
The Rising Threats Against Utilities: A Sobering Recap Of 2024
Attacks and threats against utilities are not a new phenomenon, but they are becoming increasingly frequent and sophisticated with each passing year. Early utility systems, such as ICS/SCADA (Industrial Control Systems/Supervisory Control and Data Acquisition) and PLCs (Programmable Logic Controllers), were designed to prioritize availability and reliability over security. These systems relied on being air-gapped—isolated from external networks—as their primary, and sometimes sole, means of defense. However, the evolution of cyber threats has revealed the limitations of this approach.
One of the most significant wake-up calls for the utility sector came in 2010 with the discovery of Stuxnet. This highly sophisticated malware targeted Iran’s nuclear facilities, marking the first known case of malware causing physical damage to control systems. Up until that point, attacks against physical control systems were more theoretical than actionable. Stuxnet demonstrated the devastating potential of such attacks, forcing governments and utility companies worldwide to reassess their cybersecurity strategies.
Fast forward to 2015, Russian state actors executed what is considered the first well-documented cyberattack against a power grid. This attack on Ukraine’s power grid left thousands without electricity for hours, validating long-held fears about the vulnerability of critical infrastructure. Since then, the frequency and impact of such incidents have only escalated.
As of January 2025, we can examine the tactics, techniques, and procedures (TTPs) employed by foreign adversaries targeting American utilities. In many cases, attack vectors remain consistent with those seen in prior years, though the sophistication of these attacks continues to grow.
Notable Threats and Incidents
In 2024, the world witnessed the activities of Volt Typhoon, an advanced persistent threat (APT) group suspected of ties to the Chinese government. Volt Typhoon targeted operational technology (OT) systems in critical infrastructure sectors, including power plants, water utilities, and communication networks. Remarkably, they managed to remain undetected for potentially over a year, indicating a focus on stealth and long-term disruption capabilities. Experts believe the group was mapping systems and identifying vulnerabilities to enable large-scale shutdowns if necessary.
Another significant event involved Sandworm, a notorious Russian hacking group known for targeting industrial control systems (ICS). This group disrupted water and wastewater facilities in Texas, tampering with pumps, altering chemical levels, and manipulating monitoring systems to conceal their activities. These actions underscored the dangers of cyberattacks directly affecting public health and safety.
The Colonial Pipeline attack, carried out by the ransomware group DarkSide in 2021, remains a pivotal example of the consequences of cyberattacks on critical infrastructure. This incident disrupted the supply of refined petroleum products along the East Coast, causing widespread panic and fuel shortages. While not directly targeting OT systems, the attack highlighted vulnerabilities within the interconnected networks supporting critical services.
Techniques Used to Compromise Critical Infrastructure
Adversaries employ a variety of techniques to infiltrate and disrupt critical infrastructure. Some of the most common methods we have seen include:
- Phishing Emails: Malicious phishing emails remain a leading entry point for attackers. These emails often contain well-crafted attachments or links designed to deliver malware or steal credentials.
- Supply Chain Attacks: These attacks exploit vulnerabilities in third-party suppliers. For example, the SolarWinds attack demonstrated how compromising a trusted vendor could grant adversaries access to numerous targets.
- Weak or Default Passwords: Despite ongoing awareness campaigns, weak or default passwords continue to provide an easy foothold for attackers in otherwise secure networks.
- Unpatched Software and Hardware: Legacy systems, still widely used in critical infrastructure, are often vulnerable due to unpatched software and outdated hardware.
- Insider Threats: Malicious insiders or negligent employees can compromise systems from within, bypassing external defenses.
- Internet of Things (IoT) Devices: IoT devices are increasingly being exploited as initial attack vectors, often due to weak security configurations.
- Physical Access: Physical breaches remain a classic yet effective technique, especially when paired with social engineering tactics to bypass security measures.
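Three of the entry points above (default passwords, unpatched firmware, and exposed IoT/OT devices) are the ones a utility can audit from its own asset inventory before an adversary does. The following script is an added example written for this article, not code from the original post or from any vendor or agency it mentions. Every device record, vendor name, default-credential pair, and minimum firmware version in it is constructed for illustration; a real audit would load these from the utility's inventory and from the vendors' published defaults.

```python
"""Audit an OT/IoT asset inventory for default credentials, outdated firmware,
and direct internet exposure, then rank devices so the worst cases are fixed first.

All vendors, versions and credentials below are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Device:
    name: str                   # inventory label, constructed
    vendor: str                 # constructed vendor name
    firmware: str               # dotted version string, e.g. "2.4.1"
    username: str
    password: str
    exposed_to_internet: bool   # reachable from outside the OT network


# Constructed table of vendor default credentials (placeholder values, not real defaults).
DEFAULT_CREDS: Dict[str, Set[Tuple[str, str]]] = {
    "ExampleVendorA": {("admin", "admin"), ("admin", "1234")},
    "ExampleVendorB": {("operator", "operator")},
}

# Constructed minimum acceptable firmware per vendor (placeholder patch baseline).
MIN_FIRMWARE: Dict[str, str] = {"ExampleVendorA": "3.0.0", "ExampleVendorB": "1.8.2"}

# A device with both of these findings is treated as critical: a known password
# reachable from the internet needs no further skill to abuse.
CRITICAL_COMBINATION = {"default-credentials", "internet-exposed"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.4.1" into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(devices: List[Device]) -> List[Tuple[str, str]]:
    """Return (device name, finding) pairs for every weakness detected."""
    findings: List[Tuple[str, str]] = []
    for dev in devices:
        if (dev.username, dev.password) in DEFAULT_CREDS.get(dev.vendor, set()):
            findings.append((dev.name, "default-credentials"))
        baseline = MIN_FIRMWARE.get(dev.vendor, "0")
        if parse_version(dev.firmware) < parse_version(baseline):
            findings.append((dev.name, "unpatched-firmware"))
        if dev.exposed_to_internet:
            findings.append((dev.name, "internet-exposed"))
    return findings


def prioritize(findings: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Group findings per device and order them: critical first, then by finding count."""
    per_device: Dict[str, List[str]] = {}
    for name, issue in findings:
        per_device.setdefault(name, []).append(issue)
    ranked = []
    for name, issues in per_device.items():
        severity = "critical" if CRITICAL_COMBINATION <= set(issues) else "high"
        ranked.append((name, severity, sorted(issues)))
    ranked.sort(key=lambda row: (row[1] != "critical", -len(row[2]), row[0]))
    return ranked


# Constructed sample inventory used to exercise the audit.
SAMPLE_INVENTORY = [
    Device("plc-pump-01", "ExampleVendorA", "2.4.1", "admin", "admin", True),
    Device("hmi-water-02", "ExampleVendorB", "1.9.0", "operator", "S3cure!Pass", False),
    Device("rtu-substation-03", "ExampleVendorA", "3.1.0", "svc_ops", "Xq9#lmT2", True),
    Device("plc-chem-04", "ExampleVendorB", "1.7.5", "operator", "operator", False),
]


if __name__ == "__main__":
    for name, severity, issues in prioritize(audit(SAMPLE_INVENTORY)):
        print(f"{severity:8s} {name:20s} {', '.join(issues)}")
```

Run against the constructed inventory, the script flags plc-pump-01 as critical (default login, old firmware, and internet-facing), plc-chem-04 and rtu-substation-03 as high, and leaves hmi-water-02 clean. The ordering matters more than the checks themselves: utilities typically have far more findings than patch windows, so the combination of a known credential and external reachability should always reach the top of the list.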
Strengthening Defenses
The rise in attacks against utilities highlights the urgency of addressing these vulnerabilities. Collaboration between government agencies, private sector organizations, and civilians is essential to develop and implement best practices. Enhanced information sharing, robust incident response plans, and continuous investment in cybersecurity can help mitigate risks.
Federal officials inspected utility companies and said about 70% are missing controls meant to prevent intrusion. Utilities must also prioritize regular assessments of their cybersecurity posture, including patching vulnerabilities, enforcing strong access controls, and securing legacy systems. Furthermore, fostering a culture of cybersecurity awareness among employees can reduce the risk of insider threats and successful phishing attempts.
The growing sophistication of adversaries necessitates a proactive and unified approach to defending critical infrastructure. As we move further into 2025, the lessons of the past decade serve as a stark reminder of the stakes involved and the need for constant vigilance.