Top Utilities Cyberattacks of 2025 and Their Devastating Impact on Critical Infrastructure

Connected technology has transformed every industry, including those that underpin critical infrastructure. Water utilities use remote sensors to monitor water quality and reservoir levels; power companies rely on connected equipment to track outages and high‑demand areas; and oil and gas firms leverage geographically distributed sensors to oversee pipeline integrity. These sectors employ Internet of Things (IoT) devices both because of the need for real‑time monitoring in remote locations and the ability to streamline monitoring, creating centralized operations with robust data insights. 

Yet, an increased reliance on IoT devices also created an expanded attack surface, with increased risks of cyber attacks, data breaches, and potential impacts to the global supply chain. While the estimated number of IoT devices worldwide varies, as of 2025, there are approximately 18 billion devices, which is forecasted to grow to 40 billion by 2030. For critical infrastructure organizations, the stakes are especially high. These organizations face threats from nation-state threat actors aiming to disrupt essential services, whether through tampering with electricity grids or contaminating water treatment systems. Strengthening security programs around IoT devices is no longer optional; it’s a key safeguard against cascading failures and systemic breakdowns.

The IoT Risk to Utilities and Critical Infrastructure 

In terms of IoT, many critical infrastructure companies have remote monitoring tools implemented through their infrastructure. An oil and gas pipeline typically runs through miles upon miles of wilderness and has sensors all along its length to track the liquid crude as it travels from extractors to refiners. Water treatment plants have sensors spread throughout their operations, and electric companies have internet-enabled transformers tracking power flow through their systems. 

The federal government has acknowledged the growing risks to critical infrastructure systems. A 2022 report from the U.S. Government Accountability Office (GAO) highlighted the cybersecurity challenges associated with IoT usage in these environments. At the time, the federal agencies responsible for the 16 critical infrastructure sectors had not conducted risk assessments related to their use of IoT or operational technology (OT). A follow-up report in 2024 found that, despite federal mandates, few agencies had implemented formal initiatives or submitted waivers for noncompliant devices, as required under the IoT Cybersecurity Improvement Act.

Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) has advanced broader risk management efforts. In 2024, it began developing the 2025 National Infrastructure Risk Management Plan (National Plan), which directs Sector Risk Management Agencies (SRMAs) to identify, assess, and prioritize cyber risks—including those related to IoT and OT—within their sectors. The plan also calls for the development of sector-specific risk management strategies and participation in a CISA-led cross-sector risk assessment..

Examples of Recent Attacks on Critical Infrastructure 

While it’s not always clear whether recent cyberattacks on critical infrastructure originated with IoT devices, the source matters less than the reality: threat actors are actively targeting these sectors. Any expansion of the attack surface, including unprotected IoT devices, demands a strong defense.

Different critical infrastructure categories experience distinct threats. For water utilities, an IoT breach won’t necessarily stop operational technology from functioning or create downtime. That might be a good thing, but that doesn’t mean these attacks aren’t damaging. A more salient point is that these attacks on water systems may also occur in rural areas that have more limited budgets. 

Several recent examples include:

• In October 2024, American Water, the largest regulated water utility in the US, detected a cyberattack that forced the company to disconnect the MyWater customer portal and pause billing systems as a precautionary measure. Operations were restored within a few days, and regulators were notified. Notably, the company confirmed that water quality—which provides clean drinking water to more than 14 million people in 14 states—and core operations were not compromised.
• The Municipal Water Authority of Aliquippa in Pittsburgh had to shut down its OT systems after a cyberattack from the Iran-backed group “Cyber Av3ngers” on one of its booster stations. The attack shut down equipment that monitors water pressure at the station, forcing the water company to switch to manual monitoring. 
• At least 10 more water facilities throughout the United States were hacked through the same method the Cyber Av3ngers used to breach the Aliquippa water company, according to federal investigators. The devices that the Iranian group shut down were manufactured in Israel and displayed a message that said all Israeli tech is fair game for the Cyber Av3ngers. 
• The Municipal Water Division of Oldsmar, Florida, had to defend against a poisoning attack. Someone hacked into a utility control network and raised levels of sodium hydroxide to over 100 times their normal concentrations. Sodium hydroxide is dangerous in large quantities but is safely used in everyday water treatment. An operator who noticed the hack in real time – by seeing his mouse cursor move by itself – stopped the chemicals from reaching the water supply. 

With power companies, the same trends persist. Co‑ops and rural utilities continue to be favored targets due to their limited defenses. In 2024, Check Point Research documented 1,162 cyberattacks on utilities, a 70 percent year-over-year increase. The North American Electric Reliability Corporation (NERC) has warned that susceptible points on the electrical grid grow by approximately 60 per day. IoT attacks may not cause major disruptions given how they’re connected to a network, but they can still impact energy company terminals and other IT rather than OT. For example:

• In May 2025, a Southeast Asian energy provider was hit by ransomware threats from the NightSpire group. The threat actors disabled control systems for 18 days while demanding an $8 million ransom; a stark example of how ransomware threats and data theft can target industrial control systems.
• In 2021, Colorado cooperative Delta-Montrose Electric Association (DMEA) was hit by a “malicious” cyberattack and left without payment processing, billing, and other internal systems. It took more than a month to bring those systems back online. The utility said it suffered a significant data loss, but there was “no breach of sensitive data within our network environment,” and its distribution grid was not impacted. 
• Nearly two dozen Danish energy companies were attacked in May 2023 in three successive waves. This was the largest cyberattack in Danish history and resulted in several of the power companies shutting off their connection to the internet to limit the damage.  
• It’s not only the power companies directly that are impacted. Chicago-based engineering firm Sargent & Lundy, which designed more than 900 power stations in the US,  experienced a ransomware attack in October 2022. Sargent & Lundy holds sensitive data on its power station and power line projects. Data on electrical systems was exfiltrated, but there is as yet no indication of any downstream impacts. But that doesn’t mean power companies can relax either.   

Oil and gas companies typically have larger organizations with distributed networks and riskier IoT assets because of their geographic distribution. While oil and gas organizations have traditionally faced fewer regulatory pressures, that is beginning to change. In 2024, both NERC and FERC introduced significant updates to enhance cybersecurity resilience, most notably through the evolution of NERC’s CIP standards, which include expanded requirements around cybersecurity, access controls, and supply chain risk management.

That said, successful cyberattacks in the oil and gas industry can have massive societal impacts. There could be widespread gas shortages, triggering hoarding behavior at the pump and leading to broader chaos. In some cases, that may be the goal of the cyberattack in the first place. 

• On August 6, 2025, Pakistan Petroleum Limited (PPL), an oil and gas exploration firm, detected a ransomware intrusion affecting portions of its IT infrastructure. The incident was swiftly contained, and the company isolated noncritical IT services to limit impact. They later went on to confirm that threat actors had not accessed critical systems, and no sensitive data was compromised.
• In May 2021, financially motivated cybercriminals launched a ransomware attack on Colonial Pipeline. They locked up IoT sensors, making it impossible for the company to track how much to bill gas customers. In response, the company shut down all 5,500 miles of pipeline, which caused fuel shortages and panic buying in multiple states. With good reason too: Colonial Pipeline makes up 45% of the East Coast’s supply of diesel, petrol, and jet fuel. 
• Suncor Energy, a Canadian oil and gas company, experienced a cyberattack in June 2023 that one expert said would likely cost the company millions of dollars in recovery. Customers trying to get gas at Suncor Petro-Canada retail locations couldn’t use credit or debit cards while the company recovered. It took until nearly August to almost completely resume regular operations.  
• ExxonMobil was disrupted in December 2019 by a Ryuk ransomware attack. Ryuk specifically impacted the company’s downstream business, which includes refining, chemical production, and distribution of petroleum products. 
• In 2017, cyber attackers using a new Triton malware attacked the safety systems at Saudi Aramco, the world’s largest oil company. This was the first example of malware used to target safety systems directly. Aramco initially denied the attack, so it wasn’t known until Foreign Policy magazine detailed the attack’s progression. 

The risk of cyber attacks against critical infrastructure sectors remains high as threat actors continue to exploit both technical vulnerabilities and operational blind spots across energy, water, oil and gas, and other sectors. For example, data from a 2025 Trustwave report revealed that ransomware attacks have surged 80% year over year in the energy and utilities sector alone, with 84% of incidents starting via phishing and 96% involving remote service exploitation.

To address this growing threat landscape, critical infrastructure operators should take immediate and proactive steps to reduce their exposure and build cyber resilience:

• Understand their true equipment and device inventory along with their network architecture, through the use of discovery tools. 
• Adapt their security strategy to focus on data and traffic as opposed to perimeter defense.
• Deploy IoT security tools designed with anomalous behavior detection in mind to ensure they can be readily monitored and risks mitigated from a central location. 

How Asimily Helps Defend Critical Infrastructure

Asimily’s platform simplifies IoT security through a few key capabilities. These include anomalous behavior detection, risk simulation, traffic analysis, and vulnerability scoring. Asimily maps all the IoT devices in your environment, ensuring that critical infrastructure firms have a complete picture of their connected device environment and centralized insight into their risks. 

IoT devices used in critical infrastructure may not be easily taken offline for remediation. Asimily’s risk simulation enables these companies to assess options for mitigating the risk from a given vulnerability on a device. Simulating a fix can help determine criticality and whether the weakness is even of interest to attackers before doing the work. That’s critical information when deciding how to improve your security posture. 

Asimily also provides holistic context into IoT environments when calculating likelihood-based risk scoring for devices. For example, highly networked devices have more inherent risk than ones with few connections. Our scoring considers the compensating controls so you can more appropriately prioritize remediation activities.

Asimily customers efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.

Utilities looking to implement smart technology to improve their operations need a solution like Asimily to address IoT security risks. Interested in learning more? Check out our platform overview.