Cyber attacks on water and electricity operators on the rise: study
Identity security company Semperis has published the results of a study looking at cyber attacks against water and electricity operators across the US and UK, which it says has important implications for the Australian industry.
The report, titled ‘The State of Critical Infrastructure Resilience, Evaluating Cyber Threats to Water and Electric Utilities’, revealed:
- 62% of operators have been targeted by cyber attacks in the last year.
- The vast majority (80%) have been targeted multiple times in the past.
- Nearly 60% of attacks were carried out by nation-state groups.
- 54% of utilities suffered permanent corruption or destruction of data and systems following an attack.
- In 67% of cyber attacks, attackers compromised identity systems, such as Active Directory, Entra ID and Okta. Another 15% of companies were unsure whether those systems were affected.
Recent cyber attacks by nation-state groups on water and electricity utilities underscore the vulnerability of Australia’s critical infrastructure. A US public utility in Littleton, MA, was recently breached by a group linked to Volt Typhoon, the Chinese state-sponsored threat group. In addition, American Water Works, the largest US water and wastewater utility, recently detected unauthorised activity in its computer network, disrupting customer service and billing.
More than one-third (38%) of surveyed utility operators believe they’ve never been targeted by cyber attacks, which is a troubling statistic: according to the experts, it’s likely that a good portion of these operators simply don’t have the technology or the expertise to detect malicious activity.
“Many public utilities likely don’t realise that China has infiltrated their infrastructure. For instance, Chinese-sponsored threat actors like Volt Typhoon are known to prefer ‘Living off the Land’ attacks, which are difficult to detect and can remain dormant, planting backdoors, gathering information, or waiting to strike for months or even years,” said Chris Inglis, Semperis Strategic Advisor and first US National Cybersecurity Director.
These findings mirror the situation in Australia, where the electricity, gas, water and waste services sector reported the sixth-highest number of cyber incidents out of all sectors, according to the 2023–2024 ASD Cyber Threat Report. The sector also accounted for 30% of all attacks on critical infrastructure specifically, ahead of education and training (17%) and transport, postal and warehousing (15%).
The economic consequences of a major cyber attack on Australian utilities are substantial. Ausgrid, one of the country’s largest energy network operators, has estimated that a worst-case scenario cyber-induced shutdown of its infrastructure could result in an economic impact of up to $2.9 billion per day.
Recent incidents have also highlighted the vulnerability of Australian energy providers. In 2022, cyber attacks impacted both Energy Australia and AGL, leading to the exposure of sensitive customer data, while in 2021, a ransomware attack targeted Queensland-owned electricity generator CS Energy.
While Australian utility providers have been relatively fortunate so far, being without electricity, heat or clean water for even a short period can significantly affect public safety.
The age of resilience
“The systems that supply our power grids and our clean drinking water are the underpinning of everything we do. And yet we go about our business, confident that somebody else is going to handle it. Somebody else isn’t going to handle it. We need to harden our systems and extract criminal elements — now,” Inglis added.
What sets utility operators apart from many other industries is the critical nature of their work. If an electricity or water operator is compromised, the potential risks to public health and safety can put an entire nation at risk. Resilience to cyber attacks that threaten operations should be the top priority for every organisation involved in critical infrastructure, according to Semperis.
“If you don’t improve resilience, attackers keep coming,” said Mickey Bresman, CEO, Semperis. “Utilities have an opportunity to address this challenge. They need to assume breaches will happen, and through tabletop exercises, they can practice attack scenarios that could be a reality in the future.”
To improve operational resilience against cyber attacks, utilities should:
- Identify Tier 0 infrastructure components that are essential for recovery from a cyber attack.
- Prioritise incident response and recovery for these systems, followed by mission-critical (Tier 1) functions, business-critical (Tier 2) functions, and then all other (Tier 3) functions.
- Document response and recovery processes and practise them using real-world scenarios that involve people and processes beyond the IT department.
- Focus not just on fast recovery but on secure recovery, since attackers often attempt to compromise backups to maintain persistence in the environment, even after recovery attempts. Implement solutions that support speed, security and visibility in crisis situations.
The full cyberthreat study, which includes breakdowns of responses by country, is available here.