Power grids, water treatment facilities, and natural gas pipelines represent infrastructure whose compromise does not stay in a server room. When CISA issued an alert in May 2025 about unsophisticated actors targeting ICS/SCADA systems in U.S. oil and natural gas facilities, the agency was not raising a theoretical concern; it was documenting active intrusions against operational technology that controls physical processes. The energy and utilities sector is the intersection of critical infrastructure, geopolitical tension, and aging industrial systems, a combination that makes it one of the most consequential cybersecurity battlegrounds. Check Point Research documented 1,162 cyberattacks on utilities in 2024, a 70% year-over-year increase. Ransomware targeting energy and utilities rose 80% in that same period, and the average cost of a cyberattack in the energy sector reached $4.8 million, up 10% from 2023.
TL;DR
- Cyberattacks on utilities rose 70% year over year in 2024, with ransomware specifically up 80%.
- Internet-exposed ICS devices increased 40% between 2024 and 2025.
- 21% of all ICS vulnerabilities discovered in 2024-25 affected energy systems; nation-state APTs are a persistent threat.
- The average cost of a cyberattack in the energy sector reached $4.8 million in 2024, up 10% from 2023.
- NERC CIP compliance is a floor, not a ceiling; E-ISAC and WaterISAC offer free sector-specific threat intelligence.
"As we look at the threats to our nation, none is more serious than Chinese cyber actors that are burrowing deep into our critical infrastructure to prepare to launch disruptive and destructive attacks in the event of a major conflict."
Jen Easterly, Director, Cybersecurity and Infrastructure Security Agency (CISA), testimony before the House Appropriations Subcommittee on Homeland Security, April 30, 2024, as quoted in CyberScoop
The distinctive challenge in this sector is the presence of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems that were not designed with cybersecurity in mind. Internet-exposed ICS devices increased 40% between 2024 and 2025, and 21% of all discovered ICS vulnerabilities in 2024-25 affected energy systems, placing energy second only to manufacturing in ICS vulnerability exposure. CISA's vulnerability advisories for ICS products from vendors including Siemens, Schneider Electric, and Rockwell Automation have become a regular fixture in the security community's reading list. The most common vulnerability categories are improper input validation, out-of-bounds memory operations, and insecure remote access configurations. These are not novel weaknesses; they are decades-old software defects in systems that cannot simply be patched on a monthly cadence without careful coordination to avoid disrupting operations. Two threat categories dominate the risk profile: ransomware operators who see operational disruption as leverage, and nation-state APT groups with long-term persistence objectives that have nothing to do with collecting a ransom.
Energy and utilities organizations at the leading edge of their sector's security posture share a disciplined approach to the IT/OT boundary. They treat their operational technology networks as classified environments with strict access controls, maintain network diagrams that are current and accurate, and run tabletop exercises that specifically model OT disruption scenarios, not just IT breach scenarios. The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards provide a regulatory baseline for bulk electric system operators, but the most security-mature utilities treat CIP compliance as a floor, not a ceiling. For smaller municipal utilities without dedicated OT security teams, CISA's ICS-CERT advisories and sector-specific information sharing organizations such as E-ISAC (Electricity Information Sharing and Analysis Center) and WaterISAC provide actionable threat intelligence that can inform prioritization even without a large internal security organization.
Expert Tip: Run an OT-Specific Tabletop Exercise Before Your Next Audit
Most incident response tabletop exercises are written from an IT perspective: assume a breach, contain the endpoint, restore from backup. OT scenarios require different questions. What happens when the HMI is unreachable? Can operations continue in manual mode? Who has authority to take a system offline? How long can the facility operate before safety margins are breached? Running a tabletop that specifically models an OT disruption scenario, with operations staff present alongside IT and security teams, will expose gaps that no penetration test or compliance checklist will find.
Key Takeaways
- Attacks surged in 2024: Cyberattacks on utilities rose 70% year over year, with ransomware specifically up 80%.
- Internet-exposed ICS is growing: Internet-facing ICS devices increased 40% between 2024 and 2025, expanding the attack surface significantly.
- State actors are a unique threat: Nation-state APT groups target energy infrastructure for long-term persistence, not just financial gain.
- Legacy systems cannot be quickly patched: ICS/SCADA vulnerabilities in products from major vendors require careful, coordinated remediation to avoid operational disruption.
- Free sector resources exist: E-ISAC and WaterISAC provide threat intelligence sharing specifically for energy and water utility operators at no cost.
Sources:
- CISA Alert: Unsophisticated Cyber Actors Targeting Operational Technology
- Resecurity: Cyber Threats Against Energy Sector Surge
- Asimily: Top Utilities Cyberattacks of 2025
- CyberScoop: Easterly appeals to Congress on CISA funding