Trend analysis: Critical infrastructure cybersecurity — where the value pools are (and who captures them)
Signals to watch, value pools, and how the landscape may shift over the next 12–24 months. Focus on attack paths, detection/response, and how to harden real-world systems.
In Q3 2024 alone, BlackBerry detected over 600,000 cyberattacks targeting critical infrastructure globally, with 45% directed at financial sector systems and 70% of all cyberattacks now involving critical infrastructure targets (BlackBerry Global Threat Intelligence Report, 2024). This unprecedented attack volume, combined with nation-state actors systematically probing energy grids, water systems, and healthcare networks, has transformed critical infrastructure cybersecurity from a compliance checkbox into an existential business priority.
Why It Matters
The critical infrastructure cybersecurity market reached $54.6 billion in 2024 and is projected to grow at a 5.6% CAGR to $87.7 billion by 2033 (Grand View Research, 2025). This growth trajectory understates the strategic importance: the broader critical infrastructure protection market, encompassing both physical and cyber defenses, exceeded $147 billion in 2024. For policy professionals, compliance officers, and security architects, understanding where value accrues—and which attack vectors demand priority—is essential for allocating limited resources effectively.
The threat landscape has fundamentally shifted. Nation-state actors from China, Russia, and Iran now systematically target U.S. infrastructure with sophisticated persistent access campaigns. The July 2025 disclosure that PRC-affiliated hackers compromised 400+ organizations via Microsoft SharePoint vulnerabilities—including the Departments of Energy, Homeland Security, and Health and Human Services—demonstrated that even well-resourced federal agencies face significant exposure. Meanwhile, the 2024 ransomware attack on Change Healthcare alone cost its parent company more than $2.87 billion in response costs, affected 100 million Americans, and included a $22 million ransom payment.
The financial calculus is stark: 45% of organizations reported losses exceeding $500,000 from cyber-physical system attacks in 2024, with 27% experiencing losses over $1 million. The average data breach cost in the United States reached $10 million in 2025—double the global average. These figures represent direct costs; the cascading economic impacts on supply chains, customer trust, and regulatory standing amplify the total exposure significantly.
Key Concepts
Operational Technology (OT) Security
Critical infrastructure increasingly depends on operational technology systems—SCADA, industrial control systems, and building management platforms—that were designed for reliability rather than security. These systems often run legacy software with known vulnerabilities, lack encryption, and connect to corporate networks in ways that create attack paths from IT to OT environments. The convergence of IT and OT systems has expanded the attack surface dramatically while complicating detection and response.
Zero Trust Architecture (ZTA)
The traditional perimeter-based security model has proven inadequate for distributed critical infrastructure. Zero Trust principles—verify explicitly, use least privilege access, assume breach—are now mandated by federal cybersecurity orders and increasingly adopted by private sector operators. Implementation requires identity management overhauls, network micro-segmentation, and continuous monitoring capabilities that represent significant capital investment.
Supply Chain Security
Critical infrastructure operators depend on complex supply chains of hardware, software, and service providers, each representing potential attack vectors. The SolarWinds compromise demonstrated how a single software vendor breach could provide access to thousands of downstream organizations. Securing the supply chain requires vendor risk assessments, software bill of materials (SBOM) requirements, and contractual security obligations.
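What an SBOM requirement buys a defender in practice is the ability to check every shipped component against advisories and to spot components whose origin cannot be verified. The following is an added example, not code from the original article or from any vendor named on this page: it audits a CycloneDX-style SBOM against an advisory list. The SBOM document, the component names, the advisory identifiers (`ADV-EXAMPLE-*`) and the digests are all constructed placeholders, and the dotted-number version comparison is a deliberate simplification of real version semantics.

```python
"""Audit a CycloneDX-style SBOM against an advisory list.

Added example with constructed input: the SBOM, component names, advisory
ids and digests below are placeholders, not real products or CVEs.
"""
import json
from typing import Dict, List, Tuple

# Constructed SBOM. The third component ships without supplier or hash,
# which is the provenance gap an SBOM requirement is meant to surface.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-plc-driver", "version": "2.3.1",
     "supplier": {"name": "Example Automation"},
     "hashes": [{"alg": "SHA-256", "content": "<placeholder-digest-1>"}]},
    {"type": "library", "name": "example-historian-client", "version": "4.0.0",
     "supplier": {"name": "Example Data"},
     "hashes": [{"alg": "SHA-256", "content": "<placeholder-digest-2>"}]},
    {"type": "library", "name": "example-opc-bridge", "version": "1.9.5"}
  ]
}
"""

# Constructed advisory feed: a component is affected when its version is
# below the first fixed release.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-EXAMPLE-001", "component": "example-plc-driver",
     "fixed_in": "2.4.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "component": "example-historian-client",
     "fixed_in": "3.9.0", "severity": "critical"},
]

Finding = Tuple[str, str, str, str]  # (kind, component, version, detail)


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; real tooling needs full semver/purl logic."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str, fixed_in: str) -> bool:
    return parse_version(version) < parse_version(fixed_in)


def audit_sbom(sbom_text: str, advisories: List[Dict[str, str]]) -> List[Finding]:
    """Return vulnerable components and components lacking verifiable provenance."""
    sbom = json.loads(sbom_text)
    findings: List[Finding] = []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        # Provenance check: without a supplier and a hash the artifact cannot be
        # tied to a vendor or verified against what was actually deployed.
        if not comp.get("supplier") or not comp.get("hashes"):
            findings.append(("provenance", name, version,
                             "missing supplier or hash; integrity cannot be verified"))
        for adv in advisories:
            if adv["component"] == name and is_affected(version, adv["fixed_in"]):
                findings.append(("vulnerable", name, version,
                                 f'{adv["id"]} ({adv["severity"]}); fixed in {adv["fixed_in"]}'))
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SBOM_JSON, ADVISORIES):
        print(*finding, sep=" | ")
```

Run as a script it reports two findings: the PLC driver is behind the fixed release, and the OPC bridge cannot be attributed to a supplier at all. Contractual security obligations should cover exactly those two outcomes: a patch or compensating control for the first, and a complete component record for the second.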
| KPI | Baseline (2023) | Current (2024-2025) | Target | Best-in-Class |
|---|---|---|---|---|
| Mean Time to Detect (MTTD) | 207 days | 194 days | <30 days | <24 hours |
| Mean Time to Respond (MTTR) | 73 days | 64 days | <7 days | <1 hour |
| OT Asset Visibility | 35% | 48% | 90%+ | 99% |
| Patch Compliance (Critical) | 62% | 71% | 95% | 99% |
| Security Training Completion | 78% | 84% | 100% | 100% |
| Third-Party Risk Assessments | 45% | 58% | 100% | 100% |
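The two time-based KPIs in the table are only meaningful if every incident record carries the same three timestamps: first evidence of compromise, confirmed detection, and containment. The following is an added example, not code from the original article: it computes MTTD and MTTR from such records and rates them against the table's target and best-in-class bands. The four incident records are constructed sample data, and the report also emits the median, because a single long-dwell intrusion of the kind described later on this page can drag the mean far from what the typical incident looks like.

```python
"""Compute MTTD and MTTR from incident records and rate them against the KPI
bands above (MTTD target <30 days, best-in-class <24 hours; MTTR target <7
days, best-in-class <1 hour).

Added example with constructed incident records; the timestamps are
hypothetical and not drawn from any report.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Dict, Iterable, List

DAY_SECONDS = 86400


@dataclass(frozen=True)
class Incident:
    incident_id: str
    first_compromise: datetime  # earliest evidence of adversary activity
    detected: datetime          # SOC confirms and opens the incident
    contained: datetime         # adversary access removed


def _ts(text: str) -> datetime:
    """Parse an ISO 8601 timestamp with an explicit UTC offset."""
    return datetime.fromisoformat(text)


# Constructed sample data: three ordinary intrusions and one long-dwell
# intrusion (INC-004) that went unnoticed for nine months.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-001", _ts("2024-01-10T08:00:00+00:00"),
             _ts("2024-03-01T08:00:00+00:00"), _ts("2024-03-04T08:00:00+00:00")),
    Incident("INC-002", _ts("2024-04-02T10:00:00+00:00"),
             _ts("2024-04-02T14:00:00+00:00"), _ts("2024-04-02T20:00:00+00:00")),
    Incident("INC-003", _ts("2024-05-01T00:00:00+00:00"),
             _ts("2024-05-11T00:00:00+00:00"), _ts("2024-05-12T00:00:00+00:00")),
    Incident("INC-004", _ts("2023-09-01T00:00:00+00:00"),
             _ts("2024-06-01T00:00:00+00:00"), _ts("2024-06-15T00:00:00+00:00")),
]


def dwell_days(inc: Incident) -> float:
    """Days the adversary was present before detection (the MTTD input)."""
    return (inc.detected - inc.first_compromise).total_seconds() / DAY_SECONDS


def response_days(inc: Incident) -> float:
    """Days from detection to containment (the MTTR input)."""
    return (inc.contained - inc.detected).total_seconds() / DAY_SECONDS


def rate(value_days: float, target_days: float, best_days: float) -> str:
    """Place a value in the table's bands; thresholds are strict ('<')."""
    if value_days < best_days:
        return "best-in-class"
    if value_days < target_days:
        return "meets target"
    return "below target"


def kpi_report(incidents: Iterable[Incident]) -> Dict[str, object]:
    incidents = list(incidents)
    dwell = [dwell_days(i) for i in incidents]
    resp = [response_days(i) for i in incidents]
    return {
        "mttd_days": mean(dwell),
        "mttd_median_days": median(dwell),
        "mttd_rating": rate(mean(dwell), target_days=30, best_days=1),
        "mttr_days": mean(resp),
        "mttr_median_days": median(resp),
        "mttr_rating": rate(mean(resp), target_days=7, best_days=1 / 24),
    }


if __name__ == "__main__":
    for key, value in kpi_report(SAMPLE_INCIDENTS).items():
        print(f"{key:18} {value:.2f}" if isinstance(value, float) else f"{key:18} {value}")
```

On the constructed data the mean dwell time is about 84 days while the median is 30.5 days: one pre-positioned intrusion moves the program from the edge of the target band to well outside it, which is exactly why detection KPIs should be reported with both statistics and with the outlier called out.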
What's Working
AI-Enabled Threat Detection
Machine learning systems have dramatically improved anomaly detection in OT environments, identifying behavioral deviations that rule-based systems miss. Dragos, Claroty, and Nozomi Networks have deployed AI-powered platforms that reduced false positive rates by 60-80% while identifying novel attack patterns. The April 2025 launch of Forcepoint's AI-powered Data Security Cloud demonstrates continued investment in intelligent threat detection.
Public-Private Intelligence Sharing
CISA's Joint Cyber Defense Collaborative (JCDC) has improved coordination between government agencies and private sector operators. In 2024, CISA managed 430 cyber incidents, with 89 classified as nationally significant. Rapid sharing of indicators of compromise (IOCs) and tactical threat intelligence has accelerated response times and enabled proactive defense postures across sectors.
Segmentation and Network Isolation
Organizations implementing robust network segmentation between IT and OT environments have demonstrated significantly reduced blast radius from breaches. Duke Energy's implementation of industrial DMZ architectures and unidirectional security gateways has become a model for utility sector hardening, limiting lateral movement even when initial access is achieved.
What's Not Working
Legacy System Vulnerabilities
Critical infrastructure operators face a fundamental tension between operational continuity and security modernization. SCADA systems with 20+ year lifecycles cannot be patched without risking operational disruption, yet they contain known vulnerabilities exploitable by adversaries. The average industrial control system contains 11 distinct vulnerabilities, with many operators unable to remediate without complete system replacement.
Workforce Shortages
The United States requires approximately 225,000 additional cybersecurity professionals, with only 85% of current vacancies fillable from the existing talent pool. OT security expertise is particularly scarce—specialists command average salaries of $117,000 and face intense competition. This shortage forces organizations to rely on understaffed security operations centers or expensive managed service providers.
Inconsistent Regulatory Frameworks
Despite increased regulatory attention, critical infrastructure cybersecurity requirements vary significantly across sectors and jurisdictions. Water utilities face minimal federal mandates while financial services operate under prescriptive frameworks. This inconsistency creates compliance complexity, enables regulatory arbitrage, and leaves some sectors dangerously underprotected. The EU's NIS-2 Directive, expanding mandatory requirements to 18 sectors, highlights the gap between European and U.S. approaches.
Key Players
Established Leaders
Palo Alto Networks has emerged as a leading provider of comprehensive cybersecurity platforms, with their Cortex XSIAM consolidating detection, investigation, and response capabilities. Their OT security acquisitions position them strongly for critical infrastructure deployments.
Cisco Systems leverages its networking infrastructure dominance to deliver integrated security solutions for industrial environments. Their SecureX platform provides visibility across IT and OT networks, while industrial-grade switches and routers embed security at the network layer.
Fortinet specializes in high-performance security appliances suitable for operational technology environments, with rugged form factors designed for industrial deployment. Their Security Fabric architecture enables coordinated defense across distributed infrastructure.
CrowdStrike leads in endpoint detection and response (EDR) for IT environments and has expanded into OT asset discovery through their Falcon for IT/OT solution. Their threat intelligence capabilities draw on data from millions of endpoints globally.
Emerging Startups
Dragos pioneered industrial cybersecurity with purpose-built OT threat detection and response capabilities. Founded by former NSA analysts, Dragos maintains the industry's most comprehensive industrial threat intelligence program and has responded to the majority of publicly disclosed ICS incidents.
Claroty provides comprehensive visibility into cyber-physical systems across manufacturing, healthcare, and critical infrastructure. Their platform maps asset inventories, identifies vulnerabilities, and detects threats in environments where traditional IT security tools fail.
Armis focuses on agentless device visibility and security for unmanaged and IoT assets. Their platform discovers and classifies devices that cannot run endpoint agents—a critical capability for medical devices, building systems, and industrial equipment.
Key Investors & Funders
Insight Partners has invested over $1 billion in cybersecurity companies including Armis, Recorded Future, and Wiz, demonstrating continued confidence in the sector's growth trajectory.
CISA (Cybersecurity and Infrastructure Security Agency) provides direct technical assistance to critical infrastructure operators, operates the National Cybersecurity Protection System, and coordinates federal cybersecurity policy. Their 2024 Year in Review highlighted $250 million in direct support to state and local governments.
General Atlantic led a $400 million growth investment in Claroty in 2024, valuing the company at $1.8 billion and signaling institutional conviction in OT security market expansion.
Real-World Examples
Example 1: Change Healthcare Ransomware Attack
In February 2024, the ALPHV/BlackCat ransomware group compromised Change Healthcare, processing approximately 15 billion healthcare transactions annually. The attack disrupted claims processing for weeks, prevented patients from filling prescriptions, and forced providers to operate without payment visibility. UnitedHealth Group, Change Healthcare's parent company, reported response costs exceeding $2.87 billion and confirmed that attackers accessed data on 100 million Americans. The $22 million ransom payment—and subsequent ransomware group collapse—illustrated both the scale of potential impact and the complexity of payment decisions.
Example 2: Volt Typhoon Infrastructure Infiltration
In 2024, U.S. intelligence agencies disclosed that the Chinese state-sponsored group Volt Typhoon had maintained persistent access to U.S. critical infrastructure for years, pre-positioning for potential disruption during a Taiwan conflict. The group targeted water utilities, power companies, and transportation systems using living-off-the-land techniques that evaded traditional detection. This campaign demonstrated that nation-state adversaries view infrastructure access as strategic military capability, not merely intelligence collection opportunity. The response required coordinated government-industry action to identify and evict the threat actors across dozens of organizations.
Example 3: Halliburton Operational Disruption
In August 2024, oilfield services giant Halliburton experienced a cyberattack that forced systems offline and disrupted operations at drilling sites globally. The company reported $35 million in direct losses from the incident, though the full operational impact on customer relationships and project timelines remained difficult to quantify. The attack demonstrated that even companies with sophisticated security programs face significant exposure when adversaries identify gaps in detection or response capabilities.
Action Checklist
- Conduct comprehensive OT asset inventory including legacy systems, embedded devices, and third-party connections to establish baseline visibility
- Implement network segmentation between IT and OT environments with documented data flows and access controls
- Deploy OT-specific threat detection capabilities that understand industrial protocols and normal operational patterns
- Establish incident response plans with defined roles, communication protocols, and manual operation procedures for extended outages
- Assess third-party vendor security practices and require contractual security obligations for critical suppliers
- Participate in sector-specific ISACs (Information Sharing and Analysis Centers) to receive threat intelligence and share incident data
- Develop workforce training programs covering both technical skills and security awareness for operational personnel
FAQ
Q: What are the most common attack vectors targeting critical infrastructure? A: Phishing remains the dominant initial access vector, accounting for approximately 41% of successful intrusions. However, the attack paths vary significantly: ransomware operators typically move from corporate IT networks into OT environments through poorly segmented connections, while nation-state actors like Volt Typhoon exploit internet-facing devices and use legitimate credentials to avoid detection. Remote access solutions, including VPNs and remote desktop protocols, represent particularly high-value targets given their prevalence in distributed infrastructure operations.
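The segmentation model described under "What's Working" (an industrial DMZ between IT and OT, with one-way data flows), the checklist item calling for documented data flows, and the IT-to-OT attack path described in the answer above all come down to one question a defender can check mechanically: does every observed cross-zone flow match a written policy path? The following is an added example, not code from the original article or from any utility's design. The zone address ranges, the policy rules, the jump-host address and the flow records are all constructed; a real deployment would take zones from the asset inventory and flows from firewall or flow-collector exports.

```python
"""Check observed network flows against an IT/OT segmentation policy.

Added example. Zones, policy and flow records are constructed (hypothetical
addresses and hosts) and do not describe any real utility's design.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed zone model: enterprise IT, industrial DMZ (iDMZ), OT control network.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "idmz": ip_network("10.20.0.0/24"),
    "ot": ip_network("192.168.100.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: FrozenSet[int]                   # allowed destination ports
    note: str
    src_hosts: Optional[FrozenSet[str]] = None  # if set, only these sources may use the path


# Constructed policy. There is deliberately no enterprise -> ot rule, OT data
# leaves only outward to the iDMZ historian replica, and the single inbound
# path into OT is restricted to the jump host.
POLICY: List[Rule] = [
    Rule("enterprise", "idmz", frozenset({443}), "users read historian replica over HTTPS"),
    Rule("ot", "idmz", frozenset({5432}), "historian replicates outward to iDMZ"),
    Rule("idmz", "ot", frozenset({3389}), "jump host to engineering workstation",
         src_hosts=frozenset({"10.20.0.10"})),
]


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone; None means it is not in the inventory."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate_flow(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one observed flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny", "endpoint not in the zone inventory"
    if sz == dz:
        return "allow", f"intra-zone traffic within {sz}"
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone) != (sz, dz):
            continue
        if dport not in rule.dst_ports:
            continue
        if rule.src_hosts is not None and src not in rule.src_hosts:
            continue
        return "allow", rule.note
    # Direction matters: an idmz -> ot flow on the historian port is denied even
    # though ot -> idmz on the same port is allowed (one-way replication).
    return "deny", f"no policy path {sz} -> {dz} on port {dport}"


# Constructed flow records: "<timestamp> <src> <dst> <dport>"
SAMPLE_FLOWS = """\
2025-01-15T09:00:01Z 10.10.5.23 10.20.0.20 443
2025-01-15T09:00:02Z 192.168.100.50 10.20.0.20 5432
2025-01-15T09:00:03Z 10.20.0.10 192.168.100.30 3389
2025-01-15T09:00:04Z 10.10.5.23 192.168.100.30 3389
2025-01-15T09:00:05Z 10.20.0.20 192.168.100.50 5432
2025-01-15T09:00:06Z 10.20.0.21 192.168.100.30 3389
2025-01-15T09:00:07Z 192.168.100.50 192.168.100.51 502
2025-01-15T09:00:08Z 172.16.0.5 192.168.100.30 502
"""

Violation = Tuple[str, str, str, int, str]


def audit_flows(flow_log: str) -> List[Violation]:
    """Return every flow the policy does not permit, with the reason."""
    violations: List[Violation] = []
    for line in flow_log.strip().splitlines():
        ts, src, dst, dport = line.split()
        verdict, reason = evaluate_flow(src, dst, int(dport))
        if verdict == "deny":
            violations.append((ts, src, dst, int(dport), reason))
    return violations


if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print(*violation)
```

Of the eight constructed flows, four are flagged: a workstation in enterprise IT reaching an OT host directly, the historian port used in the reverse (inbound) direction, a non-jump host in the iDMZ opening the engineering path, and a source that is in no zone at all. The last case is the reason asset inventory precedes segmentation in the checklist: a flow from an unknown endpoint cannot be judged against any rule, so it is denied and becomes an inventory task rather than silently allowed.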
Q: How do regulatory requirements differ across critical infrastructure sectors? A: Requirements vary dramatically. Financial services operate under prescriptive frameworks including the NYDFS Cybersecurity Regulation and SEC disclosure rules. Energy sector operators face NERC CIP standards with significant penalties for non-compliance. Healthcare entities must comply with HIPAA security rules, though enforcement has been inconsistent. Water utilities face minimal federal mandates despite significant vulnerability, though the EPA has increased enforcement attention. The EU's NIS-2 Directive, effective 2024, establishes baseline requirements across 18 sectors that exceed U.S. frameworks in many areas.
Q: What is the realistic cost of implementing Zero Trust architecture for critical infrastructure? A: Implementation costs vary significantly based on existing infrastructure maturity. Organizations typically report 18-36 month implementation timelines with costs ranging from $2-15 million for mid-sized utilities to $50-200 million for large enterprises. Key cost drivers include identity management system overhauls, network microsegmentation infrastructure, and the operational disruption of transitioning legacy systems. However, organizations with mature Zero Trust implementations report 50-80% reduction in breach impact and improved insurance terms that offset implementation investment.
Q: How should organizations prioritize security investments given limited budgets? A: Prioritization should follow threat-informed defense principles. Start with asset inventory and visibility—you cannot protect what you cannot see. Then implement network segmentation to limit blast radius of inevitable breaches. Detection capabilities come next, focusing on high-fidelity alerts in critical areas rather than comprehensive but noisy monitoring. Response planning and exercises ensure that security investments translate into effective incident management. Finally, address supply chain security through vendor assessments and contractual requirements.
Q: What role do cyber insurance policies play in critical infrastructure risk management? A: Cyber insurance has become both a risk transfer mechanism and a security baseline driver. Insurers increasingly require specific controls—multi-factor authentication, endpoint detection, and backup practices—as underwriting conditions. However, policy exclusions for nation-state attacks and "acts of war" create uncertainty about coverage for state-sponsored intrusions. The Change Healthcare attack tested policy limits, with UnitedHealth reporting that insurance recovered only a fraction of total costs. Organizations should treat insurance as one component of risk management rather than a substitute for security investment.
Sources
- BlackBerry. "Global Threat Intelligence Report Q3 2024." https://www.blackberry.com/us/en/company/newsroom/press-releases/2025/blackberry-reports-600000-cyberattacks-on-critical-infrastructure-in-q3-2024
- Grand View Research. "Cybersecurity in Critical Infrastructure Protection Market Report 2033." https://www.grandviewresearch.com/industry-analysis/cybersecurity-critical-infrastructure-protection-market-report
- CISA. "2024 Year in Review." https://www.cisa.gov/about/2024YIR
- CSIS. "Significant Cyber Incidents." Strategic Technologies Program. https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents
- Thales. "2025 Data Threat Report - Critical Infrastructure Edition." https://cpl.thalesgroup.com/critical-infrastructure-data-threat-report
- SNS Insider. "Critical Infrastructure Protection Market Size Report 2032." https://finance.yahoo.com/news/critical-infrastructure-protection-market-size-133000569.html