When the streets of Muleshoe, Texas, flooded with water in January, most people probably didn’t blame Russian hackers.

But that’s exactly who was at blame, according to a report published this week by Google-owned cybersecurity firm Mandiant, which said Russia was responsible for hacks of water utilities in Texas as well as in France and Poland.

The January attack was far from the first to hit U.S. utilities. In December, Fast Company reported on U.S. National Security Council concerns that critical infrastructure providers could pose easy targets for hackers. 

But why are they so vulnerable to cyberattacks in the first place?

“They have proven to be a little vulnerable because they are private companies and hence the profit motive prevails,” says Alan Woodward, professor of cybersecurity at the University of Surrey. “Security is seen as a cost center.” That’s borne out by data compiled by the International Energy Agency (IEA) on the power sector, which found that there were more than 1,100 targeted attacks launched across the world in 2022.

The utilities sector seems uniquely understaffed, according to the IEA’s analysis: While the finance and insurance sector accounted for nearly 1% of all cybersecurity job postings in September 2022, and public administration 0.57%, power utilities languished behind at 0.49%. The average wage offered by the utility sector also pales into comparison to competing industries, which could mean it’s losing out on quality candidates.

The U.S. government has also failed to pass a number of legislative attempts to force utilities to adopt minimal cybersecurity standards. As a result, U.S. utilities are comparatively underprotected in comparison to their peers. “Compare that to the U.K. where we have a specialist government agency that focuses on such service providers and assesses them regularly,” Woodward says.

But the utilities sector also bears much of the blame here. “Utilities also have a lot of older equipment as they have lots of embedded systems and these tend to be updated less frequently simply because of scale,” Woodward says. That results in a Frankenstein’s monster of infrastructure that is built on top of shaky systems and is difficult to chart and understand—even for those tasked with doing just that. “People still haven’t got the message that they may be a way into a network,” says Woodward—meaning that some of the vulnerabilities may remain unspotted until they’re exploited by bad actors.

It all adds up to a worry for critical parts of our national infrastructure—and the latest attacks suggest little has changed. Though there is one silver lining: The IEA data shows that utilities boost spending on cybersecurity and hiring in the immediate aftermath of an attack… but then return back to a baseline shortly after.