
Explainer: Critical infrastructure cybersecurity — what it is, why it matters, and how to evaluate options

A practical primer: key concepts, the decision checklist, and the core economics. Focus on attack paths, detection/response, and how to harden real-world systems.

Roughly 70% of all cyberattacks in 2024 targeted critical infrastructure, with BlackBerry detecting over 600,000 attacks on essential services in Q3 alone (BlackBerry Global Threat Intelligence Report, 2024). The financial toll is staggering: nearly half of affected organisations reported losses exceeding $500,000, while the Change Healthcare ransomware attack alone cost UnitedHealth Group $2.87 billion in response efforts and a $22 million ransom payment (Claroty, 2024). As nation-state actors like China's Volt Typhoon pre-position themselves within energy, transportation, and water systems for potential future disruption, the intersection of cybersecurity and sustainability has never been more critical. This explainer provides a practical primer on protecting the systems that underpin modern society—from power grids to healthcare networks—and offers a decision framework for evaluating cybersecurity options.

Why It Matters

Critical infrastructure encompasses the sixteen sectors identified by CISA (Cybersecurity and Infrastructure Security Agency) as essential to national security, economic stability, and public health: energy, water, healthcare, transportation, communications, financial services, and more. These interconnected systems form the backbone of sustainable development—without reliable power, clean water, and functioning healthcare, climate adaptation and resilience goals become impossible to achieve.

The sustainability implications are profound. A successful attack on the energy grid can halt renewable energy generation, force reliance on carbon-intensive backup systems, and disrupt electric vehicle charging networks. Water treatment facility compromises can lead to public health crises and environmental contamination. Healthcare system outages delay critical care and undermine pandemic response capabilities. The 2024 attack landscape demonstrated these risks in stark terms: utilities cyberattacks rose 70% compared to 2023, while healthcare experienced 444 reported incidents including 238 ransomware events (CISA 2024 Year in Review).

The economic case is equally compelling. The global Critical Infrastructure Protection (CIP) market reached $153.93 billion in 2025 and is projected to grow to $197.13 billion by 2030 at a 5.1% CAGR (MarketsandMarkets). For sustainability-focused organisations, cybersecurity investment is no longer optional—it is a prerequisite for operational resilience and stakeholder trust. The average cost of a data breach in the United States reached $10 million in 2025, more than double the global average, making prevention far more cost-effective than remediation.

Key Concepts

The IT-OT Convergence Challenge

Traditional information technology (IT) systems and operational technology (OT) systems were historically separate domains. IT handled data processing and business operations, while OT controlled physical processes—turbines, pumps, valves, and industrial machinery. The drive toward efficiency and sustainability has accelerated IT-OT convergence, connecting previously isolated control systems to enterprise networks and the internet.

This convergence creates expanded attack surfaces. Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, many designed decades before cybersecurity was a consideration, now face sophisticated threat actors. The Pennsylvania water authority attack in 2024 exemplified this vulnerability: Iranian-linked hackers compromised a Unitronics Vision programmable logic controller through an internet-connected human-machine interface, gaining control of water pressure systems.

Attack Vectors and Threat Actors

Nation-state actors dominate the critical infrastructure threat landscape. China's Volt Typhoon has operated undetected within US critical infrastructure for over five years, pre-positioning for potential future disruption of energy, transportation, and water systems. Salt Typhoon conducted a two-year campaign against major telecommunications providers including AT&T, Verizon, and T-Mobile, exfiltrating sensitive communications data. Russia's Sandworm group has demonstrated the ability to cause physical damage through cyber means, using OT-level techniques to trip substation circuit breakers in Ukraine.

Criminal ransomware groups represent an equally significant threat, often operating with implicit state protection. BlackCat/ALPHV's attack on Change Healthcare demonstrated how criminal actors can achieve nation-state-level impact: nearly 100 million Americans affected, healthcare operations halted for a month, and patients denied care due to disrupted pharmacy and Medicaid processing systems.

Zero Trust Architecture

The traditional security model of defending a network perimeter has proven inadequate for critical infrastructure protection. Zero Trust Architecture (ZTA) operates on the principle of "never trust, always verify"—every user, device, and network flow must be authenticated and authorised, regardless of location. For OT environments, this means implementing granular access controls, continuous monitoring, and micro-segmentation to limit lateral movement after initial compromise.

Sector-Specific Key Performance Indicators

Effective cybersecurity requires measurable outcomes. The following KPIs help organisations benchmark their critical infrastructure protection efforts:

Sector               | Primary KPI                  | Target Range             | Measurement Frequency
Energy & Utilities   | Mean Time to Detect (MTTD)   | <24 hours                | Continuous
Healthcare           | System Availability          | >99.9% uptime            | Monthly
Financial Services   | Incident Response Time       | <4 hours                 | Per incident
Water & Wastewater   | Patch Compliance Rate        | >95% within 30 days      | Quarterly
Transportation       | OT Asset Visibility          | >95% inventory coverage  | Annual
Telecommunications   | Third-Party Risk Score       | <3.0 (1-5 scale)         | Semi-annual

What's Working and What Isn't

What's Working

Government-Industry Collaboration: CISA's Joint Cyber Defense Collaborative has established effective information-sharing mechanisms between federal agencies, state governments, and private sector operators. The Cyber Storm IX exercise in April 2024 brought together 2,200 participants from 35 federal agencies, 13 states, 100 private companies, and 11 partner nations to simulate nation-state attacks on food and agriculture infrastructure.

Proactive Threat Notification: CISA's Pre-Ransomware Notification Initiative has delivered 3,368 early-warning alerts to organisations showing signs of ransomware infection before encryption occurs. This programme enables defenders to interrupt attacks during the reconnaissance and lateral movement phases, when remediation is still possible.

Free Vulnerability Scanning: Over 9,000 critical infrastructure entities now have access to CISA's free external vulnerability scanning service, with 3,000 organisations enrolled—a 53% growth in 18 months. This programme helps smaller operators identify and remediate internet-exposed control systems.

Network Segmentation: Organisations implementing robust network segmentation have demonstrated significantly reduced blast radii from successful intrusions. Separating IT and OT networks, isolating critical control systems, and implementing data diodes for unidirectional traffic flow have proven effective against lateral movement.
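The micro-segmentation described under Zero Trust Architecture and the IT/OT separation described above both come down to an explicit allow-list of which zones may talk to which, and a way to verify that observed traffic obeys it. The following is an added example, not code from the article or from any vendor named on this page: it encodes a three-zone model (corporate IT, industrial DMZ, OT), an allow-list of permitted inter-zone flows, and a check that runs over firewall flow records and flags flows that bypass the DMZ or that originate in the OT zone towards IT (which a data diode or unidirectional gateway should make impossible). The address ranges, host addresses and log-line format are constructed for illustration.

```python
"""Zone-based segmentation policy check over firewall flow logs.

Added example, not code from the original article or any vendor product.
Zone ranges, host addresses and the log lines are constructed here.
"""
from ipaddress import ip_address, ip_network

# Constructed addressing plan (hypothetical).
ZONES = {
    "IT": [ip_network("10.10.0.0/16")],
    "DMZ": [ip_network("10.20.0.0/24")],
    "OT": [ip_network("192.168.100.0/24")],
}

# Allow-list of inter-zone flows keyed by (src_zone, dst_zone, dst_port).
# IT reaches only the DMZ (jump host / historian mirror over HTTPS);
# only the DMZ historian polls PLCs over Modbus/TCP; nothing else crosses.
ALLOWED = {
    ("IT", "DMZ", 443): "HTTPS to DMZ jump host or historian mirror",
    ("DMZ", "OT", 502): "Modbus/TCP polling from DMZ historian to PLCs",
}


def zone_of(addr):
    """Return the zone name for an IP address, or 'UNKNOWN' (e.g. internet)."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "UNKNOWN"


def parse_flow_line(line):
    """Parse a 'key=value' style flow record into (src, dst, dport)."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return fields["src"], fields["dst"], int(fields["dport"])


def check_flow(src, dst, dport):
    """Return a violation message for one flow, or None if it is permitted."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return None  # intra-zone traffic is outside this policy's scope
    if s == "OT" and d == "IT":
        return f"OT->IT {src}->{dst}:{dport} (must be blocked by the unidirectional gateway)"
    if (s, d, dport) not in ALLOWED:
        return f"unlisted {s}->{d} flow {src}->{dst}:{dport} (bypasses the DMZ allow-list)"
    return None


def find_violations(lines):
    """Run the policy over raw log lines and return the violation messages."""
    return [v for v in (check_flow(*parse_flow_line(ln)) for ln in lines) if v]


# Constructed sample flow log (hypothetical format). Note that the firewall
# logged every flow as allowed; the check exposes the over-permissive rules.
SAMPLE_LOG = [
    "ts=1 src=10.10.5.23 dst=10.20.0.10 dport=443 action=allow",      # IT -> DMZ: permitted
    "ts=2 src=10.20.0.10 dst=192.168.100.15 dport=502 action=allow",  # DMZ -> PLC: permitted
    "ts=3 src=10.10.5.23 dst=192.168.100.15 dport=502 action=allow",  # IT -> PLC directly: violation
    "ts=4 src=192.168.100.15 dst=10.10.5.23 dport=445 action=allow",  # OT -> IT: violation
    "ts=5 src=10.10.7.1 dst=10.10.7.2 dport=3389 action=allow",       # intra-IT: ignored here
]

if __name__ == "__main__":
    for msg in find_violations(SAMPLE_LOG):
        print("VIOLATION:", msg)
```

The point of keeping the allow-list as data rather than as firewall syntax is that the same table can be reviewed by the OT engineers who know which historian is supposed to poll which PLC, and then compared against what the firewall actually logged; a flow marked "allow" that the table does not contain is a rule to fix, not just an alert.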

Secure-by-Design Principles: The Secure Swiss Finance Network (SSFN), operated by the Swiss National Bank and SIX, demonstrates how purpose-built secure architectures can protect critical financial infrastructure. Using the SCION internet architecture, the network creates isolated, secure communications channels that are effectively invisible to external threat actors.

What Isn't Working

Multi-Factor Authentication Gaps: The Change Healthcare breach—the most consequential cyberattack on US healthcare—originated from a Citrix remote access portal lacking multi-factor authentication. Despite years of awareness campaigns, basic security hygiene remains inconsistent across critical infrastructure sectors.

Patch Management Failures: Salt Typhoon's two-year telecommunications campaign exploited known vulnerabilities that organisations had failed to patch. The tension between operational uptime requirements and security updates leaves many systems perpetually exposed to known exploits.

Legacy System Dependencies: Much critical infrastructure relies on equipment designed and deployed before modern cybersecurity threats existed. Industrial control systems with 20-30 year lifespans cannot be easily replaced, yet they lack fundamental security capabilities like encryption, authentication, and logging.

Supply Chain Vulnerabilities: Third-party vendors and software providers represent significant risk vectors. The Finastra breach exposed 400GB of sensitive data through compromised vendor credentials. Many organisations lack visibility into their extended supply chains and cannot effectively assess third-party security postures.

Insufficient OT Security Expertise: The shortage of professionals who understand both operational technology and cybersecurity creates persistent capability gaps. Traditional IT security approaches often fail in OT environments where availability trumps confidentiality and systems cannot be easily taken offline for updates.

Key Players

Established Leaders

Honeywell (8-9% market share): Provides integrated physical security and cybersecurity solutions across energy, transportation, and industrial sectors. Their operational technology security offerings leverage deep domain expertise in building automation and industrial control systems.

Thales (6-7% market share): Specialises in encryption, secure communications, and identity management for defence, aviation, and government infrastructure. Their 2025 Data Threat Report—Critical Infrastructure Edition provides essential benchmarking data for the sector.

Claroty: Focuses exclusively on cyber-physical systems (CPS) security, offering asset discovery, network protection, and threat detection purpose-built for industrial and healthcare environments. Their research quantified the $500,000+ financial impact experienced by 45% of organisations.

OPSWAT: Provides IT/OT threat prevention through their MetaDefender platform, offering data sanitisation and cross-domain security for over 2,000 organisations worldwide. Their Critical Infrastructure Academy provides specialised training for OT security professionals.

Rockwell Automation: Combines industrial automation expertise with cybersecurity capabilities, offering asset management, network segmentation, and threat detection specifically designed for manufacturing and process industries.

Emerging Startups

Dream Security ($198M raised, $1.1B valuation): Founded by former Austrian Chancellor Sebastian Kurz, Dream develops AI-powered "Cyber Language Models" trained on threat intelligence, logs, and code to provide real-time nation-state attack prevention for governments and critical infrastructure operators.

Claroty (Series D, $400M+ raised): While now established, Claroty pioneered the industrial cybersecurity category and continues to lead innovation in cyber-physical systems protection across industrial, healthcare, and commercial environments.

Fortress Information Security: Uses AI-powered platforms for supply chain defence, third-party risk management, and vulnerability assessment specifically targeting critical infrastructure procurement and vendor management challenges.

Palitronica (Y Combinator-backed): Develops side-channel attack detection technology that can be retrofitted to legacy critical infrastructure systems, addressing the challenge of securing equipment that predates modern cybersecurity.

Key Investors and Funders

Bain Capital Ventures: Led Dream Security's $100M Series B, demonstrating significant investor appetite for critical infrastructure cybersecurity solutions.

CISA Grant Programmes: The State and Local Cybersecurity Grant Programme (SLCGP) and Tribal Cybersecurity Grant Programme (TCGP) distributed $18.2 million to 30+ Tribal governments in July 2024—the largest DHS tribal grant programme in history.

Department of Energy: Funds research through national laboratories on grid security, renewable energy system protection, and cyber-informed engineering principles.

European Investment Bank: Supports critical infrastructure security investments across EU member states under the NIS2 Directive implementation framework.

Examples

1. Transport for London (TfL)

In 2024, Transport for London experienced a significant cyberattack targeting its operational systems. TfL's incident response demonstrated effective crisis management: they activated pre-established protocols, engaged external cybersecurity advisors, and maintained transparency with the public while containing the threat. The organisation's investment in network segmentation prevented attackers from moving laterally into safety-critical train control systems. Post-incident, TfL accelerated implementation of zero trust architecture principles and enhanced monitoring of supplier access to their systems.

2. Swiss National Bank and SIX (SSFN)

The Secure Swiss Finance Network represents a proactive, rather than reactive, approach to critical infrastructure protection. Rather than layering security on top of conventional internet connectivity, SSFN uses the SCION architecture to create inherently secure, isolated network paths for financial infrastructure. This edge-to-edge encryption and path verification approach makes the network invisible to external reconnaissance and resistant to man-in-the-middle attacks. The model demonstrates how purpose-built secure infrastructure can achieve both operational efficiency and robust protection.

3. CISA Cyber Storm IX

The April 2024 Cyber Storm IX exercise brought together 2,200 participants from government and industry to simulate a sophisticated nation-state attack exploiting cloud vulnerabilities to target food and agriculture infrastructure. The exercise validated incident response procedures, identified coordination gaps, and stress-tested information-sharing mechanisms. Participating organisations received detailed after-action reports enabling continuous improvement of their security postures. This model of collaborative defence demonstrates how public-private partnership can build collective resilience.

Action Checklist

  • Conduct a comprehensive asset inventory of all IT and OT systems, prioritising identification of internet-exposed industrial control systems and legacy equipment lacking security capabilities
  • Implement multi-factor authentication on all remote access portals, VPNs, and privileged accounts—the single most impactful control against credential-based attacks
  • Establish network segmentation between IT and OT environments, implementing data diodes or unidirectional gateways where appropriate for critical control systems
  • Develop and test incident response plans specific to OT environments, recognising that availability requirements differ from traditional IT scenarios
  • Enrol in CISA's free external vulnerability scanning service and Pre-Ransomware Notification Initiative for early warning of emerging threats
  • Conduct supply chain risk assessments of critical vendors and establish security requirements in procurement contracts
  • Implement a 3-2-1 backup strategy for OT systems: three copies of data, on two different media types, with one copy stored offsite and tested regularly for restoration capability
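Several of the checklist items above, and two of the KPIs from the table in the Key Concepts section (patch compliance within 30 days and OT asset visibility, both with a >95% target), can be evaluated mechanically once an asset inventory exists. The following is an added example, not code from the article or any of the vendors it names: it runs the asset-inventory, MFA, and 3-2-1 backup checks over a constructed inventory and computes the two KPIs. The inventory records, the list of hosts seen by passive monitoring on the OT network, the backup records and all field names are hypothetical.

```python
"""Checklist and KPI evaluation over an IT/OT asset inventory.

Added example, not code from the original article. Inventory records,
observed OT hosts, backup records and field names are constructed here.
"""
from datetime import date

CONTROL_SYSTEM_KINDS = {"PLC", "HMI", "RTU", "SCADA"}
KPI_TARGET = 0.95  # >95% for both patch compliance and OT asset visibility

# Constructed inventory (hypothetical addressing and asset names).
# patch_age_days=None marks legacy equipment that cannot be patched.
INVENTORY = [
    {"id": "plc-01", "kind": "PLC", "zone": "OT", "ip": "192.168.100.15",
     "internet_exposed": True, "patch_age_days": None},
    {"id": "hmi-01", "kind": "HMI", "zone": "OT", "ip": "192.168.100.20",
     "internet_exposed": False, "patch_age_days": 12},
    {"id": "hist-01", "kind": "Server", "zone": "DMZ", "ip": "10.20.0.10",
     "internet_exposed": False, "patch_age_days": 45},
    {"id": "vpn-01", "kind": "RemoteAccess", "zone": "IT", "ip": "203.0.113.10",
     "internet_exposed": True, "patch_age_days": 5, "mfa": False},
    {"id": "jump-01", "kind": "RemoteAccess", "zone": "DMZ", "ip": "10.20.0.11",
     "internet_exposed": False, "patch_age_days": 20, "mfa": True},
]

# Constructed set of hosts seen by passive monitoring on the OT network.
OBSERVED_OT_HOSTS = {"192.168.100.15", "192.168.100.20", "192.168.100.33"}

# Constructed backup copies of the PLC project files.
BACKUP_COPIES = [
    {"medium": "disk", "offsite": False, "last_restore_test": date(2025, 1, 10)},
    {"medium": "disk", "offsite": False, "last_restore_test": date(2025, 1, 10)},
    {"medium": "tape", "offsite": True, "last_restore_test": date(2025, 1, 10)},
]


def internet_exposed_control_systems(inventory):
    """Checklist: internet-exposed ICS/SCADA equipment to prioritise."""
    return [a["id"] for a in inventory
            if a["kind"] in CONTROL_SYSTEM_KINDS and a["internet_exposed"]]


def remote_access_without_mfa(inventory):
    """Checklist: remote-access portals and VPNs that lack MFA."""
    return [a["id"] for a in inventory
            if a["kind"] == "RemoteAccess" and not a.get("mfa", False)]


def patch_compliance_rate(inventory, window_days=30):
    """KPI: share of patchable assets updated within window_days.

    Returns (rate, unpatchable_ids). Legacy assets are excluded from the
    rate but reported separately so they are not silently hidden.
    """
    patchable = [a for a in inventory if a["patch_age_days"] is not None]
    unpatchable = [a["id"] for a in inventory if a["patch_age_days"] is None]
    if not patchable:
        return 0.0, unpatchable
    compliant = sum(1 for a in patchable if a["patch_age_days"] <= window_days)
    return compliant / len(patchable), unpatchable


def ot_asset_visibility(inventory, observed_hosts):
    """KPI: fraction of hosts seen on the OT network that are inventoried.

    Returns (coverage, unknown_hosts); unknown hosts are the shadow devices
    the checklist tells you to find first.
    """
    known = {a["ip"] for a in inventory if a["zone"] == "OT"}
    unknown = sorted(observed_hosts - known)
    coverage = len(observed_hosts & known) / len(observed_hosts) if observed_hosts else 1.0
    return coverage, unknown


def backup_321_status(copies, today, max_restore_age_days=90):
    """Checklist: 3 copies, 2 media types, 1 offsite, restores tested recently."""
    media = {c["medium"] for c in copies}
    offsite = sum(1 for c in copies if c["offsite"])
    tested = all((today - c["last_restore_test"]).days <= max_restore_age_days
                 for c in copies)
    return {
        "copies": len(copies),
        "media_types": len(media),
        "offsite": offsite,
        "restore_tested": tested,
        "compliant": len(copies) >= 3 and len(media) >= 2 and offsite >= 1 and tested,
    }


def kpi_report(inventory, observed_hosts):
    """Evaluate both KPIs against the >95% target."""
    rate, unpatchable = patch_compliance_rate(inventory)
    coverage, unknown = ot_asset_visibility(inventory, observed_hosts)
    return {
        "patch_compliance": {"value": rate, "meets_target": rate >= KPI_TARGET,
                             "unpatchable": unpatchable},
        "ot_visibility": {"value": coverage, "meets_target": coverage >= KPI_TARGET,
                          "unknown_hosts": unknown},
    }


if __name__ == "__main__":
    print("internet-exposed control systems:", internet_exposed_control_systems(INVENTORY))
    print("remote access without MFA:", remote_access_without_mfa(INVENTORY))
    print("KPIs:", kpi_report(INVENTORY, OBSERVED_OT_HOSTS))
    print("3-2-1 backups:", backup_321_status(BACKUP_COPIES, date(2025, 3, 1)))
```

Two design choices matter here. Legacy equipment with no patch path is excluded from the compliance rate but listed by name, so the KPI cannot be gamed by leaving unpatchable PLCs in the denominator or out of the report. The visibility KPI is computed against what passive monitoring actually sees on the OT network rather than against the inventory's own count, so an unknown device shows up as a gap instead of inflating coverage.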

FAQ

Q: How does critical infrastructure cybersecurity differ from enterprise IT security?
A: Critical infrastructure environments prioritise availability over confidentiality—systems cannot simply be taken offline for updates or incident response. OT systems often use proprietary protocols, have 20-30 year lifespans, and were designed before modern cybersecurity threats existed. Effective protection requires understanding both the technology and the physical processes it controls, as attacks can cause real-world harm to people, equipment, and the environment.

Q: What is the role of government regulation in critical infrastructure protection?
A: Regulatory frameworks are expanding rapidly. The US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will mandate incident reporting once final rules are issued. The European NIS2 Directive imposes enhanced security requirements across essential and important entities. TSA has proposed mandatory cyber risk management requirements for surface transportation. These regulations establish baseline security expectations and improve threat intelligence sharing across sectors.

Q: How can smaller organisations afford adequate protection for critical systems?
A: Government resources significantly reduce the barrier to entry. CISA offers free vulnerability scanning, cybersecurity assessments, and threat intelligence to critical infrastructure operators regardless of size. Regional cybersecurity advisors provide direct consultation at no cost. Grant programmes like SLCGP provide funding for security improvements. Industry Information Sharing and Analysis Centres (ISACs) pool threat intelligence across sectors. Cloud-based security solutions reduce capital expenditure requirements while providing enterprise-grade protection.

Q: What should be the first priority for organisations beginning their cybersecurity journey?
A: Asset visibility is the essential foundation—you cannot protect what you cannot see. Conduct a complete inventory of all connected systems, including shadow IT and legacy OT equipment. Identify internet-exposed assets using external scanning tools. Map dependencies between systems to understand cascading failure risks. Only with complete visibility can organisations prioritise investments and implement effective segmentation strategies.

Q: How are AI and machine learning changing critical infrastructure cybersecurity?
A: AI enables both enhanced defence and more sophisticated attacks. Defensive AI applications include anomaly detection in network traffic patterns, automated threat hunting across large data sets, and predictive maintenance that identifies compromised equipment. However, threat actors are using AI for automated vulnerability discovery, convincing phishing campaigns, and evading traditional detection systems. The 4,151% increase in phishing attacks since ChatGPT's release demonstrates the offensive potential. Organisations must adopt AI-enhanced defences while preparing for AI-enabled threats.
