
Power and utilities: US Deals 2025 midyear outlook
Resurgence and recalibration: power and utilities M&A heats up amid shifting policy and demand pressures.
Every day, a cyber actor attempts to breach some part of a utility’s system — from IoT devices and substations to corporate networks. In PwC’s May 2025 Pulse Survey, 83% of energy, utilities and resources (EUR) executives identified cyber attacks as a serious or moderate risk — compared to 77% of executives in other sectors.
Threat actors — ranging from ransomware groups to nation-state affiliates — are increasingly targeting energy infrastructure, testing for vulnerabilities. So how can utilities reduce their risk?
We recommend initiating a 100-day cybersecurity review. This review is not about addressing every vulnerability but rather about resetting your baseline and taking a fresh look at your cybersecurity. The results can help align strategies and next steps to better address current and emerging threats.
Here are seven priority areas for utility leaders to focus on to improve resilience and better protect the grid.
The utilities sector is poised for record growth, driven by decarbonization, grid modernization and digital transformation. Yet as capital investment in infrastructure and technology accelerates, many cybersecurity strategies — and budgets — remain locked.
This mismatch can pose a growing risk. Emerging technologies, such as advanced metering infrastructure, AI-driven grid automation and distributed energy resources, can impact the attack surface in ways that traditional security models weren’t built to manage. If cybersecurity investment doesn’t keep pace with innovation, the sector could unintentionally scale its vulnerabilities alongside its assets.
Some nations, and threat actors within them, are actively targeting important US infrastructure. Their tactics often go beyond data theft — they usually aim to disrupt, disable and destabilize. These attacks are increasingly sophisticated, leveraging geopolitical tensions and advanced tools to target the grid.
Continuous cyber defense investment, cross-sector collaboration and regulatory evolution are often necessary to stay ahead of state-backed threats.
Utilities often operate with fragmented security models: Information technology (IT) and operational technology (OT) security remain separated, cybersecurity is confined to narrow functions, and responsibility can often be unclear. These gaps typically result in blind spots that attackers can exploit.
Many leading organizations are moving to enterprise-wide models that can:
Fragmentation can create exposure. Integration helps build resilience.
Smart grid initiatives, legacy infrastructure and growing Distributed Energy Resources (DERs) adoption have introduced new complexities. AI-led forecasting and connected assets introduce both operational value and cyber risk.
This is in addition to geopolitical conflicts, which have dramatically increased the number of cyber threats to the North American power grid. For example, US power grids are increasingly vulnerable to cyberattacks, with the number of susceptible points in electrical networks increasing by about 60 per day in 2024, according to the North American Electric Reliability Corporation (NERC).1
Key contributors to increased cyber risk include:
Utilities are beginning to respond. The US Department of Energy has committed $45 million to modernize cybersecurity in the sector. Large utilities are making multi-year investments in grid security.
Cybersecurity should evolve in parallel with modernization efforts — not follow them.
Supply chain risk is one of the more pressing challenges in utility cybersecurity. Equipment and platforms from multiple vendors, many outside the US, can introduce vulnerabilities such as unverified code or insecure firmware.
Attackers are increasingly targeting distributed energy resources (DERs) and third-party infrastructure through:
Cyberattacks on US utilities are projected to rise by 70% in 2024, driven largely by third-party exposure.2
To help manage third-party risk, utilities should:
Third-party cyber risk is operational risk. It should be governed accordingly.
Without total visibility into important systems, utilities can be exposed. Many lack real-time awareness of OT assets or cannot detect anomalies across connected infrastructure. The risk is heightened by the growing amount of aging infrastructure that was previously set to be decommissioned but is now being extended.
Building visibility requires:
Executives should ask themselves: Do we know what’s connected, where and how it’s behaving?
Regulatory compliance helps provide a baseline — but it’s not enough. A compliance mindset can delay investment in emerging threats or create a false sense of security.
Many leading organizations treat cybersecurity as a business enabler. They measure progress against operational outcomes, not audit readiness. They move first, not just fast.
Cybersecurity maturity is a differentiator in a risk-conscious market.
1 "US electric grid growing more vulnerable to cyberattacks, regulator says," Laila Kearney, Reuters, 4/4/24, accessed on Factiva...
https://www.reuters.com/technology/cybersecurity/us-electric-grid-growing-more-vulnerable-cyberattacks-regulator-says-2024-04-04/
2 "Cyberattacks on US utilities surged 70% this year, says Check Point," Seher Dareen and Vallari Srivastava, Reuters, 9/11/24, accessed on Factiva 5/15/25
Alan Conkle
Principal, Energy, Utilities and Resources Cyber, Risk and Regulatory Leader, PwC US