Energy Utilities
Energy utilities are critical to production and performance for both public organizations and private companies. This industry has been historically insular — Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) systems were typically secured on internal networks with no outside-facing connectivity. Thanks to the evolution of industrial IoT devices and the need for always-connected monitoring and reporting tools, the energy sector has undergone significant changes over the past decade to boost accessibility and improve operational agility. The caveat? Malicious actors now recognize the potential in disrupting utility IT to wreak havoc, steal data, or demand ransomware payouts. Just as energy companies have embraced the need for next-gen technologies to empower business success, they now must upgrade utility cybersecurity to short-circuit IT attacks.

Current Affairs
Cyberattacks in the energy and utilities sector are on the rise. In fact, recent data found that lateral movement and internal reconnaissance behaviors were seen at higher rates across energy networks than in other industries on average. Two factors conspire to drive this increase. One is the rapidly expanding interconnection of utility systems as companies look to leverage data from mobile and IoT devices. The other is the historic lack of high-level cybersecurity for electric utilities. This creates a perfect opportunity for hackers. Systems once considered secure now offer easy movement across utility networks to reach key operational systems. At the same time, many energy enterprises lack the IT infrastructure necessary to detect, isolate, and remediate new threats. Insider risks are also on the rise, as individuals with privileged access offer a secondary route to utility compromise. Phishing attacks, business email compromise, and a lack of encryption of critical data combine to reduce overall network security.

AI and Cybersecurity Risk: Energy and Utilities
The Energy and Utilities industry is experiencing one of the largest technology shifts in its history. Grids, pipelines, water systems, and renewable-energy networks are becoming digitized, interconnected, and in many cases automated with the assistance of AI and machine-learning (ML) tools. These solutions are used to forecast load demand, manage distributed energy resources, optimize grid performance, support predictive maintenance, and enable faster restoration after outages and service disruptions.
But these advantages do not come without new and growing cyber and operational risks. Legacy industrial control systems now often interconnect to AI-enabled monitoring platforms, cloud analytics, and remote access and management systems. That expands the attack surface and creates new potential vulnerabilities that simply did not exist even five years ago.
To make matters worse, adversaries know how critical these systems are to the nation’s economy and security. Ransomware groups, financially motivated criminal gangs, and state-sponsored actors are regularly targeting energy infrastructure. Threat activity is also shifting to be faster, more automated, and more targeted as adversaries use AI for reconnaissance and malware generation.
This evolution is putting pressure on utilities to harden security not only in traditional IT environments but also in AI systems, operational technology (OT), and the supply chain.
Key Considerations and Regulations
The Energy and Utilities industry must walk a tightrope between modernization and meeting compliance and regulatory requirements. These include:
NERC CIP Standards (North American Electric Reliability Corporation Critical Infrastructure Protection)
Electricity providers and grid operators that own or operate bulk electric systems must comply with NERC CIP. These requirements include mandates around secure remote access, incident reporting, logging and monitoring, workforce training, supply-chain risk management, vulnerability testing, and more. If AI is used for grid monitoring, equipment, or control systems, those tools may also fall under CIP requirements if they interact with a regulated system in any way.
DOE and CISA Guidelines
The Department of Energy (DOE) and the Cybersecurity and Infrastructure Security Agency (CISA) have published guidance on securing critical infrastructure. Key expectations include:
- secure configurations
- OT network segmentation
- AI model integrity
- threat monitoring and incident reporting
State Utility Commissions
Some states have started to impose cybersecurity requirements or reporting obligations on utilities, especially those that manage drinking-water systems and gas operations.
EPA and Water-Sector Guidance
Water and wastewater utilities are under increasing cybersecurity scrutiny as researchers find that many water systems do not even have the most basic protections in place, leaving them exposed to hostile foreign actors.
As the adoption of AI-based tools increases, regulators are expected to introduce new requirements around model governance, third-party risks, and vulnerability reporting.
Energy and Utilities Organizations Must Adapt
Energy and utility leaders need to adapt their thinking around security in order to address the convergence of new challenges from AI tools, modern IT systems, and fragile legacy OT infrastructure. To address the risk, they should focus on the following areas:
Treating AI as Critical Infrastructure
AI systems that are used for forecasting, load balancing, asset health scoring, or supporting control-room analytics should be treated, secured, monitored, and governed like traditional operational technology.
Hardening OT Cybersecurity
Utilities should segment networks and restrict remote access, as well as harden older SCADA and ICS components to reduce vulnerabilities. The organizations must also ensure that AI applications or cloud platforms cannot create new entry points into core operational systems.
Monitoring for AI-Enabled Adversaries
Attackers now use AI for everything from mimicking operator behavior to creating phishing emails and malicious scripts and probing for misconfigurations. Companies will need logging, behavior analytics, and anomaly detection capable of detecting AI-driven threats.
Assessing Supply-Chain and Vendor Risk
A modern grid environment depends on a wide range of vendors for everything from sensors and hardware to cloud analytics and AI model hosting. Contracts, monitoring, and auditing are required to ensure vendor systems do not expose critical OT assets.
Conducting Incident Response Exercises
Energy organizations should regularly conduct exercises to see how an attack could impact grid operations, restoration, gas flow, or water treatment. Testing must include AI-related risks and show how the teams would respond to attacks that intersect digital and physical environments.
Powering up Cyber Security for Electric & Gas Utilities
To address the growing impact of malicious external threats and accidental internal compromise, organizations need purpose-built cybersecurity for energy & utilities. At HALOCK Security Labs, we can provide services including:
- Penetration testing — Where are your weak points? What, if any, vulnerabilities have new devices or open-source solutions introduced? Our experts can assess your internal and external networks, web applications, and wireless connections to develop key security strategies. Test to see if your controls and team can respond appropriately in the event of a breach with an Assumed Breach or Adversary Simulation penetration test. Incorporate a remediation verification pen test to confirm everything is fixed. Consider a Recurring Penetration Testing program to assess your safeguards throughout the year for a proactive security approach. Learn about new vulnerabilities with the HALOCK Exploit Insider – updates on what our pen testers have discovered.
- External Attack Surface Management (EASM) – Our EASM service provides continuous discovery, exploit validation, and risk-based prioritization to keep you ahead of threats. With an evolving attack surface, get the visibility and insight to prioritize your security controls.
- Risk Based Threat Assessment: Improve protection against the five MITRE ATT&CK Types. Prioritize security controls to enhance or implement using the best threat data the cybersecurity community offers, leveraging the HALOCK Industry Threat (HIT) Index, a model for estimating the most likely (and least likely) ways your organization will be hit by a cybersecurity or information security attack.
- Cloud Security Assessment: Gain insight into your risks. The assessment provides a review of Azure, AWS, and Google (GCP) cloud environments to identify risks and recommend how to remediate them.
- Security engineering — What’s your “as-is” security posture? What’s your “to-be” security aim? We have the industry experience and expertise necessary to help design and implement utility cyber security that addresses current issues and speaks to emerging needs for cyber security in the energy sector. Conduct security architecture reviews, threat monitoring, or sensitive data scanning. Ensure you have the security safeguards required by compliance requirements like multi-factor authentication (MFA) or a web application firewall (WAF). An ongoing review of your threat landscape is a best practice for your industry through a managed detection and response program (MDR) or Threat Hunting Program.
- Workforce management — Finding the right talent isn’t easy, and it’s getting harder as the cybersecurity skills gap widens. Our executive, full-time, and contract hiring services help find the best-fit professionals for your needs.
- Incident Response – When a breach does occur, you need to address the attack immediately, contain it, and remediate the threat. You need a trusted, expert incident response team to stop and fix the attack, and an ongoing incident response plan (IRP) to keep your data secure, including training (tabletop exercises), run books, and live breach response teams. HALOCK’s incident response management, process, and planning provide comprehensive coverage in the event of a security breach. Cyber insurance requires you to have a written information security program (WISP) and incident response plan (IRP). Conduct a forensic analysis. Explore an ongoing program that gets in front of any potential threats or attacks. You can be response-ready with an Incident Response Readiness as a Service (IRRaaS) program.
- Third Party Risk Management (TPRM)/Vendor Risk Management – Ensure third-party partners are aligned with your organization’s risk controls. Vendors and contractors serve as an extension of your group. They represent you and should operate under your specific energy/utilities business requirements. A required best practice is to always conduct a supplier risk assessment to keep your vendors on point with your security posture. HALOCK can help build and manage a specific program for your secure environment.
- Risk Assessments – Regulations require your safeguards to be reasonable to your organization, customers, and partners. With many frameworks available, how do you establish your acceptable risk? The Duty of Care Risk Assessment (DoCRA) helps you define a balanced security strategy factoring in compliance and safeguards based on your specific business and objectives. With the adoption of AI, it is essential to understand your security and risk profile and establish reasonable controls to protect critical assets.
- Risk Management & Security System Management: Our experts have the industry knowledge you need to prioritize and optimize security investments while keeping you compliant. An ongoing risk management program provides continuous maintenance and insight into your risk profile and how to enhance your security. Establish ‘reasonable security’ as regulations require. Mitigate your risk and prepare for your cyber insurance underwriting process.
- Privacy – CCPA is the most sweeping legislation to date in the U.S. that concerns the protection of personal information. It broadens the definition of what constitutes personal information and gives California citizens greater control over what companies can do with their personal data. This includes the right to exempt their own personal information from being shared or purchased on the open market. Understand the impact this change and other states’ requirements have on your organization, on personal information, and medical data such as biometric or genetic records. Know what private information you manage and where it is located to properly secure it – conduct Sensitive Data Scanning as a Service (SDSaaS) to ensure you have a current data inventory of sensitive information.
- Policies and Procedures – The industry is changing, and so should your security protocols. According to the 2020 Midstream Oil and Gas Cybersecurity Survey, “40% reported an attempted or successful data breach in the past year, but only 7% updated their written security policy during the same period.” It is best practice to reassess your processes for any new cyber threat or attack. Proactive efforts are what will help navigate potential breaches.
- Cybersecurity Maturity Model Certification (CMMC) Readiness – Prepare for the new CMMC certification requirement to continue working with the Department of Defense (DoD) or to bid on projects with the DoD.
- Compliance – Achieve your regulatory compliance requirements for HIPAA, PCI DSS, CPRA, GDPR, and more. Ensure you have implemented the proper standards for your specific cardholder data environment (CDE). Understand changes in password requirements, training, Targeted Risk Analysis (TRA), scanning, outsourcing eCommerce, automation, and more. We can help you achieve and maintain PCI Compliance. Learn how these requirements impact your program.
Cybersecurity in the power sector now lags behind industry implementation of new technologies. While digital transformation empowers real-time energy monitoring and power controls, it introduces the potential for IT security shocks as attackers leverage insecure infrastructure to exploit newly connected networks.

“HALOCK always met our project goals.”
– Energy Services Company
HALOCK Security Labs helps prevent security short circuits by combining thought leadership and diagnostic capabilities to build purpose-driven solutions. The actionable outcome is reasonable security and appropriate risk management that protects critical assets without negatively impacting performance. Learn about our comprehensive approach to risk with our Risk Management Program. If you want to safeguard critical infrastructure and empower your operations with improved utility cyber security that’s reasonable and appropriate, let’s talk.
Developing Model Governance Controls
AI models that are used for operational planning or grid management must be tested for data poisoning, model drift, and unauthorized changes. If these models are tampered with, it could lead to adverse outcomes in the real world.
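The following Python script is an added illustration of two of the governance controls named above, namely detecting unauthorized changes to a deployed model and detecting drift in the data it sees. It is not HALOCK's tooling or any utility's actual system; the model directory, the artifact contents, the load-forecasting feature names, and the sample input distributions are all constructed for the example. It records a SHA-256 manifest of every artifact at approval time and later compares the directory against it, and it computes a population stability index (PSI) between approval-time inputs and recent inputs, using the common model-risk thresholds (below 0.1 stable, 0.1 to 0.25 investigate, above 0.25 drift) as a rule of thumb.

```python
"""Model governance checks for an operational AI model (added example).

Two controls on a hypothetical load-forecasting model:
  1. Integrity: every artifact (weights, feature config) is hashed and compared
     with a manifest recorded at approval time, so unauthorized changes,
     missing files, and dropped-in extras are detected.
  2. Drift: the population stability index (PSI) compares the model's recent
     input distribution against the distribution seen at approval time.
All file contents and numbers below are constructed for the example.
"""
import hashlib
import json
import math
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large weight files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(model_dir: Path) -> dict:
    """Record the hash of every artifact at the moment the model is approved."""
    return {
        p.relative_to(model_dir).as_posix(): sha256_file(p)
        for p in sorted(model_dir.rglob("*")) if p.is_file()
    }


def verify_manifest(model_dir: Path, manifest: dict) -> list:
    """Return (artifact, problem) pairs for anything modified, missing, or unexpected."""
    findings = []
    current = build_manifest(model_dir)
    for name, expected in manifest.items():
        actual = current.get(name)
        if actual is None:
            findings.append((name, "missing"))
        elif actual != expected:
            findings.append((name, "modified"))
    for name in current:
        if name not in manifest:
            findings.append((name, "unexpected"))
    return findings


def _bin_counts(values, edges):
    """Count values into bins delimited by ascending edges (len(edges) + 1 bins)."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        i = 0
        while i < len(edges) and v > edges[i]:
            i += 1
        counts[i] += 1
    return counts


def psi(baseline, current, bins: int = 10) -> float:
    """Population stability index between two numeric samples.

    Bin edges come from baseline quantiles, so each bin holds roughly 1/bins of
    the approval-time data. Identical distributions give exactly 0.0.
    """
    srt = sorted(baseline)
    n = len(srt)
    edges = [srt[(i * n) // bins] for i in range(1, bins)]
    eps = 1e-6  # avoids log(0) when a bin is empty in one sample
    total = 0.0
    for b, c in zip(_bin_counts(baseline, edges), _bin_counts(current, edges)):
        pb = max(b / len(baseline), eps)
        pc = max(c / len(current), eps)
        total += (pc - pb) * math.log(pc / pb)
    return total


def run_governance_demo() -> dict:
    """Constructed end-to-end run: approve a model, tamper with it, check drift."""
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = Path(tmp)
        (model_dir / "weights.bin").write_bytes(b"\x00\x01\x02 constructed weights")
        (model_dir / "features.json").write_text(json.dumps({"inputs": ["temp_c", "hour"]}))
        manifest = build_manifest(model_dir)  # store this signed, outside the model host
        clean = verify_manifest(model_dir, manifest)

        # Simulate an unauthorized weight change plus an unapproved extra file.
        (model_dir / "weights.bin").write_bytes(b"\x00\x01\x02 tampered weights")
        (model_dir / "patch.py").write_text("# not approved\n")
        tampered = verify_manifest(model_dir, manifest)

    baseline = [i / 100 for i in range(100)]       # normalized inputs at approval time
    stable = [i / 100 for i in range(100)]         # recent window, same distribution
    shifted = [0.8 + i / 500 for i in range(100)]  # recent window after e.g. a sensor recalibration
    return {
        "clean": clean,
        "tampered": sorted(tampered),
        "psi_stable": psi(baseline, stable),
        "psi_shifted": psi(baseline, shifted),
    }


if __name__ == "__main__":
    print(run_governance_demo())
```

In practice the manifest should be stored and signed outside the host that serves the model (for example in the change-management record that approved the release), so that an attacker who can alter the weights cannot also alter the record they are checked against; a PSI above the review threshold should open a ticket for the model owner rather than silently retraining, since a poisoned or miscalibrated input stream is exactly what the drift check is meant to surface.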
Why It Matters
Energy and utility companies provide the power that runs the modern world. Grid disruptions or service outages can impact hospitals, financial systems, transportation, communications, and public health. As more AI and automation are integrated into core operations, the risk and potential impact of a cyber incident only grow.
Companies that invest now in AI governance, regulatory compliance, OT security, and supply-chain visibility and controls will be better prepared for the increasingly complex and evolving threat environment. On the other hand, companies that put off making investments face growing operational, legal, and reputational risks.
A robust, risk-based, defensible cybersecurity program is no longer optional. It is a foundational requirement for service reliability, regulatory compliance, and public trust. With HALOCK, organizations can establish a legally defensible security and risk program through Duty of Care Risk Analysis (DoCRA). This balanced approach provides a methodology to achieve reasonable security as the regulations require.