
What the Itron hack reveals about critical infrastructure security

 

Published by World Pipelines

Sam Thornton, Chief Operating Officer at Bridewell, comments on the recent cyberattack on American energy technology company Itron, and what it reveals about critical infrastructure security.

The recent cyberattack on American energy technology company Itron reveals one of the most unsettling realities in critical infrastructure security: the organisations we depend on most remain highly attractive targets to malicious threat actors.

CNI under attack

Itron, headquartered in Liberty Lake, Washington, provides smart meters, grid management technologies and connected infrastructure services to thousands of utility organisations across more than 100 countries. It sits at the heart of the systems that manage water, gas and electricity for over 110 million homes and businesses. When a company like this is breached, the implications stretch far beyond its own network.

In mid-April 2026, hackers gained access to Itron's systems. The company confirmed the incident in a legally required filing with the US Securities and Exchange Commission, stating it had been "notified" of the intrusion before subsequently eradicating the attackers. Itron activated contingency plans and data backups, and stated that operations have "continued in all material respects."

Details of the attack remain limited: Itron has not confirmed whether ransomware was deployed, whether demands were made, or precisely what data, if any, was accessed or exfiltrated. The company said it found no unauthorised activity in the "customer-hosted portion of its systems," suggesting the breach may have been contained to its own IT network. However, a warning that further regulatory notifications may be required points strongly to the possibility of a data breach, one that, under many US state laws, would trigger mandatory disclosure obligations. For the hundreds of utilities and municipalities now assessing their own exposure, those missing details matter enormously.

The resilience question

This incident is another clear reminder that cyber incidents are not a matter of ‘if’ but ‘when’, particularly across complex, interconnected critical infrastructure environments. What distinguishes resilient organisations is not the absence of incidents, but the presence of well-rehearsed response and recovery plans that enable rapid containment, recovery and continuity of operations.

On that measure, Itron's response shows the value of preparation. Activating pre-built contingency plans, notifying law enforcement promptly and monitoring for further intrusions are the hallmarks of an organisation that had planned for this moment. That discipline matters, and it should serve as a benchmark for every operator across the sector. Yet, internal resilience is only part of the picture.

The supply chain problem

The wider concern this incident raises is one of supplier assurance. Utilities and municipalities contracting with technology providers like Itron are, in effect, extending their own cyber perimeter to include those suppliers' networks. When a supplier is breached, the ripple effects can spread far beyond its own perimeters, even when customer-hosted systems remain untouched.

Organisations must maintain a clear, continuously updated view of their third-party ecosystem, including what access has been provided to systems, what data is shared, where it resides, and how it is protected across downstream suppliers. The assurance that Itron's customer-hosted systems were unaffected will provide limited comfort to any organisation that shares data with the company, relies on its platforms for operational continuity, or sits further downstream in its supply chain.

Effective cyber resilience today depends as much on managing supply chain risk as it does on securing internal systems. That means going beyond periodic audits and static supplier questionnaires. It means treating third-party risk as a live, operational discipline, one that is continuously reviewed, tested and updated as supplier relationships evolve.

As critical infrastructure becomes ever more digitally interconnected, operators can’t afford to treat that discipline as someone else's responsibility. They must take ownership of their own risk and put in place appropriate protection mechanisms across their third-party ecosystem. Exploits of this nature in CNI will continue to occur, and operators should act now to limit their exposure.

 
