U.S. energy infrastructures face intensifying cyber threats in 2024, marked by a series of targeted attacks.
According to Thales’ “Data Threat” 2024 report, 42% of critical infrastructure companies, including those in the energy sector, suffered data breaches this year.
These attacks, often orchestrated by state actors or organized criminal groups, highlight the increased vulnerability of systems using increasingly interconnected technologies and obsolete equipment.
Growing threats to critical infrastructures
The data shows a sharp rise in ransomware attacks against energy infrastructure, with a quarter of organizations reporting this type of attack in the last 12 months.
The motivation behind these attacks is clear: malicious actors know that companies in the energy sector are more likely to pay ransoms to avoid costly disruptions to their operations.
Furthermore, the complexity and diversity of the technologies used in this sector create a wide range of risks, from human error to the exploitation of known vulnerabilities, to the lack of multi-factor authentication.
The Thales report also highlights the growing threat of insider threats, with 30% of companies reporting incidents linked to employees or contractors.
This highlights the need to improve access management and strengthen security awareness programs within organizations.
Coordinated attacks and vulnerabilities in industrial control systems
Between November 2023 and April 2024, 29 cyberattacks specifically targeting the industrial control systems of US energy infrastructures were reported.
These attacks, including ransomware and intrusions, were aimed at compromising critical security systems.
Rapid digitization and the growing integration of new technologies into energy infrastructures are increasing the number of potential entry points for cyber attacks, exposing more systems to the risk of intrusion.
Experts stress that securing industrial control systems, often built on old, interconnected technologies, has become a priority.
The challenge is made all the more complex by the fact that the sector struggles to find and retain qualified cybersecurity professionals, which weakens its ability to respond.
New guidelines and greater resilience
In response to these growing threats, the U.S. Department of Energy (DOE) issued new cybersecurity guidelines for electric distribution systems and distributed energy resources (DER) in 2024.
These guidelines, developed in collaboration with the National Association of Regulatory Utility Commissioners (NARUC), aim to provide a common framework for reducing risk and improving the cyber resilience of critical infrastructure.
The aim is to encourage the voluntary adoption of uniform cybersecurity practices, and to strengthen defense against sophisticated threats from state actors or criminal groups.
Industry players are called upon to strengthen their cybersecurity strategy by focusing on improving cyber resilience, reducing human error, and effectively managing internal threats.
By adopting a more proactive and coordinated approach, the energy sector can hope to mitigate the risk of future attacks, while protecting America’s critical infrastructure from potentially devastating disruptions.
