Quick Takeaways
- Unified Security Strategy Needed: US energy regulators stress the importance of integrating cybersecurity and physical security strategies for grid operators to enhance resilience against escalating threats.
- Rising Threat Landscape: Cyberattacks on utilities surged by 69% in 2024, while physical attacks on grid infrastructure increased by 71% in 2022, indicating a growing trend in both cyber and physical threats.
- Operational Challenges: Grid operators, previously focused on hardware reliability, now face the added responsibility of monitoring for cyber threats, leading to operational complexities and a need for comprehensive training.
- Call for Integration: Analysts advocate for a unified approach to threats, citing the risks of disjointed teams and the necessity for comprehensive incident response strategies that encompass both cybersecurity and physical security.
US energy industry regulators and analysts are increasingly repeating the same message: Grid operators need to unify their cybersecurity and physical security strategies.
Power plants and transmission/distribution system operators (TSOs and DSOs) have long focused on maintaining uptime and enhancing the resilience of their services; keeping the lights on is always the goal. That’s especially true as the past few years have seen the rise of IT/OT convergence, wherein formerly siloed equipment that runs physical processes for critical infrastructure (operational technology, or OT) has been hooked up to the IT network and, in some cases, the Internet, exposing it to more cyberthreats. Now, another type of convergence has been forcing a new conversation.
On one hand, cyber threat actors increasingly look to cause actual operational disruption in the field. It’s awkward, as “operations teams that once focused solely on hardware and uptime are now being asked to scan logs, document evidence of compliance and assess threats,” analysts from Black & Veatch wrote in an industry report published today. In a survey, they found that grid operators expressed equal worry over ransomware, miscellaneous malware, and cloud vulnerabilities.
And growing nearly as fast as cyber threats is a strange trend toward physical attacks on grid infrastructure. Since 2020, plants and system operators have suffered hundreds of incidents, ranging from random shootings to intrusions and vandalism, the Black & Veatch report pointed out.
In this new world, both industry regulators and analysts, like those at Black & Veatch, are arguing the same point: that where once keeping the lights on might have just meant maintaining equipment and avoiding fallen trees, today’s grid operators need a robust, integrated physical and cybersecurity strategy to maintain continuous service.
A “Juice”-y Target: Rising Threats to the US Power Grid
Last year, Check Point Research (CPR) tracked the rate of change in weekly cyberattacks in different US industries. It found that threats to retailers were way down, along with those against Internet and managed service providers (ISPs and MSPs). Communications and health care attacks remained steady. The sector with the single greatest rise in weekly attacks, by no small margin, was utilities — up 69%, from an average of 689 attacks per week in H1 2023 to 1,162 in H1 2024.
In the same vein, last January Trustwave researchers found that ransomware attacks against global energy and utilities organizations rose 80% year over year (YoY), with nearly half of all attacks affecting the US.
On the physical attack front, in February 2023, the Electricity Information Sharing and Analysis Center (E-ISAC) disclosed that physical attacks on the power grid had risen a full 71% in 2022 (and 20% over 2020 numbers). Between 2020 and 2022, 4,493 incidents were reported to authorities. Some portion of those 4,500 cases involved petty theft of machine parts and copper, but a significant number were violent, featuring politically and racially motivated attacks.
As if to underscore the point, in the same month that E-ISAC shared its data, two neo-Nazis were indicted for plotting to attack five substations in Maryland and Pennsylvania. The goal — as in many similar cases — was to bring darkness to the city of Baltimore, which the conspirators hoped would “completely destroy this whole city,” as reported in court documents. Black & Veatch reports that substation attacks in general rose 50% that year.
Ian Bramson, vice president of global industrial cybersecurity for Black & Veatch, attributes the rising threats on grid infrastructure — both cyber and physical — to “a convergence of factors.”
He hypothesizes that “while the grid has always been a target, the frequency and sophistication of attacks on critical infrastructure have escalated since the Colonial Pipeline incident in 2021. That attack demonstrated to a wide range of threat actors the global impact they could achieve by disrupting essential services, sparking increased interest and activity in targeting the grid.”
He adds, “This momentum has only grown amid ongoing global conflicts, which have further amplified both the motivations and capabilities of adversaries. Mix in grid modernization, digitalization, and remote operation efforts that expand the attack surface, and you have the right combination of motivation and opportunity to perpetuate the frequency and severity of attacks.” He notes that he expects these trends to continue into 2026.
IT-OT-Physical Convergence in Today’s Critical Infrastructure
In the face of rising kinetic and Internet attacks, Black & Veatch asked grid operators to what extent they integrate physical and cybersecurity measures and teams. A third of participants didn’t know the answer. The rest were split roughly evenly: some used a single team to manage and monitor both physical and cyber threats, some used specialized teams for each, and some used different teams but still managed them under a single incident response strategy.
The report authors took issue with these results. They wrote that the third who didn’t know whether their cyber and physical security operations overlapped or not “don’t fully understand how physical and cyber risks intersect,” and that the respondents who don’t totally integrate physical and cyber are facing “a dangerous gap.”
Bramson tells Dark Reading that “the gap comes from having more than one team owning cybersecurity, and the potential opportunity for assumptions of ‘the other side’ covering some aspect of the system.” IT and OT might involve different machinery, but ever since cyber-physical attacks rose to prominence in the late 2000s and 2010s, the considerations of each have affected both.
For instance, an IT operation might primarily concern itself with firewalls, or network monitoring; but “in many cases, cyberattacks can often involve physical access to sites, whether by malicious insiders or unwitting employees and contractors. Understanding who is present on-site, when and why, is critical to investigating and mitigating attacks on operations,” Bramson explains.
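One concrete form of the cyber-physical correlation Bramson describes is cross-checking local OT console logins against badge-access records for the same site. The following is an added example, not code from the article or from Black & Veatch; the site names, user names, log formats and the ten-minute grace window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical sites, users and formats).
# Badge log: <timestamp> <site> ENTRY|EXIT <user>
BADGE_LOG = """2024-03-04T06:55:10 sub-17 ENTRY jdoe
2024-03-04T07:40:02 sub-17 EXIT jdoe
2024-03-04T09:12:45 sub-21 ENTRY mlee"""

# OT auth log: <timestamp> <site> <device> LOGIN <user> <channel>
OT_AUTH_LOG = """2024-03-04T07:05:33 sub-17 rtu-03 LOGIN jdoe console
2024-03-04T08:30:12 sub-17 rtu-03 LOGIN jdoe console
2024-03-04T09:20:07 sub-21 hmi-01 LOGIN mlee console
2024-03-04T11:02:51 sub-21 hmi-01 LOGIN rsmith console"""


def presence_windows(badge_text):
    """Map (site, user) -> list of (entry, exit) intervals; exit is None if still on site."""
    open_entries, windows = {}, {}
    for line in badge_text.splitlines():
        ts_s, site, action, user = line.split()
        ts, key = datetime.fromisoformat(ts_s), (site, user)
        if action == "ENTRY":
            open_entries[key] = ts
        elif action == "EXIT" and key in open_entries:
            windows.setdefault(key, []).append((open_entries.pop(key), ts))
    for key, entry in open_entries.items():  # badged in, never badged out
        windows.setdefault(key, []).append((entry, None))
    return windows


def find_unbadged_logins(badge_text, auth_text, grace_minutes=10):
    """Return local (console) OT logins for which the badge system shows nobody
    by that name present at that site, allowing a grace window around entry/exit."""
    grace = timedelta(minutes=grace_minutes)
    windows = presence_windows(badge_text)
    alerts = []
    for line in auth_text.splitlines():
        ts_s, site, device, action, user, channel = line.split()
        if action != "LOGIN" or channel != "console":
            continue  # remote sessions need a different check (VPN/jump host logs)
        ts = datetime.fromisoformat(ts_s)
        present = any(start - grace <= ts and (end is None or ts <= end + grace)
                      for start, end in windows.get((site, user), []))
        if not present:
            alerts.append((ts_s, site, device, user))
    return alerts


if __name__ == "__main__":
    for alert in find_unbadged_logins(BADGE_LOG, OT_AUTH_LOG):
        print("console login with no matching badge presence:", alert)
```

On the constructed logs this flags jdoe’s second RTU login (after badging out) and rsmith’s HMI login (no badge record at all), while the logins that fall inside a badge presence window pass.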
The same point is increasingly being echoed across the industry. Last year, when the Department of Energy announced $45 million of funding for energy sector security, it chose to distribute a chunk of that money to a research project focused on preventing cyber-physical threats to distributed energy resources (DER) using zero-trust authentication. The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard 003‑11 (CIP‑003‑11) states in repeated, clear terms that bulk energy systems (BES) must incorporate both cyber and physical security controls into their cybersecurity plans. And in June, when the Federal Energy Regulatory Commission (FERC) approved CIP-015-1 — a standard expressly focused on cybersecurity monitoring — it nonetheless directed NERC to modify the document “to extend internal network security monitoring to include” physical controls.
As IT and OT grow closer together, Bramson says, there will be clear organizational upsides to unifying threat strategies to sweeten the pot. Those upsides will vary depending on the organization, but importantly, he concludes that “each team also brings a level of institutional knowledge that benefits the other, expanding the eyes on the security, both cyber and physical, of the organization as a whole.”
