
Playbook: adopting critical infrastructure resilience in 90 days

A step-by-step rollout plan with milestones, owners, and metrics. Focus on data quality, standards alignment, and how to avoid measurement theater.

In 2024, the United States experienced 27 billion-dollar disasters causing $182 billion in damages—a sevenfold increase in economic losses compared to the 1970s (NOAA, 2025). Meanwhile, cyberattacks on critical infrastructure surged 70% year-over-year, with utilities facing an average of 1,728 weekly attacks per organization (IBM X-Force, 2024). The critical infrastructure protection market has ballooned to $148.64 billion globally, yet cities report a $40.8 billion funding gap across 484 climate resilience projects. For product and design teams charged with building resilient systems, this is not abstract policy—it is the operational environment in which your infrastructure must survive. This playbook provides a 90-day implementation framework to move from vulnerability assessment to measurable resilience, with clear milestones, ownership structures, and metrics that distinguish genuine progress from measurement theater.

Why It Matters

Critical infrastructure—energy grids, water systems, transportation networks, telecommunications, and healthcare facilities—forms the backbone of modern society. When these systems fail, the consequences cascade: power outages disable water treatment plants, hospital equipment loses functionality, supply chains fracture, and economic activity grinds to a halt. The Department of Homeland Security's 2024–2025 Strategic Guidance identifies five priority risk areas: cyber threats from state actors, AI and emerging technology vulnerabilities, supply chain fragility, climate impacts, and space systems dependencies (DHS, 2024).

The economic case for resilience investment is compelling. Analysis from the World Resources Institute demonstrates that every dollar invested in climate-resilient infrastructure produces a 4:1 benefit-cost ratio, with $1 invested yielding $13 in avoided recovery expenses over a ten-year horizon (WRI, 2024). However, current adaptation finance flows of approximately $65 billion annually fall dramatically short of the $845 billion needed by 2050—a 13-fold gap (UNEP, 2024).

For European product teams, the regulatory environment adds urgency. The EU's NIS2 Directive mandates enhanced cybersecurity measures for essential services, while the European Climate Law requires member states to integrate climate adaptation into infrastructure planning. Failure to build resilience is not merely a technical shortcoming—it exposes organizations to regulatory penalties, reputational damage, and operational failures that can destroy market position overnight.

Key Concepts

Understanding critical infrastructure resilience requires familiarity with several foundational frameworks that structure assessment and implementation.

The 4Rs Framework defines resilience through four complementary capabilities: Robustness (structural integrity under stress), Redundancy (backup capacity and alternative pathways), Resourcefulness (emergency response capabilities and funding availability), and Rapidity (speed of recovery and service restoration). Effective resilience programs must address all four dimensions, as optimizing one while neglecting others creates brittle systems that fail unpredictably.

Risk Component Analysis breaks vulnerability into discrete elements: Hazard (the climate or threat stressor itself), Exposure (which assets sit in harm's way), Sensitivity (how vulnerable those assets are to damage), and Adaptive Capacity (the organization's ability to respond and recover). This decomposition enables targeted interventions rather than scattershot spending.

Cascade Failure Modeling recognizes that infrastructure systems are deeply interdependent. Power failures disable telecommunications; telecommunications failures prevent emergency coordination; emergency coordination failures amplify health system strain. Any resilience strategy must map these interdependencies and address single points of failure that can trigger cascading collapse.

Multi-Hazard Assessment acknowledges that infrastructure faces compound threats: extreme temperatures combine with drought; flooding coincides with wind damage; cyberattacks exploit the chaos of natural disasters. Siloed hazard analysis systematically underestimates true risk exposure.

What's Working

Integrated IT-OT Security Architectures

The convergence of information technology (IT) and operational technology (OT) security has matured significantly. Organizations deploying unified platforms from vendors like Dragos, Claroty, and Nozomi Networks report substantially improved threat visibility across previously siloed industrial control systems. The operational technology security market is projected to reach $95.1 billion by 2030, reflecting widespread recognition that protecting physical infrastructure requires purpose-built solutions distinct from traditional enterprise security (MarketsandMarkets, 2024).

Zero Trust Implementation

Zero Trust architectures—which assume no implicit trust based on network location—have proven particularly effective for distributed infrastructure. Rather than defending a perimeter, Zero Trust continuously validates every access request against policy, dramatically reducing the blast radius of successful intrusions. CISA's Cybersecurity Performance Goals explicitly recommend Zero Trust adoption for critical infrastructure operators.

Climate Risk Integration in Design Standards

Leading infrastructure developers now embed climate projections into design specifications from project inception. The DOT's PROTECT program has allocated over $9 billion for climate resilience projects, while updated design standards account for sea-level rise, extreme heat, and precipitation changes over infrastructure lifecycles of 50–70 years. This represents a fundamental shift from reactive retrofitting to proactive design.

Public-Private Threat Intelligence Sharing

Information sharing and analysis centers (ISACs) for energy, water, transportation, and other sectors have matured into effective threat intelligence networks. Real-time sharing of indicators of compromise, attack patterns, and defensive measures allows smaller operators to benefit from the security investments of larger peers.

What's Not Working

Measurement Theater

Many organizations conflate activity metrics with outcome metrics, generating dashboards that measure compliance checkbox completion rather than actual resilience improvement. Common failure modes include tracking vulnerability scan completion rates without measuring remediation velocity, counting tabletop exercises without assessing actual response capability, and reporting backup system existence without testing recovery time objectives.

Siloed Risk Assessment

Despite rhetorical commitment to integrated risk management, most organizations still assess cyber risk, physical security, and climate risk through separate processes with different owners, timelines, and risk appetite statements. This fragmentation prevents identification of compound risks and creates governance gaps where threats fall between organizational boundaries.

Underinvestment in Workforce Development

The critical infrastructure security workforce gap remains severe, with demand far outpacing supply for professionals who understand both OT environments and cybersecurity principles. Technology investments cannot compensate for undertrained operators who misconfigure systems, fail to recognize attack indicators, or cannot execute incident response procedures under pressure.

Adaptation Finance Shortfall

While the investment case for resilience is strong, capital allocation remains inadequate. US cities report funding only $22 billion of $62.7 billion in identified climate adaptation needs—a 35% fulfillment rate. Private capital flows toward higher-return opportunities, while public budgets face competing demands. This persistent underinvestment guarantees that infrastructure will remain more vulnerable than technical solutions would permit.

Key Players

Established Leaders

Honeywell International provides building automation, industrial security, and operational technology solutions across energy, manufacturing, and building management sectors. Their integrated approach addresses both physical and cyber resilience for critical facilities.

Palo Alto Networks has expanded aggressively into OT security through acquisitions including Cider Security, offering unified threat management that spans enterprise IT and industrial control environments.

Siemens delivers comprehensive infrastructure solutions including smart grid technology, building management systems, and industrial cybersecurity, with particular strength in European energy and transportation sectors.

Schneider Electric focuses on power management and automation, providing resilience solutions for energy infrastructure, data centers, and industrial facilities with strong sustainability integration.

BAE Systems applies defense-grade security capabilities to critical infrastructure protection, with particular expertise in secure communications and threat intelligence.

Emerging Startups

Dragos specializes in industrial control system security with deep expertise in energy and utility environments, providing threat detection, incident response, and vulnerability assessment specifically designed for OT environments.

Claroty offers asset visibility and threat detection across extended industrial networks, with particular strength in healthcare, manufacturing, and pharmaceutical infrastructure.

Nozomi Networks provides network visibility and anomaly detection for industrial environments, with partnerships across the energy sector including GE Power.

Dream Security raised $100 million in 2025 for nation-state threat defense capabilities purpose-built for critical infrastructure protection.

Upwind Security secured $100 million in late 2024 for cloud runtime security, addressing the growing attack surface as infrastructure operators migrate to cloud-native architectures.

Key Investors

National Grid Partners actively invests in OT security and grid resilience solutions, leveraging utility operational expertise to identify promising technologies.

Chevron Technology Ventures funds industrial cybersecurity and energy infrastructure resilience, with portfolio companies including Dragos and Claroty.

Andreessen Horowitz has expanded its cybersecurity investment thesis to include critical infrastructure protection, participating in several large rounds during 2024–2025.

Sector-Specific KPI Framework

| Sector | Metric | Target Range | Measurement Frequency |
|---|---|---|---|
| Energy | Mean Time to Detect (MTTD) | <24 hours | Continuous |
| Energy | N-1 Redundancy Coverage | >95% of critical substations | Quarterly |
| Water | SCADA Vulnerability Remediation Rate | >90% within 30 days | Monthly |
| Water | Backup Power Duration | >72 hours | Annually |
| Transportation | Recovery Time Objective (RTO) | <4 hours for critical systems | Per incident |
| Transportation | Climate Hazard Exposure Mapped | 100% of assets | Annually |
| Telecommunications | Network Redundancy Index | >2.5 path diversity | Quarterly |
| Telecommunications | Incident Response Drill Score | >85% objectives met | Bi-annually |
| Healthcare | Critical System Uptime | >99.95% | Continuous |
| Healthcare | Medical Device Inventory Accuracy | >98% | Monthly |

Examples

1. Tennessee Valley Authority (TVA)

The Tennessee Valley Authority, one of the largest public power providers in the United States, implemented a comprehensive resilience program following increasing climate-related disruptions. TVA invested $2.2 billion in grid modernization including advanced metering infrastructure, self-healing distribution networks, and hardened transmission corridors. Their approach integrated cyber and physical security under unified governance, with real-time threat monitoring across 16,000 miles of transmission lines. By 2024, TVA reported a 40% reduction in customer outage duration despite increasing severe weather frequency, demonstrating that sustained investment in resilience capabilities produces measurable operational improvements.

2. Rotterdam Port Authority

The Port of Rotterdam, Europe's largest seaport, developed a multi-hazard resilience framework addressing climate change, cyber threats, and supply chain disruptions. Their Digital Twin initiative creates real-time simulation capability for the entire port complex, enabling scenario modeling for flooding, vessel traffic disruptions, and infrastructure failures. The port authority invested €300 million in physical flood defenses while simultaneously deploying OT security solutions across terminal operating systems. Rotterdam's approach demonstrates that critical infrastructure resilience requires parallel investment in physical hardening and cyber protection, governed through integrated risk management structures.

3. Thames Water

Thames Water serves 15 million customers in London and the Thames Valley, facing compound pressures from aging infrastructure, climate variability, and regulatory requirements. Their resilience strategy prioritizes water supply security through interconnection with neighboring utilities, creating alternative supply pathways when primary sources are compromised. Thames Water deployed industrial control system monitoring across treatment plants and pumping stations following sector-wide threat assessments. Their experience illustrates both the potential and challenges of resilience transformation in heavily regulated utility environments, where capital constraints and regulatory timelines shape what is achievable within 90-day implementation windows.

Action Checklist

The following checklist structures a 90-day implementation program across three phases:

Phase 1: Assessment (Days 1–30)

  • Complete asset inventory across IT, OT, and physical infrastructure with criticality ratings
  • Map interdependencies between systems identifying single points of failure
  • Assess current-state maturity against the 4Rs framework (Robustness, Redundancy, Resourcefulness, Rapidity)
  • Identify regulatory requirements and compliance gaps (NIS2, sector-specific mandates)
  • Establish baseline metrics for detection, response, and recovery capabilities
  • Conduct tabletop exercise simulating compound threat scenario
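
The interdependency mapping step above, and the Cascade Failure Modeling concept under Key Concepts, can be prototyped as a small dependency graph. This is an added example, not part of the original playbook; the asset names and the dependency map are constructed for illustration, and the "requirement group" model (an asset needs at least one surviving member of every group) is an assumption of this sketch.

```python
# Constructed dependency map (hypothetical assets, not from the playbook).
# Each asset lists requirement groups; it stays up only if every group
# still has at least one member up. A two-member group models redundancy.
DEPENDS_ON = {
    "grid_feed": [],
    "backup_generator": [],
    "substation": [["grid_feed"]],
    "telecom_core": [["substation", "backup_generator"]],
    "scada_server": [["substation"], ["telecom_core"]],
    "water_treatment": [["substation", "backup_generator"], ["scada_server"]],
    "emergency_dispatch": [["telecom_core"]],
    "hospital": [["substation", "backup_generator"], ["water_treatment"]],
}


def cascade(initial_failures, depends_on=DEPENDS_ON):
    """Return every asset that is down once the failure has propagated."""
    down = set(initial_failures)
    changed = True
    while changed:  # repeat until a full pass adds no new failures
        changed = False
        for asset, groups in depends_on.items():
            if asset in down:
                continue
            # An asset fails when any requirement group has no survivor.
            if any(all(member in down for member in group) for group in groups):
                down.add(asset)
                changed = True
    return down


def single_points_of_failure(critical, depends_on=DEPENDS_ON):
    """Map each asset whose lone failure takes down a critical service
    to the sorted list of critical services it takes down."""
    result = {}
    for asset in depends_on:
        lost = (cascade({asset}, depends_on) - {asset}) & set(critical)
        if lost:
            result[asset] = sorted(lost)
    return result


if __name__ == "__main__":
    for asset, lost in single_points_of_failure(
            ["hospital", "emergency_dispatch"]).items():
        print(f"{asset}: loss cascades to {', '.join(lost)}")
    # Compound scenario: grid and backup power lost together.
    print(sorted(cascade({"grid_feed", "backup_generator"})))
```

In this constructed map the hospital has redundant power, yet a lone SCADA server failure still reaches it through water treatment, which is the kind of indirect single point of failure the mapping step is meant to surface.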

Phase 2: Planning (Days 31–60)

  • Define explicit resilience objectives with measurable targets and timelines
  • Prioritize interventions based on risk reduction per euro invested
  • Assign ownership for each resilience workstream with accountability metrics
  • Develop procurement specifications for technology and service requirements
  • Create stakeholder communication plan including board reporting framework
  • Establish governance structure integrating cyber, physical, and climate risk

Phase 3: Implementation (Days 61–90)

  • Deploy monitoring capabilities for highest-criticality assets
  • Implement backup power and communications for critical control systems
  • Execute initial hardening measures for identified vulnerabilities
  • Conduct functional exercise testing response and recovery procedures
  • Establish recurring review cadence for resilience metrics
  • Document lessons learned and update roadmap for subsequent quarters

FAQ

Q: How should we prioritize between cyber resilience and climate resilience investments?

A: The distinction between cyber and climate resilience is increasingly artificial. Climate events create conditions that cyber adversaries exploit—stressed operators, degraded communications, and emergency decision-making environments. Prioritization should focus on protecting the assets most critical to organizational mission regardless of threat vector. Start with assets whose failure would cause irreversible harm or prolonged service disruption, then work outward based on impact severity and recovery time requirements.

Q: What does meaningful measurement look like versus measurement theater?

A: Meaningful measurement focuses on outcomes rather than activities. Instead of tracking "number of vulnerability scans completed," measure "percentage of critical vulnerabilities remediated within SLA." Instead of counting "tabletop exercises conducted," assess "time to detect simulated incident" and "accuracy of initial containment decisions." Measurement theater generates reports; meaningful measurement changes behavior and improves outcomes.

Q: How do we justify resilience investment when ROI is uncertain?

A: Frame resilience investment as insurance with asymmetric payoffs. The 4:1 benefit-cost ratio from WRI analysis provides one reference point. More compelling is scenario analysis: quantify the cost of a 72-hour power outage to your operations, then compare against hardening investment required to prevent it. Resilience investment typically looks expensive until you calculate what happens without it. Regulatory penalties under NIS2 and reputational damage provide additional financial justification.

Q: What is a realistic timeline for meaningful resilience improvement?

A: Ninety days is sufficient to establish assessment baselines, implement monitoring for critical assets, and address the highest-priority vulnerabilities. Comprehensive resilience transformation requires multi-year commitment as infrastructure lifecycles span decades. The goal of a 90-day program is not perfection but establishing the governance structures, measurement capabilities, and initial protections that enable sustained improvement.

Q: How do we address workforce capability gaps?

A: Workforce development requires parallel investment alongside technology deployment. Options include upskilling existing OT staff in cybersecurity fundamentals, recruiting from adjacent fields (industrial engineering, network operations), and engaging managed security service providers to augment internal capabilities. Long-term, partnerships with universities and technical training programs build sustainable talent pipelines.
