SecureWorld News

Securing Critical Infrastructure Against Cyberattacks

Written by Nahla Davies | Tue | Jul 1, 2025 | 1:24 PM Z

In February, U.S. officials revealed that the Chinese group Volt Typhoon had maintained undetected access to power grids, ports, and telecommunications providers for as long as five years—long enough to map every breaker, valve, and switch they might someday wish to sabotage.

The opening months of 2025 have been sobering for anyone who depends on electricity, water, transport, or healthcare, which is to say, everyone. Repeated, high-profile intrusions into pipeline operators, hospital networks, and even traffic-signal systems have shown how tightly our daily routines are bound to digital processes that were never designed for a prolonged siege.

The U.S. Department of Homeland Security's Homeland Threat Assessment 2025 warns that adversaries "almost certainly" view critical infrastructure as the most effective coercive lever they can pull short of open war.

Why cyber threats against critical infrastructure are increasing

Digitization has brought undeniable efficiencies, but it's also removed many of the physical and logical barriers that once protected industrial operations. As operational technology (OT) networks converge with traditional IT, the "air gaps" that once insulated plant floors have shrunk to a few routed packets. There are search engines, such as Shodan or FOFA, that let attackers scan for exposed controllers in minutes. State-sponsored hackers can use those scans to pre-position in U.S. infrastructure for possible later disruption.

The barrier to entry has also plummeted. Hacktivist collectives such as the Cyber Army of Russia Reborn, loosely aligned with Sandworm (APT44), routinely seize poorly configured water treatment systems using brute-force tools and leaked credentials. Ransomware-as-a-Service operations go further still, letting practically anyone launch cyberattacks: the Play gang weaponized a 2025 Windows zero-day just days after it was introduced, bundling the exploit into its affiliate kit for paying customers.

With such groups for hire, the only barrier to entry for committing sophisticated cyberattacks at scale against critical infrastructure is a crypto wallet healthy enough to pay for their services.

Recent geopolitics is adding fuel to the fire. A June 2025 National Terrorism Advisory System bulletin warns that Iranian operators are probing U.S. hospitals and logistics hubs for retaliation pathways after strikes on its nuclear facilities. In Europe, intelligence officials say Moscow's strategy now emphasizes "hybrid warfare," including cyber sabotage, disinformation, and physical disruption, to weaken support for Ukraine.

Artificial intelligence is multiplying attacker speed. AI enables adaptive malware that rewrites its own indicators of compromise in memory to evade detection. Generative AI sustains sophisticated, multi-channel social engineering for phishing campaigns to gain access privileges to critical infrastructure.

Critical infrastructure is particularly vulnerable at the device level. Vulnerabilities in unmanaged IoT sensors and medical devices have grown at a record pace, handing adversaries millions of new footholds.

The real-world impact when essential services go dark

While the attacks against critical infrastructure may be cyber, their impacts are very real.

In July 2024, a cascading outage at several backbone providers, quickly dubbed "the Great IT Outage," knocked out connectivity for millions of Americans, stranding truck fleets, freezing retail systems, and forcing hospitals back onto clipboards for nearly eight hours. Two months later, a Kansas water treatment facility switched to manual operations after its supervisory controls were breached. Residents were assured the water was safe, but local confidence plummeted.

The economic price tag is steep. It's estimated that the economic impact of a severe enough cyberattack against the U.S. power grid could be in excess of $240 billion.

The human toll can be equally stark. UnitedHealth now estimates that the February 2024 breach of its Change Healthcare subsidiary compromised data for 190 million Americans, delaying prescriptions and disrupting insurance billing nationwide. Malicious changes to chemical dosing at water plants or pressure manipulations in pipelines could trigger instant public safety crises. Even near misses erode institutional legitimacy and public trust.

Strategically, persistent intrusions foreshadow a nightmare scenario in which multiple sectors fail at once. Grid instability leads to telecom outages; telecom outages paralyze payment systems; hospitals running on generators must triage surgeries. U.S. CISA, the NSA, and the FBI warn that such cascade planning is now embedded in adversary playbooks.

The cybersecurity gaps in critical infrastructure (and how attackers slip through)

Legacy technology is the soft underbelly of critical infrastructure. Many industrial control systems still run on old operating systems for which vendors no longer publish patches. Attackers scan for those soft spots with commodity tools, then pivot through forgotten remote desktop servers or unpatched VPN concentrators.

CISA's September 2024 alert to the water sector laid bare how default passwords and internet-exposed controllers make even simple brute-force campaigns alarmingly successful.

Once inside, sophisticated groups can keep a low profile. Volt Typhoon operators "live off the land" by harvesting existing Windows credentials, scheduling native PowerShell tasks, and exfiltrating data through legitimate cloud services—tactics that blend neatly with normal network noise.

Supply chain weaknesses compound the risk. The SolarWinds campaign remains the benchmark for how a single compromised update server can seed malware across hundreds of trusted networks before alarms sound, and many vendors still lack telemetry to prove their build pipelines are clean.

Engineers often lack a unified inventory of every controller, sensor, or maintenance laptop attached to a production line, making network visibility a major blind spot (no pun intended). Unmanaged devices account for 66% of critical vulnerabilities this year, underscoring how defenders cannot protect what they cannot see.

The human element remains a vulnerability. A decade after the Ukraine blackout began with a spear-phishing email, social engineering remains potent. Modern phishing campaign kits scrape LinkedIn in real time to personalize lures, while AI voice-cloning makes fraudulent "boss calls" eerily convincing.

Building hardened layered defenses for critical infrastructure

The advanced nature of the cyber threats to our critical infrastructure means it's unlikely we'll ever make it completely immune to attack. Instead, we should treat attacks as inevitabilities and focus on building resilience into our essential networks.

Resilience begins with a mindset shift from perimeter defense to continuous, assumption-of-breach vigilance. CISA's Federal Civilian Executive Branch Operational Cybersecurity Alignment (FOCAL) Plan, released in September 2024, offers a template any operator can borrow: maintain real-time asset inventories, patch relentlessly, design for graceful failure, scrutinize the supply chain, and rehearse incident response until it becomes muscle memory.

That blueprint pairs neatly with the steps U.S. allies are taking. The United Kingdom's Cyber Assessment Framework (CAF) measures maturity across risk management, protection, detection, and recovery. The most recent version emphasizes that multi-factor authentication is no longer a "nice to have"—it must be a baseline for every user, privileged or not.

Zero-trust segmentation must reach beyond the IT stack. Smart utilities isolate supervisory-control networks behind one-way gateways, enforce allow-listed protocols, and log every southbound packet for out-of-range commands.

Where legacy equipment can't be patched, compensating controls, like virtual patching or protective relays, can buy time until replacements are feasible.

People remain the firewall of last resort. Continuous security training that goes beyond annual slide decks reduces click-through rates on phishing tests and, more importantly, encourages rapid internal reporting. In the case of the attack on the Kansas water treatment facility, it was quick operator action that meant the attacker never altered chemical dosing, averting a public health scare.

Collaboration multiplies scarce resources. We can utilize Information Sharing and Analysis Centers (ISACs) to translate raw indicators into sector-specific advisories within hours. The U.S. State and Local Cybersecurity Grant Program is funneling nearly $280 million USD into municipal resilience projects this fiscal year, many of which fund OT monitoring platforms that small water utilities could never afford on their own.

Technology investment is moving in the same direction. Venture capital is flocking to AI-driven anomaly detection engines that correlate OT signal changes with IT logs in real time, spotting voltage shifts before they cascade into grid failures.

Reports show rapid adoption rates as executives realize that signature-based tools lag behind attacker automation. Crucially, these platforms are now being integrated directly into plant-floor safety systems to automate shutdowns if anomalous commands persist for more than a few seconds.
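To make concrete the two controls described above, logging southbound packets against an allow-list and engineering ranges, and automating a safe-state response when anomalous commands persist for more than a few seconds, here is an added example that is not from the article or from any vendor's product. The protocol names, setpoint tags, engineering ranges and the gateway log lines are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta
from typing import Optional

# Allow-listed protocols on the supervisory link and the accepted engineering
# range for each writable setpoint (assumed values for illustration only).
ALLOWED_PROTOCOLS = {"modbus"}
SETPOINT_RANGES = {
    "chlorine_dose_mg_l": (0.5, 4.0),
    "pump_speed_pct": (0.0, 100.0),
}
PERSISTENCE = timedelta(seconds=5)  # the "more than a few seconds" threshold

# Constructed gateway log lines: ISO time, protocol, target tag, value written.
SAMPLE_LOG = """\
2025-07-01T10:00:00 modbus chlorine_dose_mg_l 1.8
2025-07-01T10:00:03 modbus pump_speed_pct 65
2025-07-01T10:00:10 modbus chlorine_dose_mg_l 9.5
2025-07-01T10:00:12 dnp3 pump_speed_pct 70
2025-07-01T10:00:14 modbus chlorine_dose_mg_l 11.0
2025-07-01T10:00:16 modbus chlorine_dose_mg_l 12.0
"""

def classify(line: str) -> Optional[str]:
    """Return a reason string if the command violates policy, else None."""
    _, proto, tag, raw = line.split()
    if proto not in ALLOWED_PROTOCOLS:
        return f"protocol {proto} not allow-listed"
    if tag not in SETPOINT_RANGES:
        return f"unknown tag {tag}"
    lo, hi = SETPOINT_RANGES[tag]
    value = float(raw)
    if not lo <= value <= hi:
        return f"{tag}={value} outside [{lo}, {hi}]"
    return None

def analyze(log: str, persistence: timedelta = PERSISTENCE):
    """Return (alerts, safe_state_at). Each alert is (timestamp, reason).
    safe_state_at is the time at which anomalous commands have persisted longer
    than `persistence` and an automated shutdown would fire, or None."""
    alerts, first_bad, safe_state_at = [], None, None
    for line in log.splitlines():
        ts = datetime.fromisoformat(line.split()[0])
        reason = classify(line)
        if reason is None:
            first_bad = None  # a clean command closes the persistence window
            continue
        alerts.append((ts, reason))
        if first_bad is None:
            first_bad = ts
        if safe_state_at is None and ts - first_bad > persistence:
            safe_state_at = ts
    return alerts, safe_state_at
```

Run against the constructed log, the checker raises four alerts (three out-of-range chlorine writes and one disallowed protocol) and marks the safe-state trigger at 10:00:16, six seconds after the first anomalous write.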

Conclusion

Securing critical infrastructure can't be a box-ticking exercise; it's an existential imperative. The attackers of 2025 move faster, hide better, and aim for tangible disruption. Yet the playbook for resilience is increasingly clear: understand the threat landscape, accept that vulnerabilities span people, process, and technology, and commit to layered defenses rooted in full-spectrum visibility.

Above all, boards must treat cyber risk exactly as they treat financial or safety risk: as an operational reality that deserves continuous attention and budget.

For more insights on this topic, attend the SecureWorld Critical Infrastructure virtual conference on August 28, 2025. See the agenda and register here.