covered by NIS2?
Solar inverter firmware vulnerability DIVD 10 GW discovery Large-scale blackout Partial
Compromised password manager Novar / Passwork Credential theft, operational access Yes (operator level)
Grid management software attack Polish grid incident Loss of grid visibility, potential destruction Yes
Residential inverter compromise Home solar systems Aggregated grid destabilisation No (currently excluded)
Energy management platform breach Third-party SaaS tools Remote control of generation assets Partial

NIS2, the Cyber Resilience Act, and the Gaps That Still Remain

European policymakers are not standing still. The EU's updated Network and Information Security Directive — known as NIS2 — significantly expands the scope of cybersecurity obligations for operators of critical infrastructure, including energy companies. Meanwhile, the Cyber Resilience Act, which is currently being rolled out, will for the first time impose mandatory cybersecurity requirements on hardware and software products sold in the EU — covering everything from industrial control systems to consumer IoT devices.

Beenes of Holland Solar welcomes both pieces of legislation but points to a critical gap: not all manufacturers of solar inverters for residential use currently fall under NIS2's obligations. "We therefore advocate for that coverage to be extended further," she says. The Cyber Resilience Act's linkage to CE certification — the product marking required to sell goods across the EU single market — is seen as a potentially powerful lever, because it would make security a prerequisite for market access rather than an optional extra.

Solar panels and wind turbines representing renewable energy infrastructure
Europe's renewable energy buildout has dramatically expanded the digital attack surface of the continent's power grid

The European Commission's own posture has hardened noticeably. EU foreign policy chief Kaja Kallas recently condemned what she described as cyber activities conducted by the Russian intelligence service FSB, directly attributing responsibility for the attack on the Polish energy sector to Russian state actors. This public attribution is significant: it signals a shift towards treating energy infrastructure cyberattacks as acts of hybrid warfare deserving a geopolitical response, not merely a technical incident to be managed quietly.

The framing matters for IT and security professionals working in the energy sector. According to Wired's coverage of Russian cyberwar tactics, attacks on power infrastructure have long been a preferred tool of Russian hybrid warfare — Ukraine has experienced repeated grid attacks since well before the full-scale invasion. The Polish incident suggests that these tactics are now being deployed more broadly across European NATO members.

Van 't Hof frames the appeal of grid attacks in terms that any security architect will immediately recognise: low cost of entry, high impact, deniability, and remote execution. "You can do it from a distance and cause a great deal of damage in a short time, without having to be physically present," he says. "This is far more effective than an aircraft or a bomb."

What Does "Resilient" Energy Infrastructure Actually Look Like?

For IT decision makers and infrastructure professionals, the lesson from both the Polish attack and the Novar disclosure is that European energy grid cybersecurity cannot be treated as someone else's problem. The interconnected nature of modern energy systems means that a vulnerability in a residential inverter manufacturer's cloud platform, a compromised vendor credential, or a poorly secured SCADA system can cascade into consequences felt across borders.

The Spain and Portugal outage — caused by technical faults rather than a cyberattack — provides a useful reference point for understanding recovery timelines. It took sixteen hours to fully restore power after the incident. Van 't Hof is explicit that a targeted cyberattack, especially one designed to damage physical equipment rather than merely disrupt software, could take significantly longer to recover from. The ENISA guidelines on energy sector cybersecurity emphasise that recovery planning must account for scenarios where the attack has caused physical damage to hardware, not just encrypted data or disrupted communications.

Originally reported by NU.nl Tech. Summarised and curated by European Purpose.