Cyberattacks against U.S. utilities spiked 70 percent in 2024, and that trend continued on a sharp upward trajectory in 2025. The utilities sector remains a top target of cybercriminals and nation-state actors due to geopolitical tensions and vulnerabilities in operational technology.
Ransomware attacks against the utilities sector surged by 80 percent year-over-year in 2025, with attackers seeking both financial gain and the disruption of critical infrastructure. According to some reports, half of all attacks in 2025 targeted critical infrastructure, with ransomware gangs exploiting weaknesses in industrial control systems and smart grid technology.
However, experts warn that such overt attacks with immediate consequences are only the tip of the iceberg. The primary objective of groups such as Volt Typhoon is to gain long-term, covert access to critical infrastructure. Once inside, they can collect information such as network diagrams and control system procedures to commit acts of sabotage during a future geopolitical crisis.
State-Sponsored Cybercriminals Are Lurking in Utilities Systems
Volt Typhoon is a state-sponsored cyber threat group linked to the People’s Republic of China. The group targets various critical sectors, including electric utilities, water and wastewater systems, communications, transportation, government, and IT.
Typically, Volt Typhoon gains initial access by exploiting known or zero-day vulnerabilities in public-facing network appliances. The group then uses “living off the land” techniques, exploiting legitimate network tools and vulnerabilities in unpatched devices to remain undetected. Their specific targets are hard to pinpoint until they decide to act.
There is increasing concern that groups such as Volt Typhoon could exploit vulnerabilities in solar panels and inverters. Researchers have identified numerous high-severity vulnerabilities in solar power systems, many of them manufactured in China. They have also uncovered communication devices such as cellular radios in some inverters and batteries from Chinese suppliers.
These vulnerabilities can provide a backdoor for attackers to disrupt power grids. CISA and other agencies have issued warnings and guidance for securing critical infrastructure against such threats.
Addressing the Threat of the Expanded Attack Surface
The activities of Volt Typhoon and other state-sponsored actors point to the increased attack surface in the utilities sector. The massive growth in smart meters, IoT sensors and other connected devices significantly expands the potential entry points for attackers. Attackers can use these devices to spread malware and hijack them to create botnets. Vulnerabilities in hardware and software can create wide security gaps, causing a cascading risk throughout connected systems and supply chains.
To address these threats, utilities need a strategic, multilayered approach to security that integrates both IT and operational technology (OT). Utilities must understand their entire attack surface, including all connected equipment and devices. This starts with continuous discovery and mapping of IT and OT assets to identify unknown vulnerabilities.
Outdated OT and SCADA systems are significant vulnerabilities. While a full overhaul may be a long-term goal, a phased upgrade strategy is essential to reduce risk and ensure compatibility with modern security tools.
Reducing the Risk of a Widespread Security Breach
Utilities should segment IT and OT networks to limit an attacker’s ability to move laterally across systems if one area is compromised. They should also adopt a zero trust framework: no user, device or network connection should be trusted by default, even those inside the network. Strict access controls and multifactor authentication (MFA) should be enforced for all remote and privileged access.
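As an added example (not part of the original post), the following Python ties the asset-mapping and segmentation recommendations together: it reconciles constructed flow records against an IT/OT asset inventory and a zone policy, flagging devices the discovery step never mapped and flows that cross the IT/OT boundary without an approved exception. The inventory, zone names, addresses, roles and the flow record format are all assumptions.

```python
"""Added example (not from the original post): reconcile observed flows with an
IT/OT asset inventory and zone policy. All names and records are constructed."""
from collections import namedtuple
Asset = namedtuple("Asset", "zone role")       # zone is "IT" or "OT"
Flow = namedtuple("Flow", "src dst dport")

# Constructed inventory, i.e. what the discovery-and-mapping step produced.
INVENTORY = {
    "10.10.1.5": Asset("IT", "workstation"),
    "10.10.1.9": Asset("IT", "jump-host"),
    "10.20.0.10": Asset("OT", "scada-hmi"),
    "10.20.0.20": Asset("OT", "plc"),
}
# Traffic within a zone is expected; the only permitted IT->OT path is the
# jump host over SSH. Any other cross-zone flow is a segmentation violation.
SAME_ZONE_OK = {("IT", "IT"), ("OT", "OT")}
IT_TO_OT_EXCEPTIONS = {("jump-host", 22)}     # (source role, destination port)

def parse_flows(text):
    """Parse constructed 'src=... dst=... dport=...' records, one per line."""
    flows = []
    for line in text.splitlines():
        kv = dict(field.split("=", 1) for field in line.split())
        flows.append(Flow(kv["src"], kv["dst"], int(kv["dport"])))
    return flows

def classify(flow):
    """Label one flow: ok, unknown-asset, or segmentation-violation."""
    src, dst = INVENTORY.get(flow.src), INVENTORY.get(flow.dst)
    if src is None or dst is None:
        return "unknown-asset"            # not in inventory: discover and map it first
    if (src.zone, dst.zone) in SAME_ZONE_OK:
        return "ok"
    if (src.zone, dst.zone) == ("IT", "OT") and (src.role, flow.dport) in IT_TO_OT_EXCEPTIONS:
        return "ok"
    return "segmentation-violation"       # a lateral-movement path across the boundary

def audit(flows):
    """Return (finding, flow) pairs for every flow that is not policy-conformant."""
    return [(v, f) for f in flows if (v := classify(f)) != "ok"]

# Constructed flow records standing in for firewall or flow-collector output.
SAMPLE_FLOWS = """\
src=10.10.1.9 dst=10.20.0.10 dport=22
src=10.10.1.5 dst=10.20.0.20 dport=502
src=10.20.0.20 dst=10.20.0.10 dport=502
src=10.20.0.99 dst=10.20.0.20 dport=502
src=10.20.0.10 dst=10.10.1.5 dport=445
"""
```

Running `audit(parse_flows(SAMPLE_FLOWS))` on the constructed records reports the workstation reaching a PLC on Modbus/TCP, an unmapped device in the OT range, and an OT host reaching back into IT over SMB, while the jump host's SSH session passes as an approved exception.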
Weak security controls in network-connected devices are another threat. Utilities should map the vendor ecosystem and assess their security practices. They should require supplier certifications and integrate third-party oversight into the enterprise risk program.
Traditionally, utilities have relied on information sharing and free assessments from the federal government, but the Cybersecurity Information Sharing Act was allowed to lapse on Oct. 1, 2025. A qualified managed security services provider (MSSP) can help close the gap with an array of monitoring, consulting and incident response services. Our next post will delve into the MSSP services that can benefit the utilities sector.