Ransomware attacks on utility OT systems surged 80% in 2024, but most grid operators still run unpatched SCADA systems from the 2000s
Ransomware attacks targeting the energy and utilities sector increased 80% in 2024 compared to 2023, with nearly 1,700 ransomware incidents hitting industrial organizations that year (an 87% increase per Dragos). Meanwhile, many grid operators still run legacy SCADA and ICS systems deployed 15-20 years ago that were never designed for internet connectivity but are now exposed through IT/OT convergence.
Why it matters: A successful ransomware attack that locks SCADA systems at a utility control center blinds operators to real-time grid conditions, so they cannot detect equipment failures, manage load balancing, or dispatch generation -- effectively flying blind. Flying blind during peak demand or severe weather means operators cannot prevent cascading failures, so the risk of a widespread blackout affecting millions of customers multiplies. A multi-day blackout in a major metro area causes deaths (people on home medical equipment, extreme heat/cold exposure), so the attack becomes a public safety emergency. The reputational and financial damage from such an incident (average OT breach cost: $22 million per CISA) drives utilities to over-invest in cybersecurity compliance paperwork rather than actual technical hardening, so the underlying vulnerabilities persist. These persistent vulnerabilities are well known to nation-state actors (Russia's Sandworm, China's Volt Typhoon), so the grid remains a high-value target for geopolitical coercion.
The structural root cause is that utility SCADA systems were designed in the 1990s-2000s for isolated, air-gapped networks with no authentication or encryption. As utilities connected these systems to corporate IT networks and the internet for remote monitoring and efficiency gains, they inherited all the vulnerabilities of networked computing without any of the security architecture. Replacing these systems requires shutting down grid operations during upgrades, which utilities are unwilling to risk.
Evidence
Trustwave's January 2025 report found ransomware attacks on energy/utilities up 80% in 2024. Dragos' 2025 OT Year in Review reported nearly 1,700 ransomware attacks on industrial organizations in 2024 (87% increase). CISA reported a 145% surge in OT-targeted cyberattacks in 2024, with average breach costs of $22 million. CRIL analyzed 2,451 ICS-specific vulnerabilities disclosed between December 2024 and November 2025 across 152 vendors. Z-Pentest was identified as the most active threat actor targeting HMIs and web-based SCADA interfaces.
Source: Trustwave, Dragos, CISA, Industrial Cyber, SecurityWeek.