E-ISAC Reports on Cyber, Physical Threats
China Remains Most Concerning State Actor
Left: Grid impacting incidents by type, 2023-24; Right: Security level breakdown, 2020-2024. | NERC
Leaders from the Electricity Information Sharing and Analysis Center updated NERC trustees on the physical and cyber security threats facing electric utilities.

The cyber and physical threat landscape facing electric utilities remains “as dynamic and complex as ever,” especially in light of recent “geopolitical and economic developments,” officials from the Electricity Information Sharing and Analysis Center (E-ISAC) told members of NERC’s Board of Trustees. 

Speaking at the quarterly open meeting of the board’s Technology and Security Committee on May 7, E-ISAC Vice President of Security Operations and Intelligence Matt Duncan cited recent threat assessments from the U.S. and Canadian governments that found “a growing cast of malicious and unpredictable actors” posing potential dangers to electric reliability. China, Russia, Iran and North Korea continue to represent major cyber threats, with more concern arising from criminals, political activist groups and other non-state actors. 

China’s cyber warfare group “remains the dominant threat,” Duncan said, pointing to an assessment from security vendor CrowdStrike that espionage and reconnaissance activities against U.S. financial services, media, manufacturing and industrial organizations by Chinese actors increased 300% in 2024 from the previous year. This indicates that “all of the naming and shaming that has gone on with … U.S. foreign policy has not deterred the adversary from continuing to scan and … preposition in [U.S.] networks.” 

Recent years also have seen a rise in malicious cyber activity by “hacktivists,” which Duncan described as a catch-all term for activity by groups not officially affiliated with state actors but associated with various causes, including conflicts between Russia and Ukraine, Israel and Palestine, and India and Pakistan. The last of these conflicts erupted the same week as the TSC meeting and already has seen Pakistani cyber criminals claim to have breached Indian defense systems. 

“While they are not as sophisticated or as capable as a nation-state actor or even a criminal gang, they employ a lot of the same tactics and can impact folks’ reputation and cause disturbances to business operations,” Duncan said. “No electric outages have been caused by these groups, but they certainly have caused some website outages and some other, higher-profile events related to websites facing the electricity industry.” 

Duncan devoted a significant part of his presentation to reviewing physical threats and the E-ISAC’s response to them. He noted that information sharing across the industry improved significantly in 2024, with utilities voluntarily sharing 45% more physical security incident data with the E-ISAC than in the previous year. 

Despite the greater information volume, Duncan emphasized that the number of incidents that affected the grid remained low in 2024. The E-ISAC uses a four-level system for assessing security threat levels: level 0 indicates non-criminal activity; level 1 is criminal activity resulting in no outages; level 2 is criminal activity that results in outages for fewer than 10,000 customers; and level 3 is criminal activity resulting in outages for at least 10,000 customers.

The last two categories comprised around 3% of the physical incidents recorded for the entire year, around the average for the past five years. Of these incidents, the four most common types were theft, vandalism, ballistic damage and intrusion, representing 35, 27, 25 and 12%, respectively. 

While theft of copper wire is a longstanding problem for electrical facilities, Duncan said the E-ISAC has also seen significant reports of optical fiber being cut. He called this phenomenon “a very concerning development” for both the energy and the telecommunication sectors, because it could lead to loss of communication with control centers. 

He added that perpetrators may be motivated not by sabotage but simple greed, because “the coating [on the fiber optic cables] looks very similar to the untrained eye” to that on copper cables. Nevertheless, the E-ISAC continues “to ring the bell with government and our telecommunications partners.” 

Duncan also pointed out the significant number of incidents in which the apparent motive was to cause damage, noting that “those are the types of attacks you want to focus a little bit more on, because … somebody was actually trying to cause an impact, and it wasn’t an accident.” He noted that a large amount of violent rhetoric online discusses sabotaging the grid to achieve political gains. 

Bluma Sussman, the E-ISAC’s vice president of stakeholder engagement, hinted at the “challenging times” facing U.S.-Canada relations while promising that nothing would change the organization’s engagement with its Canadian partners. 

“Our ISAC is not just here for U.S. utilities, but for all of the North American electricity industry, and our partnership with Canadian utility members and government partners is a critical one,” Sussman said. “Our shared commitment to the reliability and security of the North American power grid is paramount, and its foundation lies in these strong relationships.” 
