[Update 6/17/2026: MSN reports that an Iranian group, Handala, has claimed responsibility for a cyberattack on CalWater, a California water utility, exfiltrating customer data and billing records.]

It's inevitable. Advocates should get prepared now.

If your clean energy firm or nonprofit depends upon access to customer energy usage or billing data from utilities, it’s time to prepare for an abrupt shutoff.

Tuesday was “Power Plant Day,” when President Trump said he would attack Iran’s power plants with air campaigns. The tit-for-tat escalation ladder means that, like it or not, the American power sector is likely to be thrust into this war. Of course, Iran’s ballistic missiles may not be able to reach the United States, but a cyberattack could. There’s little reason to think that Iran wouldn’t retaliate against our power infrastructure in a similar way given our president’s reckless and unhinged threats. (Update: While writing this, NYT reports that the Trump administration claims that Iran’s IRGC has launched cyberattacks on water and electric utilities.)

Iranians form a "human chain" around power plants in protest of Trump's threats. Source: Telegram

Many investor-owned utilities are sure to exploit this political moment to their advantage. The war in Iran provides the perfect pretext utilities have been waiting for: A 9/11-like climate of fear in which government regulators cannot be seen as “soft” on cyber risks. Any regulator that considers voting in favor of caution, restraint, or anything other than immediate and enthusiastic support of utilities’ cybersecurity crackdowns will be viewed as careless, unpatriotic or even pro-terrorist.

I am confident that a data shutoff affecting clean energy firms is going to occur because we’ve been here several times before, when political forces were significantly weaker than they are today. In 2018, ESG, a software vendor to retail energy suppliers, experienced an embarrassing data breach, revealing social security numbers and financial information of customers in several states. The data breach had nothing to do with distributed energy resource (DER) firms – ESG accessed utilities’ Electronic Data Interchange (EDI) systems, a vestige from the days of electric restructuring. EDI shares none of the security measures of a modern Green Button Connect system, but that fact did not insulate DER firms from negative impacts: New York utilities pounced, ruthlessly exploiting the opportunity by forcing every DER supplier to sign a one-sided “data security agreement” or else be cut off from their customers’ data forever. The utilities did not care that this manufactured agreement violated Commission orders – they flexed their raw power in what one company likened to “a hostage situation.” When the dust finally settled, DER suppliers with no connection whatsoever to the data breach (and who lacked access to the old-fashioned EDI system that was its underlying cause) were ultimately forced by the Commission to agree to onerous terms having little to do with cybersecurity, such as a prohibition on generating “derivatives” of energy data and being subject to audits and digital colonoscopies at the utility’s whim. Addressing cyber threats was merely a convenient cover for monopoly utilities to gain leverage over the DER firms that utilities view as their competitors.

More recently, Xcel Energy invoked the spectre of cybersecurity attacks last September when asked by various clean energy proponents to release a hosting capacity map of its service territory. Xcel refused, saying that such information would lead to “high-impact attacks” causing widespread mayhem and blackouts. When advocates pointed out at the public hearing that numerous other utilities had publicly released similar information on their websites and the sky had not fallen, Xcel shot back with this:

Xcel: You’re familiar with the events of 9/11, aren’t you?
Witness: ….Yes, I lived through that….
Xcel: To your knowledge, was there ever a hijacking of commercial airlines that flew into large skyscrapers prior to the events of 9/11?
Witness: …None that I recall…
Xcel: So [an attack] doesn’t necessarily have had to have happened in the past for it to happen in the future, correct? 

To be clear, the 9/11 attacks have absolutely nothing to do with the power grid’s capacity to host solar panels or new load. But in the utilities’ playbook, distant, unrelated and low-probability attacks are irrelevant. The fear is the point: There might be a terrible attack in the future. Since that premise is unrebuttable (you can’t prove a negative), the utility gets to do whatever it deems necessary. In this way, wars and terrorism are the ultimate tranquilizer for government officials, transforming even the most public-spirited regulator into a pliant yes-man. 

It’s therefore imperative that we prepare for the coming rhetorical and legal onslaught. Here are four tips to counter false narratives:

  1. Green Button Connect (GBC) has nothing to do with it. Ransomware, phishing attacks and zero-day exploits all deserve attention and warrant preventative measures by utilities, but none of these are relevant to GBC. Over the years, all of the reported cyberattacks against utilities exploited vulnerabilities in systems wholly unrelated to GBC. Moreover, in the decade or so that GBC has been operable in the United States, there has been no cyberattack on those systems that caused any damage – zero, zilch, none. We’ve heard from commission staff in some states that GBC can be a “backdoor” for greater attacks – this is flatly untrue because of layered networks, read-only access and other commonsense measures that today protect utilities’ bill-payment websites from becoming a “backdoor” to power plant controls.

  2. Customer data rights are growing nationally and internationally. Whatever this war brings, the trend toward secure, permission-based exchanges of information is inevitable. Today, over 35 million electric customers have data portability. Banks, hospitals, and other custodians of sensitive information use standards like OAuth for online transactions every single day. When utilities allege that GBC represents a unique “cyber threat,” then we must demand that utilities explain why their Microsoft logins, payment portals, and business-as-usual activities on the modern internet are not similarly implicated. 

  3. Regulators must distinguish each alleged cybersecurity risk from utility mismanagement. We have always acknowledged that connected devices such as meters and control equipment present some cybersecurity risks. There is no such thing as zero risk; the question is how risks are managed. A utility that fails to manage its user authentication systems or mitigate against malware is not acting prudently. The threat is not GBC; the threat is complacency and incompetence of a general nature. In each instance, we must ask the question: Is the risk that the utility claims is grave caused by the utility’s mismanagement?

  4. Look out for glossy reports about “cyber risks” written by utility affiliates with a financial stake in accelerating the climate of fear. A few years ago, when arguing that customers shouldn’t have full control over their data – “because security!” – Xcel Energy made a revealing admission. Dragos, a cybersecurity company, authored an “Electric Cyber Threat Landscape” assessment and told the utility what it wanted to hear: The existence of “hostile state actors” around the world demands that customer data rights be curtailed. But Dragos is an unregulated affiliate of Xcel Energy (via Energy Impact Partners, a venture capital firm). Neither Dragos nor Xcel executives can substantiate their claims because, of course, secrecy demands that “sources and methods” be protected, lest we help the evil terrorists. So what we have here is a “self-licking ice cream cone”: Xcel spends ratepayer money to boost Dragos’s revenues and profits; Dragos writes credible-sounding reports for Xcel justifying more spending on cybersecurity and undermining data portability; Xcel shareholders get outsized returns when Dragos goes public or is acquired. Round and round the circle will go unless and until regulators scrutinize affiliate relationships, require competitive bidding and, most of all, demand empirical evidence about cybersecurity risks that is specific and pertinent to Green Button Connect rather than jawboning from a financially interested party.

In these times of war, we must remain vigilant. Just remember that, without evidence, utilities are simply rolling their “attribution dice” to reach a convenient conclusion: That data portability for DERs should be eliminated. 
