Critical infrastructure is under siege, yet most citizens remain unaware of the scale and severity of the threat — especially in the utility sector. From solar panels dotting suburban rooftops to water treatment facilities in small towns, the systems that power society are increasingly vulnerable to sophisticated cyberattacks.
The Solar Vulnerability: A Dark Side to Green Energy
As utilities transition toward renewable energy, they’re inadvertently introducing new attack surfaces. Forescout’s Vedere Labs published groundbreaking research in March 2025 revealing severe systemic security weaknesses in solar power infrastructure that could destabilize entire power grids.
The SUN:DOWN research discovered 46 new vulnerabilities across three of the world’s top 10 solar inverter vendors—Sungrow, SMA, and Growatt. More alarmingly, Vedere Labs found that 80% of all vulnerabilities disclosed in solar power systems over the past three years were classified as high or critical severity, with CVSS scores ranging from 9.8 to 10.
Daniel dos Santos, Vice President of Research at Vedere Labs, explained the stakes: “Solar power systems are rapidly becoming essential elements of power grids throughout the world, but persistent security flaws threaten both grid stability and national security.”
Forescout CEO Barry Mainz framed the human impact succinctly: “The collective impact of residential solar systems on grid reliability is too significant to ignore – hospitals could lose access to critical equipment, families could go without heat in the winter or AC in a heatwave, and businesses could shut down.”
The research identified close to 1,700 solar power devices in commercial installations, predominantly in government, manufacturing, and education sectors. These distributed assets are significantly harder to defend than traditional centralized power generation facilities, creating thousands of potential attack vectors across the grid.
A 70% Surge in Attacks on Utilities in 2024: The Numbers Don’t Lie
The data paints an alarming picture. U.S. utilities faced 1,162 cyberattacks in 2024, representing a nearly 70% jump compared to 689 attacks during the same period in 2023. By the third quarter of 2024, the situation had deteriorated further, with utilities experiencing a staggering 234% year-over-year increase in attacks, averaging 1,339 weekly incidents, according to Check Point Research.
These aren’t isolated events or theoretical vulnerabilities. They represent a coordinated, escalating campaign by nation-state actors and criminal groups targeting America’s most essential services. The attacks have already moved beyond mere reconnaissance—adversaries are pre-positioning themselves within critical systems, preparing for potential conflicts that could turn digital vulnerabilities into real-world disasters.
The Water Crisis: “Target Rich But Cyber Poor”
Water infrastructure presents a particularly acute vulnerability. As cybersecurity expert Josh Corman explained in a recent interview with Information Security Media Group, small and medium-sized utilities are “target rich but cyber poor”—a formulation capturing the perfect storm of high-value targets with minimal defenses.
“They don’t have cybersecurity staff. They don’t have a cybersecurity budget. They don’t even have IT staff in many cases, let alone people to protect OT or industrial control systems,” Corman emphasized. Unlike the highly regulated electricity sector, “water is unguarded” despite the cascading consequences of a successful attack.
The mathematics of vulnerability is daunting. With approximately 150,000 water facilities across the United States, each representing a potential entry point for adversaries, the challenge becomes existential. “No water means no hospitals,” Corman warned. Most hospitals would be forced to close within hours of losing water access—a scenario that transforms a utility cybersecurity attack into a public health emergency.
This isn’t hypothetical. In October 2024, American Water—the largest regulated water utility in the U.S., serving more than 14 million people across 14 states—detected a cyber attack that forced the company to disconnect customer portals and pause billing systems. While water quality and core operations remained intact, the incident demonstrated how easily critical infrastructure can be disrupted.
Even more concerning, the Municipal Water Authority of Aliquippa in Pittsburgh had to shut down operational technology systems after the Iran-backed group “Cyber Av3ngers” compromised one of its booster stations. Forescout’s Vedere Labs analysis revealed the hackers targeted Unitronics PLCs—Israeli-manufactured equipment—defacing the human-machine interface and potentially accessing operational technology controls. Federal investigators discovered that at least 10 additional water facilities throughout the United States were breached using the same methodology, with more than 1,800 Internet-exposed Unitronics PLCs worldwide presenting ongoing vulnerabilities.
The Attribution Problem: Nation-States Targeting Civilian Infrastructure
Perhaps most disturbing is the nature of the threat actors. Corman emphasized in his Security Ledger podcast interview that these attacks represent a fundamental violation of norms around civilian protection.
“These are military hackers, prepositioning on civilian, non-combatant infrastructure so that they can target it as a precursor to armed conflict. It’s outrageous,” Corman stated.
Chinese hacking groups—particularly those operating under the “Typhoon” umbrella (Volt Typhoon, Salt Typhoon, and others)—have systematically compromised hundreds of small and medium-sized U.S. water utilities, power companies, and hospitals. Their targets aren’t strategically significant military installations but rather heartland communities with no connection to defense infrastructure.
The supply chain dimension adds another layer of complexity. Vedere Labs research found that Chinese-manufactured IoT devices in U.S. networks grew by over 40% between 2023 and 2024, despite official government bans. Critical infrastructure sectors show alarming increases: manufacturing organizations more than doubled their deployment of Chinese-made devices, healthcare saw a 47% increase, financial services grew 40%, and government networks expanded 30%.
The proliferation isn’t limited to obvious consumer electronics. Procurement cycles often lag behind executive orders, and white-labeled hardware introduces components from banned manufacturers without buyers’ knowledge. Particularly concerning are specific IP camera vendors—explicitly banned by the FCC—which remain connected to government and critical infrastructure networks. Vedere Labs identified 43 small utilities with 885 Chinese-manufactured devices exposed directly to the Internet, predominantly surveillance equipment.
Recent reports from Britain’s Drinking Water Inspectorate revealed 15 cyberattack reports from water suppliers between January 2024 and October 2025, highlighting that this is a global phenomenon. Utilities worldwide find themselves on the digital front lines of what many experts consider a simmering cyber conflict between established and emerging powers.
The Resource Gap: Beyond Information Deficits
Corman’s work with UnDisruptable27—an initiative aimed at strengthening lifeline critical infrastructure by 2027—initially focused on mobilizing cybersecurity volunteers to educate utility operators. However, Corman quickly realized the problem exceeded simple information gaps.
“There’s no way we’re going to successfully shield up and cyber up with no talent, no time and no money,” Corman explained. “We thought we had an information gap, but we actually have a motivation and enablement, empowerment gap.”
The challenge involves multiple stakeholder groups: utility owners and operators, local political leaders, citizens, and cybersecurity experts. Each group requires different approaches, resources, and motivations to effect meaningful change. UnDisruptable27 has since paused volunteer recruitment to develop comprehensive case studies that would serve as playbooks for all involved parties.
The Historic Precedent: Lessons From Ukraine
The threat isn’t theoretical. In December 2015, Ukrainian power companies experienced unscheduled power outages impacting approximately 225,000 customers after a coordinated cyberattack. CISA’s official report documented how adversaries used sophisticated techniques to compromise industrial control systems, providing a blueprint that could be replicated against U.S. infrastructure.
The attack demonstrated that modern power grids—despite their complexity and redundancy—remain vulnerable to determined nation-state actors with sufficient time and resources to understand operational technology systems.
OT:ICEFALL and the Insecure-by-Design Problem
Forescout’s Vedere Labs has consistently exposed foundational security weaknesses in operational technology. Their OT:ICEFALL research identified 61 vulnerabilities affecting devices from 13 OT vendors, caused by insecure-by-design practices prevalent throughout the industry.
These vulnerabilities affect products deployed in oil and gas facilities, chemical plants, nuclear installations, power generation and distribution systems, manufacturing operations, water treatment and distribution networks, mining operations, and building automation systems. The systemic nature of these flaws means that even well-intentioned security efforts by individual utilities may be undermined by vendor-introduced vulnerabilities embedded in the hardware and software they depend upon.
The Path Forward: Systemic Solutions for Systemic Problems
Addressing these vulnerabilities requires coordinated action across multiple fronts:
Regulatory Evolution
While electricity infrastructure faces NERC CIP compliance requirements, water systems remain largely unregulated from a cybersecurity perspective. This regulatory asymmetry must be addressed with requirements proportional to the criticality of water infrastructure.
Vendor Accountability
Manufacturers of industrial control systems, solar inverters, and other critical infrastructure components must prioritize security-by-design principles. Forescout’s SUN:DOWN research noted that some vendors like Sungrow and SMA responded proactively to disclosed vulnerabilities, patching issues and engaging in meaningful security conversations. This should become the industry standard, not the exception. Organizations must demand software and hardware bills of materials that reveal all components, including those from manufacturers in countries of concern.
Visibility and Network Segmentation
As dos Santos recommended, utilities must “enforce strict security requirements when procuring solar equipment, conduct regular risk assessments, ensure full network visibility into these devices and segment them into sub-networks with continuous monitoring.” This visibility becomes especially critical given Forescout’s findings that Chinese-manufactured devices often enter networks through white-labeled equipment or procurement contracts predating government bans.
Community Mobilization
Corman’s UnDisruptable27 initiative recognizes that technical solutions alone are insufficient. Public awareness, political will, and community resilience all play critical roles in defending lifeline infrastructure.
Federal Support
Small utilities cannot bear this burden alone. Federal programs must provide resources, technical assistance, and threat intelligence sharing to communities that lack the expertise and budgets for sophisticated cybersecurity programs.
The Clock Is Ticking
The cybersecurity challenges facing utilities aren’t future threats—they’re present realities demanding immediate action. With attacks increasing 70% year-over-year and adversaries already embedded within critical systems, the window for proactive defense is rapidly closing.
Corman framed the urgency around 2027, but the attacks are happening now. Every day without meaningful action represents another opportunity for adversaries to deepen their access, understand systems more thoroughly, and position themselves for maximum disruption when conflicts escalate.
The question isn’t whether cyberattacks will target water and power infrastructure—it’s whether we’ll strengthen our defenses before those attacks cause catastrophic harm to civilian populations who depend on systems they barely know exist. The data suggests we’re running out of time to find out.