The executive playbook: 7 strategic priorities to safeguard utilities from cyber threats

Every day, a cyber actor attempts to breach some part of a utility’s system — from IoT devices and substations to corporate networks. In PwC’s May 2025 Pulse Survey, 83% of energy, utilities and resources (EUR) executives identified cyber attacks as a serious or moderate risk — compared to 77% of executives in other sectors.

Threat actors — ranging from ransomware groups to nation-state affiliates — are increasingly targeting energy infrastructure, testing for vulnerabilities. So how can utilities reduce their risk?

We recommend initiating a 100-day cybersecurity review. This review is not about addressing every vulnerability but rather about resetting your baseline and taking a fresh look at your cybersecurity. The results can help align strategies and next steps to better address current and emerging threats.

Here are seven priority areas for utility leaders to focus on to improve resilience and better protect the grid.

The utilities sector is poised for record growth, driven by decarbonization, grid modernization and digital transformation. Yet as capital investment in infrastructure and technology accelerates, many cybersecurity strategies — and budgets — remain locked.

This mismatch can pose a growing risk. Emerging technologies, such as advanced metering infrastructure, AI-driven grid automation and distributed energy resources, can impact the attack surface in ways that traditional security models weren’t built to manage. If cybersecurity investment doesn’t keep pace with innovation, the sector could unintentionally scale its vulnerabilities alongside its assets.

Some nations, and threat actors within them, are actively targeting important US infrastructure. Their tactics often go beyond data theft — they usually aim to disrupt, disable and destabilize. These attacks are increasingly sophisticated, leveraging geopolitical tensions and advanced tools to target the grid.

Continuous cyber defense investment, cross-sector collaboration and regulatory evolution are often necessary to stay ahead of state-backed threats.

Utilities often operate with fragmented security models: Information technology (IT) and operational technology (OT) security remain separated, cybersecurity is confined to narrow functions, and responsibility can often be unclear. These gaps typically result in blind spots that attackers can exploit.

Many leading organizations are moving to enterprise-wide models that can:

• Integrate IT and OT security under one accountable function
• Align cybersecurity with core business risk
• Prioritize high-impact investments rather than broad controls
• Embed the chief information security officer (CISO) into strategic decision-making

Fragmentation can create exposure. Integration helps build resilience.

Smart grid initiatives, legacy infrastructure and growing Distributed Energy Resources (DERs) adoption have introduced new complexities. AI-led forecasting and connected assets introduce both operational value and cyber risk.

This is in addition to geopolitical conflicts, which have dramatically increased the number of cyber threats to the North American power grid. For example, US power grids are increasingly vulnerable to cyberattacks, with the number of susceptible points in electrical networks increasing by about 60 per day in 2024, according to the North American Electric Reliability Corporation (NERC).¹

Key contributors to increased cyber risk include:

• DERs
• Connected grid devices and smart meters
• New entrants such as energy companies and private equity firms
• Legacy infrastructure lacking segmentation
• AI tools being leveraged by bad actors to introduce new vulnerabilities
• Growth behind the meter with commercial and industrial customers but still connected and dependent on the regulated utilities

Utilities are beginning to respond. The US Department of Energy has committed $45 million to modernize cybersecurity in the sector. Large utilities are making multi-year investments in grid security.

Cybersecurity should evolve in parallel with modernization efforts — not follow them.

Supply chain risk is one of the more pressing challenges in utility cybersecurity. Equipment and platforms from multiple vendors, many outside the US, can introduce vulnerabilities such as unverified code or insecure firmware.

Attackers are increasingly targeting distributed energy resources (DERs) and third-party infrastructure through:

• Malicious firmware updates
• DER spoofing and data manipulation
• Botnet attacks using IoT-connected DERs
• Man-in-the-middle attacks and supply chain compromise

Cyberattacks on US utilities are projected to rise by 70% in 2024, driven largely by third-party exposure.²

To help manage third-party risk, utilities should:

• Map their vendor ecosystem and assess risk exposure
• Implement network segmentation and system validation protocols
• Require supplier certifications and secure development practices
• Integrate third-party oversight into the enterprise risk program

Third-party cyber risk is operational risk. It should be governed accordingly.

Without total visibility into important systems, utilities can be exposed. Many lack real-time awareness of OT assets or cannot detect anomalies across connected infrastructure. The risk is heightened due to the growth of aging infrastructure that previously was set to be decommissioned but is now being extended.

Building visibility requires:

• Deployment of OT-specific threat monitoring platforms
• Integration of asset management with cybersecurity tooling
• A use-case-driven approach to investment
• Enhanced reporting and response capabilities

Executives should ask themselves: Do we know what’s connected, where and how it’s behaving?

Regulatory compliance helps provide a baseline — but it’s not enough. A compliance mindset can delay investment in emerging threats or create a false sense of security.

Many leading organizations treat cybersecurity as a business enabler. They measure progress against operational outcomes, not audit readiness. They move first, not just fast.

Cybersecurity maturity is a differentiator in a risk-conscious market.