Utility cybersecurity is a top tier national security concern. Ransomware, state actors like Volt Typhoon, and unsecured control systems all threaten grid and water reliability. This guide covers NERC CIP for power utilities, CISA guidance for water, and the practical realities of small utility security.
Scale of the threat
The regulatory framework
| Regulator | Focus |
|---|---|
| NERC (via FERC) | Bulk power system reliability including CIP standards |
| CISA | All critical infrastructure guidance including water |
| EPA | Water sector including cybersecurity in sanitary surveys |
| TSA | Pipeline cybersecurity (post Colonial Pipeline) |
| State PUCs | Utility oversight including cybersecurity |
| DOE | Grid security research and support |
NERC CIP standards
NERC Critical Infrastructure Protection (CIP) standards are mandatory for bulk power system operators (BES). Cover asset identification, personnel training, electronic security perimeters, physical security, incident response, and recovery.
| Standard | Focus |
|---|---|
| CIP-002 | BES cyber system categorisation |
| CIP-003 | Security management controls |
| CIP-004 | Personnel and training |
| CIP-005 | Electronic security perimeters |
| CIP-006 | Physical security |
| CIP-007 | Systems security management |
| CIP-008 | Incident reporting and response |
| CIP-009 | Recovery plans |
| CIP-010 | Configuration change management |
| CIP-011 | Information protection |
| CIP-013 | Supply chain risk management |
| CIP-014 | Physical security of transmission stations |
Water sector: harder problem
CISA and Water ISAC
CISA (Cybersecurity and Infrastructure Security Agency) provides guidance across sectors. Water Information Sharing and Analysis Center (WaterISAC) shares threat intelligence with member utilities. Both are voluntary participation.
The threat landscape
| Threat | Notes |
|---|---|
| Ransomware | Financial extortion; increasingly targeting utilities |
| State actors (Volt Typhoon, others) | Persistent access for future disruption |
| Hacktivists | Political motivation, opportunistic targets |
| Insider threats | Disgruntled employees, contractors |
| Vendor supply chain compromise | Third party software or hardware |
| Unsecured internet exposed devices | Shodan search finds many US SCADA |
Operational technology vs IT
Utility operational technology (SCADA, PLCs, RTUs) runs on different systems than corporate IT. Historically air gapped, now increasingly network connected. OT security requires different expertise and practices. Many utilities treat OT as afterthought to IT security, which is dangerous.
Notable incidents
- Ukraine 2015 and 2016. Russian state actors caused grid blackouts.
- Colonial Pipeline 2021. Ransomware disrupted US fuel supply.
- Oldsmar Florida 2021. Attacker attempted water contamination via remote access.
- Aliquippa Pennsylvania 2023. Water utility attacked via unsecured Israeli made device.
- Change Healthcare 2024. Ransomware disrupting healthcare payments.
- Multiple undisclosed intrusions at US utilities attributed to Volt Typhoon.
Water sector specifics
The AWIA requirement
America's Water Infrastructure Act (2018) requires community water systems serving over 3,300 people to conduct risk assessments and emergency response plans. Cybersecurity is one required domain but enforcement varies.
Water ISAC
Voluntary information sharing with about 12,000 member utilities. Provides threat intelligence, best practices, and drills. Small utilities can join for modest fees.
Recent EPA rulemaking
EPA has proposed mandatory cybersecurity practices for water systems but has faced legal challenges. Ongoing regulatory uncertainty leaves gaps.
Power sector specifics
NERC CIP is mandatory and enforced through significant financial penalties. Recent updates include supply chain, virtualization, and cloud considerations. Distribution utilities largely not subject to NERC CIP (only bulk power system), creating gap.
Practical cybersecurity for utilities
Basic hygiene
- Change default passwords.
- Enable multi factor authentication.
- Update software regularly.
- Segment OT networks from IT.
- Monitor and log activity.
- Have incident response plans.
- Regular backups tested for restoration.
OT specific
- Understand what OT assets you have.
- Assess network exposure.
- Deploy OT specific monitoring (Nozomi, Claroty, Dragos).
- Vendor security assessment.
- Physical access controls.
- Staff training on OT security.
Federal funding
Bipartisan Infrastructure Law includes cybersecurity funding for utilities. State Cybersecurity Grant Program provides grants. Rural Utilities Service programme supports rural utility cybersecurity. Combined multi hundred million dollar annual pool.
Cybersecurity workforce
Significant utility cybersecurity workforce shortage. OT security expertise particularly scarce. Growing university programmes and certifications. Managed security service providers (MSSPs) increasingly used to fill gaps.
Notable OT security vendors
- Nozomi Networks.
- Claroty.
- Dragos.
- Tenable OT.
- SCADAfence (acquired by Honeywell).
Global context
EU NIS2 directive expanded cybersecurity requirements including utilities. UK Cyber Assessment Framework for essential services. Global harmonisation of critical infrastructure cybersecurity requirements progressing but uneven.
Where utility cybersecurity is going
- Mandatory requirements expanding to water and distribution.
- AI powered attack and defence acceleration.
- Zero trust architecture adoption.
- Continued state actor sophistication.
- Small utility support programmes.
- OT specific tooling maturation.
Frequently asked questions
Is my utility hacked?
Likely not currently. But probably targeted or under reconnaissance.
What is NERC CIP?
Mandatory cybersecurity standards for bulk power system operators.
Are water utilities regulated?
Less than power. AWIA requires risk assessment. EPA proposed rules facing legal challenges.
What is Volt Typhoon?
Chinese state actor pre positioning in US critical infrastructure.
Can attackers cause harm?
Yes. Ukraine grid attacks and Oldsmar attempt demonstrate risk.
What can small utilities do?
Basic hygiene, join Water ISAC, use free CISA resources, request state grant funding.
Is it a compliance or safety issue?
Both increasingly.
Does cyber insurance help?
Partially. Growing exclusions for state actors.
What if my utility is attacked?
Report to CISA and law enforcement. Follow incident response plan.
Where can I read more?
CISA, WaterISAC, NERC, EPA cybersecurity resources.
Summary
Utility cybersecurity spans mandatory NERC CIP for bulk power, voluntary and evolving requirements for water, and CISA guidance across sectors. Small water utilities particularly vulnerable. Volt Typhoon disclosure raised awareness of state actor threat. Basic hygiene (MFA, patching, segmentation) prevents most attacks. Growing federal funding and workforce development. Evolving regulatory landscape as utilities increasingly recognised as critical infrastructure requiring active defence.
Next reading
See the assets in this article
Explore 177,000+ utility infrastructure sites
Locations, capacity, operators, and permits across 24 sectors: the same records our writers pull from.
Start browsingCompliance guides from the UtilityRadar team.