Executive Summary
– A recent cyberattack targeting American Water — the US’s largest water utility provider — resulted in a breach of Americans’ personal information and a customer service portal shutdown, raising concerns about the increasing use of ransomware and disruption attacks against critical utility infrastructure.
– The increasing number of attacks on American infrastructure has many causes, but at the core of the problem is a lack of skilled security workers in the industry and the relatively old security systems most utility providers still use.
– While utility providers must address these issues, policymakers could inadvertently prevent providers from implementing AI threat monitoring and detection tools if restrictive AI regulations designed to protect Americans’ data privacy and civil rights stifle the development and implementation of AI cybersecurity tools.
Introduction
In October 2024, American Water, the largest water utility provider in the US, was the target of a cyberattack that forced the company to shut down its customer service portal and to waive late fees while the system was down. A current class action alleges that the breach resulted from the water utility company’s failure to follow industry norms for protecting consumer data, such as encrypting or redacting sensitive information. While this attack only impacted the customer service portal and did not cause water outages, similar malicious attacks on other utility providers, particularly those in water and water management infrastructure, have increased in intensity and damage in recent years. Twenty years ago, national security revolved around countering terrorism, but cyberattacks have now become the main concern for American security. As attacks rise in intensity and sophistication, national infrastructure could be in jeopardy.
Cyberattacks are nothing new, but with artificial intelligence (AI) increasing the efficiency of technological systems, attacks could become increasingly efficient and widespread. Even two years ago there were 1,101 cyberattacks a week on utility companies, and a recent report pointed to a 70 percent surge in attacks compared to 2023. Utility companies are a common target for cyberattacks due to a widespread lack of cybersecurity personnel and old or nonexistent protections such as encryption and security protocols. As a result, providers will need to implement AI technologies to supplement their ongoing cybersecurity efforts. Policymakers must ensure that companies can implement AI in their security systems to counter threat actors’ use of AI while maintaining control of internal deployment strategies and commitments.
This research analyzes the context behind the increase in cyberattacks, examines why attacks on utilities are increasing, and provides recommendations to organizations and policymakers on the need to implement AI in cybersecurity efforts.
Cyberattacks
A cyberattack is an intentional and malevolent attempt by one person or group to compromise the information system of another person or group by altering, disrupting, deceiving, degrading, or destroying computer systems or networks. Alongside technological development, cyberattacks have grown in number, severity, and sophistication, with 2013 emerging as the year when cyber threats became a larger concern for the Pentagon than terrorism. The most common types of cyberattacks include ransomware, malware that denies companies access to their systems and demands a ransom for their return, and disruption attacks, which aim to suspend the operations of an organization. In 2024, the average weekly number of cyberattacks per organization in the US grew the most in utilities, followed by software vendors, consultants, and education. ISP/MSP, retail, and hospitality saw the most significant decreases.
AI’s Dual Role in Cybersecurity
AI has become a critical tool both for launching and for defending against cyberattacks. AI-powered cyberattacks use advanced automation, efficient data gathering, hyper-personalized customization, real-time adaptation, and targeted employee profiling to increase their effectiveness and sophistication. These attacks include AI-driven social engineering, phishing, deepfakes, adversarial AI/ML, and malicious GPTs, all of which enable attackers to streamline their processes and evade detection.
But AI could also play a key role in defending against cyberattacks by enhancing threat detection, response, and prevention. By incorporating AI tools, companies can supplement security officers with monitoring and pattern recognition that help patch existing system issues and prepare for future attacks, optimizing the workforce and allowing more time to source and recruit security employees. AI-powered risk analysis can automate threat identification and support the identification of system vulnerabilities. Beyond threat response, AI tools provide general monitoring capabilities that scan for abnormal data access and generate alerts on suspicious behavior. Given that a number of recent cyberattacks were only spotted days after the intruders entered the systems, quicker identification would significantly decrease the fallout of an attack. Finally, AI tools based on behavioral data help block intrusion attempts by identifying phishing and other malicious activity before it reaches the system. However, it is important to remember that increased use of technology opens new avenues for cybercriminals to enter the system. AI tools should not be the sole guardrail against cyberattacks and should instead be used as a support tool operated and monitored by staff.
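The monitoring described above, scanning for abnormal data access and raising alerts, can be sketched in a few dozen lines. The following is an added illustration written for this brief, not code from the brief, American Water, or any vendor product: it learns each account's normal behavior (hours of activity, resources touched, typical volume of records read) from constructed historical log lines in a hypothetical format, then flags new events that deviate from that baseline. The log format, account names, and record counts are all constructed for the example.

```python
# Added illustration (not from the brief or any vendor product): a small
# behavioural detector that baselines each account's normal data access
# from constructed log lines and raises alerts on deviations.
from collections import defaultdict
from datetime import datetime
import math
import re

# Constructed log format: ISO timestamp, account, action, resource, record count.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) records=(?P<records>\d+)$"
)


def parse_line(line):
    """Parse one access-log line into a dict; raise on malformed input."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "action": m["action"],
        "resource": m["resource"],
        "records": int(m["records"]),
    }


def build_baseline(events):
    """Per account: mean/std of records per access, plus hours and resources seen."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    baseline = {}
    for user, evs in by_user.items():
        counts = [e["records"] for e in evs]
        mean = sum(counts) / len(counts)
        var = sum((c - mean) ** 2 for c in counts) / len(counts)
        baseline[user] = {
            "mean": mean,
            "std": math.sqrt(var),
            "hours": {e["ts"].hour for e in evs},
            "resources": {e["resource"] for e in evs},
        }
    return baseline


def score_event(event, baseline, z_threshold=3.0):
    """Return the list of reasons an event deviates from its account's baseline."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["unknown_user"]  # no history at all: always worth a look
    reasons = []
    if event["ts"].hour not in profile["hours"]:
        reasons.append("off_hours")
    if event["resource"] not in profile["resources"]:
        reasons.append("new_resource")
    # Floor the spread at one record so a constant history neither divides by
    # zero nor turns a one-record change into an alert.
    std = max(profile["std"], 1.0)
    z = (event["records"] - profile["mean"]) / std
    if z > z_threshold:
        reasons.append(f"volume_z={z:.1f}")
    return reasons


def detect(baseline_lines, new_lines):
    """Build the baseline from historical lines, then score each new line."""
    baseline = build_baseline([parse_line(l) for l in baseline_lines])
    alerts = []
    for line in new_lines:
        e = parse_line(line)
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


# Constructed history: a billing clerk working daytime hours and a nightly backup job.
HISTORY = [
    "2024-10-01T09:05:00 user=jdoe action=read resource=billing_db records=50",
    "2024-10-01T10:40:00 user=jdoe action=read resource=billing_db records=45",
    "2024-10-01T11:20:00 user=jdoe action=read resource=billing_db records=55",
    "2024-10-02T14:10:00 user=jdoe action=read resource=billing_db records=48",
    "2024-10-02T15:30:00 user=jdoe action=read resource=billing_db records=52",
    "2024-10-01T02:00:00 user=svc_backup action=read resource=customer_pii records=5000",
    "2024-10-02T02:00:00 user=svc_backup action=read resource=customer_pii records=5000",
]

# Constructed new activity: one normal read, one bulk off-hours read of customer
# data from the clerk's account, the usual backup, and an account with no history.
TODAY = [
    "2024-10-03T10:30:00 user=jdoe action=read resource=billing_db records=49",
    "2024-10-03T23:15:00 user=jdoe action=read resource=customer_pii records=1200",
    "2024-10-03T02:00:00 user=svc_backup action=read resource=customer_pii records=5000",
    "2024-10-03T03:40:00 user=tmp_admin action=read resource=customer_pii records=300",
]


def run_example():
    """Return the alerts raised for the constructed day of activity."""
    return detect(HISTORY, TODAY)


if __name__ == "__main__":
    for user, ts, reasons in run_example():
        print(f"ALERT {ts} {user}: {', '.join(reasons)}")
```

Run as a script, it prints two alerts: the clerk's account reading customer data at night in a volume far outside its history, and an account with no history at all. The backup job's large nightly read raises nothing because that is its established pattern, which is the point of baselining per account rather than setting one global threshold. A production system would use a longer history, peer groups, and a human analyst to review alerts, consistent with the brief's point that AI tools should support rather than replace security staff.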
Cyberattacks on Utilities
In 2022, the average weekly number of cyberattacks on utilities was 1,101, a 365-attack increase from 2021. Utility providers are a unique target for cyberattacks due to their essential role as critical infrastructure providers and the immediate and highly visible impact of service disruptions. As utility providers increase their use of technology to support the operation of their organizations, making management, planning, and organization more efficient, they also expand their attack surface, exposing themselves to more sophisticated and varied cyberattacks targeting management tools and information. As the majority of utility providers are private entities, there is significant monetary motivation behind attacks, further aggravated by vulnerabilities in outdated systems. While attacks on military organizations tend to focus on espionage and information gathering by adversaries, utility providers tend to receive ransomware and disruption attacks.
Additionally, as critical infrastructure is required for citizens’ daily lives, utility providers do not have the time and space to negotiate with hackers over ransomware. The extensive outages or system downtime required to identify and expel an intruder from the system have a significant impact on daily operations and on citizens, and could lead to dissatisfaction among customers. Instead, ransoms are often paid to ensure people have access to necessary utilities such as water and power.
Finally, the US has approximately 3,000 electric utility companies and 50,000 drinking water utility providers. Due to the significant number of utility providers, finding and employing skilled security professionals to maintain companies’ cybersecurity efforts is challenging. While programs and outside providers exist to fill the gap, security systems remain outdated and increasingly prone to attacks. The lack of robust security systems, paired with the inability to retain skilled security professionals, allows attackers to infect systems and remain within them for extended periods of time. In August 2021, cybercriminals targeted a California water and wastewater system plant with Ghost variant ransomware. The ransomware had been present in the system for nearly a month before displaying a ransom message on the three supervisory control and data acquisition (SCADA) servers.
American utility providers are not the only ones experiencing a growth in cyberattacks. In October, Finnish utility provider Fortum reported increased cyberattacks and drone surveillance around its plants, pointing to malicious activity from Russia. In 2021, pro-Iran hackers caused a two-day water outage on the Irish west coast when they exploited a third-party programmable logic controller, also used by some American utility providers.
Policymaking
In a growing threat environment, organizations should invest in attracting skilled workers and in implementing AI tools to supplement their cybersecurity practices. To ensure that organizations are prepared for the increase in cyberattacks, policymakers need to focus on practices that encourage utility companies to implement AI. Nevertheless, the government needs to recognize that restrictive AI legislation could have tradeoffs.
In the US, the salary of a security specialist in the utilities sector is significantly lower than in sectors such as finance and insurance or public administration, driving skilled workers to pursue opportunities in other markets and deepening the shortage of professionals. Without security specialists, and with outdated detection systems, utilities will remain on the receiving end of an increasing number of cyberattacks. As such, utility organizations must invest in strengthening detection capabilities and retaining skilled personnel. That, however, could be a lengthy and costly process, which brings AI tools into the discussion.
A key component of that strategy will be investment in AI tools to help supplement the ongoing cybersecurity practices of these firms and allow some tools to pick up roles that personnel cannot fill. As AI tools become more widely used by threat actors, such as in phishing attacks or deepfakes, it is vital to ensure that cybersecurity efforts stay up to date on AI and its applications. Including machine learning in utility systems is necessary to prepare for the future increase in the sophistication and number of attacks, and is the only way to support outdated systems that lack security personnel.
Nevertheless, data privacy and data quality must be kept in mind to ensure that AI benefits utility companies’ operations without opening new avenues of exposure to hackers. Congress is considering a number of bills to protect privacy and civil rights in the context of data and AI. While federal policies are a way to create uniform and applicable rules that would protect citizens, restrictive AI legislation could have significant tradeoffs, affecting the performance of AI tools and of the utility providers that rely on them.
Further, there are over 120 AI bills in Congress currently, and policymakers are focused on regulating every single area of technological concern. Policies like the NO FAKES Act of 2024, which penalizes the creation of unsanctioned deepfakes and requires social media sites to take down flagged content, or the NSF AI Education Act of 2024, which focuses on supporting education and professional development relating to artificial intelligence, are important parts of the regulatory landscape. While these policies could be worth pursuing, Congress should first prioritize encouraging the use of AI to strengthen protection tools among utility providers, or mitigating the specific harms associated with the misuse of models. With the unprecedented growth of AI, its application in planning and carrying out cyberattacks is imminent. Policies focused on detecting and deterring cyberattacks need to follow the same timeline.
Conclusion
Threat actors will maintain disruptive and extortive practices during times of transition and instability. Paired with technological advancement and the widespread use of AI tools, threat actors will increase the severity and frequency of attacks. Due to their lack of security experts and their old security systems, utility companies will remain exposed to increasing cyberattacks. Applying AI tools to supplement cybersecurity efforts opens space for more efficient detection and monitoring capabilities. To ensure deterrence, the government should balance regulations that support the implementation of AI by utility providers against the need to ensure that the companies’ development is not stifled by restrictive regulation.