
Cyberattacks on utilities risk economic stability, says Semperis
Research by AI-powered identity security and cyber resilience leader Semperis reveals that 62% of water and electricity operators across the US and UK have been targeted by cyberattacks in the past year, and of those, the vast majority (80%) have been targeted multiple times.
Recent cyberattacks by nation-state groups on water and electricity utilities underscore the vulnerability of critical infrastructure. In the U.S., a recent advisory from the Environmental Protection Agency (EPA) to water utilities recommended measures to detect, respond and recover from cyberattacks. In October, American Water Works, the largest U.S. water and wastewater utility, detected unauthorized activity in its computer network, disrupting customer service and billing. In the UK, Southern Water suffered a data breach initiated by hacker group Black Basta, who gained access to the company’s server infrastructure and compromised a significant amount of personal data.
Cybersecurity industry experts believe the fact that over one-third (38%) of utilities didn’t think that they had been targeted in cyberattacks is troubling. According to the experts, it’s likely that a good portion of these operators simply don’t have the technology or the expertise to detect malicious activity.
“Many public utilities likely don’t realize that China has infiltrated their infrastructure,” says Chris Inglis, Semperis Strategic Advisor and first U.S. National Cybersecurity Director. “For instance, Chinese-sponsored threat actors like Volt Typhoon are known to prefer Living off the Land attacks, which are difficult to detect and can remain dormant, planting backdoors, gathering information or waiting to strike for months or even years.”
The Semperis report, Empowering Infrastructure Resilience, Evaluating Cyber Threats to Water and Electric Utilities, found that nearly 60% of attacks were carried out by nation-state groups. In addition, 54% of utilities suffered permanent corruption or destruction of data and systems in the attack. In 67% of cyberattacks, attackers compromised identity systems, such as Active Directory, Entra ID and Okta. Another 15% of companies were unsure whether those systems were affected.
“If you don’t improve resilience, attackers keep coming. Utilities have an opportunity to address this challenge. They need to assume breaches will happen, and through tabletop exercises, they can practice attack scenarios that could be a reality in the future,” comments Mickey Bresman, CEO, Semperis.
“What sets utility operators apart from many other industries is the critical nature of their work. If an electricity or water operator is compromised, the potential risks to public health and safety can put an entire nation at risk. Resilience to cyberattacks that threaten operations should be the top priority for every organization involved in critical infrastructure.”
“The systems that supply our power grids and our clean drinking water are the underpinning of everything we do. And yet we go about our business, confident that somebody else is going to handle it. Somebody else isn't going to handle it. We need to harden our systems and extract criminal elements – now,” added Inglis.
The full cyber threat study, which includes breakdowns of responses by country, is available here.