U.S. energy companies have invested more than $1.3 trillion in grid infrastructure over the past decade, and another $1.1 trillion is projected over the next five years, nearly doubling the annual rate of investment. The industry is transforming. For two decades demand was flat because efficiency gains offset growth; now AI data centers and electrification are driving rapid load growth. The grid is expanding quickly, but security is not keeping pace.
When I discuss the challenges utilities face in combating this exposure, I point to the 2021 intrusion at the Oldsmar, FL water treatment plant. To simplify administration, remote desktop software had been enabled on a Windows control workstation with shared credentials. Poor password hygiene was cited as the likely cause, and the attacker changed the setpoint for a chemical dosed into the water supply, which could have had catastrophic results. Fortunately, an operator saw the remote session on screen and reversed the change. The plant's process equipment may have been sound, but weak system controls and authentication hygiene opened it to attackers.
How the grid became a cybersecurity problem
Energy used to flow in one direction from utility plants to consumers. With rooftop solar, virtual power plants, EVs and battery storage, it now goes both ways. And from a security perspective, the grid operator doesn’t own most of these new connected assets.
Supporting that shift meant networking OT devices that were never designed for large, heterogeneous networks. They were built for point-to-point serial links, protected by physical security such as fences and locks. When utilities centralized monitoring, they first bolted on Ethernet adapters and serial-to-IP gateways that carried protocols with no authentication or encryption and were not built to cope with unexpected traffic. Then, to enable AI analytics and cloud management, they removed the air gaps and strict segmentation that had been the real basis of device security, and put those devices on far more broadly connected networks.
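To make the "no authentication or encryption" point concrete, here is an added example (not code from the article or from any vendor) that encodes and decodes Modbus/TCP frames, a protocol that serial-to-Ethernet gateways commonly expose and that I am assuming here as the representative case. The emulated device, the register address and the setpoint values are constructed for the demonstration. The parser validates framing only, because the frame has no field that could identify or authenticate the sender: an operator HMI and any other host that can reach TCP/502 produce byte-identical requests, and the device obeys both.

```python
import struct

# Added example, not code from the article. Models Modbus/TCP framing as the
# representative unauthenticated OT protocol; the device model and values are constructed.
PROTOCOL_ID_MODBUS = 0            # MBAP protocol identifier is always 0 for Modbus
FC_READ_HOLDING = 0x03            # Read Holding Registers
FC_WRITE_SINGLE = 0x06            # Write Single Register
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


def build_request(tid: int, unit: int, fc: int, address: int, arg: int) -> bytes:
    """Encode a 5-byte PDU request (fc, address, count-or-value) behind an MBAP header.

    MBAP = transaction id (2) | protocol id (2) | length (2) | unit id (1).
    Nothing in the header or PDU identifies or authenticates the sender.
    """
    pdu = struct.pack(">BHH", fc, address, arg)
    mbap = struct.pack(">HHHB", tid, PROTOCOL_ID_MODBUS, len(pdu) + 1, unit)
    return mbap + pdu


def parse_request(frame: bytes) -> dict:
    """Decode an MBAP header plus a 5-byte PDU, validating the framing only."""
    if len(frame) < 12:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != PROTOCOL_ID_MODBUS:
        raise ValueError("not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length mismatch")
    fc, address, arg = struct.unpack(">BHH", frame[7:12])
    return {"tid": tid, "unit": unit, "fc": fc, "address": address,
            "arg": arg, "is_write": fc in WRITE_FUNCTIONS}


def _respond(req: dict, pdu: bytes) -> bytes:
    """Wrap a response PDU in an MBAP header echoing the request's transaction and unit ids."""
    return struct.pack(">HHHB", req["tid"], PROTOCOL_ID_MODBUS, len(pdu) + 1, req["unit"]) + pdu


class HoldingRegisters:
    """Emulated device register table. handle() never asks who sent the frame."""

    def __init__(self, size: int = 16):
        self.regs = [0] * size

    def handle(self, frame: bytes) -> bytes:
        req = parse_request(frame)
        if req["fc"] == FC_WRITE_SINGLE and req["address"] < len(self.regs):
            self.regs[req["address"]] = req["arg"]
            return frame                      # a successful single write echoes the request
        if req["fc"] == FC_READ_HOLDING and req["address"] + req["arg"] <= len(self.regs):
            values = self.regs[req["address"]:req["address"] + req["arg"]]
            pdu = struct.pack(">BB", FC_READ_HOLDING, 2 * len(values))
            pdu += struct.pack(">%dH" % len(values), *values)
            return _respond(req, pdu)
        # Exception response: function code with the high bit set, then exception code
        # 0x01 (illegal function) or 0x02 (illegal data address).
        code = 0x02 if req["fc"] in (FC_READ_HOLDING, FC_WRITE_SINGLE) else 0x01
        return _respond(req, struct.pack(">BB", req["fc"] | 0x80, code))


def demo() -> dict:
    """Constructed scenario: an operator HMI writes a setpoint, then an unrelated host
    on the same network overwrites it. The device accepts both identically."""
    plc = HoldingRegisters()
    setpoint = 5                                                        # constructed address
    plc.handle(build_request(1, 1, FC_WRITE_SINGLE, setpoint, 100))     # from the HMI
    after_hmi = plc.regs[setpoint]
    plc.handle(build_request(2, 1, FC_WRITE_SINGLE, setpoint, 11100))   # from anyone else
    after_other = plc.regs[setpoint]
    reply = plc.handle(build_request(3, 1, FC_READ_HOLDING, setpoint, 1))
    read_back = struct.unpack(">H", reply[9:11])[0]  # skip MBAP (7) + fc (1) + byte count (1)
    return {"after_hmi": after_hmi, "after_other": after_other, "read_back": read_back}


if __name__ == "__main__":
    print(demo())
```

The only thing separating the two writes in `demo()` is the source IP address on the TCP connection, which is exactly why the page's later emphasis on network-level visibility matters: the device itself cannot tell them apart.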
Simply replacing those legacy devices isn't viable. Unlike IT equipment, which is depreciated and refreshed every three to five years, OT equipment in the energy sector is expected to operate for decades. Funding upgrades requires rate increases, which makes it hard to justify replacing equipment that still works simply because it is insecure.
Adding to this is a cultural disconnect that, from my perspective, is one of the hardest issues to solve. Traditional OT teams work in the field, in hard hats, fixing power lines, and are focused above all on continuous availability. IT security departments operate in a different world, accustomed to software updates at the pace of Microsoft's "Patch Tuesday" and, frankly, the occasional outage. And who owns the security of the converged network remains unclear.
Identity and access management is a prime example of how OT security capabilities have not kept up with IT threats. Many legacy devices support only a single username and password, because it was assumed physical security would be adequate. As a result, every technician shares the same device credentials. I've even seen operators run password management systems in which technicians "check out" a device's login over the phone, so there is some record of who requested access. But because the password never changes, any technician, or an attacker, can log in to the device later without adequate access logging (to say nothing of former employees).
The threat actors aren’t waiting
Operators linked to China's Volt Typhoon were active inside a Massachusetts utility's network for nearly a year without being detected. No known damage was done. Instead, worryingly, they were mapping the environment and learning how to move data in and out, most likely as reconnaissance for future operations.
Russian-backed Sandworm operators have targeted the Ukrainian grid. The U.S. has stronger cyber defenses and more automation, but Ukrainian operators could reset systems manually using physical switches. In North America, newer systems lack that kind of manual override, which removes a failsafe when something goes wrong.
Security experts' concerns extend beyond these isolated incidents. They fear a cyberattack timed to coincide with a kinetic event: a war, natural disaster, financial crisis or geopolitical incident. Dormant malware has been found repeatedly in U.S. infrastructure, waiting to be activated.
Compounding the threat, the attack surface available to attackers has expanded. EV charging stations create data links between vehicles and the grid. A compromised charger could push malware to a car, which could then carry it to public chargers and onward into other grid systems.
Addressing these vulnerabilities and complying with regulations requires monitoring attackers' lateral movement across networks. What concerns me is not just the sophistication of threats but also how the sector is having to rethink detection in the post-Mythos world. I've seen organizations move away from backhauling all network data to a central site for monitoring and attack detection, because the rapid adoption of connected devices and escalating data volumes make that approach unsustainable. Instead, there is a shift toward pushing intelligent analytics, often AI-based, out to the edge for faster detection and alerting, with only critical, event-driven data sent back to a central collection point. This improves detection speed and overall security posture while reducing network consumption and storage requirements.
What security leaders should prioritize now
Regulatory frameworks are starting to catch up. NERC's CIP-015-1 standard took effect in September 2025, with phased compliance through 2030. It mandates internal network security monitoring for high- and medium-impact systems, marking a shift away from perimeter-only defense. CIP-003-11, effective May 2026, extends protections to low-impact facilities, recognizing that coordinated attacks on smaller targets can have an aggregate impact.
However, regulations are a baseline. The real priority is network awareness, and in OT environments that means thinking differently: traditional antivirus software can't be installed on a smart inverter or a PLC, and OT endpoints can't be rapidly (or, sometimes, ever) updated the way a laptop or server can. Security therefore depends on traffic capture, packet analysis and anomaly detection across the entire grid network.
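The edge-analytics model described earlier (learn locally, forward only deviations) and the traffic-based anomaly detection this paragraph calls for can be shown with one added example. This is not the article's code or any product's logic; it sketches an edge sensor that learns which hosts talk to which OT devices, and which of them write, during a baseline window, then forwards to the central collector only flows that are new conversations, writes from hosts that never wrote before, or a single source fanning out to several previously unseen devices (a simple lateral-movement heuristic). The hosts, timestamps and Modbus function codes are constructed, the function code is assumed to have been decoded already by the sensor, and the fan-out threshold of three is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not the article's code or any vendor's product. Addresses, timestamps
# and function codes are constructed; fc is assumed already decoded by the edge sensor.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}   # Modbus coil/register write function codes
LATERAL_THRESHOLD = 3                         # assumption: new destinations from one source


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds
    src: str
    dst: str
    dport: int
    fc: int         # Modbus function code seen in the request


class EdgeDetector:
    def __init__(self, learn_until: float):
        self.learn_until = learn_until
        self.seen_pairs = set()                 # (src, dst, dport) observed during learning
        self.writers = defaultdict(set)         # dst -> sources that wrote during learning
        self.baseline_dsts = defaultdict(set)   # src -> destinations reached during learning
        self.new_dsts = defaultdict(set)        # src -> destinations first seen after learning
        self.observed = 0
        self.forwarded = []                     # what would be shipped to the central site

    def process(self, flow: Flow):
        self.observed += 1
        key = (flow.src, flow.dst, flow.dport)
        is_write = flow.fc in WRITE_FUNCTIONS
        if flow.ts <= self.learn_until:           # learning window: record, never alert
            self.seen_pairs.add(key)
            self.baseline_dsts[flow.src].add(flow.dst)
            if is_write:
                self.writers[flow.dst].add(flow.src)
            return None
        reasons = []
        if key not in self.seen_pairs:
            reasons.append("new-conversation")
        if is_write and flow.src not in self.writers[flow.dst]:
            reasons.append("unexpected-writer")
        if flow.dst not in self.baseline_dsts[flow.src]:
            self.new_dsts[flow.src].add(flow.dst)
            if len(self.new_dsts[flow.src]) >= LATERAL_THRESHOLD:
                reasons.append("lateral-spread")
        if not reasons:
            return None                            # normal traffic stays at the edge
        alert = {"ts": flow.ts, "src": flow.src, "dst": flow.dst,
                 "fc": flow.fc, "reasons": reasons}
        self.forwarded.append(alert)
        return alert

    def summary(self) -> dict:
        return {"observed": self.observed, "forwarded": len(self.forwarded)}


def run_demo() -> EdgeDetector:
    hmi, hist, lap = "10.1.0.5", "10.1.0.7", "10.1.0.50"          # constructed hosts
    plc11, plc12, plc13 = "10.2.0.11", "10.2.0.12", "10.2.0.13"   # constructed devices
    flows = [
        # learning window (ts <= 100): HMI reads and writes both PLCs, historian only reads
        Flow(10, hmi, plc11, 502, 0x03), Flow(20, hmi, plc11, 502, 0x06),
        Flow(30, hmi, plc12, 502, 0x03), Flow(40, hmi, plc12, 502, 0x06),
        Flow(50, hist, plc11, 502, 0x03), Flow(60, hist, plc12, 502, 0x03),
        # detection window
        Flow(110, hmi, plc11, 502, 0x06),    # routine write: no alert
        Flow(120, hist, plc11, 502, 0x03),   # routine read: no alert
        Flow(130, hist, plc11, 502, 0x06),   # historian starts writing: unexpected-writer
        Flow(140, lap, plc11, 502, 0x03),    # unknown host sweeping PLCs
        Flow(150, lap, plc12, 502, 0x03),
        Flow(160, lap, plc13, 502, 0x06),    # third new PLC plus a write: lateral-spread
    ]
    det = EdgeDetector(learn_until=100)
    for f in flows:
        det.process(f)
    return det


if __name__ == "__main__":
    det = run_demo()
    print(det.summary())
    for a in det.forwarded:
        print(a)
```

Of the twelve constructed flows, four leave the edge; the rest are summarized locally. The baseline is deliberately simple (a fixed learning window and no decay), so in a real deployment the caveat is that a long-lived intrusion that was already present during learning becomes part of the baseline, which is the Volt Typhoon pattern the page describes and one reason the baseline itself has to be reviewed against an asset inventory rather than trusted blindly.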
In my view, understanding the attack surface is the most critical capability a utility security team can build. Gaining that visibility requires rigorous, proactive testing of OT devices, operationalized firmware analysis to find embedded vulnerabilities, and network security assessments of IT/OT boundaries. The goal is to understand exposure before attackers do, rather than waiting for an alert.
None of this works, however, without solving the people problem I described earlier. The ownership debate must give way to cross-functional governance. In my experience, this usually requires reengineering the organizational structure. Simulation technologies, such as digital twins, can unlock insights into energy networks, enabling operators to model scenarios and understand the impact of an intrusion. For example, what happens if an attacker gains access to the network through a compromised Virtual Power Plant (VPP) provider and moves laterally into substation controls? Scenario planning turns insights into resilience across distributed infrastructure.
Grid security needs a better forecast
The days of estimating energy demand by sticking your head out the window to check the weather are long gone. The same is true for security. The grid has been transformed from an isolated, physically secured system into a cloud-enabled, bidirectional, device-dense network. But many grid operators, generator owners, and other responsible entities are still defending it as if it were a physical building with a fence around it.
Cybercriminals already have their tentacles in utility networks and infrastructure, waiting to strike. The energy sector can’t view cybersecurity as a compliance exercise or an IT problem that OT teams can defer. The organizations able to weather what’s coming are those that prioritize lateral awareness and proactive validation. In today’s cyber environment, the question for the energy sector is, will you have the visibility to detect an attack and the resilience to recover?
This article is published as part of the Foundry Expert Contributor Network.
The power grid runs on decades-old devices — and attackers know it