This report does not constitute a rating action.
Sovereign-sponsored and politically motivated cyber attacks on critical infrastructure in the U.S. have become more frequent, resulting in a heightened risk of infrastructure failures that could cause significant economic disruptions and loss of life. U.S. infrastructure providers' preparedness for such attacks, which are often sophisticated compared to more common cyber criminality, is inconsistent due to differing federal regulations and ownership. At the same time, the level of continued federal support for government cyber security institutions is uncertain.
What's Happening
U.S. security agencies continue to warn of the risk to critical infrastructure from sovereign-sponsored cyber attacks. In 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI reported that hackers from China, Iran, and Russia had successfully infiltrated energy, water, wastewater, and telecommunications systems. The federal government has responded with sanctions on perpetrators and support for domestic infrastructure owners. These threats come at a time of potential realignment of federal and state support for cyber security, including potentially reassessing staffing levels at CISA and the National Security Agency, and reducing funding to organizations including the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Why It Matters
- Critical infrastructure sustains life, safety, and economic activity. Damage to utilities, transportation, or healthcare networks can have widespread ramifications, as demonstrated by the estimated $7 billion to $10 billion of economic losses from the 2003 New York City blackout, caused by a transmission line fault.
- Hybrid warfare, which combines the kinetic attacks of conventional war with cyber attacks, has become common practice in conflicts, often targeting critical infrastructure (see "Cyber Risk Insights: Sovereigns And Their Critical Infrastructure Are Prime Targets," April 29, 2025).
- Digitalization and AI usage by critical service providers and within infrastructure control systems offer improved reliability and efficiency, but it also increases the potential for damage by a successful cyber attack.
What Comes Next
S&P Global Ratings' assessment of the credit quality of critical infrastructure owners includes consideration of the extent to which management maintains robust, frequently updated cyber security policies, and response and recovery plans. Some U.S. critical infrastructure, including most electric utilities, healthcare, and transportation companies, must adhere to Critical Infrastructure Protection (CIP) regulations. Yet cyber security weaknesses are likely to persist, notably among water utilities, where the operators' size (based on accounts served) often exempts them from regulation. Even where regulations apply, they may not be followed. A September 2024 study by the Environmental Protection Agency found that over 70% of water systems inspected in the prior year violated Safe Drinking Water Act risk and resilience and emergency response regulations (Section 1433). Small systems can also suffer greater financial damage from cyber attacks. For example, IBM, a technology and consulting group, estimates the average cost of a data breach in 2024 was $4.88 million, which could be equivalent to a year's revenues for a small water system.
CISA continues to highlight that successful attacks often take advantage of an organization's poor cyber hygiene (weak password management, lack of Multi-Factor Authentication, poor patching, and inadequate vendor management). Our research suggests these vulnerabilities are most common in smaller utility systems outside CIP requirements, which are often resource constrained, have limited capacity to maintain investments in technology, and comparatively lower liquidity levels to withstand the financial damage resulting from a successful cyber attack. Cyber Brief: U.S. Infrastructure Faces Evolving Threats And Federal Policy Uncertainty spglobal.com/ratings May 20, 2025 3 S&P Global Ratings. All rights reserved. No reprint or dissemination without S&P Global Ratings permission. See terms of use/disclaimer on last page.
The possibility of diminished federal support for information sharing or cyber preparedness remains uncertain given potential changes at CISA, the NSA, and MS-ISACs. In general, we view robust information sharing and federal support for cybersecurity as supportive of credit quality, particularly for organizations that operate critical infrastructure and therefore face greater risk of sophisticated attacks.
Background In Brief
Negative rating actions linked to cyber security incidents can occur where timely recovery proves slow (whether because of weak risk management or affordability pressures) or if they cause significant financial damage. Examples include: Baltimore Water and Sewer, where the recovery of both operational and billing systems proved lengthy (see "Baltimore Mayor and City Council, Maryland; Water/Sewer," Feb. 24, 2022), and Change Healthcare, a claims processing platform of United Health, where an outage that disrupted payments across the healthcare services sector contributed to two downgrades (see "Thrive Merger Sub LLC Downgraded To 'CCC+' From 'B-' On Prolonged Cash Flow Deficits; Outlook Negative," Sept. 27, 2024," Sept. 27, 2024, and "Quincy Health LLC Downgraded To 'SD' On Distressed Transactions; Term Loan Rating Lowered To 'D'," July 29, 2024).
Furthermore, where we view cyber hygiene as weak or below that of peers, it can negatively weigh on our credit assessments (for more on how we incorporate cybersecurity risks into our analysis, see "Cyber Risk Insights: Navigating Digital Disruption," July 9, 2024) However, cyber attacks generally have limited effect on credit quality where there is proactive risk management coupled with sufficient insurance or liquidity (as seen during the 2024 ransomware attack on the Port of Seattle, among others).
Related Research
- Cyber Risk Insights: Sovereigns And Their Critical Infrastructure Are Prime Targets, April 29, 2025
- Transportation Companies Face Increasing Cyber Risks, Dec. 12, 2024
- Cyber Risk Insights: Poor Cyber Vulnerability Management Can Be A Governance Issue, Oct. 28, 2024
- Your Three Minutes In Water Utilities: The Water Risk And Resilience Organization, Oct. 2, 2024
- Thrive Merger Sub LLC Downgraded To 'CCC+' From 'B-' On Prolonged Cash Flow Deficits; Outlook Negative, Sept. 27, 2024
- Your Three Minutes In Cyber Security: Cyber Hygiene Can Affect Creditworthiness, Sept. 24, 2024
- Quincy Health LLC Downgraded To 'SD' On Distressed Transactions; Term Loan Rating Lowered To 'D', July 29, 2024
- How U.S. Not-For-Profit Acute-Care Providers Are Managing Risks From The Change Healthcare Cyber Attack, March 7, 2024
- Cyber Risk Insights: IT Asset Management Is Central To Cyber Security, Aug. 15, 2023
- Cyber Risk Insights: New Regulations Will Increase Resilience, At A Cost, Aug. 3, 2023
- Cyber Risk Insights: Ongoing Preparedness Is Key To U.S. Power Utilities Keeping Attackers In The Dark, May 11, 2023
- Cyber Risk In Health Care: High Stakes, Valuable Data, And Increasing Connectivity Attract Bad Actors, Dec. 6, 2022
- Baltimore Mayor and City Council, Maryland; Water/Sewer, Feb. 24, 2022
- Cyber Threat Brief: How Worried Should We Be About Cyber Attacks On Ukraine?, Feb. 22, 2022
| Primary Credit Analysts: | Tiffany Tribbitt, New York + 1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com |
| Geoffrey E Buswick, Boston + 1 (617) 530 8311; geoffrey.buswick@spglobal.com | |
| Secondary Contacts: | Michelle Keferstein, Frankfurt (49) 69-33-999-104; michelle.keferstein@spglobal.com |
| Raam Ratnam, CFA, CPA, London + 44 20 7176 7462; raam.ratnam@spglobal.com | |
| Patrick Bell, New York (1) 212-438-2082; patrick.bell@spglobal.com | |
| David N Bodek, New York + 1 (212) 438 7969; david.bodek@spglobal.com | |
| Trevor J D'Olier-Lees, New York + 1 (212) 438 7985; trevor.dolier-lees@spglobal.com | |
| Kurt E Forsgren, Boston + 1 (617) 530 8308; kurt.forsgren@spglobal.com | |
| Gabe Grosberg, New York + 1 (212) 438 6043; gabe.grosberg@spglobal.com | |
| Jenny Poree, San Francisco + 1 (415) 371 5044; jenny.poree@spglobal.com | |
| Aneesh Prabhu, CFA, FRM, New York + 1 (212) 438 1285; aneesh.prabhu@spglobal.com | |
| Nora G Wittstruck, New York + (212) 438-8589; nora.wittstruck@spglobal.com | |
| Research Contributor: | Olyvia Gendron, New York 3322106263; olyvia.gendron@spglobal.com |
| Writer: | Paul Whitfield, Paris; paul.whitfield@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.