When the streets of Muleshoe, Texas, flooded with water in January, most people probably didn’t blame Russian hackers.
But that’s exactly who was at blame, according to a report published this week by Google-owned cybersecurity firm Mandiant, which said Russia was responsible for hacks of water utilities in Texas as well as in France and Poland.
The January attack was far from the first to hit U.S. utilities. In December, Fast Company reported on U.S. National Security Council concerns that critical infrastructure providers could pose easy targets for hackers.
But why are they so vulnerable to cyberattacks in the first place?
“They have proven to be a little vulnerable because they are private companies and hence the profit motive prevails,” says Alan Woodward, professor of cybersecurity at the University of Surrey. “Security is seen as a cost center.” That’s borne out by data compiled by the International Energy Agency (IEA) on the power sector, which found that there were more than 1,100 targeted attacks launched across the world in 2022.
The utilities sector seems uniquely understaffed, according to the IEA’s analysis: While the finance and insurance sector accounted for nearly 1% of all cybersecurity job postings in September 2022, and public administration 0.57%, power utilities languished behind at 0.49%. The average wage offered by the utility sector also pales into comparison to competing industries, which could mean it’s losing out on quality candidates.
The U.S. government has also failed to pass a number of legislative attempts to force utilities to adopt minimal cybersecurity standards. As a result, U.S. utilities are comparatively underprotected in comparison to their peers. “Compare that to the U.K. where we have a specialist government agency that focuses on such service providers and assesses them regularly,” Woodward says.
