Date: 2025-10-21

The critical role that utilities play in their local communities makes them an essential part of U.S. resilience against modern cyber threats. And when it comes to which utilities might become victims of sophisticated cyberattacks, size doesn’t matter.

The increasing digital connectivity of infrastructure systems and interdependencies between critical sectors increase both the potential vulnerabilities in U.S. critical infrastructure and the consequences of a successful disruption. While large utilities serving millions of customers across multiple states or regions may be some of the most impactful targets, attackers have demonstrated both the intent and capability to compromise small U.S. utilities to further their strategic interests. As a result, in addition to the critical role small utilities in many critical infrastructure sectors play in the economy, public health, and safety, these utilities can play an important role in the security of the nation by being resilient to cyberattack.

The cyber threat environment for U.S. utilities is continuously evolving. Foreign nation-states, state-affiliated actors, hacktivists, cyber criminals, and other threat actors have targeted U.S. critical infrastructure, including small utilities. These attackers pose a host of risks to domestic systems, and their capabilities and motivations can vary significantly. For example, profit-seeking attackers often attempt to extort victims or steal and sell valuable information. Other attackers might try to gain access to sensitive networks to conduct espionage or steal intellectual property to advance corporate or national interests. Geopolitical tensions or conflicts may also motivate threat actors to target utilities of all types and sizes in the U.S., often defacing websites or leaking sensitive information to further their political aims.

It is important for utilities of all sizes to strengthen their defenses against these common attacks, which could have significant financial or reputational consequences. But while these types of attacks could mean a bad day or tough week for a utility’s IT team, they are less likely to disrupt the flow of critical services to customers.

However, a range of threat actors are improving their capabilities to carry out disruptive attacks on U.S. systems, and well-resourced attackers pose more than just a nuisance-level risk to critical infrastructure entities. Unclassified threat assessments from the Office of the Director of National Intelligence continue to state that our key adversaries can disrupt U.S. critical infrastructure systems via cyberattack. Recent cyber campaigns have also demonstrated that threat actors — including nation-state or state-affiliated groups — are carrying out more sophisticated attacks, including attempts to disrupt critical infrastructure by manipulating industrial control systems.

While these attackers may choose to refrain from more disruptive breaches during times of relative peace to avoid provoking a significant U.S. response, government threat assessments indicate that U.S. adversaries are trying to gain a covert foothold in utility systems and use that access to prepare for more disruptive attacks on U.S. critical infrastructure at a time of their choosing.

These more serious attacks could be deployed amid, or in the lead-up to, future conflicts. For example, in 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory cautioning that state-sponsored cyber actors in China “are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”

While attacks against U.S. critical infrastructure in future conflicts may purposefully target systems with high strategic value, that doesn’t limit the targets to utilities serving large populations. For example, foreign attackers could target entities that support the U.S. military, including communities adjacent to bases or other facilities. While many facilities that support national security will have backup resources (e.g., backup generation, secondary and tertiary communications systems, stored water), attacks that disrupt the normal flow of these essential services can still degrade operations — especially if the outage is prolonged.

A threat actor may also attempt to disrupt a utility in one sector (e.g., power, water, communications, transportation) to disrupt essential services in another due to the interdependencies between critical sectors. Alternatively, attackers may be less pointed and more focused on disrupting whatever systems they can access — and they might see smaller systems as easier targets.

Any disruption of essential services and functions to communities can still ultimately support the attacker’s strategic goals by bringing the cost of American participation in the conflict home for U.S. citizens. Cyber-induced disruptions of critical infrastructure could create public pressure on the government from within the U.S. to avoid intervening in a conflict or to limit its participation in one.

In the face of these growing threats, the nation’s utilities are an important line of defense against cyber threats from U.S. adversaries. Many critical infrastructure entities are leveraging industry and government support to secure utility systems and keep their communities safe from cyber-induced disruptions. This includes an increased focus on both preventative controls to limit the likelihood of compromise and improving incident response capabilities to reduce the consequences associated with successful attacks.

Utilities and other critical infrastructure entities of all sizes should acknowledge that they could be the next target of a sophisticated cyber campaign. While many large utilities have teams of staff dedicated to increasing the resilience of their systems, smaller utilities often have significantly fewer resources to achieve similar goals. Because this resource gap will remain a challenge in the future, small utilities must focus on pragmatic, cost-effective measures to help mitigate risks from major and emerging threats.

Utilities can start by connecting with and obtaining resources from their Sector Risk Management Agency and CISA. Other partners — including sector information sharing and analysis centers, trade associations, the cybersecurity industry, and federal, state, and local government agencies — can also support resilience and capacity-building efforts. Cybersecurity is ultimately a team sport, and critical infrastructure entities of all sizes will continue to be key players.

Adapted from an article originally published in Public Power Magazine.