AI Adds New Dimension to Utility Cyber Threats, Experts Say
WECC Panel Examines How Power Industry Must Keep Pace with Changes

Artificial intelligence may be helping employees streamline a variety of tasks, but AI is also making work easier for threat actors plotting cyber attacks against electric utilities, experts said during a WECC webinar.


And the AI influence comes as utilities are facing cyber threats from multiple directions.  

“Sophisticated state actors” are trying to access electricity networks for future disruptive attacks, according to Phil Tonkin, field chief technology officer at cybersecurity firm Dragos. Tonkin was a panelist during the June 4 cybersecurity webinar, part of WECC’s Reliability in the West discussion series.

According to the federal Cybersecurity and Infrastructure Security Agency (CISA), cyber actors sponsored by the People’s Republic of China want to pre-position themselves on IT networks “for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” 

In addition, Tonkin said, there are activists looking for low-hanging cybersecurity fruit and criminals who are eyeing organizations to target in ransom attacks. 

Dragos has been tracking a group called Voltzite that targets electrical infrastructure.  

“This is not a hypothetical threat,” Tonkin said. “We have seen this organization knocking on the door of many power utilities across the U.S., and through the Pacific as well. On top of that, we’ve seen actual successful intrusions into utilities.” 

Treigh Pedroche, senior security architect at WECC, said generative AI can help a threat actor figure out how to exploit a cybersecurity vulnerability that previously might have required advanced reverse-engineering software skills. 

“Prior to these tools, I had to be maybe [an] expert-level software engineer,” Pedroche said. “Now I just have to be good at using a Gen AI tool.” 

Another issue is when employees use AI for tasks such as summarizing data or writing executive summaries. The information provided to AI is loaded into public models, Pedroche said, and threat actors may then be able to extract it. 

AI also can help attackers devise phishing emails, identifying employees to whom to direct the messages and crafting convincing language, which is especially helpful for foreign adversaries. 

Tonkin gave an example of an email sent to a utility employee by a “customer” who was worried about a buzzing power pole in their yard. They even attached a photo. 

“That’s the sort of thing people are going to fall for,” Tonkin said. “And that’s what’s happened in a number of countries around the world. There’s a European utility which was exploited just like that.” 

In 2024, four cybersecurity intrusions in the Western Interconnection were reported through the Department of Energy’s Electric Emergency Incident and Disturbance Report, according to WECC’s most recent State of the Interconnection report.

In 2023, Dragos helped Littleton Electric Light and Water, a public utility in Massachusetts, root out Voltzite hackers who had gotten into the utility’s network. It was Voltzite’s first known intrusion into a U.S. electric utility’s computer system. (See Dragos Outlines Voltzite Electric Utility Breach.)  

Working Together

Tonkin said the industry thus far has been keeping pace with cyber threats. But he noted that continuous efforts are needed to stay one step ahead of adversaries. 

Electric utilities have an advantage in that regard, he said, because their service territories largely are distinct. Because they’re not competing against each other, it’s easier for utilities to share information and help each other out. 

Pedroche pointed to resources available to utilities, such as intelligence reports from Dragos and CISA. 

“For us, the defenders, we’re almost always on that back foot,” Pedroche said. “Utilizing those [resources] as best we can to the fullest is really going to be key.” 

In addition to its cybersecurity webinar, WECC will be hosting a Power Systems Security Conference on Aug. 12-14 in Salt Lake City.  
