Cyber Threats to the Energy Grid: Prepared or Scared?

Over the past year there has been rising concern that IoT and OT assets within an organization are becoming the most vulnerable part of the attack surface. IoT and OT cover a broad set of systems, from building automation systems, routers, and IP cameras to manufacturing systems. Today's blog focuses on what is arguably the most serious type of OT system to be exploited or fall under a cyber criminal's control: the energy grid.

The energy grid faces escalating cyber threats that demand a robust, multi-layered defense spanning both physical security and cybersecurity. There have been several notable examples and warnings regarding cyber vulnerabilities in the energy grid and bulk energy transfer in 2024 and 2025. While a widespread, catastrophic blackout caused by a cyberattack is the scenario that grabs headlines, the reality is a landscape of constant, lower-level intrusions, documented vulnerabilities, and urgent warnings from government agencies.

As noted in the Viakoo blog last year (Forget About Hurricanes, Enterprises Must Prepare for Typhoons – Viakoo, Inc), the state-sponsored Chinese hacking group known as Volt Typhoon is a key example of how threat actors target energy. Throughout 2024, U.S. federal agencies, including CISA, the NSA, and the FBI, issued repeated, urgent warnings about Volt Typhoon. This group has been identified as a significant threat to U.S. critical infrastructure, including the energy sector. Unlike typical espionage, Volt Typhoon's primary objective is to preposition itself within critical networks for potential future disruptive or destructive attacks. They gain access and remain dormant, securing a foothold that could be activated during a geopolitical conflict. Their techniques often involve "living off the land," using built-in network administration tools that make their activity difficult to distinguish from normal operations. This represents a major vulnerability for energy and utility companies.
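Because living-off-the-land activity uses the same built-in tools as legitimate administration, a signature for the tool itself is useless; what separates the two is who ran it, where, and whether that pairing has ever been seen before. The following is an added example written for this post (not Viakoo's product or any agency's tooling): it learns a baseline of (host, user, tool) combinations from a trusted window of constructed log lines and flags admin-tool use outside that baseline. The tool list and log format are illustrative assumptions.

```python
# Added example, not from the original post: baseline-vs-observed detection of
# built-in admin tool ("living off the land") use. All log lines are constructed.

# Illustrative list of built-in administration tools; not exhaustive.
LOTL_TOOLS = {"netsh", "wmic", "ntdsutil", "powershell", "reg", "schtasks"}

# Constructed learning window: activity operators confirm as normal.
BASELINE_LOGS = """\
2025-03-01T08:01:12Z host=hmi-01 user=ops-admin tool=powershell
2025-03-01T08:05:40Z host=hmi-01 user=ops-admin tool=schtasks
2025-03-02T09:14:02Z host=eng-ws-02 user=eng1 tool=reg
2025-03-03T07:58:51Z host=hmi-01 user=ops-admin tool=powershell
"""

# Constructed detection window to evaluate against the baseline.
NEW_LOGS = """\
2025-03-10T02:13:44Z host=hmi-01 user=ops-admin tool=powershell
2025-03-10T02:14:01Z host=hmi-01 user=svc-backup tool=ntdsutil
2025-03-10T02:15:37Z host=substation-gw tool=netsh user=svc-backup
2025-03-10T09:00:00Z host=eng-ws-02 user=eng1 tool=notepad
"""


def parse(line):
    """Parse 'timestamp key=value ...' into a dict; key order does not matter."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = ts
    return rec


def records(log_text):
    return [parse(l) for l in log_text.splitlines() if l.strip()]


def build_baseline(log_text):
    """Set of (host, user, tool) triples seen during the trusted learning window."""
    return {(r["host"], r["user"], r["tool"]) for r in records(log_text)}


def find_anomalies(log_text, baseline):
    """Return records where an admin tool runs under a (host, user) pairing
    never observed in the baseline. Known pairings and non-admin tools are ignored."""
    return [r for r in records(log_text)
            if r["tool"] in LOTL_TOOLS
            and (r["host"], r["user"], r["tool"]) not in baseline]


if __name__ == "__main__":
    for hit in find_anomalies(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(f"{hit['ts']} unexpected {hit['tool']} by {hit['user']} on {hit['host']}")
```

On the constructed data this flags the two off-hours `svc-backup` events and stays silent on the operator's routine PowerShell use, which is the distinction a raw tool-name alert cannot make.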

Another reason for concern over energy grid security is that systems similar to those in the grid have increasingly been targeted with the same kinds of exploits that could damage energy systems. This includes the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems that manage the physical processes of energy generation and distribution. In early 2024, several U.S. water and electric utilities were targeted by hackers associated with Russia and Iran. For example, multiple municipalities in Texas reported that hackers linked to the Russian state had attempted to compromise their systems. While these specific attacks were often thwarted before causing major disruption, they highlight the persistent vulnerabilities at the local and municipal level.

The persistent threats have led to increased scrutiny and proposed legislation. In 2024, discussions in Congress have centered on the Cybersecurity for Energy Grids Act, which aims to establish a grant and technical assistance program to help smaller, often rural, utilities modernize their cybersecurity defenses. This legislative push is a direct response to the acknowledged gap in security between large power providers and smaller co-ops that are often less resourced but still connected to the bulk energy system.

The North American Electric Reliability Corporation (NERC), which enforces reliability standards for the bulk power system, continues to update its Critical Infrastructure Protection (CIP) standards to address evolving cyber threats, including those related to supply chain security and cloud services. The most recent change is the addition of CIP-015, which defines cybersecurity measures that must be taken and complements the CIP-014 standard on physical security. The very existence and constant updating of these standards point to the recognized and ongoing vulnerabilities.

What can organizations in the energy sector do to prepare? Implementing new standards like CIP-015 relies on having solutions (such as Viakoo) in place that can provide advanced discovery and fast remediation when vulnerabilities are detected. Knowing, in detail, all assets and the applications that manage them is the starting point. Once all devices are visible, they can be analyzed for vulnerabilities and then remediated through firmware updates, password changes, or certificate deployment. Time is of the essence once a remediation is defined; given the scale of devices and systems, automated methods are required. Want to dig deeper? Reserve time with a Viakoo expert: Request a Viakoo Demo – Viakoo, Inc
