
When the lights go out

Cyber threats to energy infrastructure and the companies that depend on it — a business risk most boards are still underpricing.

Alex Kruzel · February 2026 · Telesto Insight

Not long ago, a board I advise received a cyber threat briefing for the first time. The company — a mid-size industrial manufacturer, privately held, PE-backed — was being walked through the results of a third-party security audit. The exposure was substantial. Their operational technology systems, the machines on the shop floor and the software managing energy intake from the grid, had not been assessed as a cyber risk. Ever.

When I asked the CEO afterward what concerned him most, he said:

"I had no idea our machines were connected to anything that someone could reach from the outside."

That moment captures something I encounter in boardrooms with striking regularity: energy-related cyber risk is categorically underweighted. Not because executives are complacent, but because the threat has been framed too narrowly — as a utility sector problem, as an IT problem, as something abstract until the lights literally go out. It is none of those things, and it is all of them at once.

In my work advising boards and leadership teams through Telesto, I spend considerable time helping companies understand risks that sit at the intersection of geopolitics, infrastructure, and operations. Cyber threats to energy infrastructure sit squarely in that intersection. What follows is not a technical briefing. It is an attempt to frame a genuinely complex business risk in terms that are useful to those who have to govern it — and to surface the questions that, in my experience, remain unresolved even in the most sophisticated boardrooms.

01 — The attack surface has expanded far beyond the utility sector

The conversation about cyber threats to energy often begins and ends with utilities — power grids, pipelines, water systems. That framing misses the more consequential business story. The real exposure is downstream, in the thousands of companies whose operations, margins, and continuity are silently tethered to energy infrastructure they do not own and cannot control.

Headline figures:
  • +69% · Increase in cyberattacks on US utility companies, 2023→2024
  • Surge in ransomware attacks on energy & utilities in 2024 alone (figure not captured)
  • Confirmed ransomware attacks on the energy sector globally in 2025 (figure not captured)
  • 60/day · New vulnerability points added to the US electrical grid every day

Energy & utilities lead the attack acceleration curve

Year-on-year change in average weekly cyberattacks by sector, 2023–2024

  Education / Research   +57%
  Healthcare             +47%
  Government             +38%
  Manufacturing          +31%
  Software Vendors       +22%
  Banking / Finance      +14%
  Transportation          −8%

Source: Check Point Research · Reuters · 2024 data

What has changed structurally is the convergence of IT and operational technology (OT). For decades, a factory floor or a refinery's industrial control systems were physically and logically separate from the internet. That separation provided a meaningful buffer. That buffer is largely gone. The drive toward efficiency, remote monitoring, and grid integration has connected OT systems to enterprise networks and, through them, to the broader internet. A 2025 survey by Siemens Energy and the Ponemon Institute found that 77% of companies in oil and gas, utilities, petrochemicals, and manufacturing reported a successful cyberattack that compromised OT in the previous twelve months. Average recovery time: seven months.

The asymmetry that keeps me up at night: attackers need to succeed once. Companies need to succeed every single day. That asymmetry doesn't change with more investment — it requires a fundamentally different governance posture.

02 — Who is attacking, and why it matters for business strategy

One of the most important things I try to help boards understand is that the threat actor landscape for energy infrastructure is not monolithic. The strategic implications differ substantially depending on who is attacking and what they want. Getting this wrong leads to misallocated defenses and, more dangerously, to governance frameworks that address the wrong risk.

Four distinct attack motivations

Source: PwC Energy Sector Threat Intelligence · 2024–2025

Espionage · Largest Share · Nation-State

China and Russia pre-positioning in critical infrastructure or extracting commercially valuable data — reservoir data for oil & gas, process IP for manufacturers, architectural data for data center operators. This is the most consequential long-run risk and the hardest to detect.

Cybercrime · Most Visible · Financial

RansomHub, Akira, and Play led in 2025, collectively responsible for nearly a third of energy sector ransomware. Halliburton's $35M event is the benchmark — but privately held companies have no comparable SEC disclosure obligation, masking true sector-wide cost.

Sabotage · Highest Consequence · Physical

Operations intended to degrade or destroy physical systems. Pro-Russian hackers remotely opened a Norwegian dam valve for four hours in August 2025. Sector 16 claimed access to US oil & gas control systems, including shutdown interfaces. These are no longer theoretical scenarios.

Hacktivism · Escalating · Geopolitical

Politically motivated operations that have surged since Russia's invasion of Ukraine. Groups like Noname057(16) and Sector 16 execute DDoS attacks and infrastructure probes. Volume is high, severity is variable — but hacktivist activity creates cover for more sophisticated concurrent intrusions.

03 — The industries carrying the most concentrated risk

I find it useful to distinguish between companies for whom energy is an operational input and companies for whom energy is the business. Both face cyber risk from energy infrastructure, but the nature and magnitude differ in ways that matter for governance and capital allocation.

Where cyber-energy risk concentrates

Heat map of exposure intensity by sector and consequence type

  Sector                        Operational  Financial  Safety    Regulatory  Reputational
  Energy Producers & Utilities  Critical     Critical   Critical  Critical    High
  Heavy Mfg & Chemicals         Critical     High       Critical  High        Elevated
  Data Centers & Tech           High         High       Moderate  Elevated    Critical
  Healthcare & Life Sciences    High         Elevated   Critical  Critical    High
  Oil & Gas Services            High         Critical   High      Elevated    Elevated

Risk level scale: Moderate → Critical

Telesto synthesis · Siemens Energy / Ponemon Institute · KPMG ENRC 2025 · CISA Sector Profiles

● Critical Exposure · Energy Producers, Utilities & Oil & Gas Services
  • +69% · YoY attack increase, utilities 2023–24
  • $35M · Halliburton disclosed loss, Aug 2024
  • CIP-015 · FERC new standard, July 2025

Oil and gas producers, utilities, pipeline operators, and energy services firms face direct exposure — their own OT systems are the primary target. Colonial Pipeline, Halliburton, Suncor Energy, ENGlobal Corporation. These are not outliers; they are representative of a sector under sustained, sophisticated attack.

  • FERC's July 2025 approval of CIP-015-1 requires utilities to monitor traffic inside control networks — a significant baseline uplift. Companies behind the curve face operational, regulatory, and liability exposure simultaneously.
  • For PE-sponsored energy companies, cyber posture is now a material factor in asset value and exit optionality — not a compliance footnote.
  • The EU NIS2 Directive imposes mandatory cybersecurity standards for energy operators across all member states, raising the global compliance floor.
  • ENGlobal Corporation's November 2024 ransomware attack disrupted operations for roughly six weeks, limiting a company serving both energy and US government to essential functions only.

● Critical Exposure · Heavy Manufacturing & Chemicals
  • +61% · Ransomware surge in manufacturing, 2025
  • 77% · Firms hit by successful OT attack in past 12 months
  • 7 mo · Average OT recovery time post-breach

These are among the most energy-intensive industries in the world, running on OT infrastructure designed decades before cybersecurity was a consideration. The convergence of legacy industrial control systems with modern connectivity has created an expanded attack surface with no clear perimeter.

  • For a large chemical plant or steel producer, a disruption to energy intake can mean days of production loss, equipment damage from abrupt shutdowns, and safety incidents whose regulatory and reputational consequences dwarf the initial cyber event.
  • The average time to discover a successful OT attack exceeds one month; recovery averages seven months — operational paralysis, not a brief interruption.
  • Attackers frequently weaponize known vulnerabilities within 72 hours of disclosure. The average remediation time in industrial environments exceeds 21 days, creating a chronic and widening exposure window.

● High Exposure · Data Centers & Tech
  • 80% · Solar system vulnerabilities rated high or critical
  • 46 · New vulnerabilities in top solar inverter vendors (2025)
  • 40B · IoT devices projected by 2030

Data centers are among the fastest-growing energy consumers in the world, and their dependence on uninterrupted power makes them targets of strategic interest. AI-driven demand is accelerating this exposure — rapid growth in compute infrastructure is stretching grid capacity in ways that create new fragility.

  • A cyberattack that disrupts energy supply to a hyperscale data center affects not just the operator but every company and consumer whose services run on that infrastructure.
  • The October 2025 outages affecting AWS and Microsoft Azure — while not cyber events — illustrated the cascading dynamic with clarity. Boards with significant cloud dependencies should be asking: what is our exposure if our cloud provider's energy supply is disrupted?
  • Chinese-manufactured devices on government and critical infrastructure networks — including explicitly FCC-banned vendors — remain connected and internet-exposed across 43 small utilities alone.

● High Exposure · Healthcare & Life Sciences
  • +47% · Increase in Chinese OT devices on healthcare networks
  • Direct · Patient safety implications from power disruption
  • CMS · Integrating power continuity into compliance

Hospitals and life sciences facilities are relentlessly targeted, and their energy dependencies are acute. A hospital without reliable power is not merely an operational inconvenience — it is a patient safety event. Yet energy-related cyber risk is rarely incorporated into healthcare operational resilience planning with the seriousness it warrants.

  • For PE sponsors with healthcare portfolio companies, energy-dependent cyber exposure represents an underappreciated liability that does not surface cleanly in standard diligence frameworks.
  • Regulatory pressure is intensifying: CMS, The Joint Commission, and state health departments are beginning to integrate operational resilience — including power continuity — into compliance assessments.
  • The latency between compromise and discovery in healthcare OT environments rivals the industrial sector: often weeks or months between infiltration and detection.

04 — Recent incidents: What the evidence shows

These are not hypothetical scenarios. Each represents a documented event that produced quantifiable business consequences — and each offers a different lens on how energy-related cyber risk propagates through organizations and supply chains.

May 2021 · Colonial Pipeline
6-day shutdown · 45% of US East Coast fuel supply

DarkSide ransomware forced the 5,500-mile pipeline offline, triggering fuel shortages, panic buying, and emergency regulatory orders. The event rewrote the regulatory playbook for critical energy infrastructure.

$4.4M ransom paid · $2.3M recovered by DOJ
Tags: Ransomware · National Security · Regulatory Trigger

June 2023 · Suncor Energy / Petro-Canada
Consumer-facing paralysis · Cash-only stations across Canada

Cyberattack disrupted payment and loyalty systems at Petro-Canada retail locations, leaving stations cash-only and affecting supplier payments. Recovery took until nearly August — a two-month consumer-facing disruption.

Tens of millions estimated recovery cost
Tags: Retail Disruption · Reputational · Supply Chain

August 2024 · Halliburton
Global operations halted · Billing and collections suspended

RansomHub infiltrated the world's second-largest oilfield services company, forcing systems offline and disconnecting customers. The CEO disclosed the cost alongside Gulf of Mexico storm impact in the same earnings sentence — a telling signal about how boards are pricing this risk.

$35M disclosed loss · Q3 2024 earnings
Tags: RansomHub · Financial · SEC Disclosure

November 2024 · ENGlobal Corporation
Six-week operational paralysis · Federal supply chain exposure

Ransomware attack on a firm providing engineering services to the energy industry and US government restricted operations to essential functions for approximately six weeks. The dual commercial-federal exposure amplified the strategic significance of the intrusion.

Tags: Federal Supply Chain · Operational · 6-Week Disruption

February 2025 · PPL Electric Utilities
Third-party breach · 18-month latency between compromise and disclosure

Customer data exposed via a third-party vendor in June 2023 was published online by a Russian ransomware group in December 2024 — eighteen months after the initial compromise. A case study in supply chain risk latency.

Tags: Third-Party · Supply Chain · 18-Month Latency

August 2025 · Norwegian dam
Remote valve manipulation · Physical consequence, publicly attributed

Pro-Russian hackers remotely opened a dam valve for approximately four hours, releasing 500 liters per second and altering downstream water flows. Norwegian police and security services publicly attributed the attack — the clearest recent example that OT intrusions produce physical, not just digital, consequences.

Tags: Physical Sabotage · State-Sponsored · OT Attack

05 — What boards and CEOs are still missing

In my work with boards across the US and globally, I have noticed a consistent gap between how cyber risk is discussed in the abstract and how it is governed in practice. Boards typically receive briefings on IT security posture — firewall configurations, patch compliance, incident response protocols. What they rarely receive is a rigorous analysis of their company's physical and financial exposure to energy-related cyber risk specifically.

01 · The IT/OT governance blind spot

Most organizations have a CISO who owns IT risk. Far fewer have clear ownership of OT risk — the systems managing physical operations, production, and energy intake. The question of who is accountable when the plant floor goes dark is, in too many companies, genuinely unanswered. This ambiguity becomes acutely visible during an incident.

02 · Third-party and supply chain latency

The PPL Electric Utilities breach illustrates the latency problem: data compromised via a third-party vendor was published eighteen months later. Companies often have sophisticated controls on their own systems and minimal visibility into the cyber posture of suppliers with direct interfaces to production environments.

03 · The valuation question PE sponsors are now asking

I am seeing a meaningful shift in how sophisticated PE sponsors approach cyber risk in diligence. The question has evolved from "does this company have a cybersecurity program?" to "what is the quantified financial exposure from a cyber event, including indirect and cascading losses, and how does that affect our return profile?" For portfolio company boards, cyber posture is now a value creation lever.

04 · Compliance as a floor, not a ceiling

NSM-22, NERC CIP, SEC incident disclosure requirements, and the EU NIS2 Directive establish minimum baselines — but I counsel boards not to mistake compliance for security. These frameworks are backward-looking by nature. The most significant cyber risks facing energy-dependent companies today are at the frontier of what regulators are only beginning to address.

06 — The questions I cannot stop asking

Part of what makes cyber risk to energy infrastructure intellectually challenging — and strategically important — is that some of the most consequential questions remain genuinely unresolved. These are the ones I bring into boardrooms, and that mark the difference between governance that manages this risk and governance that is merely aware of it.

Most companies have not quantified their cyber-energy risk exposure with the same rigor they apply to market or credit risk. That is not a criticism — the quantification tools are genuinely underdeveloped. But the absence of a number creates a governance vacuum. How does a board set risk appetite for a risk it cannot size? How does a CFO allocate capital for resilience against a scenario that exists only as a narrative?

The convergence of IT and OT was an engineering decision before it was a security problem. Now it is both. In many organizations, the CISO's mandate stops at the enterprise network. The OT environment — the systems managing physical processes, production lines, energy systems — is owned by operations or engineering. The seam between them is, in my experience, frequently ungoverned. That is precisely where adversaries focus.

The disclosed cost of the Halliburton attack — $35 million — is what a public company was required to report to the SEC. It does not include downstream customer disruptions, reputational damage, deferred capital allocation costs, or the long-tail liability of data that was exfiltrated but not yet weaponized. For privately held companies, there is no comparable disclosure requirement. That opacity can mask risk that should be visible to boards, sponsors, and leadership teams alike.

The average time to discover a successful OT cyberattack in energy and manufacturing is currently over one month, with average recovery times of seven months. These numbers suggest that many organizations are operating under the assumption of security while adversaries have already established persistence. The question is not hypothetical — it is live, and it is uncomfortable.

The correlation between geopolitical escalation and cyber activity targeting energy infrastructure is well-documented and intensifying. Russia's conflict in Ukraine has substantially increased state-sponsored activity against NATO-aligned energy systems. China's pre-positioning within US critical infrastructure is a matter of public record. For a company with operations in Europe, Asia, or the Middle East, the geopolitical map of cyber risk is not the same as the geopolitical map of political risk — but it overlaps in ways most enterprise risk frameworks have not yet fully integrated.

Continuity planning tends to assume disruptions measured in hours. Sophisticated energy infrastructure attacks can produce disruptions measured in days or weeks. Colonial Pipeline was offline for six days. The Southeast Asian energy provider hit by NightSpire in May 2025 had its control systems disabled for eighteen days. What does your manufacturing facility, data center, or hospital do at day three? Day seven? The honest answer, for most organizations, is that the playbook has not been written.

Standard cyber policies were designed around data breach events. An attack that disrupts energy supply to a major facility — creating business interruption, equipment damage, and potential safety liability — may engage clauses and exclusions that have never been tested in litigation. Boards should be asking their legal and insurance advisors to stress-test coverage against a scenario that is not merely plausible but, given current trends, increasingly probable.

Closing

"The companies that manage this risk well in the decade ahead will not be those that spend the most on cybersecurity technology. They will be those whose boards and leadership teams understand the risk with enough sophistication to govern it."

Governing it means setting the right questions, holding management accountable to the right answers, and making capital allocation decisions that reflect reality rather than the assumption that the next significant cyber event will happen to someone else.

That CEO I mentioned at the beginning — the one who had no idea his machines were externally reachable — has since rebuilt his board's approach to operational risk. It required difficult conversations, significant investment, and a willingness to sit with uncertainty. It also required a certain intellectual courage: the courage to acknowledge that the map of risk your company has been navigating may not match the terrain.

That is the conversation I am most interested in having.

About the Author
Alex Kruzel

CEO & Founder, Telesto. Alex advises corporate boards, management teams, and private equity sponsors on geopolitical risk, operational resilience, and sustainability strategy across the US and globally. She is the author of The Courage to Continue: Stay the Course on Sustainability to Secure Our Future.

For advisory engagement or speaking inquiries, visit alex-kruzel.com or telestostrategy.com.


Sources: Check Point Research (2024), TrustWave Risk Radar (2025), Cyble Energy Threat Report (2025), NERC, Siemens Energy / Ponemon Institute (2025), PwC Energy Sector Threat Intelligence (2024–2025), KPMG ENRC (2025), CISA, SEC filings, Reuters. All data points cited from publicly available industry research and regulatory disclosures.