The energy sector quite literally powers modern life — keeping cities buzzing, businesses running, and communities connected. From industrial complexes to suburban neighbourhoods, its uninterrupted operation is essential. In recent years, this critical infrastructure has become a prime target for cyber criminals. In the U.S., cyberattacks on utilities surged by 70 percent in 2024, and while Canadian-specific data remains scarce, there’s little reason to believe our energy networks are any less vulnerable.

Utilities represent more than just infrastructure for attackers — they’re high-value targets where a single breach can disrupt millions of lives. Yet, many organizations remain underprepared, struggling with outdated systems, regulatory gaps, and the increasing complexity of IT-operational technology integration. In today’s threat landscape, cyber security can no longer be passive. It must be relentless, proactive, and, most importantly, offensive.

There are two major reasons why utilities are such attractive targets: financial motivation and geopolitical cyber warfare. Ransomware attackers know there’s money in this industry and that the sector is under pressure to restore operations quickly. On the other side, state-sponsored attackers target energy infrastructure to create widespread disruption, affecting entire nations.

While these threats continue to grow, utilities remain behind in their cyber security maturity. Unlike financial institutions, which have long been the subject of strict regulations, many energy companies have operated without comprehensive security mandates. That’s beginning to change, with frameworks like the Ontario Energy Board’s (OEB) cyber security standard requiring independent assessments. But compliance alone won’t stop an attack. To stay ahead, organizations must take a more proactive approach.

Cyber criminals don’t just exploit the obvious weak spots. They look for misconfigurations, manipulate employees, and take advantage of gaps in vendor security. Many organizations focus on defensive security — firewalls, endpoint protection, and access controls — but these solutions assume attackers will be stopped at the perimeter.

The problem is attackers don’t always come through the front door. That’s why offensive security is critical. Instead of waiting for an attack to happen, this approach simulates real-world threats to find vulnerabilities before cyber criminals do. By thinking like an attacker, organizations can uncover weaknesses that traditional defences miss.

1. Penetration testing: Simulating cyberattacks to identify weak points in networks, applications, and devices.
2. Red team assessments: A full-scale simulation of determined attackers, using both cyber and physical intrusion methods.
3. Social engineering tests: Evaluating how easily employees can be tricked into granting unauthorized access.
4. Physical security reviews: Testing whether unauthorized personnel can gain access to critical systems in facilities.

Too often, organizations assume their defences are strong — until they’re tested. And when they are the results can be surprising.

One of the most common gaps in energy cyber security is simply not knowing what’s connected to the network.

Example: During a security assessment, one energy company was convinced they had full visibility of their operational technology (OT) environment. But after a network scan, it was discovered there were dozens of unmonitored legacy systems still connected to the grid — many with outdated security controls. These forgotten assets were prime targets for an attacker.

If organizations don’t have full visibility into their infrastructure, they can’t secure it. A cyber security program should start with a clear inventory of every connected asset, its security posture, and its potential risk exposure.

Third-party vendors are often the weakest link in an organization’s cyber security strategy.

Example: In one case, an energy company had invested heavily in cyber security controls for its core network. However, a vulnerability assessment revealed that one of their vendors had an externally exposed system using default credentials — admin/admin. Had an attacker discovered it first, they could have used that entry point to infiltrate the energy company’s infrastructure.

To mitigate this, utilities can implement rigorous vendor risk management policies, requiring partners to meet the same security standards they enforce internally. Contracts should also include clear security requirements and incident notification obligations.

Many cyber threats don’t come from digital entry points at all — they can come from the physical world.

Example: In a security audit for a large utility provider, a red team assessment was conducted to test physical access controls. The security team was confident in their safeguards, yet testers managed to tailgate employees through restricted-access doors, gaining entry to a sensitive control room within minutes.

Once inside, the red team plugged in a rogue device, allowing them to access the internal network remotely. Had this been a real attack, an adversary could have stolen sensitive operational data or disrupted critical services — all without triggering an alarm.

This depicts a crucial lesson: Cyber security isn’t exclusively about IT. Without strong physical cyber security, an attacker doesn’t need to hack your systems — they just need to walk through the right door.

To improve cyber resilience, organizations should follow a crawl-walk-run approach:

• Crawl — Conduct a cyber security assessment to establish a baseline understanding of risks.
• Walk — Implement structured penetration testing and security reviews on a regular schedule.
• Run — Build a continuous offensive security program, integrating IT, OT, and vendor risk management into an ongoing strategy.

The reality is that the cyber security issue is a business risk that affects operations, compliance, reputation, and even national security. Leadership teams need to be actively involved in security decision-making, ensuring that proactive defences are embedded into their strategy.

The biggest shift we’re seeing in cyber security today is the rise of AI — on both sides of the battlefield.

Cyber criminals are already using AI to write malicious scripts, automate phishing attacks, and adapt their techniques faster than ever. Meanwhile, security teams must leverage AI-driven threat detection and automated response strategies to keep up.

Regulatory pressure is also increasing. The OEB’s new cyber security standard now requires independent security assessments, marking an important step toward more stringent cyber security requirements in the sector. But regulations can only go so far — organizations that want to stay ahead must take cyber security into their own hands.