Utilities Under Threat: Why Providers Need Layered Cybersecurity

We know that critical infrastructure is a prime target for cyber attacks: In March 2024, the White House issued a letter to warn state governors of mounting, "disabling" cyber attacks on water and utilities companies around the nation. 

Today, American Water, a New Jersey-based utilities company serving over 14 million people, announced a cybersecurity incident including unauthorized system access. At the time of writing, the American Water's billing systems and customer portals are offline in order to prevent further harm to the organization's environment or data. 

American Water is not alone: The Office of the Director of National Intelligence reports that, in just six months — between November 2023 and April 2024 — there were more than 35 cyber attacks on U.S. industrial control systems (ICS) by Iran-affiliated and pro-Russia cyber actors. These attacks targeted U.S. systems managing agriculture, food, water, healthcare, schools, local governments, and more. 

Image Source: Office of the Director of National Intelligence

Why Do Cyber Attackers Target Utilities?

In a recent Virtru utilities security case study, BVU Authority, a which serves 16,000 electric customers and nearly 8,000 water and wastewater customers in southwestern Virginia, explained why utilities companies are such a high-value target for cyber criminals."Our industry is very heavily attacked… it's an industry many people don't realize is a target," IT Director Todd Jones emphasized. That's because utilities companies don't just manage critical infrastructure that communities rely on for day-to-day living, but they also manage a wealth of personally identifiable information (PII): Addresses, phone numbers, social security numbers, and much more. 

So, depending on the cyber attacker's motivations, they can achieve multiple goals:

1. Monetary Incentive: Utilities companies manage vast amounts of PII, which can be sold for profit or used for espionage. 
2. Supply Chain Compromise: Small utilities companies are often connected to a web of supply chain partners, including state, local, and municipal governments, as well as providers of other types of utilities. 
3. Disruption: By manipulating utilities systems, hackers can upend U.S. citizens' lives. The downstream impacts of disruption include societal disarray and the erosion of public trust in the institutions that serve them. 
4. Harm: Manipulation of water sources and healthcare systems, in particular, can cause physical harm to the population. Furthermore, communities can suffer financial harm and resource depletion in the aftermath of an attack on critical infrastructure.  

Why Utilities Companies Need Layered Cybersecurity

Just like any other organization, utilities providers need multiple layers of protection to fortify their security. Here are some examples of how these layers come to life for a utilities company. 

CISOs have tough jobs — especially when the well-being of their community is directly impacted by their organization's success and security. That's why these layered protections are critical: Should one layer fail — or should a bad actor gain access to a company's systems — these layers can provide additional peace of mind and mitigate risk. 

A Nationwide Call to Prioritize Critical Infrastructure Security 

In the aforementioned White House letter to the water sector, the imperative for strong security is clear:

Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks, carried out by countries and criminals, have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.

Utilities providers must act quickly, leveraging government programs and grants available via the EPA and other entities, to implement robust security measures for data possessed internally and data shared externally. It's the only way for communities to remain resilient in an escalating threat landscape. 

If your utilities company, local government, or energy company needs to quickly deploy stronger security measures, we hope you'll consider Virtru. Our email and file encryption solutions protect your sensitive data with end-to-end encryption and granular access controls for Zero Trust data sharing, allowing you to share sensitive information with supply chain and government partners without compromising on security or control. And with the Virtru Private Keystore, you can manage your own encryption keys for heightened data sovereignty and control. 

Virtru is trusted by over 10 state governments, including the State of West Virginia, the State of Utah, and the State of Maryland. We also serve hundreds of local municipalities, energy providers, schools, and more: You can read — and watch — our customer stories here. 

Ready to learn more? Contact our team to start the conversation.