Facing the future: Protecting utilities’ supply chains against AI’s evolving threats

The utilities sector is undergoing a digital transformation, with AI-driven monitoring, smart grids, and automation bringing unprecedented change to the industry, according to the UK Utilities Risk Report 2025.

The benefits of these advancements are well documented, improving efficiency and enabling increasingly complex and interconnected supply chains to work more easily together. But alongside the benefits, they also introduce new and ever-evolving risks.

For cyber-attackers the utilities sector is a high-value target. Rather than simply stealing data, they can disrupt critical infrastructure, bringing chaos to services crucial to businesses and individuals.

With new technologies introducing unknown dangers, leaders are now under pressure to understand their own vulnerabilities and those within their supply chains, prepare for potential cyberattacks, and build digital assets that are fit for the future.

Disruption to utilities in the AI era

While traditional disruptions such as port closures, extreme weather, and geopolitical tensions still pose challenges, AI is emerging as one of the key threats to the utilities sector.

The digitisation of supply chains has given rise to a greater risk of cyber breaches, with threat actors weaponising AI to launch bigger, more comprehensive attacks.

Threat actors use AI to:

  • Scan for vulnerabilities — they might typically focus on warehouse or transportation systems.
  • Automate phishing campaigns — emails could be sent en masse to logistics staff to trick them into revealing sensitive information.
  • Disrupt inventory systems — a move that could lead to supply chain chaos.

Not just data theft: Why supply chains are attackers’ latest target

The interconnected nature of utilities means attackers can now bring down essential infrastructure such as power and water supplies. Our global supply chains are becoming increasingly vulnerable to this sort of security breach.

  • Florida water treatment facility: In 2021, a hacker was able to use a dormant remote access software platform to infiltrate a water treatment plant’s system with the intention of poisoning a Florida city’s water supply.
  • Synnovis pathology services: Synnovis, a provider of pathology services to the NHS, was hit by an attack in the summer of 2024 that cost an estimated £32.7 million and resulted in thousands of missed patient appointments.
  • Hypothetical attack: The Government claims that a hypothetical cyberattack focused on key energy services in the South East of England could wipe over £49 billion from the wider UK economy.

The Government’s Cyber Security and Resilience Bill, which will be introduced to Parliament later this year, sets out new laws to boost supply chain protection and improve critical service cyber defences. It also includes tough penalties for managed service providers that fail to patch vulnerabilities.

This new legislation is in addition to the laws and regulations already in place, with penalties of up to £17 million for those who fail to implement proper cybersecurity measures.

Protecting against supply chain risks

The utilities sector’s supply chains typically include digital third-party suppliers. However, with each external connection to a utility’s network providing a gateway through which cyberattackers can gain access, the hidden security risks of these chains are intensifying.

It takes just one compromised vendor for attackers to infiltrate an entire service, enabling them to access sensitive data, introduce malware, or cause widespread disruption.

How to strengthen supply chain security

  • Carry out risk assessments: Conduct thorough risk assessments on a vendor’s cybersecurity protocols before allowing system access.
  • Restrict access permissions: Ensure all suppliers’ access permissions are restricted to essential levels only.
  • Introduce cyber clauses: Embed cyber resilience clauses in supplier contracts to ensure each vendor is held accountable for their own cybersecurity.

Balancing progress with risk management

With digital transformation across utilities gathering pace, the challenge for leaders is to ensure their organisation keeps up with the changes while retaining the highest level of cybersecurity.

Mitigating risk:

  • Implement continuous risk assessments: Rolling risk assessments are crucial to keep pace with emerging threats and hacker capabilities.
  • Don’t forget human error: Human error will remain a significant threat, so prioritise regular staff training to keep employees aware of cybersecurity issues.
  • Keep regulatory knowledge up to date: Failing to do so can lead to financial penalties, exclusion from contracts, and reputational damage.

Future-proof your business

Cybersecurity is no longer a case of protecting a single organisation — robust defence strategies are vital to protect critical infrastructure as a whole. By designing mitigations, leaders can take proactive measures to strengthen supply chain security — and build a business that’s fit for the future.

Strategic support for cybersecurity-savvy utilities

Marsh McLennan offers comprehensive support to help utilities address cybersecurity and build long-term resilience. Services include:

  • A consultative strategy, ensuring cybersecurity is integrated into business resilience planning.
  • Tailored solutions based on industry-specific risks and regulatory requirements.
  • Cyber risk assessments to identify and fix vulnerabilities.
  • Cyber insurance solutions to mitigate financial exposure.
  • Operational resilience strategies to protect critical systems from cyber-physical threats.
  • Incident response planning to ensure rapid recovery from cyberattacks.
  • Compliance advisory services to help utilities meet evolving regulatory requirements.
  • Supply chain risk monitoring to track vulnerabilities across digital vendors.
  • Risk assessments to prepare for emerging threats and hacker capabilities.

If you would like to discuss any topic raised in this article, please contact us.
