The recent intensification of cyber attacks on U.S. energy critical infrastructure (CI) is about to become more troublesome. The widespread exploitation of lost or stolen credentials is already being exacerbated by the proliferation and evolution of cloud and traditional Information Technology (IT) networks. The security of CI will be dealt another blow due to the diminished efficacy of current encryption methods, driven by steal-now, decrypt-later threats and the impending development of a cryptographically relevant quantum computer. These factors have an aggravating relationship which—if left unchecked—will undermine the viability of the systems that preserve our way of life.
Secure Identity
The majority of unauthorized network infiltrations stem from lost or stolen credentials, emphasizing the urgent need to invest in robust identity solutions. By securing identities and preventing the misuse of credentials, we can meaningfully enhance the resilience of the nation's energy infrastructure in the face of current and future cyber threats. There are a number of noteworthy cyber attacks on CI which could have been prevented with better identity practices in place:
- Colonial Pipeline Attack (2021): The largest publicly disclosed cyberattack against U.S. CI, the Colonial Pipeline attack disrupted fuel supply across the East Coast and was perpetrated by a criminal non-state actor. A legacy virtual private network (VPN) which lacked multi-factor authentication (MFA) was exploited, data was stolen, and ransomware was deployed.
- Volt Typhoon (2024): Chinese hackers, identified as part of the state-sponsored group, infiltrated U.S. CI networks, positioning themselves for potential disruptive attacks in the event of conflict between the U.S. and China. This long-term cyber operation targeted key sectors, including energy, with the intention of causing significant damage during a crisis.
- Sandworm (2024): This Russian state-sponsored hacking group has been responsible for a series of high-profile cyber attacks targeting U.S. CI. In 2024, Sandworm was connected to cyber attacks on water utilities in Texas, which included the physical manipulation of industrial control systems. The attackers used sophisticated phishing techniques to infiltrate and maintain access.
These breaches could have been mitigated or prevented by the use of stronger authentication and more secure identity practices. Implementing phishing-resistant MFA with hardware-bound Public Key Infrastructure (PKI)-based credentials, conducting regular security audits, and enforcing strict access controls could have detected and blocked the malicious activities.
Enter Quantum Computing
The advent of quantum computing poses a greater challenge for energy utilities and infrastructure to remain secure. As quantum technology develops, the potential to break current encryption methods becomes increasingly real. Adversaries are already collecting encrypted data, knowing they can decrypt it in the future when quantum computers become available. This threat amplifies the urgency of transitioning to quantum-safe methodologies and reinforces the need for resilient identity solutions.
With the recent National Institute for Standards and Technology (NIST) announcement of the approval of three quantum safe algorithms recommended for mass usage in government, CI, and commercial networks and systems, the White House’s recent approval of $7.1 billion to assist in transition to post-quantum cryptography, and a Senate Bill aimed at authorizing $2.9 billion to the Department of Energy (DOE) to support quantum research, the ability to act has never been more supported.
Leading Change
In keeping with its mission of securing the nation’s energy infrastructure, the DOE is at the forefront of investment and promotion of innovative cybersecurity solutions to help address these threats. The DOE has pledged to be the national leader in all research, development, and deployment of innovative cybersecurity solutions aimed at keeping up with fast-paced technological life cycles and the rapid evolution of the threat landscape.
Actionable Strategies for Enhanced Security
To navigate the rapidly changing threat environment, government and CI organizations can adopt several strategies:
- Transition Away from Exploitable Credentials: It is critical to abandon outdated, interceptable methodologies for credential storage and exchange. Instead, organizations should employ non-interceptable methods, where credentials are bound to hardware or devices and secured with biometrics or passcodes before conducting secure handshakes.
- Aggressively Develop Solutions for Emerging and Disruptive Threats: Solutions must be forward-looking, designed to counter both current and future threats. This includes integrating NIST-approved quantum-safe algorithms and enhancing the security of identity systems which provide access to cloud, hybrid, and on-premise networks.
- Prioritize Secure Identity: Securing identity is central to defending against these evolving threats. A robust identity platform, built on the principles of Zero Trust and supported by phishing-resistant MFA and hardware-bound PKI, is essential.
Securing the nation's energy resources and infrastructure is a team effort. No one company, person, department, or agency can do it alone. We all must be willing and active participants in solving the important challenges of securing energy resources. Collectively, we need to commit to the development and deployment of technologically innovative identity and digital defense solutions to protect the fundamental institutions of Western Democracy against emerging and disruptive threats.
