Compliance

Utility Cybersecurity: NERC CIP, CISA, and the Water Sector

How utilities defend against cyber attacks. NERC CIP for power, CISA guidance for water, and the practical realities of small utility security.

Utility cybersecurity is a top tier national security concern. Ransomware, state actors like Volt Typhoon, and unsecured control systems all threaten grid and water reliability. This guide covers NERC CIP for power utilities, CISA guidance for water, and the practical realities of small utility security.

Scale of the threat

400+
reported cyber incidents at US utilities 2024
Volt Typhoon
Chinese threat actor targeting US infrastructure
100,000+
small water systems, most under resourced

The regulatory framework

RegulatorFocus
NERC (via FERC)Bulk power system reliability including CIP standards
CISAAll critical infrastructure guidance including water
EPAWater sector including cybersecurity in sanitary surveys
TSAPipeline cybersecurity (post Colonial Pipeline)
State PUCsUtility oversight including cybersecurity
DOEGrid security research and support

NERC CIP standards

NERC Critical Infrastructure Protection (CIP) standards are mandatory for bulk power system operators (BES). Cover asset identification, personnel training, electronic security perimeters, physical security, incident response, and recovery.

StandardFocus
CIP-002BES cyber system categorisation
CIP-003Security management controls
CIP-004Personnel and training
CIP-005Electronic security perimeters
CIP-006Physical security
CIP-007Systems security management
CIP-008Incident reporting and response
CIP-009Recovery plans
CIP-010Configuration change management
CIP-011Information protection
CIP-013Supply chain risk management
CIP-014Physical security of transmission stations

Water sector: harder problem

Common trap. The water sector lacks a NERC equivalent mandatory cybersecurity framework. EPA sanitary survey now includes cybersecurity but enforcement is limited. Over 100,000 US water systems, most with under 10,000 customers and minimal IT staff, are extremely vulnerable. The Oldsmar Florida incident (2021) where an attacker tried to poison water via unsecured remote access is a warning about what can go wrong.

CISA and Water ISAC

CISA (Cybersecurity and Infrastructure Security Agency) provides guidance across sectors. Water Information Sharing and Analysis Center (WaterISAC) shares threat intelligence with member utilities. Both are voluntary participation.

The threat landscape

ThreatNotes
RansomwareFinancial extortion; increasingly targeting utilities
State actors (Volt Typhoon, others)Persistent access for future disruption
HacktivistsPolitical motivation, opportunistic targets
Insider threatsDisgruntled employees, contractors
Vendor supply chain compromiseThird party software or hardware
Unsecured internet exposed devicesShodan search finds many US SCADA

Operational technology vs IT

Utility operational technology (SCADA, PLCs, RTUs) runs on different systems than corporate IT. Historically air gapped, now increasingly network connected. OT security requires different expertise and practices. Many utilities treat OT as afterthought to IT security, which is dangerous.

Notable incidents

  • Ukraine 2015 and 2016. Russian state actors caused grid blackouts.
  • Colonial Pipeline 2021. Ransomware disrupted US fuel supply.
  • Oldsmar Florida 2021. Attacker attempted water contamination via remote access.
  • Aliquippa Pennsylvania 2023. Water utility attacked via unsecured Israeli made device.
  • Change Healthcare 2024. Ransomware disrupting healthcare payments.
  • Multiple undisclosed intrusions at US utilities attributed to Volt Typhoon.
Key insight. The Volt Typhoon disclosure in 2024 revealed that Chinese state actors had gained persistent access to US utility control systems for potential future disruption. This shifted the debate from "if" attack to "when" and forced utility investment in detection and response capabilities.

Water sector specifics

The AWIA requirement

America's Water Infrastructure Act (2018) requires community water systems serving over 3,300 people to conduct risk assessments and emergency response plans. Cybersecurity is one required domain but enforcement varies.

Water ISAC

Voluntary information sharing with about 12,000 member utilities. Provides threat intelligence, best practices, and drills. Small utilities can join for modest fees.

Recent EPA rulemaking

EPA has proposed mandatory cybersecurity practices for water systems but has faced legal challenges. Ongoing regulatory uncertainty leaves gaps.

Power sector specifics

NERC CIP is mandatory and enforced through significant financial penalties. Recent updates include supply chain, virtualization, and cloud considerations. Distribution utilities largely not subject to NERC CIP (only bulk power system), creating gap.

Practical cybersecurity for utilities

Basic hygiene

  • Change default passwords.
  • Enable multi factor authentication.
  • Update software regularly.
  • Segment OT networks from IT.
  • Monitor and log activity.
  • Have incident response plans.
  • Regular backups tested for restoration.

OT specific

  • Understand what OT assets you have.
  • Assess network exposure.
  • Deploy OT specific monitoring (Nozomi, Claroty, Dragos).
  • Vendor security assessment.
  • Physical access controls.
  • Staff training on OT security.

Federal funding

Bipartisan Infrastructure Law includes cybersecurity funding for utilities. State Cybersecurity Grant Program provides grants. Rural Utilities Service programme supports rural utility cybersecurity. Combined multi hundred million dollar annual pool.

Cybersecurity workforce

Significant utility cybersecurity workforce shortage. OT security expertise particularly scarce. Growing university programmes and certifications. Managed security service providers (MSSPs) increasingly used to fill gaps.

Notable OT security vendors

  • Nozomi Networks.
  • Claroty.
  • Dragos.
  • Tenable OT.
  • SCADAfence (acquired by Honeywell).

Global context

EU NIS2 directive expanded cybersecurity requirements including utilities. UK Cyber Assessment Framework for essential services. Global harmonisation of critical infrastructure cybersecurity requirements progressing but uneven.

Where utility cybersecurity is going

  • Mandatory requirements expanding to water and distribution.
  • AI powered attack and defence acceleration.
  • Zero trust architecture adoption.
  • Continued state actor sophistication.
  • Small utility support programmes.
  • OT specific tooling maturation.

Frequently asked questions

Is my utility hacked?

Likely not currently. But probably targeted or under reconnaissance.

What is NERC CIP?

Mandatory cybersecurity standards for bulk power system operators.

Are water utilities regulated?

Less than power. AWIA requires risk assessment. EPA proposed rules facing legal challenges.

What is Volt Typhoon?

Chinese state actor pre positioning in US critical infrastructure.

Can attackers cause harm?

Yes. Ukraine grid attacks and Oldsmar attempt demonstrate risk.

What can small utilities do?

Basic hygiene, join Water ISAC, use free CISA resources, request state grant funding.

Is it a compliance or safety issue?

Both increasingly.

Does cyber insurance help?

Partially. Growing exclusions for state actors.

What if my utility is attacked?

Report to CISA and law enforcement. Follow incident response plan.

Where can I read more?

CISA, WaterISAC, NERC, EPA cybersecurity resources.

Summary

Utility cybersecurity spans mandatory NERC CIP for bulk power, voluntary and evolving requirements for water, and CISA guidance across sectors. Small water utilities particularly vulnerable. Volt Typhoon disclosure raised awareness of state actor threat. Basic hygiene (MFA, patching, segmentation) prevents most attacks. Growing federal funding and workforce development. Evolving regulatory landscape as utilities increasingly recognised as critical infrastructure requiring active defence.

Next reading

See the assets in this article

Explore 177,000+ utility infrastructure sites

Locations, capacity, operators, and permits across 24 sectors: the same records our writers pull from.

Start browsing
UT
Written by
UtilityRadar Team

Compliance guides from the UtilityRadar team.

← Previous
Heat Pump vs Gas Boiler: Which Should I Buy in 2026?
UtilityRadar
More
Press Esc to close · Browse by sector