
Myths vs. realities: Critical infrastructure cybersecurity — what the evidence actually supports

Side-by-side analysis of common myths versus evidence-backed realities in Critical infrastructure cybersecurity, helping practitioners distinguish credible claims from marketing noise.

In 2025, ransomware attacks on critical infrastructure surged 87% year over year, yet the median detection time for operational technology (OT) intrusions remained stubbornly fixed at 272 days, according to IBM's X-Force Threat Intelligence Index. Despite billions of dollars flowing into cybersecurity products marketed for power grids, water treatment plants, and transportation networks, the gap between vendor promises and operational reality has never been wider. Understanding what actually works in critical infrastructure cybersecurity, and what remains marketing noise, is essential for procurement teams responsible for protecting systems that serve millions of people.

Why It Matters

Critical infrastructure encompasses the systems societies depend on for survival: electricity grids, water and wastewater treatment, oil and gas pipelines, transportation networks, telecommunications, and healthcare delivery. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) identifies 16 critical infrastructure sectors, collectively representing over $4.6 trillion in annual economic activity. Cyberattacks against these systems have escalated from theoretical exercises to tangible operational disruptions.

The Colonial Pipeline ransomware attack in May 2021 shut down the largest fuel pipeline in the United States for six days, causing fuel shortages across the southeastern states and costing an estimated $4.4 billion in economic damage. In 2024, the Volt Typhoon campaign, attributed to Chinese state-sponsored actors, compromised critical infrastructure networks across the U.S., Guam, and allied nations, with CISA confirming that the attackers maintained persistent access to water, energy, and transportation systems for at least five years before detection.

Emerging markets face compounded risks. The African Union's 2025 Cybersecurity Assessment found that fewer than 18% of critical infrastructure operators across Africa have implemented basic network segmentation between IT and OT environments. In Southeast Asia, the ASEAN Cybersecurity Status Report documented a 134% increase in attacks targeting energy infrastructure between 2023 and 2025, with median incident response times exceeding 400 days due to limited forensic capabilities.

Regulatory pressure is intensifying globally. The EU's Network and Information Systems Directive 2 (NIS2), fully enforceable since October 2024, mandates cybersecurity risk assessments, incident reporting within 24 hours, and supply chain security requirements for essential and important entities. The U.S. National Cybersecurity Strategy of 2023 shifted liability toward technology providers, while Executive Order 14028 requires software bills of materials (SBOMs) for all products sold to federal agencies, including critical infrastructure operators. These requirements are reshaping procurement criteria, making evidence-based cybersecurity evaluation a compliance necessity rather than an optional best practice.

Key Concepts

IT/OT Convergence refers to the integration of information technology (corporate networks, cloud services, enterprise software) with operational technology (industrial control systems, SCADA, programmable logic controllers). Historically, OT networks were air-gapped from IT networks and the internet, limiting exposure to cyber threats. Digital transformation initiatives have connected these environments to enable remote monitoring, predictive maintenance, and data-driven optimization. This convergence creates attack pathways that allow adversaries to pivot from compromised IT systems into OT environments controlling physical processes.

Industrial Control Systems (ICS) Security addresses the unique cybersecurity requirements of systems that monitor and control physical processes. ICS environments include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLCs). These systems often run legacy operating systems, use unencrypted communication protocols (Modbus, DNP3), and cannot tolerate the latency introduced by standard IT security tools. Effective ICS security requires specialized approaches that maintain system availability while protecting against manipulation of physical processes.

Zero Trust Architecture (ZTA) eliminates implicit trust in network location, requiring continuous verification of identity, device health, and authorization for every access request. Applied to critical infrastructure, ZTA means that a user authenticated on the corporate network cannot automatically access OT systems without additional verification. NIST Special Publication 800-207 provides the foundational framework, but implementing zero trust in OT environments requires adaptation to account for legacy devices, real-time process requirements, and the inability to deploy agents on many industrial controllers.

Supply Chain Risk Management addresses cybersecurity risks introduced through third-party hardware, software, and services. The SolarWinds breach in 2020 demonstrated how a compromised software update mechanism could provide access to thousands of organizations, including critical infrastructure operators. Effective supply chain security requires vendor assessments, software composition analysis, and continuous monitoring of third-party access to critical systems.

What's Working

Network Segmentation and Monitoring at Scale

The most consistently effective cybersecurity measure for critical infrastructure remains proper network segmentation between IT and OT environments. The U.S. Department of Energy's Cybersecurity, Energy Security, and Emergency Response (CESER) office found that organizations with properly implemented segmentation reduced successful OT intrusions by 72% compared to those with flat network architectures. Duke Energy's deployment of Claroty's platform across 50 power generation and distribution facilities reduced mean time to detect OT anomalies from over 200 days to under 48 hours, while maintaining 99.97% availability across monitored systems.

Threat Intelligence Sharing Through ISACs

Information Sharing and Analysis Centers (ISACs) have matured into operationally valuable threat intelligence sharing mechanisms. The Electricity Subsector Coordinating Council (ESCC) and the Downstream Natural Gas ISAC coordinate threat intelligence across hundreds of operators. The E-ISAC, operated by the North American Electric Reliability Corporation (NERC), processed over 48,000 threat indicators in 2025, with participating utilities reporting 35% faster incident response times compared to non-participants. In emerging markets, the Global Forum on Cyber Expertise (GFCE) has established regional ISACs in Latin America, Africa, and Southeast Asia, though participation rates remain below 25% of eligible operators.

Tabletop Exercises and Incident Response Planning

CISA's annual GridEx exercise, the largest grid security exercise in North America, demonstrated in its 2024 iteration (GridEx VII) that organizations conducting quarterly tabletop exercises restored operations 60% faster than those relying solely on documented procedures. Singapore's Cyber Security Agency (CSA) mandated annual exercises for all critical information infrastructure operators in 2023, resulting in a documented 40% improvement in cross-sector coordination response times by 2025.

What's Not Working

Air Gap Mythology Persisting in Operations

Despite overwhelming evidence that true air gaps no longer exist in modern critical infrastructure, a 2025 SANS Institute survey found that 38% of OT operators in emerging markets believe their systems are air-gapped and therefore immune to cyber threats. In practice, even systems without direct internet connections are exposed through USB devices, vendor laptop connections for maintenance, historian servers bridging IT and OT networks, and wireless access points installed by operators for convenience. The Stuxnet malware, which destroyed Iranian centrifuges in 2010, traversed an air gap via infected USB drives, yet the false sense of security persists, particularly in water treatment, manufacturing, and smaller energy operators.

Bolting IT Security Tools onto OT Environments

Deploying standard IT security tools (endpoint detection and response agents, vulnerability scanners, active probing tools) in OT environments consistently causes operational disruptions. A Dragos 2025 OT Cybersecurity Report found that 44% of organizations that deployed IT-centric security tools in OT environments experienced at least one operational disruption caused by the security tools themselves, including PLC communication timeouts, SCADA system latency spikes, and unplanned process shutdowns. Active vulnerability scanning crashed the SCADA system of a water treatment facility in the Oldsmar, Florida area, while aggressive endpoint agents caused latency-induced safety shutdowns at a European chemical plant.

Compliance-Driven Checkbox Security

Many critical infrastructure operators treat regulatory compliance as the ceiling rather than the floor for cybersecurity investment. NERC CIP standards, while valuable for establishing minimum baselines, cover only bulk electric system assets and exclude distribution networks, substations below certain voltage thresholds, and many renewable generation facilities. A 2025 analysis by the Cyberspace Solarium Commission found that organizations focused exclusively on compliance experienced 2.3 times more security incidents than those implementing risk-based cybersecurity programs extending beyond regulatory requirements.

Myths vs. Reality

Myth 1: Critical infrastructure attacks require nation-state capabilities

Reality: While the most sophisticated campaigns (Volt Typhoon, Sandworm) are state-sponsored, ransomware groups including LockBit, ALPHV/BlackCat, and Cl0p have successfully disrupted hospitals, water utilities, and transportation systems using commercially available tools. The ALPHV/BlackCat attack on Change Healthcare in February 2024 disrupted payment processing for one-third of U.S. healthcare transactions. Entry-level ransomware-as-a-service kits cost as little as $40 on dark web marketplaces, placing critical infrastructure attacks within reach of financially motivated criminal groups.

Myth 2: Patching OT systems is too dangerous, so we accept the risk

Reality: While OT patching requires careful testing and maintenance windows, accepting unpatched vulnerabilities is not a risk management strategy. The Triton/TRISIS malware exploited a known vulnerability in Schneider Electric Triconex safety controllers that had available patches. Compensating controls, including virtual patching through network-based intrusion prevention, micro-segmentation, and application whitelisting, can mitigate vulnerability exposure without requiring direct system patching. Organizations should implement risk-prioritized patching schedules with validated rollback procedures.

Myth 3: Buying the most expensive cybersecurity platform guarantees protection

Reality: Dragos's 2025 report found no correlation between cybersecurity spending levels and incident outcomes among critical infrastructure operators. Organizations spending in the top quartile experienced similar breach rates to those in the second quartile. The differentiating factor was not spend level but architecture: proper segmentation, continuous monitoring, and practiced incident response plans accounted for 80% of the variance in breach impact reduction. Procurement teams should evaluate detection efficacy, integration capabilities, and vendor OT expertise rather than feature count.

Myth 4: Cloud-based security monitoring is inappropriate for critical infrastructure

Reality: Hybrid cloud architectures for security monitoring (with on-premises data collection and cloud-based analytics) have become the operational standard for organizations that cannot afford dedicated 24/7 security operations centers. Nozomi Networks and Claroty both offer cloud-delivered analytics for OT environments, with data residency options addressing sovereignty concerns. The U.S. Department of Defense's Zero Trust Reference Architecture explicitly endorses cloud-based security analytics for critical infrastructure, provided encryption and access controls meet FedRAMP High requirements.

Myth 5: Cybersecurity insurance adequately transfers critical infrastructure risk

Reality: Cyber insurance policies increasingly exclude state-sponsored attacks (classified as "acts of war"), systemic infrastructure failures, and physical damage resulting from cyber events. Lloyd's of London mandated war exclusion clauses for all cyber policies from March 2023. The average cyber insurance premium for critical infrastructure operators rose 74% between 2023 and 2025, while coverage limits declined. Insurance cannot replace operational resilience, and procurement teams should view insurance as a financial buffer, not a risk mitigation strategy.

Key Players

Established Leaders

Claroty provides comprehensive OT visibility and threat detection purpose-built for industrial environments, deployed across over 1,000 critical infrastructure sites globally, with strong integration into Purdue Model network architectures.

Dragos operates the most widely deployed OT threat intelligence platform, tracking adversary groups specifically targeting critical infrastructure, with a team drawn from NSA, CISA, and national laboratory backgrounds.

Nozomi Networks offers AI-driven anomaly detection for OT and IoT networks, deployed across 115+ million devices in energy, manufacturing, and transportation sectors, with particular strength in European and Asia-Pacific markets.

Fortinet provides converged IT/OT security through its Security Fabric architecture, with ruggedized appliances designed for industrial environments and a dedicated OT security practice.

Emerging Startups

Phosphorus Cybersecurity automates discovery and management of extended IoT and OT devices, addressing the visibility gap that leaves 70% of industrial devices unmanaged in typical deployments.

Xage Security delivers zero trust access control for OT environments using distributed, identity-based enforcement that does not depend on centralized authentication servers, critical for remote and air-gapped sites.

Shift5 focuses on cybersecurity for operational technology in defense and transportation, monitoring data buses in aircraft, rail, and weapons systems at the protocol level.

Key Investors and Funders

CISA provides direct technical assistance and assessment services to critical infrastructure operators at no cost, including vulnerability scanning, penetration testing, and architecture review through its Cybersecurity Advisor program.

SYN Ventures focuses exclusively on cybersecurity investments, with portfolio companies addressing OT security, threat intelligence, and industrial resilience.

Team8 operates a cybersecurity venture creation platform with deep expertise in critical infrastructure protection, leveraging connections to Israeli intelligence and defense technology ecosystems.

Action Checklist

  • Conduct an asset inventory of all OT devices, including legacy systems, and classify by criticality and exposure
  • Implement network segmentation between IT and OT environments with documented firewall rules and monitoring
  • Deploy passive OT monitoring tools (not active scanning) to establish behavioral baselines for industrial protocols
  • Join your sector-specific ISAC and integrate threat intelligence feeds into detection and response workflows
  • Conduct quarterly tabletop exercises simulating ransomware, insider threat, and supply chain compromise scenarios
  • Evaluate vendor cybersecurity posture through standardized assessments (NIST CSF, IEC 62443) before procurement
  • Develop and test incident response plans that address OT-specific scenarios including safe process shutdown procedures
  • Require software bills of materials (SBOMs) from all technology vendors supplying critical infrastructure components
  • Establish compensating controls (virtual patching, application whitelisting) for OT systems that cannot be directly patched
  • Review cyber insurance policies for exclusions related to state-sponsored attacks, war clauses, and physical damage

FAQ

Q: What is the single most impactful cybersecurity investment for a critical infrastructure operator with a limited budget?
A: Network segmentation between IT and OT environments delivers the highest risk reduction per dollar spent. Properly implemented segmentation prevents adversaries who compromise corporate networks from reaching operational systems. Basic segmentation using industrial firewalls and DMZ architectures can be implemented for $50,000 to $200,000 depending on facility size, with documented 60 to 72% reductions in successful OT intrusions. This should be prioritized before advanced detection, threat intelligence, or zero trust initiatives.

Q: How should procurement teams evaluate OT cybersecurity vendors for emerging market deployments?
A: Prioritize vendors with demonstrated OT protocol expertise (Modbus, DNP3, IEC 61850, OPC-UA) rather than IT vendors marketing OT capabilities. Request reference deployments in similar infrastructure types and regions. Verify that the solution operates passively (monitoring network traffic rather than actively scanning devices) to avoid operational disruptions. Evaluate data residency capabilities, local support presence, and the vendor's ability to operate effectively with limited bandwidth, which is common in emerging market deployments.

Q: Are regulatory compliance frameworks like NERC CIP or NIS2 sufficient for protecting critical infrastructure?
A: Compliance frameworks establish valuable baselines but are insufficient as standalone cybersecurity strategies. NERC CIP covers only bulk electric system assets, leaving distribution networks and many renewable generation facilities unprotected. NIS2 mandates risk assessments and incident reporting but does not prescribe specific technical controls. Organizations focused exclusively on compliance experience 2.3 times more incidents than those implementing risk-based programs. Use regulatory frameworks as a floor and supplement with threat-informed defense strategies based on actual adversary behaviors documented by organizations like Dragos, CISA, and sector-specific ISACs.

Q: How do organizations balance OT system availability with cybersecurity requirements?
A: The fundamental principle is that safety and availability take precedence over confidentiality in OT environments, the opposite of traditional IT security priorities. Deploy passive monitoring rather than inline security tools that could disrupt process communications. Schedule patching and configuration changes during planned maintenance windows with validated rollback procedures. Implement compensating controls (network segmentation, application whitelisting, behavioral monitoring) that provide security without introducing latency or single points of failure into safety-critical systems.

Q: What role does artificial intelligence play in critical infrastructure cybersecurity today?
A: AI and machine learning are most effective for behavioral anomaly detection in OT networks, where they establish baselines of normal industrial protocol communications and flag deviations that may indicate intrusions or equipment manipulation. Nozomi Networks and Claroty both use AI-driven analytics to reduce false positive rates by 40 to 60% compared to signature-based detection. However, AI cannot replace network segmentation, access control, or practiced incident response. Procurement teams should evaluate AI as an enhancement to foundational controls, not a replacement for them.
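The passive baselining this answer describes, and the checklist item "deploy passive OT monitoring tools to establish behavioral baselines for industrial protocols", as an added Python example that is not code from Nozomi Networks, Claroty, or any other vendor named on this page: it decodes Modbus/TCP requests from constructed sample frames, learns which client/unit/function-code/register-window combinations are normal during a learning window, and reports deviations such as a register write from a host never seen on the segment. Host addresses, unit ids and register values are made up for the example.

```python
"""Passive Modbus/TCP baselining: learn normal request patterns, flag deviations (constructed sample frames)."""
import struct
from collections import defaultdict

FC_NAMES = {1: "READ_COILS", 3: "READ_HOLDING", 5: "WRITE_COIL",
            6: "WRITE_REGISTER", 8: "DIAGNOSTICS", 16: "WRITE_MULTIPLE"}
WRITE_FCS = {5, 6, 15, 16}   # function codes that change controller state

def parse_modbus_tcp(frame: bytes):
    """Decode the 7-byte MBAP header plus PDU; return None if malformed."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:   # length = unit id byte + PDU
        return None
    fc, pdu = frame[7], frame[8:]
    start = count = None
    if fc in (1, 2, 3, 4, 15, 16) and len(pdu) >= 4:   # start address + quantity
        start, count = struct.unpack(">HH", pdu[:4])
    elif fc in (5, 6) and len(pdu) >= 4:               # single address + value
        start, count = struct.unpack(">H", pdu[:2])[0], 1
    return {"tid": tid, "unit": unit, "fc": fc, "start": start, "count": count}

def mbap(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Wrap a PDU in an MBAP header (used here only to build sample frames)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

class ModbusBaseline:
    """Baseline keyed by (client ip, unit id, function code) -> register windows seen."""

    def __init__(self):
        self.seen = defaultdict(set)

    def learn(self, client: str, frame: bytes) -> None:
        req = parse_modbus_tcp(frame)
        if req:
            self.seen[(client, req["unit"], req["fc"])].add((req["start"], req["count"]))

    def check(self, client: str, frame: bytes) -> list:
        """Return reasons the request deviates from the baseline ([] means normal)."""
        req = parse_modbus_tcp(frame)
        if req is None:
            return ["malformed Modbus/TCP frame"]
        reasons = []
        if client not in {c for (c, _, _) in self.seen}:
            reasons.append(f"client {client} never seen on this segment")
        key = (client, req["unit"], req["fc"])
        name = FC_NAMES.get(req["fc"], f"FC{req['fc']}")
        if key not in self.seen:
            kind = "write" if req["fc"] in WRITE_FCS else "request"
            reasons.append(f"{kind} {name} to unit {req['unit']} not in baseline")
        elif (req["start"], req["count"]) not in self.seen[key]:
            reasons.append(f"{name} window {req['start']}+{req['count']} outside baseline")
        return reasons

# Constructed learning traffic: the HMI polls unit 1's holding registers 0..9 and coils 0..7
LEARN = [("10.1.0.5", mbap(1, struct.pack(">BHH", 3, 0, 10)))] * 3 + \
        [("10.1.0.5", mbap(1, struct.pack(">BHH", 1, 0, 8)))]

def demo():
    """Train on LEARN, then check one normal poll and one suspicious write."""
    bl = ModbusBaseline()
    for client, frame in LEARN:
        bl.learn(client, frame)
    normal = bl.check("10.1.0.5", mbap(1, struct.pack(">BHH", 3, 0, 10)))
    # Write Single Register from a host absent from the baseline: expect two findings
    alert = bl.check("10.1.0.77", mbap(1, struct.pack(">BHH", 6, 40, 0x1234)))
    return normal, alert
```

In a real deployment the frames would come from a SPAN port or network tap rather than constructed bytes, which keeps the monitoring passive and avoids the active-scanning disruptions described earlier on this page.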

Sources

  • IBM Security. (2025). X-Force Threat Intelligence Index 2025. Armonk, NY: IBM Corporation.
  • Cybersecurity and Infrastructure Security Agency. (2025). Critical Infrastructure Cyber Risk Assessment: Annual Report. Washington, DC: CISA.
  • Dragos, Inc. (2025). OT Cybersecurity Year in Review 2024. Hanover, MD: Dragos.
  • SANS Institute. (2025). ICS/OT Cybersecurity Survey: Workforce, Budgets, and Technology Gaps. Bethesda, MD: SANS.
  • North American Electric Reliability Corporation. (2025). State of Reliability Report and Grid Security Update. Atlanta, GA: NERC.
  • European Union Agency for Cybersecurity (ENISA). (2025). NIS2 Implementation Status and Critical Infrastructure Threat Landscape. Athens: ENISA.
  • National Institute of Standards and Technology. (2024). Cybersecurity Framework 2.0 and Zero Trust Architecture for Industrial Control Systems. Gaithersburg, MD: NIST.
