New research from Red Sift reveals a widespread security gap across the U.S. energy, chemical, and water and waste sectors, with 42 percent still lacking effective email authentication. This leaves critical infrastructure vulnerable to spoofing, phishing and ransomware attacks.
Despite rising regulatory pressure and a surge in cyber threats targeting operational technology, Red Sift’s analysis shows that nearly half of these organizations have failed to implement DMARC, the foundational email authentication standard required to block domain impersonation.
The report also highlights mounting regulatory pressure, including mandates under CISA guidelines and sector-specific compliance requirements. Failure to secure email systems risks not only operational continuity, but also public trust and safety. More specifically:
- 42 percent of chemical enterprises admitted to lacking email protections.
- That number climbs to 52 percent for water and wastewater companies.
- Perhaps most alarming is that nearly one out of every three (32 percent) energy generation locations is lacking proper email security.
The chemical sector’s high exposure is particularly concerning given its handling of hazardous materials and complex supply chains, where a breach could have catastrophic consequences. Energy companies face persistent threats from nation-state actors and cybercriminals targeting sensitive operational data. Meanwhile, water and waste firms remain the most exposed overall.
Email-based attacks on critical infrastructure can disrupt essential services, compromise supply chains, and endanger public health. For critical infrastructure industries in the United States, DMARC should not be considered optional, but a cornerstone of operational security, particularly as AI continues to be weaponized by bad actors.
Click here for the full report.
