# Security for Energy and Utilities
## Definition
Energy and utilities cybersecurity is the practice of protecting the operational technology (OT) systems, information technology (IT) infrastructure, and the critical interfaces between them that keep electricity flowing, fuel moving through pipelines, water treated and distributed, and natural gas delivered at pressure. It is among the most consequential domains in the cybersecurity landscape because the failure modes are not measured in data loss or financial impact alone; they are measured in blackouts, fuel shortages, water contamination, and, in the most severe scenarios, physical destruction of equipment that can take months or years to replace.
The defining characteristic of energy sector security is the IT/OT convergence problem. For most of the twentieth century, industrial control systems operated on isolated, proprietary networks using specialized protocols that general-purpose IT tools could not reach. That isolation provided a form of security through obscurity that, while never ideal, was functionally effective. Over the past two decades, the economics of digital transformation drove energy companies to connect OT systems to IT networks, cloud services, and the internet. The security benefits of isolation disappeared. The OT systems, designed with reliability and safety as primary objectives and cybersecurity as an afterthought, were now exposed to adversaries who had spent years developing sophisticated attack capabilities against IT infrastructure.
The consequences of this convergence were not theoretical. In 2015 and 2016, Russian military intelligence (GRU) demonstrated that cyberattacks could cause physical power outages at national scale, targeting Ukrainian electricity distribution companies and leaving hundreds of thousands of customers without power in winter. In 2021, the Colonial Pipeline ransomware attack shut down 45 percent of East Coast fuel supply for six days, leading to fuel shortages and panic buying across the southeastern United States. In 2021, an attacker gained access to the control system of a water treatment facility in Oldsmar, Florida, and attempted to raise the sodium hydroxide concentration to dangerous levels. Each of these incidents involved a different threat actor, a different attack method, and a different operational effect, but all shared a common architecture: attackers who found a path from the internet or an IT network into control systems that were never designed to be defended.
The energy sector is now the target of sustained, sophisticated pre-positioning campaigns by nation-state adversaries who are not attempting disruption today but are establishing the access and persistence necessary to cause maximum disruption at a time of geopolitical conflict.
---
## Threat Landscape
### Volt Typhoon: Pre-Positioning for Conflict
Volt Typhoon is a People's Republic of China state-sponsored actor that has become the most significant long-term threat to U.S. critical infrastructure, including the energy sector. Unlike ransomware operators who seek financial gain or even prior Chinese espionage campaigns that targeted intellectual property, Volt Typhoon's documented activity is oriented toward pre-positioning: establishing persistent, low-observable access to critical infrastructure that could be activated to cause disruption in the event of conflict over Taiwan or another triggering event.
CISA's March 2024 advisory confirmed that Volt Typhoon had compromised IT environments of critical infrastructure organizations, including in the energy sector, and in some cases had been present for five or more years without detection. The tradecraft is deliberately designed to blend with normal network activity: living-off-the-land (LOTL) techniques using legitimate administrative tools rather than custom malware, minimal footprint, slow lateral movement, and the avoidance of techniques that generate distinctive signatures in standard detection tools.
The strategic implication is that energy sector security programs cannot be designed only against threats seeking immediate effect. The most dangerous adversary is already inside and is waiting. Detection programs must be explicitly designed to find low-and-slow activity that looks like normal administrative behavior, which requires behavioral baselines, anomaly detection tuned to operational technology environments, and threat hunting programs that actively search for indicators of Volt Typhoon tradecraft specifically.
### Sandworm and the Ukraine Precedent
Russia's Sandworm unit (GRU Unit 74455) conducted the BlackEnergy attacks against Ukrainian power distribution companies in December 2015 and the Industroyer/Crashoverride attack against the Ukrainian transmission system in December 2016. These attacks are the definitive proof-of-concept that cyberattacks can cause physical power outages at scale. Industroyer contained modules designed to directly communicate with industrial control systems using SCADA protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA), bypassing IT infrastructure entirely and interacting with physical grid control systems directly.
The significance for U.S. energy sector security is not that Sandworm will replicate these attacks against U.S. targets, though that capability exists. The significance is that the attack tooling exists, has been demonstrated operationally, and has been analyzed by adversaries worldwide who can adapt its techniques. The ICS-specific attack capability that required nation-state resources to develop in 2015 is now a documented template. Security programs must address the specific protocols and control system architectures that Industroyer exploited, even if the immediate threat actor is different.
### Colonial Pipeline: The Ransomware Disruption Model
The May 2021 Colonial Pipeline ransomware attack by DarkSide did not compromise the pipeline's operational technology systems. The pipeline was shut down as a precautionary measure because the IT network, which included billing and business systems, was compromised, and the operator could not safely account for the OT network's integrity without isolating it. The physical disruption was a consequence of an IT security failure, not an OT attack.
This distinction is important and consistently misunderstood. DarkSide encrypted Colonial's IT systems and demanded $4.4 million, which Colonial paid. The operational shutdown was a decision made in the absence of confidence that the OT network was clean. It demonstrates that even without a direct OT attack, an IT compromise in an energy sector company can have immediate operational and public consequences. The Colonial Pipeline attack prompted the Transportation Security Administration to issue a series of emergency security directives for pipeline operators, including mandatory network segmentation, MFA deployment, detection capabilities, and incident response planning requirements that had not previously been mandatory.
### Physical-Cyber Convergence: The Distributed Infrastructure Problem
Energy infrastructure is geographically distributed in ways that create unique security challenges. A transmission system operator manages hundreds of substations across thousands of square miles. A pipeline company monitors compressor stations, pump stations, and metering facilities distributed along hundreds of miles of right-of-way. Each of these remote facilities has control systems that must communicate with central operations, and many of those communications links run over public networks or use wireless technologies that introduce exposure.
Remote access to these distributed assets is not optional; operational staff cannot physically visit every substation or compressor station to diagnose an issue. The remote access architecture, including the authentication controls governing who can reach those systems and what they can do, is therefore a primary attack surface. Poorly secured remote access was a factor in the Oldsmar water treatment attack and has been a consistent vulnerability in energy sector incident investigations.
---
## Industry-Specific Challenges
### NERC CIP: Mandatory Baseline, Not Best Practice
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are mandatory, enforceable requirements for operators of the bulk electric system in North America. Unlike most cybersecurity frameworks, which are voluntary guidance, NERC CIP violations can result in fines of up to $1 million per day per violation. The standards cover electronic security perimeters, physical security of critical cyber assets, access management, configuration change management, system security management, incident reporting and response planning, recovery, and personnel and training.
NERC CIP compliance is a baseline, not a ceiling. The standards define minimum required controls for systems that meet specific applicability criteria, with higher-impact systems subject to more stringent requirements. The challenge is that NERC CIP compliance has historically been interpreted narrowly: meet the letter of the standard, document the evidence, pass the audit. Compliance-as-ceiling thinking has produced organizations that satisfy auditors but are not defensible against sophisticated adversaries, because sophisticated adversaries are not constrained by what the audit checklist measures.
Critical distinctions within NERC CIP: the standards apply to bulk electric system assets, which means distribution-only utilities (those that do not own transmission assets) have historically been outside scope. This is a significant gap, as distribution infrastructure is increasingly important to grid reliability and increasingly targeted. State-level regulation is beginning to fill this gap in some jurisdictions, but coverage is uneven.
### TSA Security Directives: Post-Colonial Pipeline Mandates
Following the Colonial Pipeline attack, the Transportation Security Administration issued a series of Security Directives for pipeline operators, creating mandatory cybersecurity requirements that did not exist before. The directives (collectively referred to as SD-02C and subsequent revisions) require pipeline operators to implement network segmentation to prevent lateral movement between IT and OT networks, deploy MFA for access to OT systems, implement detection capabilities for cybersecurity threats across both IT and OT networks, and develop and implement a cybersecurity incident response plan.
The TSA directives were emergency rulemaking under administrative authority and have been renewed and revised, moving toward notice-and-comment rulemaking that will make the requirements permanent. The directives also established reporting requirements: pipeline operators must report cybersecurity incidents to CISA within 12 hours, a significantly tighter timeline than most sector-specific reporting requirements.
### OT Asset Lifecycle: The Unpatched Equipment Problem
Industrial control systems have operating lifetimes measured in decades, not years. A substation relay installed in 2005 may still be operational in 2035, running firmware that was designed when the threat landscape was entirely different and for which no security updates are available because the manufacturer has moved to a different product line or no longer exists. A distributed control system managing a gas processing plant may run Windows XP embedded because the process automation vendor has not validated newer operating systems, and the process engineering team cannot accept the operational risk of an unvalidated software change on running equipment.
This is not a problem that can be solved by patching. Patching is either unavailable, contractually prohibited, or would require downtime that operational constraints will not allow. The security solution for legacy OT assets must be architectural: network segmentation that limits the lateral movement potential from a compromised OT device, monitoring that detects anomalous behavior from systems that cannot be hardened, and compensating controls that reduce risk without requiring modification of the systems themselves.
The Purdue Model for industrial network segmentation provides the architectural reference: Level 0 (physical process) through Level 5 (enterprise network), with demilitarized zones (DMZs) between Level 3 (site operations) and Level 4 (business logistics) enforcing unidirectional data flows where possible and strict access controls everywhere else. Modern implementations increasingly use data diodes (unidirectional security gateways that physically enforce one-way communication from OT to IT), eliminating bidirectional attack paths across that link.
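As an added illustration of the segmentation review described above (this is not code from the article or from CDA's FRM), the script below maps constructed address ranges to Purdue levels and flags firewall rules that cross the IT/OT boundary without passing through the Level 3.5 DMZ, that permit bidirectional connections across that boundary, or that leave the destination port open. The zone map, rule format and sample rules are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed Purdue zone map (CIDR -> level); 3.5 is the IT/OT DMZ.
ZONES = {
    "10.4.0.0/16": 4.0,   # Level 4: business logistics / enterprise
    "10.35.0.0/24": 3.5,  # Level 3.5 DMZ: historian replica, patch relay, jump host
    "10.3.0.0/24": 3.0,   # Level 3: site operations (SCADA servers, historian)
    "10.2.0.0/24": 2.0,   # Level 2: supervisory control (HMIs, engineering workstations)
    "10.1.0.0/24": 1.0,   # Level 1: basic control (PLCs, RTUs, protection relays)
}
DMZ = 3.5  # everything above is the IT side, everything below is the OT side


@dataclass
class Rule:
    name: str
    src: str                      # IP or CIDR that may initiate the connection
    dst: str                      # IP or CIDR being reached
    dport: Optional[int]          # None means "any destination port"
    bidirectional: bool = False   # True if either side may initiate


def level_of(addr: str) -> float:
    """Purdue level of an IP or CIDR, by longest-prefix match against ZONES."""
    net = ipaddress.ip_network(addr, strict=False)
    best = None
    for cidr, level in ZONES.items():
        zone = ipaddress.ip_network(cidr)
        if net.subnet_of(zone) and (best is None or zone.prefixlen > best[0]):
            best = (zone.prefixlen, level)
    if best is None:
        raise ValueError(f"{addr} is not inside any defined zone")
    return best[1]


def review(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for rules that break the DMZ model."""
    findings = []
    for r in rules:
        s, d = level_of(r.src), level_of(r.dst)
        if s == d:
            continue  # intra-zone traffic is outside a boundary review
        # A connection that starts above the DMZ and lands below it (or the
        # reverse) never traverses Level 3.5, so the DMZ is not mediating it.
        if (s > DMZ and d < DMZ) or (s < DMZ and d > DMZ):
            findings.append((r.name, "crosses the IT/OT boundary without passing through the DMZ"))
        # Flows between the DMZ/IT side and the OT side should be initiated from
        # one side only (typically OT pushing outward, or a jump host inward).
        if r.bidirectional and (s >= DMZ) != (d >= DMZ):
            findings.append((r.name, "bidirectional rule across the IT/OT boundary"))
        if r.dport is None:
            findings.append((r.name, "cross-zone rule permits any destination port"))
    return findings


# Constructed sample rule set for the demonstration.
RULES = [
    Rule("erp-to-dmz-historian", "10.4.0.0/16", "10.35.0.10", 5432),
    Rule("dmz-jump-to-scada", "10.35.0.20", "10.3.0.0/24", 3389),
    Rule("historian-push-to-dmz", "10.3.0.10", "10.35.0.10", 5432),
    Rule("corp-any-to-plc", "10.4.0.0/16", "10.1.0.0/24", None),
    Rule("vendor-bidir-to-hmi", "10.4.5.5", "10.2.0.0/24", 443, bidirectional=True),
]

if __name__ == "__main__":
    for name, why in review(RULES):
        print(f"{name}: {why}")
```

The first three rules pass because every flow either terminates in the DMZ or is initiated from one side only; the last two produce two findings each.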
### Smart Grid and Distributed Energy Resources (DERs)
The modernization of the electric grid is expanding the attack surface faster than the security program can track it. Advanced metering infrastructure (AMI), smart meters deployed to millions of residential and commercial customers, creates a two-way communication network that connects customer premises to utility back-end systems. Distributed energy resources, including residential solar panels, battery storage systems, and electric vehicle chargers, add millions of internet-connected devices to the distribution grid that the utility does not own, cannot directly control, and must interact with for grid balancing purposes.
The DER aggregation problem is particularly acute: aggregated DER platforms that combine thousands of small distributed resources into virtual power plants must communicate with those resources over public networks, using protocols (typically HTTP(S) APIs or proprietary cloud platforms) designed for internet applications rather than control system security. An adversary who compromises a large DER aggregator could theoretically dispatch or withhold thousands of megawatts of capacity in a coordinated manner, creating grid stability impacts similar to a physical attack on a large generating station.
### Nuclear Cybersecurity: NRC Requirements
Nuclear power plants operate under Nuclear Regulatory Commission (NRC) cybersecurity requirements (10 CFR 73.54) that are among the most stringent in any sector. The requirements mandate a cybersecurity program that protects critical digital assets (CDAs) associated with safety-related systems, security systems, emergency preparedness systems, and support systems. The NRC cybersecurity framework requires site-specific cybersecurity plans, periodic assessments, and protections that are specifically designed to prevent nuclear safety and security functions from being compromised by cyberattacks.
Nuclear cybersecurity compliance is technically demanding in ways that go beyond NERC CIP: the consequences of failure include not just operational disruption but potential radiological release, which places the compliance obligations in an entirely different risk category. Nuclear operators must maintain separation between CDAs and the plant systems that could affect them, implement extensive logging and monitoring of CDAs, and ensure that security mitigations do not introduce new failure modes that could affect safety functions.
---
## CDA Perspective
The energy sector is the sector where cybersecurity failures most directly translate into physical consequences, economic disruption, and national security impact. CDA's Energy and Utilities FRM reflects this: it is built around operational continuity as the primary objective, with compliance as a necessary structural element rather than the organizing principle.
### DPS: Sovereign Data Protocol (SDP)
"Your data lives where you decide. Period."
In energy, "data sovereignty" is not primarily about privacy; it is about operational data integrity. SCADA historian data, energy management system state estimates, and control system configurations represent operational assets whose compromise or manipulation has physical consequences. SDP applies through DPS-R01 (Data Asset Discovery) extended to OT data flows, identifying where operational data crosses network boundaries and what controls govern those crossings. DPS-B04 (Backup and Recovery Architecture) takes on heightened importance in OT environments: control system configurations and historian data must be backed up with recovery procedures that have been validated to restore operational capability, not just file integrity. DPS-H02 (Data Sovereignty Mapping) documents the data flow architecture between IT and OT networks for both security analysis and NERC CIP evidence purposes.
### VSD: Continuous Surface Reduction (CSR)
"Every surface you expose is a surface we eliminate."
CSR in energy requires an OT-fluent attack surface inventory. VSD-R01 (External Attack Surface Discovery) must include the remote access infrastructure serving distributed field assets: VPN concentrators, cellular gateways, vendor remote access platforms, and the jump servers that provide pathways to OT systems. VSD-B03 (Attack Surface Reduction) focuses on eliminating unnecessary connectivity between IT and OT zones, enforcing DMZ architectures, and removing direct internet-facing exposure from OT-adjacent systems. VSD-H02 (Cloud Surface Hardening) addresses the growing cloud footprint in energy: SCADA-as-a-service platforms, DER aggregation systems, and AMI head-end systems that run in cloud environments and require different hardening approaches than on-premises OT.
### SPH: Autonomous Posture Command (APC)
"Your posture adapts. Your hygiene never sleeps."
Configuration management in OT environments is among the hardest security disciplines to implement. SPH-R02 (Configuration Baseline Assessment) establishes the secure baseline for both IT and OT systems, accounting for OT-specific constraints where standard hardening guidance does not apply. SPH-B02 (Endpoint Hardening Standards) requires OT-specific variants: Windows Server 2003 running a historian application cannot be hardened like a modern server, but it can be hardened within its constraints. SPH-B04 (Asset Management System) is foundational, and in OT environments it must encompass industrial control system assets that are typically invisible to standard IT asset discovery tools. APC's continuous adaptation principle applies through monitoring rather than through patching in OT contexts: when you cannot change the system, you must monitor it more intensively.
### IAT: Zero Possession Architecture (ZPA)
"Trust nothing. Possess nothing. Verify everything."
Third-party remote access is the most prevalent high-risk access category in energy sector OT environments. Vendors, integrators, and OEM support staff routinely require remote access to control systems for maintenance, troubleshooting, and updates. IAT-R02 (Privileged Access Audit) must specifically capture all vendor remote access pathways, many of which were established years ago and have never been reviewed. IAT-B02 (Privileged Access Management) applies ZPA principles to OT remote access: just-in-time access windows, session recording, multi-party authorization for access to the most sensitive control systems, and automatic revocation when work is complete. TSA Security Directive compliance for pipeline operators maps directly to ZPA: MFA for OT access, privileged access management, and audit logging are explicit requirements that ZPA operationalizes.
### TID: Predictive Defense Intelligence (PDI)
"See the threat before it sees you."
Volt Typhoon detection requires PDI applied specifically to OT-adjacent activity. TID-R01 (Threat Landscape Assessment) for an energy sector client must explicitly address state-sponsored pre-positioning campaigns, providing specific Volt Typhoon indicators of compromise and the LOTL techniques that characterize this adversary. TID-B01 (SIEM Deployment and Tuning) in OT environments requires OT-aware SIEM capabilities: passive OT network monitoring (active scanning OT networks is dangerous and often prohibited by operations teams), protocol parsers for industrial protocols like Modbus, DNP3, and IEC 61850, and behavioral baselines tuned to the predictable, cyclical communication patterns of control systems. TID-H01 (Detection Engineering Program) should include specific detection logic for the known Volt Typhoon and Sandworm techniques documented in CISA advisories.
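The detection logic TID-H01 calls for, and the low-and-slow living-off-the-land hunting described in the Volt Typhoon section above, can be sketched as a two-part check: pattern matches on command lines plus a host/user baseline for legitimate admin tooling. This is an added example, not the article's or CDA's own tooling; the process-creation events are constructed in the shape of a SIEM JSON export, and the regexes are this example's own, modelled on the kinds of native-tool use public CISA reporting describes rather than indicators copied from an advisory.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List, Set

# Regexes of this example's own making, modelled on the native-tool use that
# public CISA reporting on Volt Typhoon describes (directory database export,
# port-forwarding pivots, remote execution via WMI, registry hive export).
LOTL_PATTERNS = {
    "ntds_export": re.compile(r"ntdsutil.*\bntds\b", re.I),
    "portproxy_pivot": re.compile(r"netsh.*portproxy.*\badd\b", re.I),
    "wmic_remote_exec": re.compile(r"wmic.*process\s+call\s+create", re.I),
    "hive_export": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)", re.I),
}
# Legitimate admin binaries whose use is normal for some users on some hosts.
ADMIN_TOOLS = {"ntdsutil.exe", "netsh.exe", "wmic.exe", "reg.exe", "powershell.exe", "psexec.exe"}


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines process-creation events (one object per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def learn_baseline(events: List[dict]) -> Dict[str, Set[str]]:
    """From a known-clean window, learn which users run admin tools on which hosts."""
    base: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["image"].lower() in ADMIN_TOOLS:
            base[e["host"]].add(e["user"].lower())
    return base


def detect(events: List[dict], baseline: Dict[str, Set[str]]) -> List[dict]:
    """Tag events that match a LOTL pattern or break the host/user baseline."""
    alerts = []
    for e in events:
        tags = [name for name, pat in LOTL_PATTERNS.items() if pat.search(e["cmdline"])]
        # A normal admin tool run by a user never seen running admin tools on
        # this host is the "looks like administration but is not" signal.
        if e["image"].lower() in ADMIN_TOOLS and e["user"].lower() not in baseline.get(e["host"], set()):
            tags.append("admin_tool_user_outside_baseline")
        if tags:
            alerts.append({"ts": e["ts"], "host": e["host"], "user": e["user"], "tags": tags})
    return alerts


# Constructed events in the shape of a SIEM JSON export; hosts, users and
# timestamps are made up for the example.
CLEAN_WINDOW = r"""
{"ts":"2024-02-10T09:12:00Z","host":"dc01","user":"corp\\svc_backup","image":"reg.exe","cmdline":"reg.exe query HKLM\\SOFTWARE\\Backup"}
{"ts":"2024-02-10T10:05:00Z","host":"scada-hist01","user":"ops\\jdoe","image":"powershell.exe","cmdline":"powershell.exe -File C:\\ops\\rotate_logs.ps1"}
{"ts":"2024-02-11T08:30:00Z","host":"scada-hist01","user":"ops\\jdoe","image":"notepad.exe","cmdline":"notepad.exe C:\\ops\\notes.txt"}
"""
NEW_EVENTS = r"""
{"ts":"2024-03-02T03:14:07Z","host":"dc01","user":"corp\\svc_backup","image":"ntdsutil.exe","cmdline":"ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\x\" q q"}
{"ts":"2024-03-02T10:05:00Z","host":"scada-hist01","user":"ops\\jdoe","image":"powershell.exe","cmdline":"powershell.exe -File C:\\ops\\rotate_logs.ps1"}
{"ts":"2024-03-03T02:41:19Z","host":"jump-ot01","user":"corp\\vendor_tmp","image":"netsh.exe","cmdline":"netsh interface portproxy add v4tov4 listenport=9443 connectaddress=10.2.0.15 connectport=443"}
{"ts":"2024-03-04T22:10:00Z","host":"eng-ws02","user":"ops\\jdoe","image":"wmic.exe","cmdline":"wmic.exe product get name"}
"""

if __name__ == "__main__":
    baseline = learn_baseline(parse_events(CLEAN_WINDOW))
    for a in detect(parse_events(NEW_EVENTS), baseline):
        print(a["ts"], a["host"], a["user"], ",".join(a["tags"]))
```

The second event is silent because that user routinely runs PowerShell on that host; the fourth fires on the baseline check alone, which is the kind of low-volume deviation a signature-only program misses.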
### RGA: Perpetual Compliance Assurance (PCA)
"Compliance is not an event. It is a state."
NERC CIP compliance is continuous by design: the standards require ongoing evidence collection, quarterly reviews of access lists, and annual training, not point-in-time assessments. PCA's continuous compliance model aligns with how NERC CIP actually works. RGA-R01 (Compliance Landscape Mapping) produces the multi-framework matrix covering NERC CIP, TSA Security Directives (for pipeline operators), NRC requirements (for nuclear facilities), state utility commission requirements, and any applicable NIST frameworks. RGA-B02 (Compliance Program Build) must be modular by regulatory scope: NERC CIP applies to bulk electric system operators, TSA directives to pipeline operators, and NRC requirements to nuclear licensees. RGA-H01 (Multi-Framework Compliance Alignment) finds the significant overlap between NERC CIP standards, NIST SP 800-82, and the TSA directives, creating unified control implementations that satisfy multiple frameworks without maintaining separate compliance programs.
CDA's SDVOSB entity is directly relevant to energy sector clients with federal contracts or classified programs. DOE national laboratories, federal power marketing administrations (Bonneville, Southwestern, Western), and defense contractor-operated energy facilities represent federal market opportunities where SDVOSB set-aside vehicles apply.
### Energy and Utilities FRM: Five First Actions
- Conduct a comprehensive OT asset inventory using passive network monitoring (not active scanning), producing a complete picture of all industrial control system assets, their network connectivity, and their communication patterns.
- Map and audit all remote access pathways to OT systems, with specific focus on vendor and third-party access, and implement MFA and session recording for all remote OT access.
- Implement or validate network segmentation between IT and OT zones, enforcing the Purdue Model DMZ architecture and reviewing firewall rules for any rules that allow bidirectional IT-to-OT connectivity.
- Deploy Volt Typhoon-specific detection logic based on current CISA advisory indicators, explicitly covering living-off-the-land techniques and anomalous use of legitimate administrative tools.
- Validate backup and recovery procedures for control system configurations, confirming that operations can be restored from backup within the recovery time objectives required by operational and regulatory requirements.
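The first action above (a passive inventory built from observed traffic) and the OT-aware baseline monitoring described under TID, with its protocol parsers and cyclical-pattern baselines, can be combined in one pass over Modbus/TCP request frames. The example below is added here and is not the article's or any product's code; the MBAP framing it parses is the standard Modbus/TCP layout, while the device addresses, unit ids and captured frames are constructed.

```python
import struct
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
FUNCTION_NAMES = {1: "Read Coils", 3: "Read Holding Registers",
                  6: "Write Single Register", 16: "Write Multiple Registers"}
Flow = Tuple[str, str, int, int]  # (src ip, dst ip, unit id, function code)


class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request (used here only to construct sample traffic)."""
    # MBAP header: transaction id, protocol id (always 0), length of unit id + PDU, unit id
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data


def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:  # length covers unit id + function code + data
        raise ValueError(f"length field {length} disagrees with frame size {len(frame) - 6}")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def inventory(captures) -> Dict[str, Set[Tuple[int, int]]]:
    """Passive inventory: which unit ids and function codes each field device serves."""
    inv: Dict[str, Set[Tuple[int, int]]] = defaultdict(set)
    for _src, dst, frame in captures:
        r = parse_mbap(frame)
        inv[dst].add((r.unit_id, r.function))
    return inv


def learn_baseline(captures) -> Set[Flow]:
    """Record every (src, dst, unit, function) flow seen in a known-good window."""
    base: Set[Flow] = set()
    for src, dst, frame in captures:
        r = parse_mbap(frame)
        base.add((src, dst, r.unit_id, r.function))
    return base


def inspect(captures, baseline: Set[Flow]) -> List[dict]:
    """Flag malformed frames and flows absent from the baseline; writes rank highest."""
    alerts = []
    for src, dst, frame in captures:
        try:
            r = parse_mbap(frame)
        except ValueError as err:
            alerts.append({"severity": "high", "src": src, "dst": dst, "reason": f"malformed frame: {err}"})
            continue
        if (src, dst, r.unit_id, r.function) in baseline:
            continue  # expected cyclical polling or operator traffic
        name = FUNCTION_NAMES.get(r.function, f"function {r.function}")
        alerts.append({"severity": "high" if r.function in WRITE_FUNCTIONS else "medium",
                       "src": src, "dst": dst, "unit": r.unit_id, "function": r.function,
                       "reason": f"new flow: {name} from {src} to unit {r.unit_id} on {dst}"})
    return alerts


# Constructed (src, dst, frame) captures: SCADA 10.3.0.10 and HMI 10.2.0.5 polling PLCs 10.1.0.21/22.
BASELINE_CAPTURES = [
    ("10.3.0.10", "10.1.0.21", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.3.0.10", "10.1.0.22", build_request(2, 1, 1, struct.pack(">HH", 0, 16))),
    ("10.2.0.5", "10.1.0.21", build_request(3, 1, 6, struct.pack(">HH", 40, 1500))),
]
MONITORED_CAPTURES = [
    ("10.3.0.10", "10.1.0.21", build_request(9, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.2.0.5", "10.1.0.21", build_request(10, 1, 6, struct.pack(">HH", 40, 1480))),
    ("10.35.0.20", "10.1.0.21", build_request(11, 1, 16, struct.pack(">HHB", 40, 1, 2) + b"\x00\x00")),
    ("10.3.0.10", "10.1.0.22", build_request(12, 1, 3, struct.pack(">HH", 0, 4))),
    ("10.3.0.10", "10.1.0.21", bytes.fromhex("00010005000601030000000a")),  # protocol id 5: malformed
]

if __name__ == "__main__":
    for alert in inspect(MONITORED_CAPTURES, learn_baseline(BASELINE_CAPTURES)):
        print(alert["severity"].upper(), alert["reason"])
```

A write from a DMZ jump host to a PLC that only the SCADA server and HMI normally touch is the high-severity case; a new read function from a known poller is flagged at lower severity so operators can confirm a configuration change rather than chase it as an intrusion.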
---
## Key Takeaways
- Volt Typhoon, the PRC state-sponsored pre-positioning campaign, has confirmed access to U.S. energy sector networks and represents a long-dwell, low-observable threat that standard detection programs are not designed to find.
- The Colonial Pipeline attack demonstrates that an IT-only ransomware incident can cause operational shutdown of critical energy infrastructure as a precautionary response, without any OT compromise.
- OT systems have 15-to-25-year lifecycles and cannot be patched; the security architecture must compensate through network segmentation, monitoring, and compensating controls rather than endpoint hardening alone.
- NERC CIP compliance is mandatory and enforceable with fines up to $1 million per day per violation, but compliance with the standards does not constitute a sufficient defense against nation-state adversaries.
- The expanding DER ecosystem, including smart meters, residential solar, and EV charging infrastructure, is growing the energy sector attack surface faster than traditional OT security programs are designed to address.
---
## Related Articles
- Security for Industrial Control Systems and SCADA
- NERC CIP Compliance: A Practitioner's Reference
- Volt Typhoon: Anatomy of a Pre-Positioning Campaign
- The Purdue Model for OT Network Segmentation
- Security for Water and Wastewater Utilities
---
## Sources
- CISA. "Volt Typhoon: People's Republic of China State-Sponsored Cyber Actor Living Off the Land." Advisory, March 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- NERC. "Critical Infrastructure Protection (CIP) Standards Version 7." North American Electric Reliability Corporation, 2023. https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
- CISA/FBI/USSS. "Colonial Pipeline Cyber Incident: Lessons Learned for Critical Infrastructure Owners and Operators." 2021.
- National Institute of Standards and Technology. "SP 800-82 Rev. 3: Guide to Operational Technology Security." 2023. https://csrc.nist.gov/publications/detail/sp/800-82/rev-3/final
- CISA/FBI/NSA. "Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure." Advisory AA22-011A, 2022.
- Idaho National Laboratory. "Consequence-Driven Cyber-Informed Engineering (CCE)." 2023. https://inl.gov/cce/
Written by Evan Morgan