Defending the future of UK utilities infrastructure


Image courtesy 123rf

Ric Derbyshire of Orange Cyberdefense discusses rising cyberattacks in the utilities sector and how, as ever, any cyber-resilience programme must begin with the security fundamentals: people, processes, and technology.

The utilities sectors include a large supply chain for energy, gas, water, and their respective subsectors. In recent years they have been experiencing a major push towards modernisation, bringing with it numerous benefits, from improving efficiencies to enabling data sharing and the integration of new technologies like AI. However, it also increases the attack surface, with systems that had previously been offline now exposed to cyber threats.

As part of the UK’s 13 sectors with critical national infrastructure (CNI) status, utilities are critical to defend, with the fallout of a successful attack being potentially catastrophic. Earlier this year, a major power blackout across the Iberian Peninsula resulted in a complete outage of the electricity supply. While this was not caused by a cyber attack, it highlights the fragility and complexity of such systems.

However, a perfect storm is brewing for the utilities sectors, driven by the complexities that come with modernisation, an increasingly motivated threat landscape, and growing regulatory pressures. Being prepared starts with understanding what the industry is up against.

A new era of vulnerabilities

The first major challenge is around modernisation, particularly of operational technology (OT). Traditionally, OT and IT have been isolated from one another, but in recent years, the two have become increasingly interconnected. This convergence and transformation bring opportunities, but they also open up OT systems to the threats that have historically targeted just IT.

OT networks are often expansive, having grown organically over time through incremental changes and without comprehensive records of the devices and technologies of which they’re composed. This limited visibility leads to incomplete knowledge of the attack surface, resulting in potentially unknown vulnerabilities.

To worsen this problem, utilities also face chronic staff shortages. With engineers and other personnel stretched thin, it can be difficult to enforce accountability for OT networks. Knowledge hoarding is also a major problem here, with engineers sometimes keeping mental logs of the OT environments they operate without proper records. This is especially concerning when we consider that about a third of employees in the energy sector, for example, are over 50 and many of them are expected to retire in the next decade. Once they leave, an untracked, forgotten OT device could be the route in for an adversary, whether they stumble upon it by accident or locate it intentionally.


The rise of geopolitical cyberattacks

The primary threats to OT systems typically stem from attacks aimed at IT systems, predominantly driven by cyber extortion, or more specifically, ransomware. In fact, our 2025 Security Navigator Report recorded a staggering 39% increase in cyber-attacks impacting OT systems between 2023 and 2024, compared with the entire 35-year period before that. While ransomware remains a primary driver, other types of adversaries, hacktivists in particular, are showing intent to target and impact OT.

Hacktivists are a growing threat to OT environments such as those operated by utilities organisations. In fact, a recent deep-dive study we conducted found that, between 1988 and 2024, hacktivists accounted for 23% of OT-impacting cyber-attacks that used tactics, techniques, and procedures unique to OT. We refer to these as ‘category 2’ attacks, which make up 16% of all OT-impacting cyber-attacks in the same timeframe.

As geopolitical unrest continues, hacktivists are showing an increasing intent to target OT systems, particularly in CNI. As they continue to develop their capabilities, their attacks will become more successful.

How renewables are changing utilities

Adding to this mix of factors is the journey to Net Zero, with greater investment and emphasis on renewable energy sources being central to this change. But as with every change, there is also risk.

Reflecting this, the UK government recently announced its Clean Energy Industries Sector Plan, which recognises both the opportunity and risks of the evolving industry. For instance, there’s a major emphasis on security and the plan calls for infrastructure protection, with investment in resilient and decentralised energy systems. Supply chain security and resilience are also central to the plan, which calls for industry-wide standards to be established and promoted. Unifying goals and priorities like this to defend against the cyber threats posed will be key.

The plan is a vital step in the right direction, but the extent of its success is dependent on how these policies translate into unified action across the industry.

Achieving cyber resilience

As ever, any cyber-resilience programme must begin with the security fundamentals: people, processes, and technology.

New, watertight processes must be put in place around the integration and maintenance of OT environments. This means moving away from manual, Excel-based systems and eradicating knowledge hoarding. Crucially, the people working within CNI must be brought along for this step. Changing long-standing behaviours is often the hardest part of any transformation, so investing in training and education around the evolving threat landscape, and how individuals can help defend against it, will be key.

Steps must also be taken to identify what actually exists on a network, as you can’t defend what you don’t know you have. This involves asset discovery, which gives organisations visibility of the devices on their network, lets them ascertain which assets are most valuable (their ‘crown jewels’), and shows how to mitigate the risks posed to those assets. Next, putting in place security measures to protect these networks is key, such as network segmentation. Despite IT/OT convergence, segregation of OT remains one of the strongest strategies for maintaining security. This segmentation can be done with a variety of technologies, depending on the environmental requirements, such as firewalls or unidirectional gateways. Robust identity and access governance and controls should also be implemented, helping to prevent unauthorised access and to detect a breach early.
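The two paragraphs above describe a procedure: replace undocumented, spreadsheet-based records with an accountable asset register, discover what is really on the network, and check that assets sit in the zone the segmentation design expects. The following is an added example, not code from the article or from Orange Cyberdefense, showing how a defender can reconcile discovery output against such a register. The register, the discovery results, the zone names and the review period are all constructed assumptions; a real deployment would feed in the output of its own discovery tooling.

```python
"""Reconcile passive asset-discovery results against an OT asset register.

Flags the failure modes the article describes: untracked devices nobody
knows about, assets observed outside their expected segmentation zone,
registered assets that have vanished, and records whose owner has not
reviewed them recently (knowledge that may have walked out of the door).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RegisteredAsset:
    """One row of a hypothetical OT asset register (constructed schema)."""
    mac: str             # identifier used to match discovery results
    name: str
    zone: str            # network zone the asset is expected to live in
    owner: str           # engineer accountable for the asset
    crown_jewel: bool    # asset whose compromise would be most damaging
    last_reviewed: date  # when the owner last confirmed this record


@dataclass(frozen=True)
class DiscoveredDevice:
    """One device as reported by a hypothetical passive discovery tool."""
    mac: str
    ip: str
    zone: str            # zone inferred from the subnet the device was seen on
    vendor: str


# Constructed sample data: a four-entry register and a four-device scan.
REGISTER = [
    RegisteredAsset("00:1a:2b:00:00:01", "PLC-PumpStation-1", "OT-L1", "j.smith", True, date(2025, 3, 1)),
    RegisteredAsset("00:1a:2b:00:00:02", "HMI-Control-Room", "OT-L2", "j.smith", False, date(2023, 1, 15)),
    RegisteredAsset("00:1a:2b:00:00:03", "Historian-1", "DMZ", "a.jones", False, date(2025, 6, 10)),
    RegisteredAsset("00:1a:2b:00:00:04", "RTU-Substation-7", "OT-L1", "r.retired", True, date(2022, 11, 2)),
]
DISCOVERED = [
    DiscoveredDevice("00:1a:2b:00:00:01", "10.10.1.5", "OT-L1", "Vendor-A"),
    DiscoveredDevice("00:1a:2b:00:00:02", "10.20.5.9", "IT-Corp", "Vendor-B"),   # HMI seen on the IT side
    DiscoveredDevice("00:1a:2b:00:00:03", "10.30.0.4", "DMZ", "Vendor-C"),
    DiscoveredDevice("00:1a:2b:00:00:99", "10.10.1.77", "OT-L1", "Unknown"),      # nobody registered this
]


def reconcile(register, discovered, today, review_days=365):
    """Compare what discovery saw with what the register claims.

    Returns a dict of four lists:
      untracked        devices on the network with no register entry
      misplaced        (asset, device) pairs observed outside the expected zone
      missing          registered assets that discovery did not see
      stale_ownership  entries nobody has reviewed within review_days
    """
    by_mac = {a.mac: a for a in register}
    findings = {"untracked": [], "misplaced": [], "missing": [], "stale_ownership": []}
    seen = set()
    for dev in discovered:
        seen.add(dev.mac)
        asset = by_mac.get(dev.mac)
        if asset is None:
            findings["untracked"].append(dev)
        elif asset.zone != dev.zone:
            findings["misplaced"].append((asset, dev))
    for asset in register:
        if asset.mac not in seen:
            findings["missing"].append(asset)
        if (today - asset.last_reviewed).days > review_days:
            findings["stale_ownership"].append(asset)
    return findings


def _rank(asset):
    # Crown jewels sort to the top of the report.
    return 0 if asset.crown_jewel else 2


def report(findings):
    """Flatten findings into one message per issue, crown-jewel items first."""
    rows = []
    for dev in findings["untracked"]:
        rows.append((1, f"UNTRACKED {dev.mac} at {dev.ip} ({dev.vendor}) in {dev.zone}: no register entry"))
    for asset, dev in findings["misplaced"]:
        rows.append((_rank(asset), f"MISPLACED {asset.name}: expected {asset.zone}, observed {dev.zone} ({dev.ip})"))
    for asset in findings["missing"]:
        rows.append((_rank(asset), f"MISSING {asset.name}: registered in {asset.zone} but not discovered"))
    for asset in findings["stale_ownership"]:
        rows.append((_rank(asset), f"STALE {asset.name}: owner {asset.owner} last reviewed {asset.last_reviewed}"))
    rows.sort(key=lambda r: r[0])  # stable sort keeps insertion order within a rank
    return [msg for _, msg in rows]


if __name__ == "__main__":
    for line in report(reconcile(REGISTER, DISCOVERED, date(2025, 9, 1))):
        print(line)
```

Matching on MAC address is the assumption that makes this simple; in practice OT discovery tools also key on IP, serial number or protocol fingerprint, and the same reconciliation logic applies to whichever identifier the register actually holds. The "misplaced" check is what turns an asset list into a segmentation check: an HMI that should only ever be seen in an OT zone but turns up on a corporate subnet is a finding for the firewall or gateway owners, not just for the register.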

Finally, keeping on top of the many regulatory frameworks is crucial for utilities organisations, including CAF, NIS2, and the upcoming Cyber Security & Resilience Bill. Legislation like this will shape the security and resilience of the sector through compliance.

Ultimately, an updated nationwide ecosystem approach is needed for national cybersecurity and resilience. The goal should be to enhance security by making it much more of a priority both financially and education-wise, and this extends to people, processes, and technology components alike.

About the author:

Ric Derbyshire is a principal security researcher at Orange Cyberdefense and an honorary researcher at Imperial College London. He holds a PhD in computer science from Lancaster University, where he researched adversary-centric quantitative risk assessment.
