Cyber threats are evolving faster than ever, and U.S. utility companies face unprecedented challenges in safeguarding critical infrastructure. These entities, from energy grids to water systems, are prime targets for sophisticated attacks that could disrupt operations, compromise sensitive data, and endanger public safety. At the heart of their defense strategy lies the security of their data centers: the repositories of operational intelligence and customer information vital to day-to-day functionality.
As cybercriminals increasingly exploit vulnerabilities in industrial control systems (ICS) and operational technology (OT), utilities must adopt current strategies to protect their data and systems. This Q&A interview examines the cybersecurity hurdles facing utility companies, the role of robust data center security, and how industry leaders are addressing emerging threats, covering the intersection of technology, policy, and risk management from the perspective of practitioners tasked with defending critical infrastructure.
SecurityInfoWatch (SIW) editorial director Steve Lasky talked to David Redekop, founder and CEO of ADAMnetworks, and David Stapleton, a cybersecurity risk professional with over a decade of experience in the public and private sectors and the CISO at Process Unity.
(Note: This executive Q&A was edited for clarity and length.)
SIW: What specific cyber threats could utility companies face when working with data centers to meet energy demands?
Redekop: The vectors of attack are multiple: contractual and financial transactions, network integrations, and mutually dependent cost-savings measures are part of such deals, which is opportunistic for Business Email Compromise (BEC) on either side of the transaction. We’ve observed this in municipal dealings, for example, when property purchases are part of the agreement (see this blog). While this wasn’t related to Infrastructure/Utility overlap, it is a perfect example of a successful cyber-attack when the seller expects a buyer.
Stapleton: Growth and change can leave gaps in security safeguards if not meticulously monitored through business transformations. The power demand from AI-focused tech organizations presents a potential boon for utilities. Security teams representing both parties must be involved to ensure security is considered in any operational, technical, or general management changes from this new business.
It is possible that cybercriminal gangs with an activist (hacktivist) motivation may pay closer attention to utilities providing services to large tech companies that the hacktivists have issues with. For example, companies that make statements about geopolitical conflict can find themselves targets for these types of threat actors.
On a positive note, security-minded tech companies will focus on data confidentiality, integrity, and availability (the CIA triad). The availability piece of the triad can often depend on things as basic as continuous power to data centers. These new business interactions have the potential to bring new scrutiny on utilities' security programs to ensure that the valuable electricity they produce for their new customers is not disrupted.
SIW: How can the interconnected nature of utility infrastructure and data centers make both sectors more appealing targets for cybercriminals?
Redekop: Modern-day cybercriminal organizations are often run as efficiently as organized crime units. The intersection of two high-value targets (utility and infrastructure) is a lucrative two-for-one disruption opportunity for the adversary seeking maximum disruption.
Stapleton: Utilities already provide power to data centers, so I don't see a particularly material increase in connectivity that would make them less attractive to cybercriminals.
SIW: What lessons can be learned from recent cyberattacks on data centers to better protect utility companies and their potential business future?
Redekop: While no solution is 100% effective, exhausting the attackers’ resources is essential, so they have no choice but to move on to other targets.
Stapleton: One of the reasons data centers can be an attractive target for threat actors is that they process, transmit, and store massive amounts of the world's most valuable asset - data. Motivations for attacks might be financial (e.g., ransom/extortion), espionage or IP theft, or general disruption. As utilities increasingly become critical assets for data centers, these threats can be passed down to them. For example, a nation-state actor whose primary target for a DDoS attack was a data center may determine that the utility is a softer target with the same ultimate outcome: disruption of the data center functionality.
SIW: Are there current gaps in cybersecurity protocols that utility companies should address before engaging in deals with target-rich environments? Or vice versa?
Redekop: At the risk of using an overused marketing term, the actual root of Zero Trust applies. In other words, when the Principle of Least Privilege is applied, the vast majority of attacks—at least remotely operated—are neutralized without even knowing of vulnerabilities.
Stapleton: It always comes back to the basics. As changes develop, risk professionals should evaluate each major decision or action to understand if there is exposure to new threats. These can be subtle. For example, entering new or significantly expanding existing business relationships opens the door to many social engineering attacks. Individuals are less familiar with each other as teams are being brought together, so phishing and financial fraud campaigns are more likely to succeed.
SIW: What steps should utility companies and data center operators take to mitigate the shared risk of cyberattacks in these situations?
Redekop: The NIST Cyber Security Framework (CSF) is an excellent starting point that requires action on behalf of operators of both organization types. Applying Zero Trust principles in every configuration strengthens security until the attackers’ resources are exhausted.
SIW: How can utility companies and data centers enhance collaboration to ensure cyber-resilience while meeting growing energy demands?
Redekop: Focus on the need for cross-sector cooperation between utilities and tech infrastructure. The principle of Least Privilege necessarily requires an inventory of assets and connection requirements. This requirement audit, along with lifecycle management of all network assets, has tremendous value, as it ensures that all potential vulnerabilities are known, leading to adequate security posture.
Encourage strategies around shared threat intelligence, incident response protocols, and risk mitigation frameworks. While threat intelligence, threat detection and response are essential, the consequence of preventive maintenance is exponentially valuable compared to post-breach response. The boring Principle of Least Privilege wins. In real life, the challenge is usually found in the [lack of] budgetary appetite for preventive posture, which is often difficult to quantify.
Stapleton: Engaging with public sector partners like the Cybersecurity and Infrastructure Security Agency (CISA) is a great way to tap into highly vetted standards and best practices and connect to an excellent source of threat intelligence and incident response support specializing in critical infrastructure.
SIW: What cybersecurity frameworks and best practices should critical infrastructure providers adopt to defend against advanced persistent threats (APTs) targeting energy and telecom systems?
Redekop: Explore the importance of frameworks like the NIST Cybersecurity Framework (CSF) or ISO 27001 for securing critical infrastructure. The challenge today isn’t the how; it’s the doing: the political will to insist on applying the financial, human and commercial resources to secure what has already been deployed.
Highlight proactive strategies for identifying and mitigating APTs. Most network devices have a finite list of resource needs, but in the interest of “making it work,” applying the Principle of Least Privilege is often skipped, and that is exactly what allows an APT to wreak havoc upon gaining a foothold in the infrastructure space.
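The "finite list of resource needs" idea that Redekop returns to in the answers above (the asset and connection inventory, and default deny for everything not on it) can be made concrete. The block below is an added example, not code from the interviewees or their companies: it holds a hypothetical per-device connection inventory, evaluates constructed flow records against it, and denies anything not inventoried, including all traffic from a device with no inventory entry at all. Device names, addresses and the flow log format are assumptions made for the example.

```python
"""Least-privilege connection allowlist (added example, constructed data).

Every inventoried device gets only the finite set of connections it actually
needs. Observed flows are judged against that inventory and nothing else:
no match means deny, and a source with no inventory entry is denied outright.
No vulnerability knowledge is needed to block the unexpected connections.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One inventoried need: destination network, protocol and port."""
    dst: IPv4Network
    proto: str
    port: int

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        return ip_address(dst_ip) in self.dst and proto == self.proto and port == self.port


# Hypothetical inventory: device name -> the connections it requires. Anything
# else that device attempts is, by construction, not a need.
INVENTORY = {
    "plc-01": {Rule(ip_network("10.10.1.5/32"), "tcp", 502)},      # Modbus/TCP to its HMI only
    "hist-01": {
        Rule(ip_network("10.10.1.0/24"), "tcp", 502),             # polls PLCs on the control VLAN
        Rule(ip_network("10.20.0.10/32"), "tcp", 1433),           # writes to the SQL historian
    },
}

# Constructed flow records (one connection attempt per line).
FLOW_LOG = """\
2024-05-01T10:00:01Z src=plc-01 dst=10.10.1.5 proto=tcp dport=502
2024-05-01T10:00:02Z src=plc-01 dst=203.0.113.7 proto=tcp dport=443
2024-05-01T10:00:03Z src=hist-01 dst=10.10.1.22 proto=tcp dport=502
2024-05-01T10:00:04Z src=hist-01 dst=10.20.0.10 proto=tcp dport=1433
2024-05-01T10:00:05Z src=hist-01 dst=10.20.0.10 proto=tcp dport=3389
2024-05-01T10:00:06Z src=eng-laptop-7 dst=10.10.1.5 proto=tcp dport=502
"""


def parse_flows(text: str) -> list[dict]:
    """Parse 'ts key=value ...' flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        flows.append({"ts": ts, "src": kv["src"], "dst": kv["dst"],
                      "proto": kv["proto"], "port": int(kv["dport"])})
    return flows


def evaluate(inventory: dict, flows: list[dict]) -> list[tuple[str, str, str]]:
    """Return (source, verdict, reason) per flow. Default is deny."""
    verdicts = []
    for f in flows:
        rules = inventory.get(f["src"])
        if rules is None:
            verdicts.append((f["src"], "deny", "device not in inventory"))
        elif any(r.matches(f["dst"], f["proto"], f["port"]) for r in rules):
            verdicts.append((f["src"], "allow", "matches inventoried need"))
        else:
            verdicts.append((f["src"], "deny",
                             f"no inventoried need for {f['dst']}:{f['proto']}/{f['port']}"))
    return verdicts


def denied(inventory: dict, text: str) -> list[tuple[str, str, str]]:
    """Only the flows that the inventory does not justify."""
    return [v for v in evaluate(inventory, parse_flows(text)) if v[1] == "deny"]


def render_policy(inventory: dict) -> list[str]:
    """Emit the inventory as firewall-style allow lines, each device ending in a default deny."""
    lines = []
    for device, rules in inventory.items():
        for r in sorted(rules, key=lambda r: (str(r.dst), r.proto, r.port)):
            lines.append(f"allow {device} -> {r.dst} {r.proto}/{r.port}")
        lines.append(f"deny  {device} -> any")
    lines.append("deny  any -> any")  # uninventoried devices get nothing
    return lines


if __name__ == "__main__":
    for src, verdict, reason in evaluate(INVENTORY, parse_flows(FLOW_LOG)):
        print(f"{verdict:5} {src:14} {reason}")
    print("\n".join(render_policy(INVENTORY)))
```

The point of the example is what is absent from it: no signature, no CVE list. The PLC's attempt to reach an internet address and the historian's RDP attempt are denied purely because nobody inventoried a need for them, and the engineering laptop gets nothing because it was never inventoried at all. The inventory itself is the hard part in practice, which is why Redekop ties least privilege to the asset and connection audit.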
Stapleton: The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) framework has existed for some time and should be considered the bare minimum for these utility and data center partnerships.
SIW: How can physical security systems integrate with cybersecurity measures to protect power grids and data centers from blended attacks (cyber-physical threats)?
Redekop: Focus on combining physical and cyber security for critical assets. By their nature, insider threats and remote social engineering typically require physical access by a real person and/or compromised device. When all remote/network security measures are considered, the “analog hole” is often abused. It is essential to understand that a sophisticated adversary will look for the weakest link, which may be the physical access to infrastructure. Usually, this is the domain of a separate discipline and organization that addresses physical security. For this reason, having an auditable physical network access protocol is essential for a comprehensive security approach.
Promote solutions like access control, surveillance monitoring, and secure industrial control systems (ICS). An effective approach is that a single organization with an all-inclusive Service Level Agreement can address all critical monitoring and control areas. The depth and breadth of this space have reached a stage such that multiple areas of discipline are required to offer a high level of security competence in each respective area. The overlap, however, is to the advantage of the protection provider.
Stapleton: We've seen physical security solutions increasingly integrated with more traditional cyber security systems over the years. For example, a physical access monitoring tool that sends access logs in near real time to a security information and event management (SIEM). Those physical security logs can be collated with event logs from applications and devices to expose potentially anomalous activity in an environment (e.g., an administrator whose workstation records user-initiated interactions with sensitive systems while the administrator is not physically present).
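Stapleton's example of physical access logs correlated with system events is a detection that can be written down. The block below is an added example, not code from either interviewee or from any SIEM product: it builds a per-user presence timeline from constructed badge IN/OUT records and flags any interactive workstation action against a sensitive system that happened while that user had no badge-in on record. The log formats, user names, hosts and target systems are all assumptions made for the example.

```python
"""Correlating physical-access (badge) logs with workstation events (added example).

Presence is derived only from badge records: a user is present between an IN
and the next OUT. Interactive actions from a user's workstation while that user
is not present, or has no badge record at all, are reported. Service activity
(scheduled jobs, agents) is ignored because it needs no one at the keyboard.
All log lines are constructed samples.
"""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed physical-access records.
BADGE_LOG = """\
2024-05-01T08:02:11Z BADGE user=alice dir=IN door=MCC-East
2024-05-01T07:55:40Z BADGE user=bob dir=IN door=MCC-East
2024-05-01T12:05:03Z BADGE user=alice dir=OUT door=MCC-East
2024-05-01T13:10:27Z BADGE user=alice dir=IN door=MCC-East
2024-05-01T17:30:09Z BADGE user=alice dir=OUT door=MCC-East
"""

# Constructed workstation/application events.
WORKSTATION_LOG = """\
2024-05-01T08:30:05Z HOST host=ws-alice user=alice kind=interactive target=scada-hmi-01
2024-05-01T09:00:00Z HOST host=ws-bob user=bob kind=interactive target=scada-hmi-01
2024-05-01T09:00:12Z HOST host=ws-carol user=carol kind=interactive target=scada-hmi-01
2024-05-01T12:40:44Z HOST host=ws-alice user=alice kind=interactive target=plc-config-tool
2024-05-01T12:45:00Z HOST host=ws-alice user=alice kind=service target=backup-agent
2024-05-01T19:00:31Z HOST host=ws-alice user=alice kind=interactive target=scada-hmi-01
"""


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _kv(fields: list[str]) -> dict:
    return dict(f.split("=", 1) for f in fields)


def parse_badge(text: str) -> dict:
    """user -> (sorted timestamps, presence state after each event)."""
    raw = defaultdict(list)
    for line in text.splitlines():
        ts, kind, *fields = line.split()
        if kind != "BADGE":
            continue
        kv = _kv(fields)
        raw[kv["user"]].append((_ts(ts), kv["dir"] == "IN"))
    timeline = {}
    for user, events in raw.items():
        events.sort()  # badge readers rarely deliver in order; sort per user
        timeline[user] = ([t for t, _ in events], [s for _, s in events])
    return timeline


def is_present(timeline: dict, user: str, when: datetime) -> bool:
    """True only if the user's most recent badge event at or before `when` is an IN."""
    times, states = timeline.get(user, ([], []))
    idx = bisect_right(times, when)
    return idx > 0 and states[idx - 1]


def parse_workstation(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        ts, kind, *fields = line.split()
        if kind != "HOST":
            continue
        events.append({"raw_ts": ts, "ts": _ts(ts), **_kv(fields)})
    return events


def find_anomalies(badge_text: str, workstation_text: str) -> list[tuple]:
    """(timestamp, user, host, target, reason) for interactive actions with no matching presence."""
    timeline = parse_badge(badge_text)
    anomalies = []
    for ev in parse_workstation(workstation_text):
        if ev["kind"] != "interactive":
            continue
        if is_present(timeline, ev["user"], ev["ts"]):
            continue
        reason = "no badge record" if ev["user"] not in timeline else "not badged in"
        anomalies.append((ev["raw_ts"], ev["user"], ev["host"], ev["target"], reason))
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(BADGE_LOG, WORKSTATION_LOG):
        print("ANOMALY", *a)
```

Two of the three hits are the case Stapleton describes: alice's workstation touching a PLC configuration tool after she badged out at lunch, and again after hours. The third, carol, is the case a presence-only check would miss if it defaulted to "unknown user is fine": a user with no badge history at all defaults to not present. In production the badge feed and the host events would arrive in the SIEM rather than as strings, and tailgating (entering without badging) shows up as exactly this kind of false positive, which is why the result is a lead for investigation rather than an automatic block.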