Risk 2:
Nation-State Threats
HIGH RISK
Risk Overview
Description:
The strategic objectives of China, Russia, and Iran pose significant cyber threats to the United States. These objectives aim to weaken our military and economic capabilities and influence foreign policy decisions. North Korea, while also a threat, is primarily motivated by financial gain and cryptocurrency theft.
This threat focuses on actors that are well-funded, capable, have effective cyber tools, and are motivated to support their nation’s strategic objectives. They accomplish their goals by infiltrating targets, maintaining persistence, and waiting for the right time to strike. A nation-state threat is not motivated by quick financial gain like those captured by other cyber and physical threat profiles in MRO's 2026 RRA.
Key Drivers and Trends:
To remain undetected within bulk power systems, nation-state threats employ 'Living Off the Land' tactics. By leveraging native command-line tools and existing system processes rather than external malware, these actors remain stealthy. This lack of malicious artifacts makes them exceptionally difficult to detect through standard security monitoring.
Continued tensions between the United States and China, Russia, and Iran, along with ongoing global conflicts, incentivize cyber aggression from nation-state threat actors.
For example, reported espionage numbers from threat actors have increased steadily across sectors over the past 3 years, with 5% of cases in 2022, 7% of cases in 2023, and 17% of cases in 2024.
Source: House Homeland Security Committee https://homeland.house.gov/wp-content/uploads/2025/02/CCP-Threat-UPDATED-Feb-2025.pdf
China continues to focus on critical infrastructure assets that provide little espionage or intelligence value, but collectively could enable disruption of military capability or health and human services. China’s cyber activities have increased 150% since 2024 in manufacturing, industrials, engineering, and telecom.
According to Homeland Security's Cyber Threat Snapshot for 2025, 10% of global cyber intrusions by Nation States and opportunistic criminal networks targeted the energy sector in 2024.
Event History:
- China-sponsored Volt Typhoon gained access to U.S. and Indo-Pacific critical infrastructure sectors in 2023, including communications, energy, transportation, and water and wastewater systems. Littleton Electric Light & Water (Maine) was one of the compromised companies in the electricity subsector. The Volt Typhoon group was pre-positioning itself on IT networks to enable lateral movement to OT assets to disrupt critical functions.
- Russia-sponsored Sandworm used a coordinated cyberattack that targeted 30 Distributed Energy Resource (DER) generation facilities. Adversaries disabled key equipment beyond repair at a site. This attack demonstrates that DER are now a valid target that can be used to impact the grid.
- China-sponsored Salt Typhoon infiltrated major U.S. telecommunications companies including internet service providers, targeting 80 countries and potentially accessing data from nearly every American.
- Russia-sponsored Sandworm used 'Living Off the Land' techniques in 2022 to execute a successful cyber attack against a Ukrainian electric utility, causing massive power outages. The attack coincided with several physical attacks. Days after the initial attack, Sandworm deployed malware to erase the contents of computers on the utility’s network.
Actions to Reduce Risk:
Several mandatory NERC Critical Infrastructure Protection Standards exist (or are under development) to help mitigate this risk:
| NERC Reliability Standard(s) | Mitigation Activities |
|---|---|
| CIP-005-7 (Electronic Security Perimeter), CIP-007-6 (System Security Management), CIP-009-6 (Recovery Plans for BES Cyber Systems), CIP-010-4 (Configuration Change Management and Vulnerability Assessments), CIP-011-3 (Information Protection) | Collectively, these standards are controls protecting medium and high impact Bulk Electric System cyber equipment. They provide defense-in-depth measures to limit the movement of threat actors within defined systems, harden cyber assets, aid in system recovery and change detection, and limit access to defined repositories of power system information. |
| CIP-007-6 (System Security Management) | Provides additional requirements for logging information at the host level that could be used to detect adversary activity. |
| CIP-015-1 (Internal Network Security Monitoring) | Provides requirements for Internal Network Security Monitoring for Bulk Electric System cyber equipment at high and medium impact assets. This improves the probability of detecting anomalous or unauthorized network activity by a malicious insider and improves response and recovery from an attack. This new Reliability Standard is subject to future enforcement on October 1, 2028. |
Other recommended actions include:
- Apply the Secure Connectivity Principles for Operational Technology (OT) as a framework to design, implement, and manage OT connectivity. The principles outline desired end-states that organizations should try to achieve, rather than minimum requirements.
- Leverage existing logging and Internal Network Security Monitoring to maximize detection.
- Bolster controls on data integrity and consider anomaly-based detection on control system values. (This is in addition to integrity controls while data is in transit, such as hashing.)
- Seek input from Operational Technology and Industrial Control System engineers, as these frontline workers often know system design vulnerabilities and can provide insights on where to monitor adversary activity.
- Develop business continuity plans for nation-state attack scenarios. Include plans to address a direct attack on infrastructure and an indirect attack on dependent infrastructure (GPS, operations-critical telecom, etc.).
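The 'Living Off the Land' tactic described under Key Drivers and the recommendation above to leverage existing host logging can be illustrated with a small triage routine that scores process-creation events by how far they depart from routine use of native tools. This is an added example, not part of the MRO assessment or any NERC standard; the log layout, the native-tool watchlist, the argument patterns, the remote-execution parent list and the point weights are all constructed assumptions that a utility would replace with its own baseline.

```python
import re
# Constructed host process-creation events in a Sysmon-like key=value layout (format assumed).
SAMPLE_LOG = r"""
host=hmi-01 user=CORP\svc-ops parent=wmiprvse.exe image=C:\Windows\System32\netsh.exe cmd=netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.0.5.20 connectport=3389
host=eng-ws-07 user=CORP\jdoe parent=explorer.exe image=C:\Windows\System32\notepad.exe cmd=notepad.exe C:\Users\jdoe\notes.txt
host=dc-02 user=CORP\svc-ops parent=cmd.exe image=C:\Windows\System32\ntdsutil.exe cmd=ntdsutil "ac i ntds" ifm "create full C:\temp\x" q q
host=eng-ws-07 user=CORP\jdoe parent=explorer.exe image=C:\Windows\System32\cmd.exe cmd=cmd /c dir
"""
# Native binaries an intruder can use without dropping malware (assumed watchlist, not exhaustive).
LOLBINS = {"netsh", "wmic", "ntdsutil", "powershell", "certutil", "reg", "vssadmin", "cmd"}
# Parent processes that indicate the command was launched remotely (assumed).
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "services.exe", "psexesvc.exe"}
# Argument patterns that are rare in routine administration of a BES cyber asset (assumed; baseline per site).
SUSPICIOUS_ARGS = [
    re.compile(r"portproxy", re.I),                 # netsh port forwarding used to pivot
    re.compile(r"ac i ntds|ntds\.dit", re.I),       # domain credential store access
    re.compile(r"-enc\s|encodedcommand", re.I),     # encoded PowerShell
    re.compile(r"shadows?\s+(list|create)", re.I),  # volume shadow copy handling
]
LINE_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) "
                     r"image=(?P<image>\S+) cmd=(?P<cmd>.*)$")

def score(ev):
    """Return (points, reasons): a native tool alone is routine (1); each rare argument or remote parent adds 2."""
    points, reasons = 0, []
    image = ev["image"].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    if image in LOLBINS:
        points += 1
        reasons.append(f"native tool {image}")
    for pat in SUSPICIOUS_ARGS:
        if pat.search(ev["cmd"]):
            points += 2
            reasons.append(f"argument matches /{pat.pattern}/")
    if ev["parent"].lower() in REMOTE_EXEC_PARENTS:
        points += 2
        reasons.append(f"spawned by {ev['parent']}")
    return points, reasons

def triage(log_text, threshold=3):
    """Return [(host, user, points, reasons)] for events scoring at or above threshold."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparsable or blank line
        points, reasons = score(m.groupdict())
        if points >= threshold:
            alerts.append((m["host"], m["user"], points, reasons))
    return alerts
```

Run against the constructed sample, the routine flags the port-forwarding command launched through WMI on the HMI and the credential-store export on the domain controller, while the ordinary `cmd /c dir` stays below the threshold because a native tool by itself is not evidence of anything.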
