
New Semperis Study Reveals that Cyberattacks on Water and Electric Utilities Pose a Risk to Public Safety and Economic Stability

Semperis, a leader in AI-powered identity security and cyber resilience, today published results of a new study looking at cyberattacks against water and electricity operators across the U.S. and UK. Sixty-two percent of operators have been targeted by cyberattacks in the past year and of those, the vast majority (80%) have been targeted multiple times.

Recent cyberattacks by nation-state groups on water and electricity utilities underscore the vulnerability of critical infrastructure. In the U.S., a recent advisory from the Environmental Protection Agency (EPA) to water utilities recommended measures to detect, respond to and recover from cyberattacks. In October, American Water Works, the largest U.S. water and wastewater utility, detected unauthorised activity in its computer network, disrupting customer service and billing. In the UK, Southern Water suffered a data breach initiated by hacker group Black Basta, who gained access to the company’s server infrastructure and compromised a significant amount of personal data.

Cybersecurity industry experts believe the fact that over one-third (38%) of utilities didn’t think that they had been targeted in cyberattacks is troubling. According to the experts, it’s likely that a good portion of these operators simply don’t have the technology or the expertise to detect malicious activity.

“Many public utilities likely don’t realise that China has infiltrated their infrastructure. For instance, Chinese-sponsored threat actors like Volt Typhoon are known to prefer Living off the Land attacks, which are difficult to detect and can remain dormant, planting backdoors, gathering information or waiting to strike for months or even years,” said Chris Inglis, Semperis Strategic Advisor and first U.S. National Cybersecurity Director.

The report, The State of Critical Infrastructure Resilience, Evaluating Cyber Threats to Water and Electric Utilities, found that nearly 60% of attacks were carried out by nation-state groups. In addition, 54% of utilities suffered permanent corruption or destruction of data and systems in the attack. In 67% of cyberattacks, attackers compromised identity systems, such as Active Directory, Entra ID and Okta. Another 15% of companies were unsure whether those systems were affected.

The potential public impacts of being without electricity, heat or clean water for even a short period can be significant. Semperis’ study indicates that utility customers in the U.S. and UK have been relatively fortunate — so far.

The Age of Resilience

“If you don’t improve resilience, attackers keep coming. Utilities have an opportunity to address this challenge. They need to assume breaches will happen, and through tabletop exercises, they can practise attack scenarios that could be a reality in the future,” said Mickey Bresman, CEO, Semperis.

What sets utility operators apart from many other industries is the critical nature of their work. If an electricity or water operator is compromised, the potential risks to public health and safety can put an entire nation at risk. Resilience to cyberattacks that threaten operations should be the top priority for every organisation involved in critical infrastructure.

“The systems that supply our power grids and our clean drinking water are the underpinning of everything we do. And yet we go about our business, confident that somebody else is going to handle it. Somebody else isn’t going to handle it. We need to harden our systems and extract criminal elements — now,” added Inglis.

To improve their operational resilience against cyberattacks, utilities should:

– Identify Tier 0 infrastructure components that are essential for recovery from a cyberattack;

– Prioritise incident response and recovery for these systems, followed by mission-critical (Tier 1) functions, business-critical (Tier 2) functions, and then all other (Tier 3) functions;

– Document response and recovery processes and practise them using real-world scenarios that involve people and processes beyond the IT department;

– Focus not just on fast recovery but on secure recovery. Attackers often attempt to compromise backups to maintain persistence in the environment, even after recovery attempts. Implement solutions that support speed, security and visibility in crisis situations.

The full cyber threat study, which includes breakdowns of responses by country, is available at: https://www.semperis.com/the-state-of-critical-infrastructure-resilience.

For more information about how Semperis helps global organisations improve cyber resilience, visit the Semperis Identity Resilience Platform page at https://www.semperis.com/identity-resilience-platform/.

 

About Semperis

For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures the integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing hybrid identity environments—including Active Directory, Entra ID, and Okta—Semperis’ patented technology protects over 100 million identities from cyberattacks, data breaches and operational errors. The world’s leading organizations trust Semperis to spot directory vulnerabilities, intercept cyberattacks in progress and quickly recover from ransomware and other data integrity emergencies. Semperis is headquartered in Hoboken, New Jersey, and operates internationally, with its research and development team distributed throughout the United States, Canada and Israel.

Semperis hosts the award-winning Hybrid Identity Protection conference and podcast series (www.hipconf.com) and built the community hybrid Active Directory cyber defender tools, Purple Knight (www.semperis.com/purple-knight/) and Forest Druid (www.semperis.com/forest-druid/). The company has received the highest level of industry accolades, recently named to Inc. Magazine’s list of best workplaces for 2024 and ranked the fastest-growing cybersecurity company in America by the Financial Times. Semperis is a Microsoft Enterprise Cloud Alliance and Co-Sell partner and is a member of the Microsoft Intelligent Security Association (MISA).

Learn more: https://www.semperis.com


Press Release by Semperis

Media Contact

Sarah Bark

