June 18, 2026

Security Sessions | Debunking Common Utility Cybersecurity Myths
Why understanding popular misconceptions can help providers protect critical infrastructure in 2026 and beyond

by Victor Atkins and Adam Spratt on behalf of The Utility Broadband Alliance (UBBA)

In 2026, few operational priorities are more critical than cybersecurity, as a cyberattack can have devastating consequences for both a utility’s infrastructure and its customers. So why do so many cybersecurity myths persist in the industry?

Utility leaders in 2026 should approach cybersecurity with eyes wide open. That means setting the record straight on both the actors who seek to attack critical infrastructure and the practices and principles that will be most effective in stopping them.

Myth: Cyberattackers are mostly private entities acting for profit

For years, the common view of cyberattackers, shaped primarily by Hollywood, has been of lone-wolf actors or faceless entities seeking to cause chaos and steal data for profit, revenge or no reason at all. This view, while not always inaccurate, is simply incomplete when examining the threat landscape in 2026.

The current geopolitical environment paints a much more complicated picture. Cyberattacks can come from a multitude of actors motivated by different aims, but among the greatest emerging threats are nation-states. Modern warfare, as illustrated by the war in Ukraine, has moved the fight beyond the battlefield. In 2022, Russia carried out cyberattacks aimed at sabotaging Ukraine’s satellite communications before it moved in with its physical invasion. The impact of these attacks was widespread, disrupting services across the EU and affecting nearly 6,000 wind turbines in Germany.

More recently, in December of 2025, Russia-linked groups associated with the GRU attempted to disrupt power delivery in Poland by targeting communication links between renewable generation sites and the operators who manage them during peak winter stress. Instead of using tailored malware against a transmission substation or control center, the attackers targeted the communication layers carrying the telemetry data that operators rely upon for visibility and control. By cutting off that information across many small DER sites at once, the attackers increased the risk of frequency disturbances and potential load shedding during peak cold weather demand. Had the attack succeeded, nearly 500,000 people could have lost power and heat in extreme cold.

These attacks have significant short- and long-term implications for North American operators. The indication from high-ranking officials is that China intends to take Taiwan by 2027, and intelligence agencies have confirmed that Chinese state-sponsored actors are positioned to launch cyberattacks in the event of a conflict that involves the United States. For this reason, civilian infrastructure (including public utilities) and military networks could be attractive targets in such a scenario.

Domestic threats persist and complement these geopolitical concerns, as threat actors target both public and private organizations, including utilities. Vendors with hidden or masked foreign ownership are becoming more involved in local contracts, multiplying supply chain risks. And insider threats are ever-present as bad actors recruit and bribe employees via shady online forums to sell network access.

The ramifications of an attack on utilities are potentially devastating for both the organization and its customers. Recent natural disasters, such as Hurricane Helene, have shown the lasting damage a wide-scale outage can have on utility customers. Hospitals can lose power and water treatment plants can shut down for months, risking the health and safety of thousands. Even banks and grocery stores can be severely disrupted, leaving many without access to essential resources. These are just a few of the possible impacts of a cyberattack on utility infrastructure, and with the rising number of global threats, such attacks have become a matter of not “if,” but “when.”

Myth: Threat actors only target IT systems

Many utilities assume that cyber threats target only IT resources. However, cyberattacks can target any number of entry points in a utility across an ecosystem of wireless, microwave, satellite and cloud-based connections, any one of which can be vulnerable to attack if not sufficiently protected. Organizations that limit responsibility for cybersecurity only to IT can overlook these assets and put critical systems at risk.

A good example is the coordination of distributed energy resources (DERs). Utilities are integrating more renewable energy, battery energy storage and other resources across the grid and managing them via a communication network. This can create potential vulnerability points with each new resource added, and both the network and the DERs themselves require protection from threats.

One important consideration in securing connected network assets is to leverage private broadband communication, which has become a critical component of grid modernization for many utilities. Private LTE (PLTE) networks can enable high-speed coordination of DERs and other resources and enhance overall resiliency. More importantly, however, PLTE networks offer significant security benefits over public or “mesh” networks, making them an essential tool in utilities’ cybersecurity strategies.

A PLTE network comes with inherent cybersecurity features and gives utilities full ownership and control of the network. Utilities can embed utility-grade reliability and advanced security controls into the overall network design, while being better positioned to respond quickly to potential threats by owning and designing the network. And because the networks operate at high speeds, operators can quickly detect anomalies, close traffic “black holes” and enforce policies around segmentation, roaming and third-party access to help protect critical infrastructure from being compromised.

It’s clear that while IT assets can certainly be a target for malicious actors, IT is only one piece of the cybersecurity puzzle for utilities.

Myth: Cybersecurity is only IT’s concern

Because business leaders tend to view cybersecurity as an IT problem, many miss the risks it poses to the bottom line and consider it the IT department’s responsibility. But cybersecurity is first and foremost a business risk, and as such requires an organization-wide approach. For critical infrastructure owners and operators, that risk extends beyond financial and operational impacts to include the safety of employees in the field and the general public, who depend on reliable services.

The most effective cybersecurity strategies are woven into the organization's DNA from the top down. Accountability must extend to the board level, and the C-suite should make security a priority by defining roles clearly across all business units. The costs of failure for utilities are simply too great to ignore.

This can be easier said than done when it comes to financing cybersecurity efforts. Budgets for defense are frequently considered operating expenses and are therefore constantly under scrutiny. Effective cybersecurity can be difficult to quantify because it is not a revenue-generating activity for the business: in the best-case scenario, nothing happens, and the ability to generate revenue from other parts of the business is maintained. While this looks good for an IT administrator, it can make the business case for further investment difficult to demonstrate.

Utilities need to reframe cybersecurity as a business necessity, one that is essential to ensuring continuity, mitigating risk and protecting brand reputation. This can help change the perception of security from a mere cost center to a strategic imperative for the business.

In addition to upgrading to a private network, utilities can implement several tactics to strengthen cybersecurity and improve network visibility. They should:

  • Strengthen hygiene: Patch systems, block common threats and monitor well-known vulnerabilities.
  • Establish baselines: Ensure adequate detection and train staff to respond to anomalies such as “living off the land” attacks using legitimate tools like PowerShell.
  • Test resilience: Conduct regular exercises for business continuity and disaster recovery, simulating the loss of both IT and OT systems.
  • Invest in people: Avoid skill stagnation with ongoing training, conferences and cross-functional exercises.
  • Scrutinize vendors: Contracts don’t reduce operational risks, and they don’t transfer accountability. Require vendors that can access your systems to show clear, transparent evidence that their own security program is robust and meets industry standards, because the responsibility for an attack ultimately falls on the utility.

Utilities can also build security strategies and evaluate programs using the National Institute of Standards and Technology’s cybersecurity framework. Many are adopting zero-trust and microsegmentation architectures, stress-testing continuity plans and treating vendor risk as a shared responsibility.

Finally, utilities should bake cyber resilience into their organizational culture. This means investing in training and professional development opportunities to keep staff agile, while incorporating cross-functional exercises to help prepare teams for a crisis. Rather than instill fear, good training helps create a healthy respect for cybersecurity as a foundational element of resilience.

A changing environment

The cyber threat landscape is shifting. Regardless of where attacks are coming from, threat actors are relentlessly seeking out vulnerabilities in utility infrastructure and systems, and the impacts of an attack can be devastating for any utility. By focusing on organizational awareness and vigilance and understanding the full scope of the cybersecurity paradigm in 2026, utilities can give leaders and their workers the ability to protect both the organization’s bottom line and the well-being of the communities they serve.

Adam Spratt is manager of cybersecurity at Southern Company and the team lead for the cybersecurity program at Southern Communications. He has spent 15 years in technology security and the last 10 years securing Southern Company’s telecommunications networks. He holds his Certified Information Systems Security Professional distinction as well as a Bachelor of Science degree in Cybersecurity & Information Assurance from Western Governors University.

As director for critical infrastructure security consulting, Victor Atkins is responsible for engaging with executive-level clients to deliver 1898 & Co.’s unique cybersecurity solutions and services tailored for critical infrastructure sectors. He led and managed the cyber intelligence missions for the U.S. Department of Energy's Office of Intelligence and Counterintelligence and directed programs executed at the Department of Energy National Laboratories to discover and characterize sophisticated foreign cyber threats with the potential to disrupt energy sector operations. Additionally, he has served at the Central Intelligence Agency and the White House National Security Council, focused on countering both nuclear terrorism and the proliferation of nuclear weapons. He was named as one of nine inaugural Nonresident Senior Fellows within the Atlantic Council’s Indo-Pacific Security Initiative, which works with U.S. allies and partner governments to develop programs and policies addressing security challenges in the region while finding opportunities for collaboration.