According to Utility Dive, the Black & Veatch 2025 Electric Report reveals that 41% of utilities consider malware their top security threat, followed by cloud vulnerabilities at 38% and ransomware at 37%. The report shows that only half of utilities base spending decisions on formal risk assessments, even as 37% believe they could recover from an operational technology attack within a day. Keon McEwen, head of solutions development for industrial cybersecurity at Black & Veatch, notes that last April’s 12-hour power outage in Spain and Portugal immediately raised cyberattack suspicions, highlighting how grid security concerns have become mainstream. The survey found 40% of respondents prioritize workforce training as their top security concern, while only 22% use unified physical and cybersecurity teams, creating dangerous organizational gaps in defense coordination.
The Perimeter Problem
Here’s the thing about modern grid security: the old approach of building walls around your systems just doesn’t work anymore. We’re talking about thousands of distributed energy resources – solar panels, smart inverters, remote sensors – each one a potential entry point for attackers. And these aren’t isolated systems anymore. They’re all connected, which means there’s no meaningful perimeter to defend.
Think about it this way: a power surge could be aging equipment failing or it could be someone deliberately messing with your systems. Motor failures might look like normal maintenance issues. Without better visibility, operators won’t know they’re under attack until things are already breaking. That’s terrifying when you’re responsible for keeping the lights on for millions of people.
The Human Element
All the fancy monitoring technology in the world won’t save you if your team isn’t prepared. The report shows training has jumped to the top priority for 40% of utilities, and that’s actually encouraging. Because let’s be honest – you can have the best security patches available, but if your operators don’t know how to spot threats or manage access properly, you’re vulnerable.
Operational teams that used to just worry about hardware and uptime now need skills in network logging, compliance documentation, and threat assessment. And this needs to become part of their daily routine, not something they think about only during security audits. The C-suite has to make cybersecurity an operational strategy, not just a compliance checkbox.
Organizational Silos
This might be the biggest challenge utilities face. Attackers don’t care whether they’re exploiting physical or digital vulnerabilities – they’ll take whatever path gets them in. But most utilities still have physical security and cybersecurity teams operating separately, using different tools and protocols.
The numbers don’t lie: 34% haven’t integrated physical and cybersecurity planning, and only 22% use unified teams. That’s a massive gap in coordination. When an incident happens, these teams need to work together seamlessly, but if they’re not communicating regularly during normal operations, how can we expect them to collaborate effectively during a crisis?
Scaling Challenges
Grid modernization is accelerating everything – including the threats. Utilities are moving from managing thousands of devices to potentially millions. Each new connected device means more automation, more complexity, and more ways for attacks to spread. We’re adding renewables, AI systems, and IoT devices at an incredible pace, and the attack surface is expanding faster than most organizations can keep up with.
About 40% of utilities are using outside specialists for operational technology security, while one-third rely only on internal staff. There’s no right answer here – you either build deep internal expertise or partner with organizations that have it. But you can’t ignore the problem, because the grid is becoming more digital, more vulnerable, and more distributed every single day. The utilities that build integrated defenses will keep us powered up. The rest will be explaining their failures to regulators.
