Deep dive: Critical infrastructure cybersecurity — what's working, what's not, and what's next
A comprehensive state-of-play assessment for critical infrastructure cybersecurity, evaluating current successes, persistent challenges, and the most promising near-term developments.
Start here
The Colonial Pipeline ransomware attack of May 2021 forced 45% of the US East Coast's fuel supply offline for six days. Nearly five years later, the cybersecurity posture of North American critical infrastructure has improved materially in some sectors while remaining dangerously vulnerable in others. Federal data from the Cybersecurity and Infrastructure Security Agency (CISA) shows that reported cyber incidents targeting critical infrastructure rose 38% between 2023 and 2025, even as defensive spending increased by an estimated $14.2 billion over the same period. This paradox, more investment alongside more incidents, defines the current landscape and demands a sector-by-sector assessment of what is actually working, where fundamental gaps persist, and what the next generation of protective frameworks must deliver.
Why It Matters
North America's critical infrastructure encompasses 16 sectors designated by the US Department of Homeland Security, including energy, water and wastewater, transportation, healthcare, financial services, and communications. These sectors collectively support $23 trillion in annual economic output and serve over 400 million people across the United States and Canada. The convergence of operational technology (OT) and information technology (IT), accelerated by the deployment of IoT sensors, cloud-connected SCADA systems, and remote monitoring platforms, has expanded the attack surface dramatically. CISA reported that 68% of critical infrastructure organisations experienced at least one OT-related cyber incident in 2025, up from 47% in 2022.
The threat landscape has shifted from opportunistic criminal groups to state-sponsored actors with strategic objectives. Microsoft's Threat Intelligence team documented the "Volt Typhoon" campaign, attributed to Chinese state actors, which pre-positioned access within US water, energy, and transportation systems for potential disruption during geopolitical conflict. The FBI assessed in January 2026 that state-sponsored intrusions into US critical infrastructure networks had increased 250% over three years. Separately, ransomware targeting operational technology systems evolved from encrypting IT systems to directly manipulating industrial control processes: the January 2025 attack on a Texas water treatment facility attempted to alter chemical dosing parameters, a potentially life-threatening action prevented only by manual override.
The regulatory response has accelerated. The Biden administration's National Cybersecurity Strategy (2023) and subsequent implementation plans designated critical infrastructure cybersecurity as a national security priority. The TSA issued binding cybersecurity directives for pipeline and rail operators. The EPA proposed mandatory cybersecurity standards for water systems before being challenged in court. Canada's Bill C-26, enacted in 2024, established mandatory cyber incident reporting for federally regulated critical infrastructure operators. These regulatory developments create both compliance obligations and, for organisations that approach them strategically, frameworks for systematic risk reduction.
Key Concepts
Operational Technology (OT) Security addresses the protection of hardware and software that monitors and controls physical processes in industrial environments. Unlike IT security, which prioritises confidentiality, OT security must prioritise availability and safety. A compromised OT system can cause physical damage to equipment, environmental releases, or harm to human safety. The convergence of IT and OT networks, often implemented without adequate segmentation, creates pathways for attackers to move from corporate networks into control systems.
Zero Trust Architecture for Critical Infrastructure applies the principle of "never trust, always verify" to industrial environments. Traditional perimeter-based security assumed that internal network traffic was trustworthy; zero trust eliminates this assumption by requiring continuous authentication and authorisation for every device, user, and data flow. Implementing zero trust in OT environments presents unique challenges: legacy industrial control systems often cannot support modern authentication protocols, real-time control processes cannot tolerate authentication latency, and many OT devices lack the computational resources for cryptographic operations.
Software Bill of Materials (SBOM) provides a comprehensive inventory of software components within critical infrastructure systems, enabling operators to identify vulnerabilities rapidly when new threats emerge. Executive Order 14028 (May 2021) mandated SBOM generation for software sold to the federal government. Extending SBOM requirements to critical infrastructure has proven challenging: industrial control system vendors frequently use proprietary, embedded software with supply chains spanning dozens of component suppliers. CISA's SBOM working groups have published minimum element specifications, but adoption across critical infrastructure remains below 35%.
Cyber-Physical System Resilience recognises that preventing all intrusions is impossible and focuses on maintaining safe operations during and after cyber incidents. This includes redundant manual controls, automated failsafe systems, air-gapped backup configurations, and trained personnel capable of operating critical processes without digital controls. The concept draws from nuclear and aviation safety engineering, applying defence-in-depth principles to protect the physical processes underlying essential services.
Critical Infrastructure Cybersecurity KPIs: Benchmark Ranges
| Metric | Below Average | Average | Above Average | Top Quartile |
|---|---|---|---|---|
| Mean Time to Detect OT Incident | >72 hours | 24-72 hours | 6-24 hours | <6 hours |
| IT/OT Network Segmentation Score | <40% | 40-60% | 60-80% | >80% |
| Patching Cadence (critical vulns) | >90 days | 45-90 days | 15-45 days | <15 days |
| Incident Response Plan Testing | Never/annually | Semi-annually | Quarterly | Monthly |
| SBOM Coverage | <15% | 15-35% | 35-60% | >60% |
| Employee Security Training Hours | <4 hrs/yr | 4-8 hrs/yr | 8-16 hrs/yr | >16 hrs/yr |
| Third-Party Risk Assessment Coverage | <25% | 25-50% | 50-75% | >75% |
What's Working
Energy Sector Defensive Maturation
The energy sector, particularly large investor-owned utilities, has made the most measurable progress in cybersecurity posture since 2021. The North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) standards, now in version 7, provide prescriptive requirements covering electronic security perimeters, personnel training, incident reporting, and supply chain risk management. Compliance rates for NERC CIP among large utilities exceeded 94% in 2025, and NERC's GridEx VII exercise in November 2025 involved over 700 organisations simulating coordinated cyber-physical attacks on the bulk power system. Duke Energy invested $450 million in grid cybersecurity between 2022 and 2025, deploying OT-specific intrusion detection across 95% of its substations and establishing a dedicated OT Security Operations Centre staffed around the clock. Southern Company's partnership with Idaho National Laboratory on consequence-driven cyber-informed engineering (CCE) demonstrated measurable reduction in high-consequence attack pathways across three nuclear generating stations.
Financial Services Sector Intelligence Sharing
The Financial Services Information Sharing and Analysis Center (FS-ISAC) remains the gold standard for sector-specific threat intelligence. Its 7,000+ member institutions across 75 countries share real-time threat data through automated platforms that distributed over 28,000 actionable indicators in 2025. The sector's Sheltered Harbor programme, ensuring critical financial data can be restored within hours of a destructive attack, now covers institutions holding 85% of US retail deposit accounts. JPMorgan Chase's $600 million annual cybersecurity budget (disclosed in its 2025 10-K filing) funds a 3,500-person security team with dedicated OT capabilities for its data centres and trading floor infrastructure. The financial sector's advantage stems from regulatory pressure (including SEC requirements, OCC guidance, and FFIEC examination procedures), deep pockets, and a culture of information sharing that other sectors lack.
TSA Pipeline Security Directive Impact
The Transportation Security Administration's Security Directives for pipeline operators, issued in two phases following the Colonial Pipeline attack, have produced measurable improvements. By 2025, 100% of the 100 most critical pipeline operators had implemented network segmentation between IT and OT environments, compared to approximately 35% before the directives. CISA assessments found that average time to detect OT intrusions at major pipeline facilities dropped from 96 hours in 2021 to 18 hours in 2025. Colonial Pipeline itself invested $300 million in cybersecurity upgrades, including implementation of micro-segmentation, continuous OT monitoring, and an air-gapped operational backup system capable of maintaining pipeline operations during complete IT system compromise.
What's Not Working
Water and Wastewater Sector Vulnerability
The water sector represents the most concerning gap in critical infrastructure cybersecurity. Of approximately 153,000 public water systems in the United States, the EPA estimates that fewer than 8% have conducted comprehensive cybersecurity risk assessments. Most water utilities serve populations under 50,000 and operate with annual cybersecurity budgets below $25,000, often with no dedicated cybersecurity staff. The November 2023 attack on the Municipal Water Authority of Aliquippa, Pennsylvania, exploited default passwords on a Unitronics programmable logic controller, a vulnerability so basic that it underscored the sector's fundamental readiness deficit. CISA's 2025 assessment of 200 water utilities found that 72% used at least one internet-exposed OT device with known vulnerabilities, 58% had no formal incident response plan, and 41% had not changed default credentials on at least one critical control system component.
The regulatory vacuum compounds the problem. The EPA's attempt to impose mandatory cybersecurity requirements through Safe Drinking Water Act authority was vacated by the Eighth Circuit Court of Appeals in October 2023 following legal challenges from state attorneys general. Congressional efforts to establish water cybersecurity standards have stalled due to concerns about unfunded mandates for small systems. The American Water Works Association published voluntary cybersecurity guidance, but voluntary frameworks have historically failed to drive adoption among resource-constrained utilities.
Healthcare Sector Under Persistent Attack
Healthcare organisations face a uniquely hostile threat environment. The FBI reported 389 ransomware attacks targeting US healthcare entities in 2025, a 42% increase from 2023. The February 2024 Change Healthcare attack disrupted prescription processing, claims adjudication, and payment systems for over 100 million Americans for weeks. The attack exposed a critical vulnerability in healthcare's digital supply chain: a single point of failure in claims processing infrastructure that affected one-third of all US healthcare transactions. UnitedHealth Group disclosed $2.4 billion in direct costs from the incident, not including downstream impacts on hospitals, pharmacies, and patients.
Healthcare cybersecurity suffers from structural challenges. Legacy medical devices, including MRI machines, infusion pumps, and patient monitoring systems, frequently run unsupported operating systems that cannot be patched without manufacturer involvement. The average hospital maintains 10,000-15,000 connected devices, of which 30-40% run software that has reached end of life. The Health and Human Services Department proposed updated HIPAA Security Rule requirements in December 2024, including mandatory encryption, network segmentation, and multi-factor authentication, but implementation timelines extend to 2028 for many provisions.
Supply Chain and Third-Party Risk
Critical infrastructure operators increasingly depend on shared vendors, cloud services, and managed service providers, creating concentrated points of failure. The 2024 CrowdStrike software update incident, which crashed 8.5 million Windows devices globally including hospital systems, emergency dispatch centres, and airport operations, was not a cyberattack but demonstrated the fragility of supply chain dependencies. Actual supply chain attacks compound this risk: the SolarWinds compromise affected multiple federal agencies and at least 100 private sector organisations, including critical infrastructure operators. CISA's 2025 supply chain risk assessment found that 65% of critical infrastructure operators could not identify all software components in their OT systems, and 78% had not conducted cybersecurity assessments of their most critical third-party providers.
What's Next
AI-Powered Defensive Capabilities
Artificial intelligence is transforming both offensive and defensive capabilities in critical infrastructure security. On the defensive side, AI-powered anomaly detection systems analyse OT network traffic patterns to identify deviations that indicate potential intrusions. Dragos, a leading OT security firm, reported that its AI-enhanced platform reduced false positive rates by 60% and mean time to detection by 45% compared to signature-based approaches in 2025 deployments. Claroty's Extended Detection and Response (XDR) platform, deployed across 500+ critical infrastructure sites, uses machine learning to baseline normal OT device behaviour and flag anomalies in real time. The challenge is that adversaries also use AI: CISA warned in 2025 that state-sponsored actors are using large language models to accelerate vulnerability discovery, craft more convincing social engineering campaigns, and automate reconnaissance of critical infrastructure networks.
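As an added example of the behaviour-baselining approach described above (this is not code from Dragos, Claroty or the article), the following learns, per source device, which Modbus function codes it normally issues and how many requests it makes per window, then flags never-seen devices, new function codes and rate spikes. The device names, the one-minute window, the z-score threshold and all traffic are constructed assumptions.

```python
"""Added example, not code from Dragos, Claroty or the article: a minimal
behavioural baseline for OT traffic. Per source device it learns which
Modbus function codes the device normally issues and its typical request
count per one-minute window, then flags unseen devices, new function codes
and rate spikes. Traffic is constructed; device names are placeholders."""
from collections import defaultdict
from statistics import mean, pstdev

# Event tuples: (window_index, src_device, dst_device, modbus_function_code).
# Function codes follow the Modbus spec: 3 = read holding registers,
# 6 = write single register, 16 = write multiple registers.
def constructed_training_traffic():
    events = []
    for w in range(10):
        events += [(w, "HMI-1", "PLC-1", 3)] * (60 + w % 3)  # steady polling, 60-62 per window
        events += [(w, "ENG-WS", "PLC-1", 3)] * 5
        if w % 5 == 0:
            events += [(w, "ENG-WS", "PLC-1", 16)] * 2         # occasional engineering writes
    return events

def build_baseline(events):
    """Per device: set of function codes seen, mean and std of requests per window."""
    funcs, counts, windows = defaultdict(set), defaultdict(lambda: defaultdict(int)), set()
    for window, src, _dst, fc in events:
        funcs[src].add(fc)
        counts[src][window] += 1
        windows.add(window)
    profile = {}
    for src in funcs:
        per_window = [counts[src].get(w, 0) for w in sorted(windows)]  # silent windows count as 0
        profile[src] = {"functions": funcs[src], "mean": mean(per_window),
                        "std": pstdev(per_window)}
    return profile

def detect(profile, events, z_threshold=3.0):
    """Return sorted, de-duplicated alerts as (window, src, kind, detail)."""
    alerts, per_window = set(), defaultdict(lambda: defaultdict(int))
    for window, src, dst, fc in events:
        if src not in profile:
            alerts.add((window, src, "unknown_device", f"function {fc} to {dst}"))
            continue
        if fc not in profile[src]["functions"]:
            alerts.add((window, src, "new_function", f"function {fc} to {dst}"))
        per_window[src][window] += 1
    for src, wins in per_window.items():
        spread = max(profile[src]["std"], 1.0)   # floor: very regular pollers have std near 0
        for window, n in wins.items():
            z = (n - profile[src]["mean"]) / spread
            if z > z_threshold:
                alerts.add((window, src, "rate", f"{n} requests, {z:.1f} sd above baseline"))
    return sorted(alerts)

# Constructed observation windows 10-13: one normal window, then three anomalies.
OBSERVED = (
    [(10, "HMI-1", "PLC-1", 3)] * 62
    + [(11, "HMI-1", "PLC-1", 3)] * 180                                      # three times the poll rate
    + [(12, "HMI-1", "PLC-1", 3)] * 61 + [(12, "HMI-1", "PLC-1", 6)]         # the HMI starts writing
    + [(13, "HMI-1", "PLC-1", 3)] * 61 + [(13, "LAPTOP-9", "PLC-1", 6)] * 3  # never-seen device writing
)

if __name__ == "__main__":
    for alert in detect(build_baseline(constructed_training_traffic()), OBSERVED):
        print(alert)
```

The std floor matters in practice: a PLC polled on a fixed schedule has almost zero variance, and without it a single extra request would be reported as an enormous z-score.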
Regulatory Convergence and Harmonisation
The fragmented regulatory landscape is moving toward convergence. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), with final rules expected by mid-2026, will establish uniform incident reporting requirements across all 16 critical infrastructure sectors within 72 hours of a significant incident. Canada's Bill C-26 implementation aligns reporting timelines with US requirements, creating a North American framework. The National Institute of Standards and Technology's Cybersecurity Framework 2.0, released in February 2024, added a "Govern" function emphasising board-level cybersecurity governance, supply chain risk management, and explicit coverage of OT environments. Several sectors are developing sector-specific profiles based on CSF 2.0 that translate the framework into actionable requirements tailored to their operational contexts.
Resilience-Focused Engineering
The next generation of critical infrastructure cybersecurity moves beyond prevention to focus on engineered resilience. Idaho National Laboratory's CCE methodology, adopted by the Department of Energy for priority infrastructure, identifies the highest-consequence cyber attack scenarios and engineers physical safeguards that prevent catastrophic outcomes regardless of cyber compromise. This approach recognises that sophisticated state actors will eventually penetrate digital defences, and therefore critical physical processes must maintain safe states even under complete loss of digital control. Early adopters include nuclear facilities, bulk power system operators, and natural gas transmission companies. The US Army Corps of Engineers is applying CCE principles to dam and levee control systems, while the Department of Transportation is developing analogous frameworks for air traffic control and rail signalling systems.
Action Checklist
- Conduct a comprehensive OT cybersecurity risk assessment using NIST CSF 2.0 or sector-specific frameworks
- Implement network segmentation between IT and OT environments with monitored demilitarised zones
- Establish an OT-specific incident response plan and test it through tabletop exercises at least quarterly
- Inventory all OT devices and software, generating SBOMs where possible, and prioritise patching of internet-exposed assets
- Assess third-party and supply chain cyber risk for critical vendors, requiring evidence of security controls
- Deploy OT-specific network monitoring tools capable of protocol-aware deep packet inspection
- Ensure manual override capabilities exist for all safety-critical processes and train operators on manual procedures
- Engage with sector-specific ISACs and participate in cross-sector exercises such as GridEx and Cyber Storm
- Brief board members and senior leadership on OT cyber risk using business impact quantification
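To make the SBOM concept from Key Concepts and the inventory-and-patching step in the checklist concrete, here is an added example (not code from the article, CISA or any vendor it names) that matches a minimal SBOM against an advisory feed across an OT asset inventory, reports SBOM coverage, and ranks findings so internet-exposed and safety-critical assets come first. The asset names, the supplier "ExampleVendor", the EXAMPLE-ADV advisory ids and the priority weights are constructed assumptions.

```python
"""Added example (not from the article or any vendor it names): match a
minimal SBOM against an advisory feed across an OT asset inventory, report
SBOM coverage, and rank affected components so internet-exposed and
safety-critical assets are patched first. All identifiers are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Component:        # NTIA minimum SBOM elements used here: supplier, name, version
    supplier: str
    name: str
    version: str

@dataclass
class Asset:
    asset_id: str
    internet_exposed: bool
    safety_critical: bool
    sbom: Optional[list]   # None: no SBOM exists for this asset yet

@dataclass
class Advisory:
    advisory_id: str    # placeholder ids, not real CVEs
    supplier: str
    name: str
    fixed_in: str       # first version that is no longer affected
    cvss: float

def parse_version(text: str) -> tuple:
    """Dotted numeric versions; '1.4' and '1.4.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(comp: Component, adv: Advisory) -> bool:
    return (comp.supplier == adv.supplier and comp.name == adv.name
            and parse_version(comp.version) < parse_version(adv.fixed_in))

def sbom_coverage(assets: list) -> float:   # percent of assets with an SBOM (the benchmark KPI)
    return 100.0 * sum(1 for a in assets if a.sbom is not None) / len(assets)

def prioritised_findings(assets: list, advisories: list) -> list:
    """(priority, asset, component, version, advisory), highest priority first.
    Priority = CVSS + 4 if internet-exposed + 2 if safety-critical; the weights
    are an illustrative choice for this example, not a published standard."""
    findings = []
    for asset in assets:
        for comp in asset.sbom or []:          # assets without an SBOM yield nothing: a blind spot
            for adv in advisories:
                if is_affected(comp, adv):
                    score = adv.cvss + (4 if asset.internet_exposed else 0) \
                                     + (2 if asset.safety_critical else 0)
                    findings.append((round(score, 1), asset.asset_id,
                                     comp.name, comp.version, adv.advisory_id))
    return sorted(findings, reverse=True)

# Constructed inventory and advisory feed.
ASSETS = [
    Asset("PLC-01", True, True, [Component("ExampleVendor", "ctrl-runtime", "3.2.1"),
                                 Component("ExampleVendor", "webcfg", "1.4.0")]),
    Asset("HMI-02", False, False, [Component("ExampleVendor", "webcfg", "1.5.2")]),
    Asset("RTU-03", False, True, None),
    Asset("HIST-04", True, False, [Component("ExampleVendor", "webcfg", "1.4.0")]),
]
ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "ExampleVendor", "webcfg", "1.5", 8.1),
    Advisory("EXAMPLE-ADV-0002", "ExampleVendor", "ctrl-runtime", "3.3.0", 6.5),
]

if __name__ == "__main__":
    print(f"SBOM coverage: {sbom_coverage(ASSETS):.0f}%")
    for finding in prioritised_findings(ASSETS, ADVISORIES):
        print(finding)
```

RTU-03 has no SBOM and therefore produces no findings at all, which is the blind spot the coverage figure exists to expose.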
FAQ
Q: What is the difference between IT and OT cybersecurity in critical infrastructure? A: IT cybersecurity protects data confidentiality, integrity, and availability in business systems (email, databases, enterprise applications). OT cybersecurity protects the industrial control systems that manage physical processes such as power generation, water treatment, pipeline operations, and manufacturing. OT systems prioritise availability and safety over confidentiality. A compromised IT system typically results in data loss or financial impact; a compromised OT system can cause physical equipment damage, environmental contamination, or threats to human safety. The tools, protocols, and operational constraints differ fundamentally between the two domains.
Q: How much should a critical infrastructure operator budget for cybersecurity? A: Benchmarks vary significantly by sector and scale. Large utilities and financial institutions typically allocate 8-12% of IT/OT budgets to cybersecurity. The energy sector average is approximately $15-25 per customer account annually for investor-owned utilities. For water utilities serving populations under 50,000, even $50,000-100,000 annually would represent a substantial improvement over current spending. The key principle is risk-proportionate investment: organisations should quantify potential consequences of cyber incidents in operational, safety, and financial terms, then allocate resources proportionate to the highest-consequence scenarios.
Q: Are small and mid-size critical infrastructure operators effectively unprotected? A: Many are, particularly in the water and healthcare sectors. CISA offers free services to address this gap, including vulnerability scanning, penetration testing, and cybersecurity assessments for critical infrastructure operators of any size. State-level programmes in Colorado, Virginia, and Maryland provide shared security services for small water utilities. The Water Information Sharing and Analysis Center (WaterISAC) provides free threat intelligence to small systems. However, these voluntary resources reach only a fraction of eligible organisations: fewer than 12% of small water utilities have engaged with CISA services as of early 2026.
Q: How does critical infrastructure cybersecurity intersect with climate and sustainability goals? A: The relationship is bidirectional. Climate adaptation increases cybersecurity risk by deploying more connected devices (smart grid sensors, remote monitoring for water systems, distributed energy resources) that expand the attack surface. Conversely, cyberattacks on critical infrastructure can cause environmental damage: attacks on water treatment can alter chemical processes, pipeline disruptions can cause spills, and grid attacks can force reliance on higher-emitting backup generation. Resilient critical infrastructure is foundational to both sustainability and national security objectives.
Sources
- Cybersecurity and Infrastructure Security Agency. (2025). Critical Infrastructure Cyber Incident Report: Annual Summary 2025. Washington, DC: CISA.
- Microsoft Threat Intelligence. (2024). Volt Typhoon Targets US Critical Infrastructure. Redmond, WA: Microsoft Corporation.
- North American Electric Reliability Corporation. (2025). Grid Security Report and GridEx VII After-Action Review. Atlanta, GA: NERC.
- US Government Accountability Office. (2025). Critical Infrastructure Protection: Actions Needed to Address Significant Cybersecurity Risks Facing the Water Sector. Washington, DC: GAO.
- Health and Human Services Department. (2025). Healthcare Cybersecurity Performance Goals: Implementation Progress Report. Washington, DC: HHS.
- National Institute of Standards and Technology. (2024). Cybersecurity Framework 2.0. Gaithersburg, MD: NIST.
- Idaho National Laboratory. (2025). Consequence-Driven Cyber-Informed Engineering: Implementation Guide for Critical Infrastructure. Idaho Falls, ID: INL.
- Dragos, Inc. (2025). ICS/OT Cybersecurity Year in Review 2025. Hanover, MD: Dragos.