This report does not constitute a rating action.
Key Takeaways
- Sovereign-sponsored and politically motivated cyber attacks are targeting U.S. critical infrastructure, according to warnings by the U.S. Cybersecurity and Infrastructure Agency (CISA) and the FBI.
- Utilities' exposure to cyber risks are exacerbated by widespread failure to implement all federal cyber security standards. Smaller water systems appear particularly vulnerable, due to investment constraints, limited industry-level cooperation, and inconsistent application and quality of cyber risk oversight frameworks.
- Rated issuers in the transportation sector have a generally higher degree of cyber risk awareness, according to anecdotal evidence from meetings with management teams, though risk to fiscal health and operational services remains.
Foreign state-backed cyber attacks on U.S. infrastructure, including utilities and transport operators, continues to be a threat to both safety and critical services, according to warnings by U.S. security agencies including the Cybersecurity and Infrastructure Agency (CISA) and the FBI. At the same time, wide variations in the adoption and application of cyber security practices means many issuers, particularly among utilities, are failing to meet minimum federal standards aimed at preventing a breach by cyber criminals.
The targeting of U.S. public finance issuers, and the sector's cyber security preparations, were chief among the subjects discussed at S&P Global Ratings' recent U.S. Public Finance Credit Spotlight: The Changing Face Of Cyber Risk In U.S. Critical Infrastructure. The webinar also featured a fireside chat with Cyrus Bulsara, Chief Information Security Officer of Scripps Health.
Utilities' Varied Reponses
The potential for U.S. critical infrastructure providers to suffer disruption and damage by cyber criminals was highlighted by a May 2024 Environmental Protection Agency report, “Enforcement Alert: Drinking Water Systems to Address Cybersecurity Vulnerabilities,” which noted that about 70% of utilities inspected by federal officials over the last year were found to be in violation of standards intended to prevent cyber breaches. The prospect of a cyber incident at a water and sewage system supplier could be exacerbated by the absence of standard cyber security and hygiene guidelines that apply to operators.
"Smaller water systems were found to be particularly vulnerable," said Jenny Poree, S&P Global Ratings analyst and sector leader U.S. Water & Sewer Utilities." Moreover, the closing of those vulnerabilities faces myriad challenges including competing demands for financial and management resources, limited cooperation and sharing of resources by entities that have sophisticated cyber security operations, and weak or inconsistent cyber security frameworks."
The webinar also discussed the potential impact of prospective changes to staffing levels at government agencies involved in cyber security and resilience, including CISA and the National Security Agency (NSA), and the potential for funding cuts to organizations including the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Transportation: Providing A Path To Follow
On a more positive note, the webinar heard that transportation sector issuers rated by S&P Global Ratings generally demonstrate a high degree of cyber risk awareness. "We discuss in our management meetings and receive assurances from operators that they continue to embed cyber security into overall risk mitigation strategies and that these are reported to their governing boards," said Kurt Forsgren, S&P Global Ratings analyst and sector leader U.S. Transportation.
The webinar participants agreed that cyber criminality is evolving and often innovating, though incidents were often traceable to well-understood but difficult to manage vulnerabilities, including hacks that leverage social engineering and third-party vendors. And there was consensus that issuers' best defense against cyber criminality remains pro-active cyber risk management, including the enforcement of plans and protocols that reinforce good cyber hygiene and the purchase of cyber insurance.
A replay of the webinar is available here. For more S&P Global Ratings' coverage of these issues please visit our sites dedicated to U.S. Public Finance, Transportation, and Utilities.
Related Research
U.S. Public Finance: Credit Spotlight Slides, May 21, 2025
Cyber Brief: U.S. Infrastructure Faces Evolving Threats And Federal Policy Uncertainty, May 20, 2025
Cyber Risk Insights: Sovereigns And Their Critical Infrastructure Are Prime Targets, April 29, 2025
Transportation Companies Face Increasing Cyber Risks, Dec. 12, 2024
Cyber Risk Insight: Poor Cyber Vulnerability Management Can Be A Governance Issue, Oct. 28, 2024
Your Three Minutes In Water Utilities: The Water Risk And Resilience Organization, Oct. 2, 2024
Your Three Minutes In Cyber Security: Cyber Hygiene Can Affect Creditworthiness, Sept. 24, 2024
| Primary Contact: | Geoffrey E Buswick, Boston 1-617-530-8311; geoffrey.buswick@spglobal.com |
| Secondary Contacts: | Krystal Tena, New York 1-212-438-1628; krystal.tena@spglobal.com |
| Jenny Poree, San Francisco 1-415-371-5044; jenny.poree@spglobal.com | |
| Kurt E Forsgren, Boston 1-617-530-8308; kurt.forsgren@spglobal.com | |
| Tiffany Tribbitt, New York 1-212-438-8218; Tiffany.Tribbitt@spglobal.com | |
| Writer: | Paul Whitfield, Paris ; paul.whitfield@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.