Much work has gone into addressing known data cybersecurity threats that impact utilities, and this has been ongoing for quite some time. Yet when we look at the threat of kinetic cyberattacks – which can cause extensive, long-term equipment damage – there is a lack of urgency and insight to address the seriousness of this risk across many sectors. The question is, if you do not have the technical capabilities to truly address the threat of kinetic cyberattacks, how can you stop them from happening? Earlier this year, I had an opportunity to brief congressional House Homeland Security staf…

For those tasked with securing and protecting utility assets, the most formidable adversaries aren’t always external. While threat actors, cybercrime and infrastructure sabotage are real and constant threats, internal biases and resistance to change are some of the most challenging security obstacles. If not overcome, three specific challenges – complacency, misconceptions and parochialism – will render futile any attempt to enhance security. Pervasive complacency, entrenched misconceptions and long-standing parochialism create security challenges that no firewall or physical barrier can r…

If you’ve ever had the lights go out in the middle of a Netflix binge, you know just how fragile our utility systems can feel. Now, imagine that same blackout – not caused by a storm, squirrel or clumsy backhoe operator but by a hacker halfway across the globe who thinks it’s hilarious to shut down the power grid. Welcome to the reality of cybersecurity in the utility sector, a mix of legacy technology, patchwork defenses and enough regulatory acronyms to make your head spin. We’re at a crossroads. One direction: modernize, secure and actually get ahead of attackers. The other: keep duct-t…

Climate-related disasters are becoming more frequent. In 2024, there were 27 weather and climate disasters that caused at least $1 billion in damage, according to the National Oceanic and Atmospheric Administration’s National Centers for Environmental Information. Some disasters have revealed fragility in utility infrastructure that also presents security issues that can quickly escalate. Recent examples include: The 2025 Texas Hill Country flooding, which claimed more than 100 lives. The 2025 Los Angeles urban conflagration that destroyed over 15,000 structures. Hurricane Helen…

As threats to critical infrastructure continue to grow in complexity, the divide between physical and cyber security is dissolving, and a unified approach is becoming essential for a robust and proactive risk management security program. Within the utility industry, attacks targeting water supplies, power grids and other vital systems are becoming more sophisticated, underscoring the need for more comprehensive and proactive security measures. At the same time, the sector is under regulatory pressure from frameworks like the North American Electric Reliability Corp.’s Critical Infrastructu…

I see a lot of substations every year, and most of them have chain-link fences. I think chain-link fences are obsolete, but don’t take my word for it. IEEE 1402-2021, “IEEE Guide for Physical Security of Electric Power Substations,” includes the following statement: “A standard chain-link fence is easily cut, and most purposeful intruders use this method to gain access. Chain-link fences are therefore of limited value against this type of intruder.” The length of delay offered by a plain 9-gauge AWG wire, 2-inch mesh chain-link fence is measured in seconds, not minutes. A reasonably fit pe…

In the previous two issues, we asked how you would know if your critical substation could survive an attack. (If you haven’t already, it might be a good idea to revisit those columns.) In this issue, we examine how the scenario is used to test the physical protection system (PPS). The Vulnerability of Integrated Security Analysis (VISA) methodology breaks the scenario into discrete steps and evaluates how likely the system is to detect, assess and stop the threat. Our scenario (outlined in the previous issue) is divided into steps, entered into a worksheet and timed accordingly. An…

Most of my focus these days centers on digital threats to key systems and ensuring that China is being removed from our fragile supply chain that we depend on every day in the energy sector. To be successful at this, the utility sector needs to invest heavily in cybersecurity threat hunting, open-source intelligence tools to give us a leg up when the feds are slow to share, and security information and event management (SIEM) platforms to better aggregate security information. Often in these efforts, cybersecurity dominates the conversation. But I believe we can “walk and chew gum at the s…

It’s 2 a.m. on Christmas morning. Your physical protection system (PPS) has detected movement outside the perimeter fence of your substation. The object identification technology in the video surveillance system (VSS) has identified the movement as human in nature, so it has alerted the security operations center (SOC). The SOC operator has assessed that there are two men outside the fence with bolt cutters and backpacks. They are busy cutting through the chain-link fence. The operator concludes that an attack on the substation by two intruders is underway. Now what? Many security plans…

The utility sector stands at a crossroads. As critical infrastructure providers, utilities face an unprecedented convergence of physical and cyber threats that traditional siloed security approaches can no longer adequately address. The time has come for a fundamental shift toward integrated security operations that break down organizational barriers and create a unified defense against increasingly sophisticated adversaries. The Evolving Threat Landscape Today’s threat actors don’t distinguish between physical and cyberattack vectors—they exploit whatever pathway offers the greatest opport…

Let’s just call it what it is—cybersecurity is no longer the awkward sidekick in the corner of the boardroom whispering about “threat surfaces” and “zero trust.” Regulators have officially given it a bullhorn, a front-row seat and a stack of expectations tall enough to block the view of your latest digital transformation project.  Federal regulators, including the National Institute of Standards and Technology (NIST), the North American Electric Reliability Corporation (NERC), the U.S. Department of Energy (DOE) and the U.S. Environmental Protection Agency (EPA), are sending an unmistakabl…

I had the opportunity to talk with Burns Engineering’s security practice leader, René Rieder Jr., about his wealth of experience meeting with C-suite-level executives to discuss security strategies. During our discussion, he shared excellent insights on how executives can best reach security success by adopting key best practices and avoiding common pitfalls. CURTIS MARQUARDT JR.: Let’s talk about what C-suite and other leaders need to do during security meetings to be successful. First, let’s start with the bad. What are the most common missteps or unproductive strategies you have seen f…