A previous version of this article was published on the Northwest Public Power Association website.
Cyberattacks are now a normal threat to utilities everywhere. For many organizations, it’s no longer a question of whether they will be compromised but when they will be compromised.
In its 2023 IC3 report, the FBI stated losses from cybercrime reported by companies totaled $12.5 billion. In 2024, the global average data breach cost increased to an all-time high of $4.88 million.
High-profile enterprise hacking leads to the loss of important data, customer confidence, and hundreds of millions of dollars in legal fees, notification costs, and technology remediation.
Because of this, executives at organizations of all sizes are now paying more attention to their entities’ cybersecurity vulnerabilities. Investors and boards of directors are increasingly holding management accountable for cybersecurity, customers and partners are demanding that adequate cybersecurity controls be in place before conducting business, and states and regulatory bodies are legally mandating cybersecurity.
Utilities are core to our national infrastructure and provide the stability behind everything we do, and they are no exception to the dangers of cybersecurity breaches, so being prepared with strong cybersecurity practices is crucial.
In an evolving cybersecurity environment, new potentially dangerous trends are always on the horizon, but a few stand out as the most threatening.
The rapid proliferation of new technology, including AI, along with a wide array of mobile devices and cloud-based solutions, provides hackers with many more entry points to attack.
Many utilities are switching from old systems to cloud or hybrid cloud, and are undertaking digital transformations, while trying to protect and organize their data.
Digital transformation can help facilitate security and analytics and make things easier to orchestrate. However, the same technology can be used by hackers as an enabling tool to find gaps and automate attacks.
Economic espionage, or cyberespionage, isn’t limited to borders. It isn’t uncommon for overseas companies to target entities with significant importance to our nation’s infrastructure, such as the electric power grid or water supply.
While the act itself isn’t necessarily something new, there are now organized and contracted teams leading the attack.
As more breaches occur and costs rise, it’s hard for both the public and private sectors to keep up with the latest malware patches and keep an eye on the ever-changing dangerous landscape.
It’s estimated that 90% of organizations will suffer critical tech skills shortages in the next two years. There are not enough skilled cybersecurity workers to defend against threats, a shortage that cybercriminals have been able to target and leverage.
Attackers are increasingly sophisticated and have more access points to networks. Even with stronger security defenses, organizations are still at a disadvantage in the fight against hackers.
This is because cyberattacks are increasingly aimed at individuals rather than systems—and the human factor is much harder to manage, with 68% of cybersecurity incidents attributed to human error.
Sophisticated attacks usually begin with spear phishing. A social engineering attack, spear phishing preys on the psychological willingness of employees to divulge confidential digital information.
These attacks typically involve an email from a hacker who impersonates an individual or business the target knows. The target is usually an employee who may be susceptible to giving up desirable information, such as their system password, company account details, or other private information.
Ransomware, also known as scareware, allows hackers to access an employee’s computer, encrypt sensitive data, and then demand some form of payment to decrypt it. Often beginning with a spear phishing attack, it infects the system and can propagate from there.
To protect organizations against these attacks, a combination of administrative and technical controls should be in place before an attack occurs.
Multiple federal agencies provide cybersecurity rules across the utilities sector, each publishing guidelines for the respective utility sectors it oversees. While the regulations are not perfectly consistent, the requirements overlap.
The National Institute of Standards and Technology (NIST) has published the Cybersecurity Framework (CSF), which was originally developed to help organizations within the energy, communications, and health care sectors build effective cybersecurity programs.
Below are some items organizations should consider as cybersecurity programs are implemented, operated, and maintained.
Once the initial program is defined and implemented, allocate personnel and resources to ensure the program continues to function.
There will be critical components of the program that need to operate continuously, and some that will operate on a regular basis. No matter the control or requirement, maintaining the state of operations will help mitigate the likelihood and impact of a cybersecurity incident.
All cybersecurity programs require management and upkeep. Each program should have processes to self-identify and correct problems, as well as regular checks for internal and external vulnerabilities through routine system scanning, penetration testing, and control assessments. Each of these provides a feedback loop on how well the cybersecurity program is operating and where there are potential weaknesses.
It’s not enough to identify issues; they also need to be resolved. Using a corrective action plan process is critical. Utilities should track identified issues and prioritize remediation based on the severity of the risk.
In addition, organizations should plan for tabletop tests of their incident response, business continuity, and disaster recovery plans. During a tabletop exercise, a scenario is drafted and presented to the response team, which walks through possible responses until the scenario is resolved.
Often, teams will identify gaps in their response plans and can use those lessons learned to update the respective plan. If each plan can’t be tested annually, consider a rotation schedule so each is tested on a regular basis.
Last, all cybersecurity plans should be reviewed, updated, and approved each year. Cybersecurity risks change quickly and often, but organizations with a well-built cybersecurity plan can be prepared to handle these scenarios.
For more information about cybersecurity strategies for your utility company, contact your Moss Adams professional.