<img src="https://ad.doubleclick.net/ddm/activity/src=11631230;type=pagevw0;cat=pw_allpg;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755};ord=1;num=1?" width="1" height="1" alt=""> Utilities Under Threat: Why Providers Need Layered Cybersecurity

Utilities Under Threat: Why Providers Need Layered Cybersecurity

TABLE OF CONTENTS

    See Virtru In Action

    { content.featured_image.alt }}

    We know that critical infrastructure is a prime target for cyber attacks: In March 2024, the White House issued a letter to warn state governors of mounting, "disabling" cyber attacks on water and utilities companies around the nation. 

    Today, American Water, a New Jersey-based utilities company serving over 14 million people, announced a cybersecurity incident including unauthorized system access. At the time of writing, the American Water's billing systems and customer portals are offline in order to prevent further harm to the organization's environment or data. 

    American Water is not alone: The Office of the Director of National Intelligence reports that, in just six months — between November 2023 and April 2024 — there were more than 35 cyber attacks on U.S. industrial control systems (ICS) by Iran-affiliated and pro-Russia cyber actors. These attacks targeted U.S. systems managing agriculture, food, water, healthcare, schools, local governments, and more. 

    ODNI Report Cyber Attacks on Utilities

    Image Source: Office of the Director of National Intelligence

    Why Do Cyber Attackers Target Utilities?

    In a recent Virtru utilities security case study, BVU Authority, a which serves 16,000 electric customers and nearly 8,000 water and wastewater customers in southwestern Virginia, explained why utilities companies are such a high-value target for cyber criminals."Our industry is very heavily attacked… it's an industry many people don't realize is a target," IT Director Todd Jones emphasized. That's because utilities companies don't just manage critical infrastructure that communities rely on for day-to-day living, but they also manage a wealth of personally identifiable information (PII): Addresses, phone numbers, social security numbers, and much more. 

    So, depending on the cyber attacker's motivations, they can achieve multiple goals:

    1. Monetary Incentive: Utilities companies manage vast amounts of PII, which can be sold for profit or used for espionage. 
    2. Supply Chain Compromise: Small utilities companies are often connected to a web of supply chain partners, including state, local, and municipal governments, as well as providers of other types of utilities. 
    3. Disruption: By manipulating utilities systems, hackers can upend U.S. citizens' lives. The downstream impacts of disruption include societal disarray and the erosion of public trust in the institutions that serve them. 
    4. Harm: Manipulation of water sources and healthcare systems, in particular, can cause physical harm to the population. Furthermore, communities can suffer financial harm and resource depletion in the aftermath of an attack on critical infrastructure.  

    Why Utilities Companies Need Layered Cybersecurity

    Just like any other organization, utilities providers need multiple layers of protection to fortify their security. Here are some examples of how these layers come to life for a utilities company. 

    Layer Description

    Identity Management

    Governing the individuals and systems that can access utility information, and authenticating that those entities are who they say they are (e.g., identity and access management; multi-factor authentication)

    Endpoint and Device Security

    Protecting the physical devices that can access a utility company's information (e.g., IoT-connected water quality sensors; employees' laptops and cell phones; actuators; smart meters)  

    Network (Perimeter) Security

    Defensively protecting the data that an organization possesses internally (e.g., firewalls, intrusion detection systems, intrusion detection, incident response)

    Application Security

    Protecting the apps used across your organization (e.g., water management software; analytics processed via third-party platforms like Snowflake or Tableau; Salesforce or Zendesk CRM)

    Data Security (Defense)

    Protecting data possessed internally (e.g., file encryption, preventing business email compromise, data loss prevention) 

    Data Security (Offense)

    Protecting sensitive data that must be shared externally: End-to-end encryption, easy-to-use email and file security, fine-grained access controls, admin visibility and controls.  

     

    CISOs have tough jobs — especially when the well-being of their community is directly impacted by their organization's success and security. That's why these layered protections are critical: Should one layer fail — or should a bad actor gain access to a company's systems — these layers can provide additional peace of mind and mitigate risk. 

    A Nationwide Call to Prioritize Critical Infrastructure Security 

    In the aforementioned White House letter to the water sector, the imperative for strong security is clear:

    Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks, carried out by countries and criminals, have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.

    Utilities providers must act quickly, leveraging government programs and grants available via the EPA and other entities, to implement robust security measures for data possessed internally and data shared externally. It's the only way for communities to remain resilient in an escalating threat landscape. 

    If your utilities company, local government, or energy company needs to quickly deploy stronger security measures, we hope you'll consider Virtru. Our email and file encryption solutions protect your sensitive data with end-to-end encryption and granular access controls for Zero Trust data sharing, allowing you to share sensitive information with supply chain and government partners without compromising on security or control. And with the Virtru Private Keystore, you can manage your own encryption keys for heightened data sovereignty and control. 

    Virtru is trusted by over 10 state governments, including the State of West Virginia, the State of Utah, and the State of Maryland. We also serve hundreds of local municipalities, energy providers, schools, and more: You can read — and watch — our customer stories here

    Ready to learn more? Contact our team to start the conversation.

    Megan Leader

    Megan Leader

    Megan is the Director of Brand and Content at Virtru. With a background in journalism and editorial content, she loves telling good stories and making complex subjects approachable. Over the past 15 years, her career has followed her curiosity — from the travel industry, to payments technology, to cybersecurity.

    View more posts by Megan Leader

    See Virtru In Action