Codific maps five cyber paths threatening power grids
Codific has published an analysis of five cyberattack pathways it says repeatedly appear in incidents and sector scenarios affecting power grids. The report focuses on how utilities can reduce outage risk and improve recovery.
Codific argues that the most disruptive grid cyber events often follow familiar patterns rather than novel techniques. Initial access commonly starts with people or exposed perimeter services. Attackers then expand access using stolen credentials and remote administration tools, disrupting operational visibility, control, and restoration.
Large-scale modelling continues to shape how insurers and utilities assess the financial consequences of prolonged outages. The Lloyd's and University of Cambridge Centre for Risk Studies "Business Blackout" scenario, which examines a cyberattack on the US power grid, estimates total economic losses of about USD 243 billion. An extreme variant exceeds USD 1 trillion. Estimated insured losses range from roughly USD 21.4 billion to USD 71.1 billion, depending on severity.
Dr. Dag Flachet, Codific's co-founder, said planning should assume controls will fail at some point.
"A famous saying in the industry is that there is no such thing as 100% secure. That doesn't mean we should throw up our hands and give up. Quite the opposite: it means we must have multiple layers of defence and still prepare for when all of them are breached. We will fall at some point, but how fast can we get back up?"
Email entry
The first pathway Codific highlights is spearphishing that escalates into operational impact. It often begins with a convincing email that leads to credential theft. Attackers then use remote access and move into systems linked to operational environments.
The Ukraine 2015 power grid attack is commonly cited as an example. Reports describe spearphishing as the initial access vector, followed by credential theft and access into operational systems. Attackers remotely opened breakers, contributing to customer outages and complicating recovery because of limited visibility and coordination.
Codific recommends phishing-resistant multi-factor authentication for privileged accounts and remote access, along with monitoring for abnormal logins and rapid credential revocation. It also highlights segmentation between IT and operational technology environments as a key control.
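The "monitoring for abnormal logins and rapid credential revocation" control above can be expressed as a small detection rule set run over remote-access authentication logs. The following is an added example written for this article, not Codific's code or any product's logic; the log format, account names, trusted network range, working hours and the two-indicator revocation threshold are all constructed assumptions.

```python
# Added example: abnormal-login detection for privileged and remote-access accounts.
# Not Codific's code; the log format, accounts, networks and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (assumed format: ISO time, account, source IP, MFA method, result).
SAMPLE_LOG = """\
2024-03-04T08:02:11Z ops-admin 10.20.0.15 fido2 success
2024-03-04T08:10:43Z hmi-eng 10.20.0.31 fido2 success
2024-03-04T23:41:05Z ops-admin 198.51.100.7 otp success
2024-03-04T23:43:50Z ops-admin 203.0.113.9 otp success
2024-03-04T23:44:12Z vendor-svc 203.0.113.9 otp success
2024-03-04T23:46:30Z ops-admin 10.20.0.15 fido2 failure
"""

# Constructed baseline: privileged accounts, the networks remote operators normally use,
# working hours (UTC) and the MFA methods the policy treats as phishing-resistant.
PRIVILEGED = {"ops-admin", "hmi-eng", "vendor-svc"}
TRUSTED_NETS = [ip_network("10.20.0.0/16")]
WORK_HOURS = range(6, 20)
PHISHING_RESISTANT = {"fido2", "piv"}


def parse_line(line):
    ts, account, src, mfa, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "account": account,
            "src": ip_address(src), "mfa": mfa, "result": result}


def detect(log_text, window=timedelta(minutes=10)):
    """Return (alerts, accounts_to_revoke).

    alerts: list of (iso_time, account, source_ip, [reasons]) for successful logins
    that deviate from the baseline; accounts_to_revoke: privileged accounts showing two
    or more indicators, i.e. candidates for immediate session and credential revocation.
    """
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    alerts, revoke = [], set()
    recent_src = defaultdict(list)  # account -> [(ts, src)] of successful logins seen so far
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are worth counting elsewhere; this rule set covers successes
        reasons = []
        trusted = any(e["src"] in net for net in TRUSTED_NETS)
        if e["account"] in PRIVILEGED and e["mfa"] not in PHISHING_RESISTANT:
            reasons.append("weak-mfa")
        if not trusted:
            reasons.append("untrusted-source")
        if e["ts"].hour not in WORK_HOURS:
            reasons.append("off-hours")
        # Same account arriving from a second, different external source inside the window.
        for ts, src in recent_src[e["account"]]:
            if e["ts"] - ts <= window and src != e["src"] and not trusted:
                reasons.append("source-churn")
                break
        recent_src[e["account"]].append((e["ts"], e["src"]))
        if reasons:
            alerts.append((e["ts"].isoformat(), e["account"], str(e["src"]), reasons))
            if e["account"] in PRIVILEGED and len(reasons) >= 2:
                revoke.add(e["account"])
    return alerts, sorted(revoke)


if __name__ == "__main__":
    found, to_revoke = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("revoke:", to_revoke)
```

On the constructed log the daytime FIDO2 logins from the trusted range pass silently, while the three late-night OTP logins from external addresses each raise several indicators and put ops-admin and vendor-svc on the revocation list; the failed attempt is skipped. The thresholds are deliberately simple so the rules stay explainable to the on-call engineer who has to act on them.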
Remote access
The second pathway focuses on remote access infrastructure, including VPN portals and remote access gateways. Utilities rely on remote access for operations and maintenance, and those services are attractive targets for attackers.
A typical sequence starts with stolen VPN credentials or the exploitation of an internet-facing access service. Attackers then move into the virtual infrastructure that hosts operational support systems, such as historian data platforms, SCADA support components, identity services, and monitoring tools. Even if core controllers are not altered, the loss of supporting services can push operations into degraded modes and extend restoration timelines.
Codific recommends reducing exposed services, patching edge systems quickly, and enforcing multi-factor authentication broadly. It also calls for tighter third-party access controls through least-privilege permissions and time-limited approvals, plus session logging across remote connections.
"There is a tradeoff between usability and security, and it is our job in this industry to make this less painful by better system design," Flachet said.
Ransomware impact
The third pathway is ransomware that impairs recovery rather than directly attacking industrial control systems. Codific frames ransomware in utilities as a resilience problem: it can cut off access to identity systems, engineering workstations, backup infrastructure, virtual platforms, and monitoring tools that teams rely on for safe operation and restoration.
Codific describes incidents in which attackers enter through remote access, move laterally, and encrypt or wipe virtualised environments hosting OT-adjacent services. Field assets may remain intact, but operations teams lose the systems used for coordination and safe switching.
Codific cites research on interruption costs in Germany that estimated national-level outage costs averaging about €430 million per hour, with peaks around €750 million per hour. In that context, recovery speed becomes a key factor in limiting overall impact.
Suggested preparations include offline, immutable backups that remain usable even when the identity systems attackers target are compromised, as well as regular restoration testing under time pressure. Segmentation and tighter privileges can reduce the spread and limit the scale of disruption.
Legitimate commands
The fourth pathway involves attacks that use legitimate industrial commands and protocols. Codific argues that serious operational outcomes do not always require novel exploits. Attackers can issue real operational commands through compromised access, then take destructive actions that slow restoration.
The 2016 Ukraine incident is often cited as a case in which malware interacted with industrial control protocols and used destructive components to complicate recovery. Codific notes that harmful actions can resemble normal operational sequences, making detection difficult without context.
Codific recommends monitoring that can identify unusual command patterns and sequencing, supported by a reliable asset inventory and behavioural baselines. It also calls for rehearsed manual operations and recovery playbooks that include clear communications and decision paths.
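The recommendation above (detect unusual command patterns and sequencing, anchored in an asset inventory and a behavioural baseline) can be illustrated with a small analyser over a control-command log. This is an added example written for this article, not Codific's code or any vendor's product; the log format, the asset inventory, the select-before-operate timeout and the burst limit are constructed assumptions.

```python
# Added example: context-aware detection of unusual control-command sequences.
# Not Codific's code; log format, inventory and baseline values are constructed assumptions.
from collections import deque
from datetime import datetime, timedelta

# Constructed asset inventory: which control hosts are allowed to command which assets.
INVENTORY = {
    "BRK-101": {"hmi-01", "hmi-02"},
    "BRK-102": {"hmi-01", "hmi-02"},
    "BRK-103": {"hmi-01"},
    "BRK-104": {"hmi-01"},
}
# Constructed behavioural baseline: operators SELECT, then OPERATE the same asset from the
# same host within 30 s, and never open more than two distinct breakers within five minutes.
SBO_TIMEOUT = timedelta(seconds=30)
BURST_WINDOW = timedelta(minutes=5)
BURST_LIMIT = 2

# Constructed command log (assumed format: ISO time, source host, asset, command).
SAMPLE_COMMANDS = """\
2024-03-04T10:00:00Z hmi-01 BRK-101 SELECT
2024-03-04T10:00:04Z hmi-01 BRK-101 OPERATE_OPEN
2024-03-04T10:30:00Z hmi-02 BRK-102 SELECT
2024-03-04T10:30:03Z hmi-02 BRK-102 OPERATE_CLOSE
2024-03-04T23:50:00Z eng-ws-07 BRK-101 OPERATE_OPEN
2024-03-04T23:50:02Z eng-ws-07 BRK-102 OPERATE_OPEN
2024-03-04T23:50:05Z eng-ws-07 BRK-103 OPERATE_OPEN
2024-03-04T23:56:00Z hmi-01 BRK-104 SELECT
2024-03-04T23:56:03Z hmi-01 BRK-104 OPERATE_OPEN
"""


def parse(line):
    ts, src, asset, cmd = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, asset, cmd


def analyse(log_text):
    """Return a list of (iso_time, asset, source, reason) findings.

    Each command is judged in context: who issued it (inventory), whether the expected
    select-before-operate sequence preceded it, and how many distinct breakers were opened
    in the recent window. A single OPERATE_OPEN is normal; the pattern is what matters.
    """
    findings = []
    last_select = {}        # asset -> (ts, src) of the most recent SELECT
    recent_opens = deque()  # (ts, asset) of OPERATE_OPEN commands inside the burst window
    for ln in log_text.splitlines():
        if not ln.strip():
            continue
        ts, src, asset, cmd = parse(ln)
        if asset not in INVENTORY:
            findings.append((ts.isoformat(), asset, src, "unknown-asset"))
            continue
        if src not in INVENTORY[asset]:
            findings.append((ts.isoformat(), asset, src, "unauthorised-source"))
        if cmd == "SELECT":
            last_select[asset] = (ts, src)
            continue
        if cmd.startswith("OPERATE"):
            sel = last_select.pop(asset, None)
            if sel is None or ts - sel[0] > SBO_TIMEOUT or sel[1] != src:
                findings.append((ts.isoformat(), asset, src, "operate-without-select"))
            if cmd == "OPERATE_OPEN":
                recent_opens.append((ts, asset))
                while recent_opens and ts - recent_opens[0][0] > BURST_WINDOW:
                    recent_opens.popleft()
                if len({a for _, a in recent_opens}) > BURST_LIMIT:
                    findings.append((ts.isoformat(), asset, src, "open-burst"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_COMMANDS):
        print(finding)
```

Run on the constructed log, the two daytime operator actions produce nothing, while the three late-night opens from a host that is not in the inventory each fail the inventory and sequencing checks, and the third one also trips the burst rule. The later operator action on BRK-104 stays clean because it follows the baseline sequence and falls outside the burst window. Each individual command in the log is a valid protocol message, which is the point of the passage: without inventory and sequence context there is nothing to flag.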
Cascading disruption
The fifth pathway broadens the focus to systemic disruption and cascading impacts. Codific points to stress tests that examine how prolonged regional outages can affect transportation, healthcare, communications, supply chains, and other critical services.
The Business Blackout model describes a coordinated cyber event that causes prolonged power disruption across the Northeastern United States, affecting 15 states and Washington, DC, including major hubs such as New York City. The modelling outlines compounding losses across healthcare, transportation, water, communications, and logistics, with insured losses in the tens of billions of dollars.
Codific says planning for severe, low-probability events can improve day-to-day readiness. It recommends identifying single points of failure, clarifying decision-making under pressure, validating recovery objectives, and rehearsing coordination across internal teams and external stakeholders.
Flachet said utilities should focus on established practices and training rather than expecting novel defences to solve the problem.
"The grid will be targeted more in the future, largely because of the massive disruption caused. The answers are here, in the industry wisdom compiled by organizations such as OWASP. In order to defend against grid attacks, we don't need to invent anything new; we just need to educate and implement the known best practices," Flachet said.