81% of cyberattacks on utilities compromise identity systems such as Active Directory, Entra ID, and Okta.
HOBOKEN, NJ – April 3, 2025 – Semperis, a leader in AI-powered identity security and cyber resilience, today released a new study analyzing cyberattacks targeting water and electricity operators across the U.S. and U.K. 62% of utility operators were targeted by cyberattacks in the past year, and of those, 80% were attacked multiple times. More than half (54%) suffered permanent corruption or destruction of data and systems.
Recent high-profile cyberattacks by nation-state groups on water and electricity utilities underscore the vulnerability of critical infrastructure. A public utility in Littleton, MA, was recently compromised by a group linked to Volt Typhoon, the Chinese state-sponsored threat group. American Water Works—the largest U.S. water and wastewater utility—also detected unauthorized activity in its computer network that disrupted customer service and billing. In response to escalating threats such as these, the EPA issued an advisory urging water utilities to improve their ability to detect, respond to, and recover from cyberattacks.
Surprisingly, more than one-third (38%) of utility operators believed they had not been targeted by cyberattacks. Cybersecurity experts view this figure as alarmingly high, suggesting that many of these organizations may have been breached without realizing it.
“Many public utilities likely don’t realize that China has infiltrated their infrastructure,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor. “Chinese-sponsored threat actors like Volt Typhoon are known to prefer Living off the Land attacks, which are difficult to detect and can remain dormant, planting backdoors, gathering information, or waiting to strike for months or even years.”
The report, The State of Critical Infrastructure Resilience: Evaluating Cyber Threats to Water and Electric Utilities, found that nearly 60% of attacks were carried out by nation-state groups. In addition, in 81% of cyberattacks, attackers compromised identity systems such as Active Directory, Entra ID, and Okta.
The potential public impacts of being without electricity, heat, or clean water for even a short period can be significant. Our study indicates that utility customers in the U.S. and U.K. have been relatively fortunate—so far.
The Age of Resilience
“If you don’t improve resilience, attackers keep coming. Utilities have an opportunity to address this challenge. They need to assume breaches will happen and, through tabletop exercises, they can practice attack scenarios that could be a reality in the future,” said Mickey Bresman, CEO, Semperis.
What sets utility operators apart from many other industries is the critical nature of their work. If an electricity or water operator is compromised, the potential risks to public health and safety can put an entire nation at risk. Our experts note that resilience to cyberattacks that threaten operations should be the top priority for every organization involved in critical infrastructure.
“The systems that supply our power grids and our clean drinking water are the underpinning of everything we do,” added Inglis. “And yet we go about our business, confident that somebody else is going to handle it. Somebody else isn’t going to handle it. We need to harden our systems and extract criminal elements—now.”
To improve operational resilience against cyberattacks, utilities should:
- Identify Tier 0 infrastructure components that are essential for recovery from a cyberattack.
- Prioritize incident response and recovery for these systems, followed by mission-critical (Tier 1) functions, business-critical (Tier 2) functions, and then all other (Tier 3) functions.
- Document response and recovery processes and practice them using real-world scenarios that involve people and processes beyond the IT department.
- Focus not just on fast recovery but on secure recovery. Attackers often attempt to compromise backups to maintain persistence in the environment, even after recovery attempts. Implement solutions that support speed, security, and visibility in crisis situations.
The full cyber threat study analyzes survey responses from IT and security professionals at 350 utility companies and includes breakdowns by country. Free download is available at: https://www.semperis.com/the-state-of-critical-infrastructure-resilience.
For more information about how Semperis helps global organizations improve cyber resilience, visit the Semperis Identity Resilience Platform page at: https://www.semperis.com/identity-resilience-platform/.
About Semperis
Semperis protects critical enterprise identity services for security teams charged with defending hybrid and multi-cloud environments from cyberattacks, data breaches, and operational errors. Purpose-built for securing hybrid identity environments—including Active Directory, Entra ID, and Okta—Semperis’ AI-powered technology protects over 100 million identities from cyberattacks, data breaches, and operational errors.
As part of its mission to be a force for good, Semperis offers a variety of cyber community resources, including the award-winning Hybrid Identity Protection (HIP) Conference, HIP Podcast, and free identity security tools Purple Knight and Forest Druid. Semperis is a privately owned, international company headquartered in Hoboken, New Jersey, supporting the world’s biggest brands and government agencies, with customers in more than 40 countries.
Learn more: https://www.semperis.com
Media Contact:
Bill Keeler
Senior Director, PR & Comms