The utility sector is in the middle of a once-in-a-century digital shift. Modernization of some infrastructure brings many benefits but also means that power, water, and gas networks are layering cloud connectivity, distributed sensors, additional computing and even artificial intelligence (AI) onto or co-existing with decades-old operational technology (OT). That convergence is expanding the number of discrete attack surfaces faster than most organizations can defend them.
In the last few years, governments have warned that well-resourced adversaries are not only stealing data but also quietly positioning for potential disruption of critical services. US utilities saw a 70% increase in cyberattacks from 2023 into 2024.
More recently, Littleton Electric Light and Water Departments (LELWD) discovered that the Chinese-linked Volt Typhoon group had maintained covert access to its OT network for nearly a year. And in 2021, Delta-Montrose Electric Association (DMEA) suffered a ransomware attack that encrypted every server and workstation within minutes, forcing a full rebuild of its IT systems.
In today’s utility attacks, OT is a primary target, not collateral. Recent incidents and advisories highlight direct exploitation of programmable logic controllers (PLCs) and human-machine interface (HMI) systems, often via default configurations and exposed management ports.
Why utilities and smart grids are uniquely exposed
Utilities run heterogeneous fleets that span multiple generations of gear and protocols. A modern substation may have IEC 61850, Modbus/TCP, and proprietary vendor interfaces side by side, bridged by DA/SCADA gateways and sometimes by hastily added Industrial Internet of Things (IIoT) devices. Edge intelligence and additional IIoT-type devices push compute and storage closer to field assets. Each additional interface, firmware package, or remote-access path becomes a potential foothold.
Several structural factors amplify risk:
- Legacy constraints. Many OT assets cannot be patched or rebooted without planned outages, and some lack cryptographic support entirely. The result: long windows of exposure and a reliance on compensating controls (segmentation, allow-listing, and rigorous change management). The National Institute of Standards and Technology (NIST) OT security guide codifies these realities and urges tailored protections that respect safety and reliability requirements.
- Supply-chain complexity. Integrators, OEMs, and managed service providers have privileged access during commissioning and maintenance. Compromise anywhere along that chain can cascade into operational networks. The North American Electric Reliability Corporation’s Critical Infrastructure Protection standards now include dedicated supply-chain risk management requirements for Bulk Electric System (BES) cyber systems.
- Operational sprawl. Advanced metering infrastructure (AMI) backhaul, distributed energy resources management systems (DERMS), electric vehicle (EV) charging, and distribution automation introduce thousands to millions of endpoints. Even where back-end systems are mature, field-deployed devices may ship with default passwords, open services, or outdated firmware—conditions repeatedly observed in incidents.
Edge intelligence: new value, new attack paths
Edge computing lets utilities perform new local analysis and decision-making (for example, electrical location awareness, identifying DERs, transformer health monitoring, optimizing voltage/VAR, or detecting line faults), but it can also create additional risk:
- Firmware and model integrity. Adversaries can target update pipelines to implant modified binaries or tamper with AI models (data poisoning or adversarial inputs). In a DER-heavy feeder, a corrupted model that misclassifies load or inverter behavior could trigger unsafe setpoints.
- Credential sprawl and lateral movement. Lightweight agents often run with elevated privileges for performance; in other words, small-footprint software components have administrative or root-level access to improve performance and capability. If an attacker lifts API tokens or SSH keys from an edge device, they may pivot into OT data systems or energy management system (EMS)/distribution management system (DMS) environments, especially where flat networks without intermediary hardware persist.
- Telemetry as reconnaissance. Rich edge telemetry exposes topology, protective settings, and operating states. In skilled hands, that metadata becomes a map for surgical disruption—precisely the goal of adversaries pursuing pre-positioning.
Concrete lessons from recent incidents
- Water/Wastewater PLC exploitation (2023–2024): Threat actors accessed internet-exposed Unitronics PLCs, often via default credentials and open ports, altering displays and potentially control logic. The guidance underscores the need for basic hardening: changing defaults, segmenting and restricting inbound exposure, and round-the-clock monitoring to identify atypical connections.
- Living-off-the-land (LOTL) campaigns (2024): Investigators observed operators using native Windows tools, scheduled tasks, and remote management frameworks to persist without custom malware. For defenders, this elevates the importance of baselining ‘normal’ admin behavior and detecting subtle anomalies rather than signature-matching.
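As an added illustration of that baselining approach (example code, not from the article or any product it mentions), the script below profiles each administrative account's usual source hosts, native tools and hours of activity from constructed log records, then reports the events that fall outside that profile; the field names are assumptions, not a real Windows event schema.

```python
# Added example, not from the article: baseline how administrators normally use
# native Windows tools, then flag subtle deviations instead of matching signatures.
# The records are constructed, simplified process-creation events; field names are assumptions.
from collections import defaultdict

BASELINE = [  # constructed: legitimate admin activity observed over a quiet week
    {"user": "ot-admin", "host": "JUMP01", "tool": "schtasks.exe", "hour": 9},
    {"user": "ot-admin", "host": "JUMP01", "tool": "schtasks.exe", "hour": 10},
    {"user": "ot-admin", "host": "JUMP01", "tool": "powershell.exe", "hour": 14},
    {"user": "hmi-svc", "host": "HMI02", "tool": "wmic.exe", "hour": 6},
    {"user": "hmi-svc", "host": "HMI02", "tool": "wmic.exe", "hour": 18},
]
NEW_EVENTS = [  # constructed: one routine event, three that deviate subtly
    {"user": "ot-admin", "host": "JUMP01", "tool": "schtasks.exe", "hour": 9},
    {"user": "ot-admin", "host": "ENG-WS7", "tool": "schtasks.exe", "hour": 2},
    {"user": "hmi-svc", "host": "HMI02", "tool": "psexec.exe", "hour": 7},
    {"user": "backup", "host": "HIST01", "tool": "wmic.exe", "hour": 12},
]

def build_baseline(events):
    """Per account: source hosts, native tools run, and hours of activity seen."""
    profile = defaultdict(lambda: {"hosts": set(), "tools": set(), "hours": set()})
    for e in events:
        for key in ("hosts", "tools", "hours"):  # event field is the singular of the set name
            profile[e["user"]][key].add(e[key[:-1]])
    return profile

def hour_distance(a, b):  # distance on a 24-hour clock: 23:00 and 01:00 are 2 apart
    d = abs(a - b) % 24
    return min(d, 24 - d)

def score_event(event, profile, hour_slack=2):
    """List the ways an event departs from its account's baseline (empty = normal)."""
    p = profile.get(event["user"])
    if p is None:
        return ["account has no admin-tool baseline"]
    reasons = []
    if event["host"] not in p["hosts"]:
        reasons.append("new source host " + event["host"])
    if event["tool"] not in p["tools"]:
        reasons.append("tool not previously used: " + event["tool"])
    if min(hour_distance(event["hour"], h) for h in p["hours"]) > hour_slack:
        reasons.append("activity at %02d:00 outside baseline hours" % event["hour"])
    return reasons

def flag_anomalies(new_events, baseline=BASELINE):
    """Return (event, reasons) pairs for events that deviate from the baseline."""
    profile = build_baseline(baseline)
    return [(e, r) for e, r in ((e, score_event(e, profile)) for e in new_events) if r]
```

In practice the baseline would be built from weeks of process-creation and remote-management logs, and each flagged reason becomes a triage lead rather than an automatic block.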