Deep dive: Critical infrastructure cybersecurity — the fastest-moving subsegments to watch
An in-depth analysis of the most dynamic subsegments within Critical infrastructure cybersecurity, tracking where momentum is building, capital is flowing, and breakthroughs are emerging.
Start here
Critical infrastructure cybersecurity is undergoing a structural transformation across Europe and globally. The convergence of escalating threat sophistication, accelerated digitalization of operational technology (OT) environments, and a rapidly tightening regulatory landscape has created conditions where specific subsegments are advancing far faster than the broader market. Understanding which subsegments carry the strongest momentum is essential for product teams, investors, and security leaders allocating resources in a domain where both the stakes and the velocity of change continue to rise.
Why It Matters
The scale of the problem is difficult to overstate. In 2025, cyberattacks against critical infrastructure operators in Europe increased 38% year-over-year, according to the European Union Agency for Cybersecurity (ENISA). The energy sector accounted for the largest share of reported incidents at 24%, followed by transport at 18% and healthcare at 14%. The average cost of a successful breach in an operational technology environment reached $4.7 million, per IBM's Cost of a Data Breach Report, compared to $3.3 million for traditional IT breaches. The premium reflects the cascading physical consequences that OT compromises generate: production shutdowns, safety system failures, and disruption to essential public services.
Regulatory pressure has shifted from voluntary guidance to binding obligation. The EU's NIS2 Directive, which became enforceable in October 2024, expanded the definition of "essential entities" to cover approximately 160,000 organizations across 18 sectors, up from roughly 10,000 under the original NIS Directive. These entities now face mandatory risk assessments, incident reporting within 24 hours, supply chain security requirements, and personal liability for management boards that fail to ensure compliance. Fines reach up to 10 million euros or 2% of global annual turnover, whichever is higher. The Cyber Resilience Act, targeting products with digital elements, adds further obligations for manufacturers and integrators serving critical infrastructure.
Meanwhile, the attack surface is expanding rapidly. The number of connected industrial control system (ICS) components visible on the public internet grew by 27% in 2025 according to Censys research. Legacy SCADA systems designed decades before cybersecurity was a consideration now connect to cloud platforms, remote monitoring dashboards, and third-party analytics services. Each integration point introduces a potential vulnerability. The result is a market projected to reach $38.2 billion by 2028 (MarketsandMarkets, 2025), with several subsegments growing at rates well above the sector average of 12.4% CAGR.
Key Concepts
Operational Technology (OT) Security encompasses the protection of hardware and software that monitors or controls physical processes, devices, and infrastructure. Unlike traditional IT security, OT security must prioritize availability and safety over confidentiality, creating fundamentally different architectural and operational requirements. OT environments typically operate on cycle times measured in milliseconds, making conventional IT security tools (which introduce latency through inspection) unsuitable without significant adaptation.
Industrial Control System (ICS) Monitoring refers to the passive and active surveillance of communications within SCADA, DCS, and PLC networks to detect anomalies, unauthorized commands, and indicators of compromise. Modern ICS monitoring platforms use deep packet inspection of industrial protocols (Modbus, DNP3, OPC UA, IEC 61850) combined with machine learning to establish behavioral baselines and flag deviations without disrupting process operations.
Zero Trust Architecture for OT applies the principle of "never trust, always verify" to industrial networks. Traditional OT networks relied on air-gapping and perimeter defenses, but increasing connectivity has rendered these approaches insufficient. Zero trust in OT contexts requires micro-segmentation of industrial zones, continuous authentication of devices and users, and real-time validation of commands against expected operational parameters.
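The two preceding concepts, protocol-aware ICS monitoring and zero-trust validation of commands against expected operational parameters, share the same mechanics: decode the industrial protocol, compare each request with a behavioral baseline learned during normal operation, and check written values against the operating envelope of the target register. The following Python is an added illustration of both, not code from any product named on this page. It parses a small subset of Modbus/TCP (function codes 3, 6 and 16), learns a baseline from a constructed "normal" capture, and then flags requests in a constructed later capture that come from an unbaselined source or write out-of-range values. The hosts, registers, bounds and frames are all constructed for the example.

```python
import struct
from dataclasses import dataclass

# Subset of Modbus function codes handled by this example parser
FUNC_NAMES = {3: "READ_HOLDING_REGISTERS", 6: "WRITE_SINGLE_REGISTER", 16: "WRITE_MULTIPLE_REGISTERS"}
WRITE_FUNCS = {6, 16}


@dataclass(frozen=True)
class ModbusRequest:
    src: str        # IP of the client issuing the request
    unit_id: int    # MBAP unit identifier (the addressed PLC/slave)
    function: int   # Modbus function code
    address: int    # starting register address
    count: int      # number of registers read or written
    values: tuple   # values carried by a write request (empty for reads)


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    # The MBAP length field counts the unit id plus the PDU, i.e. everything after the first 6 bytes
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    func = pdu[0]
    if func == 3:                                   # read holding registers: address, count
        addr, count = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(src, unit, func, addr, count, ())
    if func == 6:                                   # write single register: address, value
        addr, value = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(src, unit, func, addr, 1, (value,))
    if func == 16:                                  # write multiple registers: address, count, byte count, values
        addr, count, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * count or len(pdu) != 6 + nbytes:
            raise ValueError("write-multiple byte count mismatch")
        return ModbusRequest(src, unit, func, addr, count, struct.unpack(f">{count}H", pdu[6:]))
    raise ValueError(f"function code {func} not handled by this example")


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Assemble a Modbus/TCP frame; used here only to construct sample traffic."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def learn_baseline(requests):
    """Learning phase: record every (source, unit, function, address) seen during normal operation."""
    return {(r.src, r.unit_id, r.function, r.address) for r in requests}


def evaluate(req: ModbusRequest, baseline: set, bounds: dict) -> list:
    """Return alert strings for one request; an empty list means it fits the baseline and the bounds."""
    alerts = []
    if (req.src, req.unit_id, req.function, req.address) not in baseline:
        name = FUNC_NAMES.get(req.function, req.function)
        alerts.append(f"unbaselined: {req.src} -> unit {req.unit_id} {name} @ {req.address}")
    if req.function in WRITE_FUNCS:
        for offset, value in enumerate(req.values):
            reg = (req.unit_id, req.address + offset)
            lo, hi = bounds.get(reg, (None, None))
            if lo is None:
                alerts.append(f"write to register {reg} with no defined operating bounds")
            elif not lo <= value <= hi:
                alerts.append(f"write {value} to register {reg} outside bounds [{lo}, {hi}]")
    return alerts


def monitor(capture, baseline: set, bounds: dict) -> list:
    """Run every (src, frame) pair through parse + evaluate; return (request, alerts) pairs that alerted."""
    findings = []
    for src, frame in capture:
        req = parse_modbus_tcp(src, frame)
        alerts = evaluate(req, baseline, bounds)
        if alerts:
            findings.append((req, alerts))
    return findings


# Constructed "normal operation" capture: an HMI polling a PLC and adjusting one setpoint register
LEARNING_CAPTURE = [
    ("10.0.1.5", build_frame(1, 1, struct.pack(">BHH", 3, 100, 4))),    # read 4 holding registers @100
    ("10.0.1.5", build_frame(2, 1, struct.pack(">BHH", 6, 200, 350))),  # write setpoint register 200 := 350
]
# Constructed operating envelope per (unit, register): the setpoint is engineered for 0..500
REGISTER_BOUNDS = {(1, 200): (0, 500)}
# Constructed later capture: a second host writes an out-of-range setpoint and then unknown registers
LIVE_CAPTURE = [
    ("10.0.1.5", build_frame(3, 1, struct.pack(">BHH", 3, 100, 4))),
    ("10.0.1.50", build_frame(4, 1, struct.pack(">BHH", 6, 200, 900))),
    ("10.0.1.50", build_frame(5, 1, struct.pack(">BHHB", 16, 300, 2, 4) + struct.pack(">HH", 1, 0))),
]

if __name__ == "__main__":
    baseline = learn_baseline(parse_modbus_tcp(s, f) for s, f in LEARNING_CAPTURE)
    for req, alerts in monitor(LIVE_CAPTURE, baseline, REGISTER_BOUNDS):
        for line in alerts:
            print(line)
```

Two design points carry over to real deployments: the evaluation is purely passive (it never injects traffic, which keeps it safe on cycle-time-sensitive networks), and the two checks are independent, so a write from a known host to a known register is still caught when the value leaves the engineered range.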
Software Bill of Materials (SBOM) provides a machine-readable inventory of all software components, libraries, and dependencies embedded in a product. For critical infrastructure, SBOMs enable operators to rapidly assess exposure when new vulnerabilities are disclosed, such as the Log4Shell vulnerability that affected thousands of industrial products containing the Log4j library. The Cyber Resilience Act mandates SBOM provision for all products with digital elements sold in the EU market.
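The exposure assessment described above is a matching problem: for every product in the fleet, walk its SBOM and compare each component's coordinates and version against the affected range in an advisory. The Python below is an added example, not code from any vendor or project on this page. It reads CycloneDX-style JSON (the `bomFormat`, `metadata.component` and `components` fields are from the real CycloneDX schema), compares versions numerically, and produces a per-product exposure report. The two SBOMs and the advisory record are constructed: the product names are hypothetical, the advisory id is a placeholder, and the version range is illustrative rather than an authoritative statement about Log4Shell.

```python
import json
import re

# Constructed CycloneDX-style SBOMs for two hypothetical industrial products (not real vendor data)
SBOM_GATEWAY = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "example-ot-gateway-firmware", "version": "4.2.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.12.3"},
    ],
})
SBOM_HISTORIAN = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"name": "example-historian-server", "version": "11.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.17.1"},
    ],
})

# Constructed advisory record: placeholder id, illustrative range (not a published advisory)
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "title": "Log4Shell-style JNDI lookup issue (illustrative record)",
     "group": "org.apache.logging.log4j", "component": "log4j-core",
     "introduced": "2.0", "fixed": "2.15.0", "severity": "critical"},
]


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1). Leading digits of each dotted piece are used; pre-release
    tags such as '-beta9' are ignored, a simplification that a production matcher must not make."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Affected if introduced <= version < fixed (fixed version itself is not affected)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def match_sbom(sbom_json: str, advisories: list) -> list:
    """Return one finding per (component, advisory) pair in this SBOM that falls in an affected range."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    product = bom["metadata"]["component"]
    findings = []
    for comp in bom.get("components", []):
        for adv in advisories:
            same_coords = comp.get("group") == adv["group"] and comp.get("name") == adv["component"]
            if same_coords and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "product": f'{product["name"]}@{product["version"]}',
                    "component": f'{comp["group"]}:{comp["name"]}@{comp["version"]}',
                    "advisory": adv["id"], "severity": adv["severity"], "fixed_in": adv["fixed"],
                })
    return findings


def exposure_report(sboms: list, advisories: list) -> dict:
    """Fleet-wide view: product label -> list of findings (empty list means no known exposure)."""
    report = {}
    for sbom_json in sboms:
        product = json.loads(sbom_json)["metadata"]["component"]
        report[f'{product["name"]}@{product["version"]}'] = match_sbom(sbom_json, advisories)
    return report


if __name__ == "__main__":
    for product, findings in exposure_report([SBOM_GATEWAY, SBOM_HISTORIAN], ADVISORIES).items():
        status = "no known exposure" if not findings else ", ".join(
            f'{f["component"]} ({f["severity"]}, fix: {f["fixed_in"]})' for f in findings)
        print(f"{product}: {status}")
```

The value of the SBOM is visible in the report: when a new advisory arrives, the operator changes only the `ADVISORIES` list and reruns the matcher across every stored SBOM, rather than contacting each vendor to ask whether a given library is present.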
Cyber-Physical Systems Security addresses the intersection where digital compromise creates physical consequences. This discipline integrates cybersecurity with safety engineering, process control, and physical security to protect systems where a malicious command could cause equipment damage, environmental release, or harm to human life.
Fastest-Moving Subsegments
OT Network Detection and Response (NDR)
OT-specific network detection and response represents the fastest-growing subsegment, expanding at approximately 28% CAGR through 2025. The acceleration reflects a fundamental shift in how operators approach OT security: from prevention-focused perimeter defenses to detection-focused monitoring that assumes adversaries will eventually gain access. The catalyst was the Colonial Pipeline attack of 2021, which demonstrated that even organizations with significant IT security investments remained vulnerable when OT visibility was inadequate.
Claroty, a leader in this space, raised $400 million in 2024 at a valuation exceeding $2.5 billion, reflecting investor confidence in the category. Their Extended Detection and Response (xDR) platform now monitors over 800,000 industrial assets across 1,500 customer environments. Nozomi Networks, another category leader, processes telemetry from more than 2 million OT and IoT devices globally, using supervised and unsupervised machine learning models trained on 300+ industrial protocols to distinguish legitimate process changes from malicious activity.
European adoption is particularly strong. Dragos, which entered the European market aggressively in 2024, reported that 45% of new enterprise contracts in fiscal year 2025 originated from EU-based operators responding to NIS2 requirements. The company's threat intelligence division tracked 21 distinct threat groups targeting industrial infrastructure in 2025, up from 15 in 2023, providing the empirical threat data that justifies monitoring investments.
Cloud Security for Critical Infrastructure
The migration of critical infrastructure workloads to cloud and hybrid environments represents a subsegment growing at 24% CAGR, driven by operational efficiency demands and the recognition that on-premises security capabilities cannot match the scale and sophistication of hyperscaler security investments. This subsegment is complex because critical infrastructure operators must balance cloud benefits against sovereignty requirements, data residency regulations, and the need for continued operation during connectivity disruptions.
Microsoft's acquisition of ReFirm Labs and subsequent integration of firmware analysis into Azure Defender for IoT illustrates how hyperscalers are extending cloud security capabilities to the OT edge. Azure's Sovereign Cloud offerings, designed specifically for European critical infrastructure operators subject to GDPR and NIS2, now serve energy utilities, water treatment facilities, and transportation networks across 14 EU member states.
Amazon Web Services launched its Dedicated Local Zones for critical infrastructure in 2025, providing isolated cloud infrastructure physically located within an operator's facility but managed by AWS. This architecture addresses sovereignty concerns while enabling cloud-native security tools, including AI-powered anomaly detection and automated incident response. Early adopters include three European energy transmission system operators and two national railway networks.
Google Cloud's Mandiant division has established dedicated OT incident response teams across five European locations, offering critical infrastructure operators both proactive threat hunting and reactive breach investigation services. Their intelligence reporting on state-sponsored threats to European energy infrastructure has become a primary input to national cybersecurity agency threat assessments.
Supply Chain Cyber Risk Management
Supply chain cyber risk management is expanding at approximately 22% CAGR, propelled by high-profile incidents (the SolarWinds and MOVEit compromises) and the explicit supply chain security requirements embedded in NIS2 Article 21. Critical infrastructure operators must now assess and manage cybersecurity risks across their entire supplier ecosystem, creating demand for platforms that automate vendor risk assessment, monitor third-party attack surfaces, and validate software integrity.
SecurityScorecard, which maintains continuous security ratings for over 12 million organizations globally, reported that 62% of European NIS2-scoped entities initiated formal third-party cyber risk programs in 2025, up from 23% in 2023. Their data shows that supply chain compromises accounted for 31% of successful attacks against European critical infrastructure in 2025, making this vector more prevalent than direct exploitation.
Finite State, which specializes in firmware and software composition analysis for connected devices, provides automated SBOM generation and vulnerability mapping for industrial products. Their platform has analyzed over 15,000 distinct firmware images used in European critical infrastructure, identifying an average of 127 known vulnerabilities per device firmware, with 14% classified as critical severity.
Identity and Access Management for OT
Identity and access management (IAM) adapted for operational technology environments is growing at approximately 20% CAGR, addressing one of the most persistent vulnerabilities in critical infrastructure: shared credentials, default passwords, and the absence of multi-factor authentication in industrial control systems. Traditional IAM solutions designed for IT environments cannot accommodate the unique requirements of OT, including offline operation, millisecond response times, and the need for emergency bypass procedures.
CyberArk's Privileged Access Management platform for OT, launched in its current form in 2024, now secures access to industrial systems across 280 critical infrastructure operators in Europe. The platform implements session recording, just-in-time privilege escalation, and credential rotation for SCADA and DCS environments without introducing latency that could affect process control.
Wallix, a French cybersecurity company, has built a significant presence in European critical infrastructure IAM, securing privileged access for energy, water, and transportation operators across 15 countries. Their OT-specific capabilities include protocol-aware session management for industrial protocols and integration with safety instrumented systems to ensure that security controls never interfere with safety functions.
KPIs and Benchmark Ranges
| Metric | Below Average | Average | Above Average | Top Quartile |
|---|---|---|---|---|
| OT Asset Visibility (% discovered) | <50% | 50-70% | 70-90% | >90% |
| Mean Time to Detect OT Incident | >72 hours | 24-72 hours | 6-24 hours | <6 hours |
| Supply Chain Risk Assessments (% of critical vendors) | <25% | 25-50% | 50-80% | >80% |
| NIS2 Compliance Readiness | <40% | 40-60% | 60-80% | >80% |
| OT Patching Cadence (critical vulns) | >90 days | 60-90 days | 30-60 days | <30 days |
| Incident Response Plan Testing Frequency | Annual or less | Semi-annual | Quarterly | Monthly |
What's Working
European energy operators that adopted layered OT monitoring ahead of NIS2 enforcement are reporting measurable improvements in threat detection. E.ON, one of Europe's largest energy companies, deployed Claroty across 47 operational sites in Germany and Sweden, achieving 94% asset visibility within six months and reducing mean detection time for anomalous OT communications from an estimated 180+ days to under 12 hours. The investment was approximately 2.3 million euros, representing less than 0.4% of annual operational expenditure for the covered facilities.
The Netherlands' Rijkswaterstaat, responsible for national water management infrastructure, implemented a zero trust architecture for its 3,200 SCADA-connected water control structures. The phased deployment, completed over 18 months with support from the Dutch National Cyber Security Centre, reduced the number of externally accessible OT endpoints by 87% while simultaneously improving remote operational capabilities through secured access pathways.
Transport for London (TfL) invested in supply chain cyber risk management following a significant breach in September 2024 that compromised customer data and disrupted payment systems. Their program now continuously monitors the security posture of 340 technology suppliers, requires SBOM disclosure for all software deployed in signaling and control systems, and conducts tabletop exercises with critical vendors quarterly.
What's Not Working
Many organizations are struggling with the intersection of legacy OT systems and modern security requirements. A 2025 ENISA survey found that 43% of NIS2-scoped entities reported being unable to implement required security measures on systems older than 15 years without replacement, yet replacement cycles for industrial control equipment typically span 20 to 30 years. The resulting gap between regulatory expectation and operational reality creates compliance risk that compensating controls only partially address.
Skills shortages remain acute. The European Cybersecurity Skills Academy estimates a deficit of 260,000 cybersecurity professionals across the EU, with OT security specialists representing the most severe shortage. Only 11 European universities offer dedicated OT cybersecurity programs at the graduate level, producing fewer than 800 graduates annually against demand for over 5,000 new specialists per year.
Vendor consolidation, while improving integration, is creating concentration risk. The top five OT security vendors now account for approximately 58% of the European market, raising concerns about single points of failure and vendor lock-in among operators required to maintain resilient, diversified supply chains under NIS2.
Action Checklist
- Complete an OT asset inventory covering all connected industrial control systems, IoT devices, and network infrastructure
- Evaluate OT-specific NDR platforms from at least three vendors, prioritizing those with demonstrated European critical infrastructure deployments
- Conduct a NIS2 gap assessment covering all 10 security measures specified in Article 21, with remediation timelines for identified deficiencies
- Implement a supply chain cyber risk management program covering all vendors with access to OT networks or providing software deployed in operational environments
- Establish an OT-specific incident response plan and test it through tabletop exercises at least quarterly
- Deploy privileged access management for all remote and administrative access to industrial control systems
- Develop a workforce development plan addressing OT cybersecurity skills gaps through training, hiring, and managed service arrangements
- Generate and maintain SBOMs for all software and firmware deployed in critical operational systems
Sources
- European Union Agency for Cybersecurity. (2025). ENISA Threat Landscape for Critical Infrastructure 2025. Athens: ENISA Publications.
- IBM Security. (2025). Cost of a Data Breach Report 2025. Armonk, NY: IBM Corporation.
- MarketsandMarkets. (2025). Critical Infrastructure Cybersecurity Market: Global Forecast to 2028. Pune: MarketsandMarkets Research.
- Dragos, Inc. (2025). OT Cybersecurity Year in Review 2025. Hanover, MD: Dragos Publications.
- European Commission. (2024). NIS2 Directive Implementation Guidance for Essential Entities. Brussels: Official Journal of the European Union.
- Censys. (2025). State of the Internet: Industrial Control Systems Exposure Report. Ann Arbor, MI: Censys Research.
- ENISA. (2025). Survey on NIS2 Readiness Among Essential and Important Entities. Athens: ENISA Publications.