A recent report by Semperis revealed that over three-fifths of water and electricity firms in the US and the UK were targeted by cyber-attacks in the past year, with a majority experiencing significant disruptions as a result. The survey, conducted among IT and security professionals at 350 water treatment plants and electricity operators in both countries, highlighted the vulnerability of critical infrastructure to cyber threats.
According to the report, 62% of the respondents admitted to being victims of cyber-attacks in the past year, with 80% stating that they were targeted multiple times. Shockingly, 59% of those affected reported disruptions to normal operations, while 54% suffered permanent corruption or destruction of data and systems. These numbers underscore the urgent need for improved cybersecurity measures within the utilities sector.
Chris Inglis, a strategic advisor at Semperis and former US national cybersecurity director, emphasized the importance of securing the systems that supply power grids and clean drinking water. Inglis highlighted the misconception that someone else will handle cybersecurity issues, stressing the need for organizations to strengthen their systems and combat criminal elements proactively.
The majority of cyber-attacks targeting utilities firms focused on “Tier 0” identity systems, such as Active Directory, Entra ID, and Okta. Compromising these systems could grant hackers complete control over network operations, posing a significant threat to critical infrastructure.
Recent incidents, such as the breach by the Chinese APT group Volt Typhoon at the Littleton Electric Light and Water Departments (LELWD) in Massachusetts, serve as a stark reminder of the cybersecurity challenges faced by utility providers. Volt Typhoon’s prolonged access to the OT network of LELWD raised concerns about the group’s ability to infiltrate critical infrastructure networks and launch destructive attacks in the future.
Additionally, the ransomware attack on UK utility Southern Water by the Russian Black Basta group highlighted the financial and reputational risks associated with cyber-attacks on utilities. While operations were not disrupted, the theft of personal data on employees and customers cost the company millions.
In response to these escalating threats, Semperis proposed four steps to enhance the resilience of utilities firms against cyber-attacks:
1. Identify Tier 0 infrastructure components crucial for recovering from attacks.
2. Prioritize incident response and recovery for these critical systems.
3. Document response and recovery processes, and conduct drills involving organization-wide stakeholders.
4. Focus on secure and efficient recovery by verifying backups for signs of compromise.
As the reliance on digital systems in the utilities sector continues to grow, the need for robust cybersecurity measures has never been more critical. By heeding the recommendations put forth by Semperis and other industry experts, utilities firms can better protect their operations and safeguard the essential services they provide to millions of people.