Risky Bulletin – Srsly Risky Biz: Like Huawei, but for electricity
Podcast: Risky Bulletin
Host: Risky.biz team (Guest host: Patrick, with Tom Uren)
Date: December 17, 2025
Episode Overview
This episode explores three major cybersecurity stories from the Seriously Risky Business newsletter, with a primary focus on the West’s growing dependence on Chinese-made components in the renewable energy sector. The hosts discuss the systemic risks of reliance on Chinese solar inverters and grid batteries, compare it to past concerns over Huawei in 5G networks, and consider the current geopolitical tensions. Additionally, the episode reviews the wiper/ransomware attack on Venezuela’s state oil company (PDVSA) and examines Russian state-backed “hacktivism.” Throughout, the hosts maintain a dry, analytical tone, with occasional humor and candid political commentary.
1. Main Segment: "Like Huawei, But for Electricity" (00:00–11:01)
Key Discussion Points
- Comparison to the Huawei Debate
  - The episode's main topic draws a direct line from previous worries about Huawei (Chinese telecoms giant) in Western networks to current anxieties about Chinese dominance in renewable energy infrastructure.
  - Tom Uren notes that, compared to back then, the situation is now potentially “a whole lot worse,” especially given the combination of Chinese market dominance and documented intent to pre-position in Western critical infrastructure (02:26).
- China's Market Dominance in Grid Equipment
  - China is deeply invested in electrification and renewables, making it the dominant supplier of batteries, inverters, and other grid components for many Western countries.
  - This dependency creates strategic vulnerability, with limited alternative suppliers for these critical devices.
  - Tom explains:
    “China is the dominant player. And so it seems like we're in much worse of a pickle than we were back in the day.” (03:35)
- Documented Security Threats
  - The existence of the “Volt Typhoon” group, a Chinese cyber entity reportedly pre-positioning in critical infrastructure for sabotage, underscores active intent, not just idle potential.
  - Research has identified hundreds of Chinese military-affiliated publications on scenarios for attacking the American grid.
- Demonstrated Leverage: The Remote "Kill Switch" Example
  - There’s a real-world example of a Chinese manufacturer disabling inverters remotely over a commercial dispute (04:36).
    "They just flip the switch on all of these devices... it is the sort of thing to make a Western think tanker go, 'Hmm.'" (04:36, Patrick)
  - Highlights a “brutal mindset” and a key difference in business culture compared to Western manufacturers.
- Sub-Threshold Security and Volume Risk
  - Many of these components fall below regulatory cybersecurity thresholds, allowing widespread deployment without strict scrutiny.
  - Tom comments:
    “Any one system is not that important. When you've got tonnes and tons of them, it becomes quite significant.” (06:06)
- Tone of the Debate: Hysteria vs. Reality
  - Both hosts acknowledge how legitimate concerns can get muddled with political agendas and anti-China (or anti-renewable) rhetoric.
  - Patrick reflects:
    “When you are using this as a way to just smear renewables, it's like no one engages with it...” (08:42)
  - Tom tries to strike a balance:
    “Looking at the security aspects in isolation is like not the right answer. Like we need to have a. Yeah, there’s a risk here, but we also need to manage that given the other benefits that we get out of these technologies.” (10:12)
Notable Quotes & Moments
- On security research:
  “There were 225 papers written by PLA-affiliated organizations that were basically like dreaming up scenarios for how to attack the grid in America.” (Patrick, 06:35)
- On mitigation and hope:
  - Hosts reference Dragos report suggestions that although the problem is hard, electrical grid gear might be more defensible than 5G core networks due to the more limited scope of device communication.
    “The electricity equipment is like, what it's trying to do is more defined. So at least in theory there's some hope there that you can do a more convincing job locking it down.” (Tom, 08:19)
2. Venezuela’s Oil Company Hit by Wiper/Ransomware (11:01–15:40)
Key Discussion Points
- Attack Overview
  - Venezuela’s state-run oil company, PDVSA, suffers a devastating wiper/ransomware attack, which the government swiftly blames on American (U.S.) actors.
- Plausibility of U.S. Involvement
  - The hosts initially express skepticism towards Venezuela’s claims, but both agree that, given recent U.S. actions and a shift in policy under the Trump administration, such an operation is plausible or even probable.
  - Tom explains:
    “You would hear the Venezuelans say this and you'd say, sure, buddy… In this case… it very well could have been the Americans who were behind this.” (12:09)
- Historical Context & Strategic Shifts
  - Past cyber operations targeting Venezuela (e.g., interfering with military and logistic systems) were previously restrained by “wiser heads” in U.S. government.
  - Today, such restraints may no longer exist, making destructive operations more likely and unopposed.
    “All the senior personnel are now on board with these kinds of operations. So… I'd be surprised if it wasn't a U.S. operation.” (Tom, 14:01)
- Imbalance of Power
  - Venezuela, lacking comparable cyber capabilities, likely has no means of retaliation and risks severe escalation if it tries.
    “If you’re Venezuela and the Americans are doing this to you, there is absolutely nothing you can do about it.” (Patrick, 14:39)
- Wider Context
  - The attack is seen as a modern echo of the “wiper wars” between Iran and Saudi Arabia a decade prior (Shamoon attacks), only now potentially involving the U.S. as the active aggressor.
3. Russian State-Backed “Hacktivism”: Dumb Until It Isn’t (15:40–18:58)
Key Discussion Points
- Overview of U.S. Indictments
  - Coverage of recent U.S. indictments exposing Russian government-funded “hacktivist” groups that haphazardly targeted control systems, mostly unsuccessfully.
  - These efforts seem amateurish and ineffective, but the hosts caution against underestimating them.
- Motivation & Risk Calculation
  - Tom postulates the war in Ukraine likely prompted Russian intelligence to “do something,” leading to funds being rapidly funneled into any plausible disruptive efforts, regardless of quality.
    “We've got a person, we can shovel some money to them, get them to do some things and maybe that'll pay off. But it doesn't cost us all that much...” (Tom, 17:10)
- Potential for Escalation
  - The low sophistication of such operations means their risk of blowback is high, and the benefit is limited, but they represent a shift in tactics under wartime pressure.
- Insight on Bureaucratic Drivers
  - Patrick notes that much of this activity, across nations, is driven by a bureaucratic need to demonstrate “action” to superiors, regardless of efficacy:
    “Just how much of this activity is dictated by people's need to impress their bosses by putting stuff in a PowerPoint presentation and saying, look, we did a thing.” (18:03)
Timestamps for Key Segments
- Chinese dominance in renewable grid equipment & security risks: 02:26–11:01
- Wiper/ransomware attack on Venezuela’s oil company: 11:01–15:40
- Russian state-backed hacktivism & US indictments: 15:40–18:58
Notable Quotes
- “It kind of displays a different mindset, a very like quite brutal mindset, frankly, of… now they're beating us at capitalism, which is… quite the achievement.” (Patrick, 05:19)
- “Any one system is not that important. When you've got tonnes and tons of them, it becomes quite significant.” (Tom, 06:06)
- “Looking at the security aspects in isolation is like not the right answer. Like we need to have a. Yeah, there’s a risk here, but we also need to manage that given the other benefits that we get out of these technologies.” (Tom, 10:12)
- “If you’re Venezuela and the Americans are doing this to you, there is absolutely nothing you can do about it.” (Patrick, 14:39)
- “Giving money to a group of people is… the thing we’ve got most of [in Russia]… But it's the time and effort and, and so like that kind of makes sense. I think if it weren't for the war, they wouldn’t be doing this.” (Tom, 17:10)
Conclusion
This episode paints a nuanced portrait of global cybersecurity risks driven by geopolitics, technical interdependence, and increasingly blurred lines between commercial and national security interests. If the “Huawei in 5G” episode was a warning, reliance on Chinese renewables tech is now a lived reality, tangled with economic and climate policy as well as cybersecurity. The Venezuela and Russia segments underscore that offensive cyber operations—state-backed or pseudo-state—are becoming a normalized tool in global conflict, with unpredictable consequences. The discussion is critical, laced with humor, and unflinching in its analysis.
