Deep dive: Critical infrastructure cybersecurity — the hidden trade-offs and how to manage them
What's working, what isn't, and what's next — with the trade-offs made explicit. Focus on attack paths, detection/response, and how to harden real-world systems.
In 2024, Asia-Pacific led the world in cyberattacks, accounting for 34% of all incidents investigated globally—with 70% of those attacks targeting critical infrastructure organizations. The IBM X-Force 2025 Threat Intelligence Index documented 2,510 weekly attacks per organization in Q2 2024 alone, a 23% increase year-over-year. For operators of power grids, water treatment facilities, and transportation networks across the region, the question is no longer whether they will face an attack, but how to manage the hidden trade-offs between operational continuity, security hardening, and the resource constraints that define real-world infrastructure defense.
Why It Matters
Critical infrastructure—the interconnected systems that deliver electricity, clean water, transportation, telecommunications, and healthcare—forms the backbone of modern society. Unlike enterprise IT systems where a breach means data loss, attacks on operational technology (OT) and industrial control systems (ICS) can cause physical harm: water contamination, power blackouts, industrial explosions, and disrupted emergency services.
The Asia-Pacific region faces a particularly acute threat landscape. According to Group-IB's High-Tech Crime Trends Report 2025, 22% of global Advanced Persistent Threat (APT) attacks focused on Asia-Pacific, with 68 documented APT attacks out of 86 global campaigns hitting Southeast Asia in 2024. Taiwan's National Security Bureau reported 2.63 million daily intrusion attempts in 2025—a 113% increase from 2023—with energy and hospital sectors hit hardest. Manufacturing absorbed 40% of regional incidents, followed by finance and insurance (16%) and transportation (11%).
The financial stakes are severe. INTERPOL's Asia and South Pacific Cyberthreat Assessment documented $64 billion stolen by cybercriminals operating from Southeast Asia, while 35% of Asia-Pacific firms suffered data breaches costing between $1–20 million in 2023. But the true cost extends beyond dollars: successful OT attacks resulted in a 146% increase in sites suffering physical impairment—from 412 sites in 2023 to 1,015 sites in 2024.
For sustainability professionals and infrastructure engineers, the cybersecurity challenge intersects directly with climate resilience. Smart grids enabling renewable integration, IoT sensors monitoring water quality, and SCADA systems managing distributed energy resources all expand the attack surface. Securing these systems requires understanding the fundamental trade-offs that governance frameworks, vendors, and operational teams must navigate.
Key Concepts
Attack Paths in Critical Infrastructure
Modern critical infrastructure attacks follow predictable patterns that exploit the convergence of IT and OT networks. Understanding these attack paths is essential for effective defense.
Initial Access Vectors: The IBM X-Force 2025 report found that over 25% of critical infrastructure attacks exploited known vulnerabilities, while one in three attacks used valid credentials obtained through phishing, credential stuffing, or dark web purchases. In Asia-Pacific specifically, the top attack methods included:
- Vulnerability exploitation (25%+ of attacks) targeting unpatched systems
- Credential theft using phishing and social engineering
- Supply chain compromise through third-party vendors
- Internet-exposed Human Machine Interfaces (HMIs) in water and energy systems
Lateral Movement: Once inside the network perimeter, attackers move from IT networks toward OT systems. The critical trade-off here is network segmentation: stronger segmentation limits blast radius but increases operational complexity and can impede legitimate maintenance access. A CISA September 2024 alert emphasized that threat actors continue exploiting OT/ICS through "unsophisticated means"—default credentials, brute force attacks, and misconfigured remote access—rather than sophisticated zero-days.
OT-Specific Malware: The threat landscape evolved dramatically in 2024 with three new ICS-specific malware strains discovered—compared to only six in the prior 14 years. FrostyGoop exploited Mikrotik routers to disrupt heating utilities in Ukraine, affecting 600 homes for two days. Fuxnet disabled IoT sensors in Moscow's wastewater and heating systems by destroying flash memory chips. These developments signal that attackers are investing in capabilities specifically designed to cause physical disruption.
The Detection-Response Trade-off
Detecting attacks in OT environments presents unique challenges that don't exist in traditional IT security:
Real-time Constraints: Industrial control systems operate on millisecond timing requirements. Security monitoring that introduces latency can itself cause operational failures. A power grid protection relay that delays 50 milliseconds might fail to trip during a fault condition.
Limited Visibility: Many legacy OT devices—programmable logic controllers (PLCs), remote terminal units (RTUs), and SCADA servers—were designed decades before cybersecurity was a concern. They lack the logging capabilities, memory resources, and processing power to run modern endpoint detection agents.
Alert Fatigue vs. Missed Detections: Organizations face a calibration problem. Setting detection thresholds too sensitively generates overwhelming false positives that desensitize operators. Setting them too loosely allows attackers to operate below the noise floor. The Volt Typhoon campaign demonstrated this problem: Chinese state actors maintained access to U.S. electric grid systems for over 300 days before detection.
Hardening Real-World Systems
Hardening OT environments requires balancing security improvements against operational constraints:
Patching Dilemmas: Unlike IT systems that can be patched weekly, OT systems often run continuously for months or years. Downtime for patching may require regulatory approvals, coordination with multiple stakeholders, and acceptance of temporary operational risk. The North American Electric Reliability Corporation (NERC) documented 60 new vulnerable points added daily to the electrical grid—a pace that outstrips most organizations' patching capacity.
Air Gap Erosion: Traditional OT security relied on physical separation (air gaps) from IT networks and the internet. But digitalization, remote monitoring requirements, and efficiency pressures have steadily eroded these boundaries. COVID-19 accelerated this trend as maintenance teams required remote access during lockdowns.
Legacy System Constraints: Many critical infrastructure systems run on Windows XP, proprietary operating systems, or hardware that cannot be upgraded without replacing entire control systems—investments measured in tens of millions of dollars.
What's Working and What Isn't
What's Working
Zero Trust Architecture Adoption: Singapore's Government Zero Trust Architecture (GovZTA) provides a model for the region. Based on "never trust, always verify" principles, GovZTA implements five technical pillars—identity, devices, networks, applications, and data—with dynamic risk-based access control and continuous validation. GovZTA lets agencies take a risk-informed stance that improves user experience while shortening threat detection times. The Asia-Pacific zero trust market is projected to grow at 18.0% CAGR from 2025 to 2030, the highest growth rate globally.
OT-Specific Security Platforms: Specialized vendors like Claroty, Dragos, and Nozomi Networks now provide purpose-built solutions for industrial environments. Dragos monitors 70% of the U.S. electric grid and has expanded aggressively into Asia-Pacific. These platforms address the visibility gap by passively monitoring OT network traffic without requiring agents on legacy devices—discovering assets, mapping communication flows, and detecting anomalies without introducing operational risk.
IT-OT Security Operations Convergence: Leading organizations are breaking down silos between IT security operations centers (SOCs) and OT engineering teams. Joint incident response exercises, shared threat intelligence feeds, and unified governance frameworks enable faster detection and coordinated response. A Fortinet survey found that organizations with mature OT security frameworks—though only 26% of Asia-Pacific respondents—significantly outperformed peers in breach prevention and response times.
Regulatory Momentum: Singapore, Australia, Japan, and Hong Kong enacted or updated critical infrastructure cybersecurity laws in 2024. These frameworks mandate baseline security controls, incident reporting, and executive accountability. While compliance represents cost and complexity, it also provides budget justification and board-level attention that security teams have historically struggled to obtain.
What Isn't Working
Underinvestment in Water and Wastewater: The water sector remains dangerously exposed. EPA inspections in 2024 found that 70% of U.S. water utilities violated basic cybersecurity standards—default passwords, improper offboarding of personnel, and internet-exposed control systems. The fragmented structure of the sector (approximately 150,000 public water systems in the U.S. alone) means limited budgets, shared staff, and minimal security expertise. The Iran-backed "Cyber Av3ngers" attack on Aliquippa Water Authority and similar attacks on 10+ U.S. facilities demonstrated that even unsophisticated attacks can force operators into manual monitoring mode.
Supply Chain Blind Spots: The energy sector experiences 45% of breaches through third-party vendors, compared to 29% globally. Organizations invest heavily in perimeter defense while maintaining minimal visibility into contractor access, vendor software updates, and component provenance. The 2024 discovery of compromised equipment in multiple supply chains highlighted that adversaries are playing a long game—embedding access capabilities during manufacturing rather than attacking deployed systems.
Incident Response Immaturity: Many critical infrastructure operators lack tested, OT-specific incident response plans. When attacks occur, responders face impossible choices: shut down operations to contain the threat (causing service disruption) or maintain operations while attackers retain access (risking physical safety). Post-incident analysis repeatedly reveals that organizations detected attack indicators weeks or months before the incident but failed to investigate them adequately.
Skills Shortage: The intersection of OT engineering expertise and cybersecurity knowledge is exceptionally rare. Estimates suggest fewer than 1,000 practitioners globally possess deep competency in both domains. Organizations compete intensely for this talent while struggling to upskill either OT engineers (who may lack IT security fundamentals) or IT security professionals (who may not understand industrial processes).
Key Players
Established Leaders
Cisco (United States) — Global networking giant with comprehensive OT security portfolio including network segmentation, secure remote access, and industrial-grade firewalls. Strong presence across Asia-Pacific critical infrastructure through partnerships with national utilities and manufacturing conglomerates.
Honeywell (United States) — Industrial automation leader with integrated cybersecurity services including real-time monitoring, threat detection, managed security operations, and OT-specific training programs. Deep installed base in oil and gas, manufacturing, and building management systems throughout the region.
ABB (Switzerland) — Major power and automation technology provider with ABB Ability™ platform for secure control systems, threat detection, and lifecycle security services. Significant deployments in electrical grids and industrial facilities across Japan, Australia, and Southeast Asia.
Fortinet (United States) — FortiGate next-generation firewalls with OT/ICS-specific capabilities, network segmentation, and Security Fabric architecture. Growing market share in Asia-Pacific utilities sector with strong channel partner network.
Schneider Electric (France) — Industrial automation vendor investing heavily in cybersecurity for energy management and industrial automation systems. Regional headquarters in Singapore supporting Southeast Asian infrastructure operators.
Emerging Startups
Claroty (United States) — Pure-play cyber-physical systems security with exposure management, network protection, and threat detection. Named "Strong Performer" in Forrester Wave for OT Security Solutions. Expanding aggressively in Asia-Pacific through partnerships with regional systems integrators.
Dragos (United States) — OT security platform with world-class threat intelligence derived from incident response engagements. Monitors 70% of U.S. electric grid infrastructure and is building a presence in the Australian and Japanese markets. Known for detailed adversary behavior analysis and ICS-specific security playbooks.
OTORIO (Israel) — Industrial cybersecurity platform featuring cyber digital twin technology for attack simulation, vulnerability assessment, and compliance automation. Focus on proactive risk management rather than reactive detection.
Nozomi Networks (United States) — OT and IoT visibility and security platform with asset discovery, anomaly detection, and threat intelligence integration. Strong presence in oil and gas and manufacturing sectors across the region.
Key Investors & Funders
Insight Partners — Growth equity firm with significant investments in cybersecurity including ICS/OT adjacent companies. Active in late-stage funding for scaling security platforms.
Tenable Ventures — Corporate venture arm of vulnerability management leader Tenable, specifically backing ICS-adjacent startups including supply chain security companies relevant to critical infrastructure.
Sequoia Capital — Backed multiple cybersecurity platforms with applicability to critical infrastructure including identity management and cloud security companies expanding into OT environments.
Intel Capital — Strategic investor in OT-related ventures with focus on hardware security, edge computing, and industrial IoT platforms that underpin critical infrastructure digitalization.
Examples
Taiwan Power Company Grid Defense
Taiwan Power Company (Taipower), which operates the island's electrical grid, faced a 113% increase in daily cyberattack attempts between 2023 and 2025. In response, the utility implemented a comprehensive defense-in-depth strategy combining network segmentation between corporate IT and grid operations, continuous monitoring of SCADA systems, and incident response rehearsals conducted quarterly. Taipower deployed Taiwanese-developed security solutions to reduce dependence on foreign vendors amid geopolitical concerns, while participating in regional threat intelligence sharing through APCERT (Asia Pacific Computer Emergency Response Team). The utility's investment in security operations center capabilities enabled detection of reconnaissance activities attributed to Chinese APT groups before any operational impact occurred.
Singapore Public Utilities Board Water Security
Singapore's Public Utilities Board (PUB), which manages the city-state's entire water supply including the innovative NEWater reclamation system, exemplifies proactive OT security investment. Following global incidents targeting water utilities, PUB accelerated zero trust implementation across its network of treatment plants, reservoirs, and distribution systems. The agency adopted the GovZTA framework, implementing microsegmentation between control system zones, mandatory multi-factor authentication for all remote access, and real-time anomaly detection tuned specifically to water treatment process parameters. PUB's security operations integrate with Singapore's Cyber Security Agency, enabling rapid threat intelligence sharing when new vulnerabilities or attack techniques emerge. The integrated approach demonstrates how small, well-resourced utilities can achieve security maturity that larger, more fragmented systems struggle to match.
Ausgrid Ransomware Resilience Program
Ausgrid, one of Australia's largest electricity distribution networks serving 1.8 million customers in Sydney, implemented a ransomware resilience program after observing the 80% surge in ransomware attacks targeting energy and utilities in 2024. The program focused on three elements: immutable backups of all critical OT configurations isolated from network access, segmented recovery environments enabling restoration without reconnecting to potentially compromised infrastructure, and detailed playbooks specifying decision criteria for whether to pay ransom demands (with legal pre-authorization for scenarios requiring rapid decisions). Ausgrid conducted tabletop exercises with board participation, establishing that executives understood their roles during incidents. When a contractor laptop was compromised in late 2024, the response team contained the incident within four hours, validating their preparation investment.
Action Checklist
- Conduct comprehensive asset inventory of all OT devices including PLCs, RTUs, HMIs, and SCADA components—you cannot protect what you cannot see
- Implement network segmentation between IT and OT environments with monitored demilitarized zones (DMZs) for any required cross-domain data flows
- Eliminate default credentials on all OT devices and implement secure remote access with multi-factor authentication and session recording
- Deploy passive network monitoring specifically designed for OT protocols (Modbus, DNP3, IEC 61850) to detect anomalies without impacting operations
- Develop and rehearse OT-specific incident response plans that address the unique constraints of maintaining operations during attacks
- Establish formal vulnerability management program with risk-based prioritization recognizing that not all systems can be patched on IT timelines
- Conduct third-party security assessments of all vendors with access to OT networks, including software supply chain analysis
- Integrate OT security into broader organizational risk management with board-level reporting on critical infrastructure protection metrics
FAQ
Q: How do we secure legacy systems that cannot be patched or upgraded? A: Compensating controls become essential when direct remediation is impossible. Network segmentation limits exposure by restricting which systems can communicate with vulnerable devices. Protocol-aware firewalls can filter malicious commands while permitting legitimate operations. Continuous monitoring detects anomalous behavior patterns even when you cannot prevent exploitation. Virtual patching—intrusion prevention rules that block known exploit techniques—provides protection without modifying the underlying system. Finally, maintain detailed documentation of legacy system vulnerabilities and compensating controls to support risk-informed decision-making about replacement timelines and residual risk acceptance.
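As an added illustration of the passive OT-protocol monitoring called for in the checklist and of the protocol-aware filtering described in this answer (example code written for this article, not any vendor's product): a small Modbus/TCP parser that checks each request against an allow-list baseline, flagging writes from hosts other than the engineering workstation, diagnostic function codes, and malformed frames. The host addresses, baseline and capture are constructed; the same assess() rule, run inline on a protocol-aware firewall instead of on a passive tap, is the compensating control discussed above.

```python
"""Passive Modbus/TCP monitor with an allow-list baseline (constructed example)."""
import struct
from typing import List, NamedTuple, Optional, Tuple

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (0), length, unit id

# Function codes that change controller state; a baseline pins them to engineering hosts.
WRITE_FUNCTIONS = {0x05: "write single coil", 0x06: "write single register",
                   0x0F: "write multiple coils", 0x10: "write multiple registers"}
DIAGNOSTIC_FUNCTIONS = {0x08: "diagnostics", 0x2B: "encapsulated interface transport"}

# Constructed baseline: 10.20.0.5 is an engineering workstation (may write),
# 10.20.0.6 a read-only HMI, 10.20.1.10 and 10.20.1.11 are PLCs.
WRITERS_BY_PLC = {"10.20.1.10": {"10.20.0.5"}, "10.20.1.11": {"10.20.0.5"}}
KNOWN_HOSTS = {"10.20.0.5", "10.20.0.6", "10.20.1.10", "10.20.1.11"}

class ModbusRequest(NamedTuple):
    src: str
    dst: str
    unit_id: int
    function: int
    address: Optional[int]  # None when the PDU carries no address field

def parse_request(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request; raise ValueError on malformed frames."""
    if len(payload) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = MBAP.unpack_from(payload)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:  # length field counts unit id plus PDU
        raise ValueError("MBAP length does not match frame size")
    function = payload[MBAP.size]
    address = struct.unpack_from(">H", payload, 8)[0] if len(payload) >= 10 else None
    return ModbusRequest(src, dst, unit, function, address)

def build_frame(tid: int, unit: int, function: int, address: int, value: int) -> bytes:
    # PDU layout for the simple requests used here: function code, 16-bit address, 16-bit value/quantity
    pdu = struct.pack(">BHH", function, address, value)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

def assess(req: ModbusRequest) -> List[str]:
    """Return alert strings for one request; an empty list means baseline-normal."""
    alerts = []
    if req.src not in KNOWN_HOSTS:
        alerts.append(f"unknown host {req.src} speaking Modbus to {req.dst}")
    if req.function in DIAGNOSTIC_FUNCTIONS:
        alerts.append(f"{DIAGNOSTIC_FUNCTIONS[req.function]} (0x{req.function:02X}) from {req.src}")
    if req.function in WRITE_FUNCTIONS and req.src not in WRITERS_BY_PLC.get(req.dst, set()):
        alerts.append(f"{WRITE_FUNCTIONS[req.function]} to {req.dst} unit {req.unit_id} "
                      f"addr {req.address} from non-baseline host {req.src}")
    return alerts

def monitor(capture) -> Tuple[int, List[str]]:
    """Passive pass over (src, dst, payload) tuples; returns (frames parsed, alerts)."""
    parsed, alerts = 0, []
    for src, dst, payload in capture:
        try:
            req = parse_request(src, dst, payload)
        except ValueError as exc:
            alerts.append(f"malformed frame from {src}: {exc}")
            continue
        parsed += 1
        alerts.extend(assess(req))
    return parsed, alerts

# Constructed capture: HMI read, authorised write, HMI write, rogue diagnostics, truncated frame.
SAMPLE_CAPTURE = [
    ("10.20.0.6", "10.20.1.10", build_frame(1, 1, 0x03, 0, 10)),
    ("10.20.0.5", "10.20.1.10", build_frame(2, 1, 0x06, 40, 1)),
    ("10.20.0.6", "10.20.1.11", build_frame(3, 1, 0x06, 40, 0)),
    ("10.20.5.77", "10.20.1.10", build_frame(4, 1, 0x08, 0, 0)),
    ("10.20.0.6", "10.20.1.10", b"\x00\x05\x00\x00\x00\x01"),
]
```

Nothing in the block ever sends to a controller: frames would come from a SPAN port or network tap, which is what keeps this kind of monitoring safe for devices that cannot host an agent.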
Q: What's the right balance between IT and OT security team structures? A: There is no universal answer, but successful organizations share common characteristics. Dedicated OT security expertise is essential—IT security professionals without process control background make dangerous assumptions about what can be blocked or interrupted. However, complete separation leads to inconsistent policies, duplicated tooling, and communication gaps during incidents. A hybrid model works well: unified governance and threat intelligence sharing, with specialized OT security engineers embedded in or closely aligned with operations teams who understand process constraints. Joint exercises build relationships and mutual understanding before crisis situations demand collaboration.
Q: How should organizations prioritize investments when budgets are constrained? A: Start with visibility—you cannot defend systems you don't know exist. Asset inventory costs relatively little and often reveals surprising exposure. Next, address high-impact, low-cost improvements: eliminating default credentials, implementing network segmentation at critical boundaries, and establishing basic monitoring. Detection capabilities should prioritize the OT network perimeter where IT-OT boundaries exist, as this is the boundary most attackers must traverse. Invest in incident response planning and exercises before expensive detection technologies—the ability to respond effectively matters more than detecting every possible threat. Finally, leverage regulatory compliance requirements to secure budget that might otherwise be unavailable.
Q: How do we measure the effectiveness of OT security investments? A: Traditional IT security metrics translate poorly to OT environments. Mean time to detect and respond matter, but must be contextualized against operational requirements. Track coverage metrics: percentage of OT assets with visibility, percentage of remote access sessions using secure methods, percentage of critical systems with current vulnerability assessments. Measure control effectiveness through red team exercises and tabletop scenarios. Monitor hygiene indicators like mean time to patch after vendor releases (recognizing that months rather than days may be appropriate for OT systems). Ultimately, tie security metrics to operational risk reduction rather than activity counts—the goal is preventing impact, not generating alerts.
Q: What emerging technologies will reshape critical infrastructure security in the next 3-5 years? A: AI-powered detection offers promise for identifying subtle anomalies in industrial processes that signature-based systems miss, though false positive rates remain challenging. Secure-by-design industrial equipment is slowly entering the market, with new PLCs featuring built-in encryption, authentication, and logging capabilities that legacy devices lack. Software bills of materials (SBOMs) are becoming standard, enabling supply chain visibility previously impossible. Zero trust network access is maturing for OT environments, moving beyond IT-centric implementations to address industrial protocol requirements. Finally, quantum-resistant cryptography is being evaluated for long-lifecycle infrastructure components that may remain deployed beyond the timeline when current encryption becomes vulnerable.
Sources
- IBM X-Force, "2025 Threat Intelligence Index," IBM Security, 2025. https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/2025-threat-intelligence-index
- Group-IB, "High-Tech Crime Trends Report 2025," Group-IB Threat Intelligence, 2025.
- INTERPOL, "Asia and South Pacific Cyberthreat Assessment Report 2024," INTERPOL Cybercrime Directorate, 2024. https://www.interpol.int/content/download/22308/file/Asia%20and%20South%20Pacific%20Cyberthreat%20Assessment%20Report%202024-4.pdf
- Waterfall Security Solutions, "2024 OT Threat Report: Learning From 2024's Top OT Attacks and Planning for 2025's Security," 2024. https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/learning-from-2024s-top-ot-attacks-and-planning-for-2025s-security/
- CISA, "Threat Actors Continue to Exploit OT/ICS through Unsophisticated Means," Cybersecurity and Infrastructure Security Agency Alert, September 2024. https://www.cisa.gov/news-events/alerts/2024/09/25/threat-actors-continue-exploit-otics-through-unsophisticated-means
- Cloud Security Alliance, "Zero Trust Guidance for Critical Infrastructure," CSA Research Publication, October 2024. https://cloudsecurityalliance.org/artifacts/zero-trust-guidance-for-critical-infrastructure
- Taiwan National Security Bureau, "Annual Report on Chinese Cyber Activities," NSB Taiwan, 2025.
- Singapore Cyber Security Agency, "Singapore Cyber Landscape 2024/2025," CSA Singapore, 2025. https://www.csa.gov.sg/resources/publications/singapore-cyber-landscape-2024-2025/