Energy Cybersecurity 101 · World Stage Series

Energy Cybersecurity 101: NERC CIP, Volt Typhoon, and Protecting the Grid

CISA has confirmed that Volt Typhoon has pre-positioned inside U.S. energy infrastructure for at least five years. Not attacking — waiting. California energy utilities power everything that makes the state's global events possible. That makes them a named target.

Miguel Martinez, CTO — Tec-Refresh 2026 Energy World Stage Series

A Nation-State Adversary Is Already Inside

In February 2024, CISA, the NSA, and the FBI published a joint advisory that carried an unusual level of specificity and urgency. The advisory confirmed that Volt Typhoon, a Chinese state-sponsored threat group, had maintained persistent access to U.S. critical infrastructure networks, in some victim environments for at least five years.

The targets included communications providers, transportation networks, water utilities, and energy infrastructure. The stated objective was not data theft. It was pre-positioning — establishing the capability to disrupt critical services at a moment of geopolitical choosing.

Volt Typhoon uses "living off the land" techniques, relying on built-in system tools and legitimate credentials to move laterally through networks in ways that blend in with normal administrative activity. Detection is exceptionally difficult because there is often no malicious binary to signature: defenders have to recognize legitimate accounts and tools being used at the wrong time, from the wrong host, or against the wrong system.

How the Attack Path Works

Volt Typhoon operates differently from ransomware groups and data theft actors. Rather than deploying malware or exfiltrating data — activities that generate detectable signals — Volt Typhoon uses legitimate credentials and built-in system utilities to move slowly and quietly through target environments.

The attack path typically runs through enterprise IT first. Attackers gain initial access through internet-facing systems (the advisory describes exploitation of exposed network appliances), harvest credentials, and then pivot into operational technology networks using the same accounts that legitimate administrators use. Active Directory, which in most energy environments manages access to enterprise IT and, as networks converge, increasingly to OT systems, is the bridge that makes this pivot possible.

This is why identity infrastructure security is not just an IT priority for energy utilities — it is an OT security priority as well.
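The two signals described above, an administrative credential crossing from IT into OT, and a built-in tool being run under a legitimate account, are what a detection engineer actually has to hunt for. The following Python example is added here to show one way to do that over Windows Security event data; it is not code from the advisory or from Tec-Refresh. The host inventory, jump host address, account names, the list of binaries, and the log lines are all constructed for illustration and would be replaced with the utility's own asset and identity data.

```python
"""Flag IT-to-OT credential pivots and living-off-the-land tool use.

Added example: the host inventory, jump host, account names, tool list and
sample events below are constructed for illustration, not real telemetry.
"""
import re
from dataclasses import dataclass

# Constructed inventory. OT_HOSTS are systems inside the OT zone; JUMP_HOSTS
# are the only sanctioned sources of remote logons into that zone.
OT_HOSTS = {"HMI-SUB07", "HIST-01", "ENG-WS-02"}
JUMP_HOSTS = {"10.20.5.10"}
ADMIN_ACCOUNTS = {"svc-otadmin", "da-jsmith"}

# Built-in Windows binaries commonly abused for credential theft and
# lateral movement. Illustrative list, not exhaustive.
LOTL_BINARIES = {"ntdsutil.exe", "netsh.exe", "wmic.exe"}

# Constructed sample events in a flattened key=value form (one event per line).
SAMPLE_LOG = [
    r'EventID=4624 TargetUserName=da-jsmith IpAddress=10.10.3.44 '
    r'WorkstationName=IT-WS-213 Computer=HMI-SUB07 LogonType=3',
    r'EventID=4624 TargetUserName=svc-otadmin IpAddress=10.20.5.10 '
    r'Computer=HIST-01 LogonType=10',
    r'EventID=4688 SubjectUserName=da-jsmith '
    r'NewProcessName=C:\Windows\System32\ntdsutil.exe '
    r'CommandLine="ntdsutil ac i ntds ifm create full C:\temp" Computer=DC01',
    r'EventID=4688 SubjectUserName=bob '
    r'NewProcessName=C:\Windows\System32\notepad.exe Computer=IT-WS-213',
    r'EventID=4624 TargetUserName=bob IpAddress=10.10.3.44 '
    r'Computer=FILE-01 LogonType=3',
]

# key=value tokens; values may be double-quoted and contain spaces/backslashes.
TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Turn one flattened event line into a field dictionary."""
    fields = {}
    for key, val in TOKEN.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def it_to_ot_pivot(ev: dict):
    """Logon (4624) to an OT host that did not come through a jump host.

    Network (type 3) and RDP (type 10) logons are the ones an IT-side
    pivot produces; console logons at the HMI itself are left alone.
    """
    if ev.get("EventID") != "4624":
        return None
    host = ev.get("Computer", "")
    src = ev.get("IpAddress", "")
    if host in OT_HOSTS and ev.get("LogonType") in {"3", "10"} and src not in JUMP_HOSTS:
        return Finding("it-to-ot-pivot", ev.get("TargetUserName", ""), host,
                       f"logon type {ev['LogonType']} from {src}")
    return None


def lotl_tool_use(ev: dict):
    """Process creation (4688) of a built-in tool by a privileged account."""
    if ev.get("EventID") != "4688":
        return None
    exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    acct = ev.get("SubjectUserName", "")
    if exe in LOTL_BINARIES and acct in ADMIN_ACCOUNTS:
        return Finding("lotl-admin-tool", acct, ev.get("Computer", ""),
                       ev.get("CommandLine", exe))
    return None


def analyze(lines) -> list:
    """Run every rule over every event and return the findings in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in (it_to_ot_pivot, lotl_tool_use):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.rule}: {f.account} on {f.host} ({f.detail})")
```

On the constructed sample only two events fire: the domain admin logging on to HMI-SUB07 from an IT workstation rather than the jump host, and the same account running ntdsutil on a domain controller, which is what an NTDS.dit dump looks like when done with a built-in tool. The sanctioned jump-host logon and the ordinary user activity produce nothing, which is the point: the rules key on the relationship between account, source and target, not on the presence of malware.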

NERC CIP: The Mandatory Compliance Framework

NERC CIP reliability standards are mandatory for bulk electric system operators. They are not voluntary guidelines. Non-compliance carries financial penalties of up to one million dollars per violation per day (the statutory cap, periodically adjusted for inflation), and more importantly, a compliance gap is usually also a security gap: the control that is missing is the one the standard exists to require.

The key standards that most directly intersect with identity and access management include:

CIP-013's expansion is significant. It now requires utilities to develop and implement plans for managing cybersecurity risks in the supply chain for industrial control system hardware, software, and services. SolarWinds showed that trusted vendor software is itself an attack vector, and Change Healthcare showed how the compromise of a single vendor cascades through every organization that depends on it. NERC CIP is now written to address that.

TSA Cybersecurity Directives for Pipeline and Energy Transportation

Since 2021, the Transportation Security Administration has issued a series of cybersecurity directives for pipeline operators and other critical energy transportation infrastructure operators. These directives represent a shift from voluntary guidance to mandatory requirements.

Key requirements include mandatory incident reporting to CISA within a short fixed window (12 hours under the pipeline directive), designation of a cybersecurity coordinator available around the clock, an annual cybersecurity assessment, and implementation of specific security controls including network segmentation and access management for operational technology environments.

The California Event Window Creates a Named Threat Scenario

Super Bowl LX at Levi's Stadium in Santa Clara. FIFA World Cup 2026 matches at SoFi Stadium in Los Angeles. The 2028 Olympics across the LA region. These events create predictable demand surges, concentrated media and infrastructure attention, and operational complexity that stretches security resources.

Threat actors plan for events. They time attacks for peak periods when defenders are stretched, when anomalous activity is harder to detect against the noise of legitimate operations, and when the reputational and operational impact of a successful attack is greatest.

Identity Infrastructure as the Foundation

Whether the threat is Volt Typhoon pre-positioning, ransomware targeting OT systems, or a supply chain compromise, the common element is identity infrastructure. Active Directory manages access to enterprise IT and, in most energy environments, increasingly to OT systems as those networks converge.

Understanding the current state of identity infrastructure — where the gaps are, what the exposure looks like, and what the highest-priority remediation steps are — is the foundation for both NERC CIP compliance and genuine operational resilience.

Get a Clear Picture of Where You Stand

The Preparedness & Identity Resilience Assessment from Tec-Refresh evaluates your identity infrastructure, maps your NIST CSF 2.0 alignment, and delivers a prioritized remediation roadmap. No obligation — and spots for California energy organizations are available now.

Request Your Free Assessment →