Energy Cybersecurity

The Electricity, Environment, & Water sectors

The criticality of energy and water infrastructures to people's well-being and the health of the economy needs no emphasis. It is even a matter of national security: power down electricity or take control of water plants, and you master a whole territory. That is precisely why they are a chosen target for cyberattacks. Everybody remembers the cyberattack against the Colonial Pipeline in the US in 2021, to mention only one.

An essential industry, main target of cybersecurity attacks

Many papers, from the industry itself, and from government or security agencies, clearly state the cybersecurity stake for the energy and water industry in all regions:

  • European Union: Critical infrastructure and cybersecurity and Cyber Europe tests the EU Cyber Preparedness in the Energy Sector | ENISA
    In 2023 alone, over 200 reported cyber incidents targeted the energy sector and more than half of them were directed specifically at Europe. The Network and Information Security (NIS) Investments in the EU report by ENISA found that 32% of operators in the energy sector do not have a single critical Operational Technology (OT) process monitored by a Security Operations Center (SOC). Operational Technology and Information Technology are covered by a single SOC for “only” 52% of operators of essential services in the energy sector.
  • France: The cyberthreat landscape report published in early 2025 by the national cybersecurity agency (ANSSI)
    The report mentions cyberattacks specifically targeting water treatment and electricity power plants in 2024, leveraging vulnerable applications and systems exposed to the Internet. Therefore, “the ANSSI organization considers that the actions put in place to secure OT equipment and reduce its exposure to the Internet significantly lower the attack opportunities”.

An inflection point came in 2023, with the awareness that “the cost of cleaning the effect of an attack is so much higher than the cost of preventing it”. The availability and continuity of service of these critical infrastructures (water, gas, electricity) require strong protection of the industrial SCADA/ICS systems and strong BCP/DRP plans, often with two separate infrastructures in case one of them breaks down completely.

Information and Communication Technology (ICT) plays a pivotal role in enabling and managing smart grids, those smart networks which leverage digital technologies for enhanced efficiency, reliability, and sustainability – for smart metering, as an example. These “side networks” leveraging IT technology and connecting OT, IoT and IT, play a key role in optimizing energy production, distribution and consumption, while facilitating the balance between sustainable and traditional energy sources and the energy trade between countries. These networks must be highly protected from cyberattacks, because they are the “nervous system” of the energy ecosystem. Any administration action on these networks must be monitored with a high level of control. Identities of third-party contractors intervening on these networks must be highly protected, with strong authentication (MFA) mechanisms and strong access controls (JIT policy enforcement).

A customer business case: a water treatment factory

As a CISO of a regional water treatment organization, one must tackle both the human side and the technical side of the equation, and for the latter, both IT security and OT security.

Compliance regimes such as NIS2 bring very demanding requirements, and sometimes the challenge is knowing which activity is or should be under the mandate of this directive. As an example, the control/command part of the industrial infrastructure is often considered a system of vital importance, whereas maintenance is considered less sensitive.

Such organizations may also handle citizens' personal data, which falls under the GDPR regulation. An example is knowing that, at a certain street address, there lives a person with a long-lasting illness who can never be left without electricity or water without putting her life in jeopardy.

Another characteristic of this industry is that it calls on contractors and third-party service providers, whether on the IT side or on the OT side. Reported attacks include a malicious employee of a subcontractor who managed to change the configuration of a pump, and a hacker who leveraged a contractor employee's use of a remote desktop control tool to reach a SCADA application. Supply chain attacks are one of the main threats for this industry. Attacks have also been reported because smaller cities deployed an infrastructure directly exposed to the Internet, whereas larger cities and counties usually don't take the risk of exposing anything on the Internet.

cyberelements Delivers Key Features for Energy Cybersecurity

  • Secure remote access for remote maintenance and remote MSPs'/contractors' operations

Electricity and gas industries make extensive use of subcontracting. On the business/OT side, it leads to remote access from contractors’ employees to critical assets, often from simple tablets. On the IT side, it leads to leveraging cloud infrastructures, to offload IT management and optimize IT costs.

As an example, in the water industry, water quality is often managed by third-party laboratories, which need data from the water plants to run their tests. Even if they are not considered essential or important operators, they have access to critical assets, and this access must be closely monitored and controlled.

cyberelements has been designed natively for secure remote access: it provides authorized users with zero-trust access and creates a security barrier for those who are not granted any access. It enables clientless web access, avoiding the need to deploy client updates. It provides generic tunneling to enable MSPs and contractors to use their own applications and licenses to remotely access IT or OT systems.

  • Organizational and network segmentation

Malicious actors may use IT networks as a vector to target non-segmented OT networks and systems. Proper network segmentation is a very effective way to prevent cyberattacks against OT networks (and lateral movements). Businesses in this industry need to separate IT and OT, while sometimes leveraging the same solution for remote access to both IT and OT systems (IT-OT convergence).

Energy and water enterprises are also often spread across large geographic areas, with many sites. They are heavily dependent upon network communication between the sites, while looking to keep a certain autonomy within each site.

Organizationally, larger businesses in this industry often have many different entities, regulated and non-regulated. The cyberelements multi-tenant architecture allows deploying a single platform while isolating entities. It makes it possible to segment organizations (IT/OT, regulated/non-regulated, sites) and to segment networks (thanks to the double barrier architecture, with Edge Gateways deployed in the LANs where the accessed resources sit). Network segmentation limits lateral movements. cyberelements also prevents lateral movements within an IT or OT LAN, with very fine-grained access control: it allows server firewall configuration per user, depending on the user and the context of the user's access.

  • Zero-trust by design

Zero-trust, as a new paradigm for managing workforce access to IT/OT systems, is well suited to the requirements of the energy and water industry. Making no difference between “internal” and “external” access matches the organization and network distribution well. Default multi-factor authentication, conditional/contextual access (user, device, network), continuous identity verification and user behavioral analysis are typical zero-trust features which greatly secure access from anywhere. Feeding the SIEM of a SOC with all the audit data, to track “who has done what, when, on which application, from which context?”, is also critical to complement upstream proactive prevention with downstream reactive detection and response, and to meet compliance mandates. The ability to designate users and accounts as “privileged” and assets as “critical” makes it possible to trigger extensive monitoring and control over them.

A Highly Regulated Industry

The energy and water industries are amongst the most regulated everywhere in the world, given the importance of electricity, gas and water in the day-to-day life of citizens.

Each country has its own energy regulation body or commission (each with its own name: CRE for France, Bundesnetzagentur for Germany, Ofgem for the UK, FERC for the USA, CER for Canada, etc.). The EU has established ACER as the European body to coordinate the regulators across Europe. It has also recently (2024) published a report to better Coordinate the Energy Infrastructure across Europe (CEI), because more and more industries become intertwined through digital networking. Energy is amongst the most critical industries for NIS2 compliance. This drives a series of mandates for them, especially regarding Identity and Access Management (IAM): the obligation to fully manage identities and entitlements, to manage access in every detail, and to closely monitor and control privileged users and accounts. More concretely, in a regulated IT system, NIS2 mandates that:

  • the administration IT system must be separated from the business IT system, up to the terminal used by the employees to access either environment; administration accounts must be different from business accounts;
  • only individual accounts must be used, and they must be tracked; credentials must follow policies, be changed on a regular basis or after each use, and, at best, not be disclosed to the end user;
  • access, and connection, to IT resources should be granted based on least privilege, for the duration of the need to use the resource (JIT), leaving neither right nor connection behind.

The cyberelements zero-trust IAM platform helps meet all these obligations at the speed, cost and with the security demanded by the regulation bodies. The best way to be convinced is to try yourself: click on “start now” and, in three minutes, you can start off configuring the platform and experience an unprecedented time to compliance.