Cyber threats to water and power grids escalate, new report warns

Water and electricity utilities across the US and UK face an intensifying wave of cyberattacks, many of them linked to nation-state actors, according to a new report by cybersecurity firm Semperis. The findings, drawn from a survey of 350 utility sector IT and security professionals, reveal an urgent need for greater operational resilience and leadership support as threats multiply.

“The technology and systems that deliver critical services like power grids and drinking water underpin every facet of our health and safety,” said Chris Inglis, Former US National Cyber Director and Semperis Strategic Advisor. “Far too many people assume that the government or private sector companies are managing the essential task of addressing the resilience of these systems. This is a flawed assumption, borne out by frequent systemic failures of poorly designed and weakly defended systems that are easy prey for criminals and rogue nation-states. This responsibility cannot be deferred to others. We need to harden our systems and extract criminal elements — now.”

The report, titled The State of Critical Infrastructure Resilience, Evaluating Cyber Threats to Water and Electric Utilities, paints a troubling picture. Sixty-two percent of respondents said their organisations had been targeted by cyber threat actors in the past year, with 80% of those experiencing multiple incidents. Over half (59%) confirmed that nation-state-sponsored attackers were behind the intrusions.

Among the most notable actors named were groups affiliated with China, Russia, Iran, and North Korea. The report cites a case study in which “Volt Typhoon, a Chinese threat actor, had been lurking in the utility’s systems undetected for nearly a year.”

In the UK, Southern Water confirmed in January 2024 that the Black Basta ransomware group accessed company networks and stole personal data. Meanwhile, the UK’s National Cyber Security Centre warned in late 2023 that “state-aligned actors” were emerging as a “new class of cyber adversary.”

“Ransomware criminals have a propensity to go after locally and municipally operated critical infrastructure, including water treatment facilities and electricity grids,” said Ciaran Martin, Managing Director at Paladin Capital Group and founding Chief Executive of the UK’s National Cyber Security Centre. “Frankly, with low IT and security budgets staring at operators, threat actors have the upper hand.”

One of the report’s most pressing concerns is the vulnerability of identity systems — the core infrastructure that authenticates users and controls access. “From post-attack engagements in breached environments, we know that 90 percent of the time, identity systems are targeted and successfully compromised,” said Semperis CEO Mickey Bresman. “Unfortunately, many organizations lack the tools needed to gain visibility into those compromises, preventing them from restoring trust in their identity systems.”

Former bp CISO and Semperis advisor Simon Hodgkinson added: “Embracing an assume-breach mindset is crucial for rapid recovery from cyberattacks. At the same time, implementing identity forensics and incident response (IFIR) capabilities enhances operational resilience.”

The findings suggest many organisations remain under-prepared. Only about one-third of respondents identified identity system compromise as a top cybersecurity risk, despite the fact that Active Directory and similar systems were compromised in 67% of confirmed attacks.

Utilities are advised to move beyond prevention alone. “Cyber resilience is about people, processes, and the ability to respond in a timely fashion when everything is on the line,” said Martin. “Organizations must be prepared to respond swiftly and decisively when cyber threats strike.”

Bresman echoed this: “Response times to cyberthreats will be faster if organizations assume that adversaries are already in their networks and have a documented and tested recovery and resilience plan that is ready to deploy at a moment’s notice.”

The stakes are high. As the report makes clear, utilities play a unique role in maintaining national health and safety. A single prolonged outage could have cascading effects across economies and societies. As Hodgkinson put it, “It starts with leadership. When leadership at an organization takes an interest in improving operational resilience, it will happen, and budgets will be allocated to projects that improve the protection of critical infrastructure.”
