US public utilities experienced a 70% increase in cyberattacks this year, according to Check Point as cited in a recent Reuters article. These utilities are strategic targets because they manage critical infrastructure such as gas, water, and electricity.
Threat actors aim to disrupt these essential services for maximum impact and attention. They can do this because public utilities are often chronically underfunded, have an expanding attack surface, and are based on legacy infrastructure.
Most companies run operational technology (OT) without a structured management program, leading to legacy systems that haven’t been patched or replaced in decades and remain open to threat actors.
Recent Attacks
This past October, the largest regulated utility company for water and wastewater was the victim of a cyberattack. But water isn’t the only utility vulnerable to attacks. Check Point says utilities globally experienced a 47% spike in weekly cyber-attacks in Q3 2024 compared to the same quarter in 2023.
Cybersecurity researchers say utilities are considered low-hanging fruit when it comes to cyberattacks. While there are a few reasons for this, one big one is their use of outdated software. On average, there were 1,162 cyberattacks against utilities from January through August, compared with 689 in 2023.
Vulnerable Sectors
While all public utilities are vulnerable, most experts say the energy sector ranks higher than others. The Colonial Pipeline cyberattack in 2021 is one of the largest on record in the energy industry. More recently, on August 22nd, Halliburton, an oilfield service provider, reported an unauthorized party had accessed its systems. Halliburton shut down specific systems to contain the incident while launching an immediate investigation.
The public utilities sector relies heavily on ICS and IoT (Industrial Control Systems and Internet of Things) technology. According to experts, the cyber defenses of these technologies aren’t as mature as those of mainstream software from vendors such as Microsoft or Apple.
Even if these organizations comply with the North American Electric Reliability Corp’s (NERC) Critical Infrastructure Protection regulations, which protect bulk power systems from cybersecurity threats, this is only the minimum standard for protection.
The attack surface also grows as the grid expands and new customer connections are added incrementally; Gen-AI is one example. NERC has reported that the number of susceptible points on US electrical networks is increasing by at least 60 daily.
The US EPA (Environmental Protection Agency) has been investigating the water sector’s cybersecurity vulnerabilities. A recent memo from its Inspector General’s Office showed that 9% of public drinking water systems contained high- or critical-priority cybersecurity flaws.
Specifically, an assessment shared details of over 1,000 drinking water systems that serve 193 million people. In addition to discovering 97 systems with high-risk vulnerabilities, it found 211 water utilities with low- to medium-risk vulnerabilities.
The Challenges in Securing Public Utilities
We know that cyber threats frequently target public utilities. The sector also faces many cybersecurity challenges.
Operational Technology (OT): The management and security of these systems, which typically control critical infrastructure, are complex because of their legacy systems and specific protocols. Vulnerability identification is challenging due to these issues.
Physical security vulnerabilities: Substations and similar facilities can have physical access weaknesses that attackers seeking to manipulate equipment can exploit.
Ransomware Attacks: Attacks that encrypt systems or data can cause disruptions and significant financial losses.
Advanced Persistent Threats (APTs): Nation-state threat actors continue to develop highly sophisticated cyberattacks that are intended to infiltrate systems while remaining undetected for long periods.
Supply chain vulnerabilities: Security risks can be introduced when third-party vendors that provide equipment or services to public utilities aren’t properly vetted.
Data breaches: If these systems are attacked in a data breach, sensitive customer information can be compromised if the utilities don’t have the appropriate data protection measures in place.
Compliance challenges: Another resource-intensive and complex area is meeting the strict regulatory standards for cybersecurity set for public utilities.
Aging infrastructure: Legacy systems often used in public utility infrastructure typically lack modern security features, making them more vulnerable to cyberattacks.
Keeping Public Utilities Secure
Experts suggest a multi-layered approach to keeping public utilities safe from cyber-attacks. Here are a few recommended actions that utilities can take.
- Comprehensive incident response plans will lead to quicker detection and responses to cyber incidents.
- Conducting periodic security audits will help identify vulnerabilities where security updates should be implemented.
- Separating OT networks from IT networks will help minimize the impact of possible breaches.
- Implementing strong authentication and authorization processes that restrict access to critical systems will strengthen access control.
- Managing and evaluating the cybersecurity posture and maturity of vendors that have access to critical systems, both upstream and downstream, will reduce supply chain risk.
Utility companies encounter various cyber threats, such as hacking, ransomware, phishing, etc. Additionally, they face challenges in enhancing their security posture due to reliance on legacy systems, the need to comply with constantly changing standards, and the escalating costs associated with security initiatives.
Final Thoughts
Utility organizations should be working to meet current cybersecurity threats and challenges.
Tristan Fries, Director of Federal Cybersecurity Services at Novacoast, a firm with 25+ years of deep expertise in security operations, says: “Every organization needs to get a clear and unbiased evaluation of its risk from an expert outside party. The best way to do that for organizations that manage utilities is to have a cybersecurity risk assessment performed in accordance with IEC 62443—preferably by a provider who does them frequently.”