Is The Water Safe? New Report Delves Into Cyber Threats Against Critical Infrastructure Utilities
A new report from Semperis looks at how threat actors are compromising utilities, and how they and other organizations can shore up their cyber resilience.
In October 2024, one of the largest water utilities in the U.S. — New Jersey-based American Water — disclosed that it had been subject to a cyberattack.
“On Thursday, October 3, 2024, American Water learned of unauthorized activity in our computer networks and systems. This activity has since been determined to be the result of a cybersecurity incident,” American Water said in a post on its site at the time.
While the company assured customers that their water was safe to drink, the attack caused major disruption, temporarily shutting down customer services, billing and other operations.
Threats to critical infrastructure continue to increase. A new report from Semperis, which provides defenses for threats against Microsoft AD and Entra ID systems, reveals how vulnerable two critical utilities, water and electric, are to cyberattacks and how they and other organizations can shore up their cyber resilience.
Cyber Threats Against Utilities Report’s Key Findings
Semperis’ report, “The State of Critical Infrastructure Resilience, Evaluating Cyber Threats to Water and Electric Utilities,” revealed several key findings related to cyber threats against utilities. The report surveyed IT and “security professionals at 350 water treatment plants and electricity operators in the US and UK.” Here are the major takeaways:
- Sixty-two percent said their organizations had been targeted by threat actors in the past 12 months. Eighty percent of them said they were targeted multiple times.
Although American Water is a large utility, it’s the smaller ones that are most vulnerable.
Often, “the small water utility in the town ... the infrastructure is old. The technology that they’re using is old,” Sean Deuby, principal technologist, North America at Semperis, told MES Computing.
- Among those surveyed, 59 percent confirmed that nation-state threat actors were behind the attacks.
“Nation-states have increasingly realized that not just the routines of daily life but the engine of commerce and the nation’s confidence depend on digital infrastructure working as expected,” said Chris Inglis, former U.S. national cyber director and Semperis strategic adviser, in a statement in the report.
“By penetrating our critical infrastructure,” nation-state threat actors, including China and North Korea, can further “their strategic goals, the theft of intellectual property. [Attacks] jump start their technology and their economy, because they don’t have to invent the technology. They simply steal it,” Deuby said.
- Fifty-seven percent said that the attacks disrupted operations, and 54 percent said the attacks caused permanent destruction or corruption of data or systems.
Majority Of Attacks Involved Compromising Identity Systems
The report also revealed that among those utilities attacked, 82 percent were compromised via an identity platform like Active Directory, Entra ID and Okta.
“Active Directory’s primary role in most cyberattacks likely makes it a key factor in every other risk that respondents identified,” the report stated.
“Active Directory is as of February 17, a quarter of a century old ... it has shown a few wrinkles in its age,” Deuby said.
“One of the reasons [AD] is targeted by the bad guys, because it’s everywhere ... it’s a foundational component to this day of companies’ infrastructure,” he added.
Microsoft Active Directory use “is so common that approximately 90% of the Global Fortune 1000 companies use it as a primary method to provide seamless authentication and authorization,” according to a report from business consulting firm Frost & Sullivan.
How Utilities (And Midmarket Companies) Can Harden Their ID Platform Security
Semperis, of course, offers a platform to protect AD and Entra ID systems.
“What we do is we protect the Microsoft ecosystem, the Microsoft identity ecosystem ... Active Directory on premises and Entra ID in the cloud ... all the way the NIST cybersecurity framework, in other words, before an attack, during an attack and after an attack,” Deuby said.
“Before the attack, you want to obviously reduce the vulnerabilities that are in your environment. We have both a commercial solution, Directory Services Protector, and a community tool that analyzes Active Directory for more than 150 different indicators of exposure or indicators of compromise,” he continued.
The report authors also offered ways organizations can up their cyber resilience:
- Identify Tier 0 infrastructure components: what is essential to recover after an attack?
- Prioritize incident response and recovery; identify which functions are mission critical (Tier 1), which are business critical (Tier 2), and then the rest of the business functions (Tier 3).
- Document response and recovery processes but also practice them.
- Focus on secure recovery, not just fast recovery.
“Cyber resilience isn’t just about technology — it’s about people, processes, and the ability to act decisively when everything is on the line,” said Semperis CEO Mickey Bresman in a statement. “Response times to cyberthreats will be faster if organizations assume that adversaries are already in their networks and have a documented and tested recovery and resilience plan that is ready to deploy at a moment’s notice,” the statement also read.