Few topics in critical infrastructure protection are as pressing as the security of the electrical grid. Today we’re speaking with Rupert Marais, our in-house security specialist, whose expertise spans endpoint and device security, cybersecurity strategy, and network management. With both cyber and physical threats to the grid on the rise, Rupert discusses why cyber and physical security approaches need to be integrated, how grid modernization changes the risk picture, and how threat actors’ tactics are evolving. Our conversation covers the convergence of digital and physical risk, the sharp increase in attacks on utilities, and the steps grid operators must take to safeguard this essential infrastructure.
Can you explain why there’s such a strong push for grid operators to merge their cybersecurity and physical security strategies?
Absolutely. Historically, grid operators focused on keeping the lights on by maintaining physical equipment and ensuring uptime. But the landscape has shifted dramatically. Cyber threats are no longer just about data breaches; they’re increasingly aimed at causing real-world disruption to operations. At the same time, physical attacks on infrastructure, like substations, have spiked. This dual threat means that siloed approaches—where one team handles cyber risks and another manages physical security—just don’t cut it anymore. If these strategies aren’t unified, vulnerabilities slip through the cracks, potentially leading to cascading failures that could knock out power for entire regions.
What are some of the recent trends in cyber and physical attacks that are driving this shift in thinking?
On the cyber side, we’ve seen a massive uptick in attacks targeting utilities—research shows a 69% increase in weekly cyberattacks from 2023 to 2024. Ransomware and malware are hitting hard, often exploiting the growing connectivity between operational technology and IT networks. Physically, since 2020, there’s been a 71% rise in incidents, ranging from random vandalism to coordinated attacks with political motives. These trends aren’t isolated; they feed into each other. A cyber breach can provide intel for a physical strike, or a physical intrusion can enable a cyberattack. It’s a vicious cycle that demands a holistic response.
Focusing on the cyber threats for a moment, what do you think is behind this sharp increase in attacks on utilities?
A big factor is the expanding attack surface due to grid modernization. As utilities digitize and connect more systems to the internet for efficiency and remote operation, they’re exposing critical infrastructure to hackers. Plus, the stakes are incredibly high—disrupting power can cause chaos, making utilities a prime target for everyone from cybercriminals seeking ransom to nation-state actors looking to destabilize economies. High-profile incidents, like the Colonial Pipeline attack in 2021, have also shown attackers just how much impact they can have, fueling more aggressive campaigns against the energy sector.
Shifting to physical threats, what’s driving the significant rise in attacks on grid infrastructure since 2020?
It’s a mix of factors. Some incidents are low-level, like vandalism or theft of materials such as copper from substations. But we’re also seeing more organized and motivated attacks, often tied to political or social agendas. For instance, there have been plots by extremist groups aiming to disrupt entire cities by targeting key infrastructure. Social unrest and geopolitical tensions play a role too, as attackers see the grid as a symbolic or strategic target. This isn’t just random crime—it’s often calculated to maximize disruption and fear.
How has grid modernization and the push for digitalization changed the security landscape for the electrical grid?
Modernization is a double-edged sword. Connecting operational technology—think control systems for power plants—with IT networks allows for better monitoring and efficiency, but it also massively expands what we call the attack surface. Every new connected device or remote access point is a potential entry for hackers. Digitalization efforts, like smart grids and distributed energy resources, introduce new technologies that often lack robust security built in from the start. So, while these advancements are crucial for meeting energy demands, they’re also creating vulnerabilities that didn’t exist when systems were more isolated.
There seems to be a surprising lack of awareness among some grid operators about how their cyber and physical security efforts overlap. What do you think contributes to this gap?
It often comes down to organizational structure and culture. Many utilities have historically separated their IT and operational teams, with little crossover in training or communication. Cyber folks might focus on firewalls and network monitoring, while physical security teams guard against intrusions or vandalism. Without a unified strategy, neither side fully grasps how their risks intersect—like how a physical breach at a substation could enable a cyberattack. Add to that the complexity of managing sprawling, legacy infrastructure alongside new tech, and it’s no wonder some operators are in the dark about their own security posture.
Looking at high-profile incidents, how do you think events like the Colonial Pipeline attack have influenced the way threat actors target the grid?
That 2021 attack was a game-changer. It demonstrated to threat actors—whether they’re cybercriminals or state-sponsored groups—that hitting critical infrastructure can create global ripple effects. Shutting down a pipeline didn’t just disrupt fuel supply; it caused panic, economic damage, and intense media attention. For attackers, it was proof of concept: target the grid or similar systems, and you can paralyze a society. Since then, we’ve seen a shift toward more sophisticated, coordinated attacks that aim for maximum disruption, often blending cyber and physical tactics to exploit every possible weakness.
What’s your forecast for the future of grid security over the next few years?
I expect the threats to grow in both frequency and complexity through at least 2026. As grids become smarter and more connected, the attack surface will keep expanding, and adversaries will get better at exploiting it. We’ll likely see more hybrid attacks that combine cyber and physical elements—think a cyber breach disabling alarms to enable a physical strike. On the flip side, I’m hopeful that regulatory pressure and industry collaboration will drive better integration of security strategies. Funding for research, like zero-trust models for distributed energy systems, is a step in the right direction. But it’s going to be a race to stay ahead of attackers, and grid operators will need to prioritize resilience and cross-team coordination to keep up.
