We know that critical infrastructure is a prime target for cyber attacks: In March 2024, the White House issued a letter to warn state governors of mounting, "disabling" cyber attacks on water and utilities companies around the nation.
Today, American Water, a New Jersey-based utilities company serving over 14 million people, announced a cybersecurity incident including unauthorized system access. At the time of writing, American Water's billing systems and customer portals are offline in order to prevent further harm to the organization's environment or data.
American Water is not alone: The Office of the Director of National Intelligence reports that, in just six months — between November 2023 and April 2024 — there were more than 35 cyber attacks on U.S. industrial control systems (ICS) by Iran-affiliated and pro-Russia cyber actors. These attacks targeted U.S. systems managing agriculture, food, water, healthcare, schools, local governments, and more.
Image Source: Office of the Director of National Intelligence
In a recent Virtru utilities security case study, BVU Authority, which serves 16,000 electric customers and nearly 8,000 water and wastewater customers in southwestern Virginia, explained why utilities companies are such a high-value target for cyber criminals. "Our industry is very heavily attacked… it's an industry many people don't realize is a target," IT Director Todd Jones emphasized. That's because utilities companies don't just manage critical infrastructure that communities rely on for day-to-day living, but they also manage a wealth of personally identifiable information (PII): addresses, phone numbers, social security numbers, and much more.
So, depending on the cyber attacker's motivations, they can achieve multiple goals:
Just like any other organization, utilities providers need multiple layers of protection to fortify their security. Here are some examples of how these layers come to life for a utilities company.
Layer | Description |
---|---|
Identity Management | Governing the individuals and systems that can access utility information, and authenticating that those entities are who they say they are (e.g., identity and access management; multi-factor authentication) |
Endpoint and Device Security | Protecting the physical devices that can access a utility company's information (e.g., IoT-connected water quality sensors; employees' laptops and cell phones; actuators; smart meters) |
Network (Perimeter) Security | Defensively protecting the data that an organization possesses internally (e.g., firewalls, intrusion detection systems, intrusion detection, incident response) |
Application Security | Protecting the apps used across your organization (e.g., water management software; analytics processed via third-party platforms like Snowflake or Tableau; Salesforce or Zendesk CRM) |
Data Security (Defense) | Protecting data possessed internally (e.g., file encryption, preventing business email compromise, data loss prevention) |
Data Security (Offense) | Protecting sensitive data that must be shared externally: End-to-end encryption, easy-to-use email and file security, fine-grained access controls, admin visibility and controls. |
CISOs have tough jobs — especially when the well-being of their community is directly impacted by their organization's success and security. That's why these layered protections are critical: Should one layer fail — or should a bad actor gain access to a company's systems — these layers can provide additional peace of mind and mitigate risk.
In the aforementioned White House letter to the water sector, the imperative for strong security is clear:
Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks, carried out by countries and criminals, have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.
Utilities providers must act quickly, leveraging government programs and grants available via the EPA and other entities, to implement robust security measures for data possessed internally and data shared externally. It's the only way for communities to remain resilient in an escalating threat landscape.
If your utilities company, local government, or energy company needs to quickly deploy stronger security measures, we hope you'll consider Virtru. Our email and file encryption solutions protect your sensitive data with end-to-end encryption and granular access controls for Zero Trust data sharing, allowing you to share sensitive information with supply chain and government partners without compromising on security or control. And with the Virtru Private Keystore, you can manage your own encryption keys for heightened data sovereignty and control.
Virtru is trusted by over 10 state governments, including the State of West Virginia, the State of Utah, and the State of Maryland. We also serve hundreds of local municipalities, energy providers, schools, and more: You can read — and watch — our customer stories here.
Ready to learn more? Contact our team to start the conversation.