Critical Infrastructure Protection: Securing Essential Systems Against Cyber Threats
From cyber attacks on emergency call centers to electric and telecom network infiltrations, here’s what to know about the threats plaguing critical infrastructure sectors and how to fight back
“We’re sorry, the number you are calling is not available.”
Service outages can bring emergency services like 911 to a standstill. While old tech is to blame in some cases, data from Carbyne and NENA’s (911 Association) 2025 survey report indicates that telephony denial of service (TDoS) attacks and cyber attacks were to blame for one in 10 outages.
This is particularly worrisome when you consider that NENA estimates that these centers handle the 240 million 911 calls made each year (i.e., 457 calls per minute). But emergency services isn’t the only critical infrastructure sector that needs protection and is at risk due to modern cyber threats:
- Hackers recently opened the valves on the water release system at the Lake Risevatnet dam facility in Norway to full capacity. (Source: Energiteknikk)
- In Q1 2025, the education sector experienced an average of 4,484 weekly attacks per organization. Government and telecom sector organizations came in second and third, with 2,678 and 2,664 weekly attacks per organization, respectively. (Source: Check Point Research)
- 305 U.S. healthcare-related data breaches involving protected health information (PHI) of 500+ individuals were reported in 1H 2025. (Source: U.S. Department of Health and Human Services).
So, what can organizations do to mitigate these risks and improve critical infrastructure security?
Let’s hash it out.
An Overview of the Growing Need for Critical Infrastructure Protection

Warfare is no longer just a world of gunfire, missiles, and foxholes. Many wars are now waged in cyberspace, targeting countries’ critical infrastructure, including hospitals, power grids, and water facilities.
However, attacks in the digital realm extend far beyond the reach of your company network. They have real-world repercussions that can result in people being hurt or killed. We’ve seen this in Russian hackers’ repeated attacks on Ukraine’s electric grids, causing multiple localized blackouts since 2015.
But what about an attack on the U.S. critical infrastructure facilities and entities?
- We saw that with the 2021 Colonial Pipeline ransomware attack by the DarkSide ransomware group, a group reported to have targeted 90+ critical infrastructure organizations.
- The U.S. faces an increasing risk of critical infrastructure cyber attacks by Iran-affiliated or state-sponsored threat actors. They’ve already been targeting transportation and manufacturing sector organizations, as well as water and wastewater facilities.
- Officials are concerned that the China state-sponsored hacker groups Salt Typhoon and Volt Typhoon are embedded throughout North American telecom networks and power grids, posing risks to the critical infrastructure of both the U.S. and Canada.
If these systems are compromised or become inoperable, it can spell disaster for the thousands or potentially millions of people living in the targeted communities.
Most Targeted Critical Infrastructure Sectors (CIS)
Curious as to which sectors rank as cybercriminals’ top targets? In 2024 alone, the FBI’s Internet Crime Complaint Center (IC3) received 4,878 complaints from organizations across 14 of the 16 critical infrastructure sectors (CIS) that were impacted by cyber threats. That works out to more than 13 reported complaints per day.
Of those, the IC3 ranked the following critical infrastructure sectors by the number of reported ransomware attacks and data breaches:
- Critical manufacturing ranked #1 for ransomware attacks and #5 for data breaches.
- Healthcare/public health ranked #2 for ransomware attacks and #1 for data breaches.
- Government facilities ranked #3 for ransomware and #3 for data breaches.
- Financial Services ranked #4 for both ransomware attacks and data breaches.
- Information Technology ranked #5 for ransomware (138) and #2 for data breaches.

Again, these numbers represent strictly the reported issues. How many more went unnoticed or unreported? That’s a good question, and one we’ll likely never know the answer to.
Related: CISA Releases 13 Industrial Control Systems Advisories (July 10, 2025)
Cyber Threats Pose Skyrocketing Financial Concerns for CIS Organizations
Claroty’s independent global survey of 1,100 critical infrastructure professionals (The Global State of CPS Security 2024: Business Impact of Disruptions) provides data showing that in the previous 12 months:
- 45% of critical infrastructure cybersec pros reported financial impacts of at least $500,000 due to cyber attacks on cyber-physical systems (CPS).
- 27% indicated losses stemming from these CPS-targeting attacks surpassed $1 million.
- 12% of respondents said these attacks cost their organizations at least $5 million.
Much of that cost was indirect. We’re talking about legal fees (31%), lost customer and partner relationships (30%), regulatory fines (28%), and brand reputation recovery (27%).
Related: 2 Cyber Incidents That Cost One Company’s Clients $6M+
There Are Also the Non-Financial Costs to Consider…
And while money concerns are significant, there are other considerations related to poor critical infrastructure security that can keep you up at night:
- Consumers lose confidence in public and private sector organizations that can’t (or won’t) do what’s necessary to protect their data.
- Power grid-related disruptions leave entire communities without communications, clean water, and other basic services and necessities.
- Compromised or disrupted traffic control systems for trains, automobiles, and airlines can have devastating consequences.
- Cyber attacks can be a matter of life and death, particularly when it comes to hospitals and other healthcare-related services. Ambulances are diverted to other hospitals, patients may not get their medications, and surgeries get canceled. Change Healthcare’s February 2024 ransomware attack is a perfect example of that, as the attack impacted virtually every U.S. hospital in some way.
Related: By the Numbers: 50 Cyber Crime Statistics for 2025
A Look at the Causes of Critical Infrastructure Cyber Attacks
Hacks and other cyber attacks targeting critical infrastructure stem from many risk factors. And while some may involve complex and intricate plans, it’s often the unsophisticated methods that are most effective.
The following list of factors isn’t comprehensive, but it underscores the growing need to improve critical infrastructure protection.
Poor Security Measures and Practices
Password security is one crucial area in which many organizations fail. Employees using weak, easy-to-guess passwords (or using hard-coded or default credentials) leave organizations across all sectors vulnerable to account compromise.
Poor passwords can be brute-forced, which seems to have been the case in the Norwegian dam incident mentioned earlier. Claroty reports that the attacker(s) gained access to the organization’s OT environment by exploiting a weak password on a “web-accessible control panel” used to manage the dam’s minimum water flow. Note what sits behind the weak password: a control interface for a physical process was reachable from the internet with single-factor authentication. A stronger password would have raised the bar, but an interface like that shouldn’t be exposed that way at all.
Their activities went unnoticed for four hours, during which time (thankfully) no one was hurt. But things could have been a whole lot worse for people living in that region.
Related: Don’t Let These Password Cracking Attacks Catch You Off Guard
Vulnerable, Aging Infrastructure
Industrial systems have lifespans that span decades. According to the U.S. Department of Energy (DOE), many of the power grids operating throughout the U.S. were built when a beehive was a popular (yet questionable) lady’s hairstyle and Freddie Mercury first sang “Bohemian Rhapsody.”
As such, internet security (understandably) wasn’t a consideration when these systems were designed and put into operation. Unfortunately, bad guys also know this and actively seek ways to exploit these legitimate concerns.
Researchers at the Czech Technical University (CTU) in Prague recently published a study covering 376 peer-reviewed Chinese papers relating to attack models on U.S. power grids. According to researcher Erika Langerová, Head of Cybersecurity Research at CTU UCEEB:
“The warning signs are clear. Chinese scholars have built a vast body of detailed, simulation-based research on how to destabilize Western power grids, meanwhile Chinese cyber operators have already proven capable of gaining access to the very same real systems. Whether or not they plan to act, the mere existence of such capability demands serious defensive preparation.”
Poor Cybersecurity Hygiene and Awareness-Related Issues
Did you know that 7 in 10 of the U.S. drinking water systems inspected by the Environmental Protection Agency (EPA) didn’t meet baseline security requirements? This lack of even basic security for these essential community water systems is particularly concerning when you consider that there are many ways bad guys can infiltrate or otherwise attack critical infrastructure:
- snooping in insecure communication channels
- exploiting vulnerabilities in industrial control systems and other OT and IoT technologies
- employing social engineering techniques to trick or manipulate privileged users into providing access
- abusing ineffective physical and digital access controls (e.g., exploiting weak, default, or hard-coded credentials, exploiting poorly configured remote services, etc.)
Related: Social Engineering Statistics 2025: When Cyber Crime & Human Nature Intersect
Malicious Insiders
Sometimes, the biggest threats come from within. Research from Everfox shows that one in three security leaders within the financial and banking sector recognize insider threats as a top security concern.
For example, in 2024, a former Google engineer was indicted for aiding Chinese firms by stealing AI trade secrets from his employer. And the Coinbase insider-assisted crypto data breach involved bribed customer-support agents handing over customers’ personal and financial data, including government documents.
Remote Access and Supply Chain Issues
Data from Claroty’s CPS survey of business disruptions indicates some serious concerns.
- Eight in 10 respondents said at least one cyber attack in the previous 12 months originated from a third-party supplier’s access to their CPS environment.
- Of those, 45% indicated this was the case in 5 or more attacks within the same period.
Furthermore, nearly two-thirds of respondents cop to having “only partial or no understanding of third-party connectivity to the CPS environment.” So, if these numbers are based on an incomplete picture, it makes you wonder how many cyber incidents and data breaches may have gone unnoticed and unreported.
Critical Infrastructure Protection: How to Secure Your Systems Against Cyber Attacks
Critical infrastructure security ultimately boils down to resilience and having a comprehensive critical infrastructure protection (CIP) strategy. It’s not only about identifying threats but knowing how to respond while also keeping the lights on (and I mean that quite literally for a certain obvious sector) when crap hits the fan.
You can’t protect yourself against 100% of threats. However, critical infrastructure protection can be layered to ensure your organization’s communications, devices, networks, and other systems are as secure as possible against external and internal threats. We’ll share some of these highlights and point you to some useful industry resources.
1. Perform Regular Cyber Risk Assessments and Update Response Plans
SAFECOM and the National Council on Statewide Interoperability Coordinators (NCSWIC) reiterate the importance of cyber risk assessments and having current cyber incident response and vulnerability response plans.
The risk assessment helps organizations identify, document, and measure:
- which threats and vulnerabilities bad guys can exploit,
- the likelihood of these risks being exploited,
- the estimated impact of these issues, and
This series of processes helps CIS organizations figure out which risk responses to prioritize and develop and implement plans to address them.
2. Have Clear Visibility of Your Network(s) and Digital Assets
It’s no secret that critical infrastructure organizations are increasingly implementing “smart” technologies across their networks. This means that the apps, IoT devices, or systems that critical infrastructure organizations rely on are connected to the internet. Bad guys can potentially access them, and insecure IoT devices expand organizations’ attack surfaces.
Related: A 5-Minute Guide on How to Secure IoT Devices Within Your Enterprise
As such, all of these things should be closely tracked and monitored within your ecosystem. This way, you know what you have, where everything is, and which entities have access to XYZ.
Track Critical Processes and Permissions
Track and log everything. Log what systems are connected to the internet, which entities have access to them, and which systems and individuals make changes (and specifically what changes are made).
Remember the SolarWinds SUNBURST supply chain attack back in 2020? In that situation, state-sponsored attackers compromised the third-party service provider’s build environment to inject malicious code into the company’s Orion platform updates, which went out to ~18,000 customers. The list of potential victims included U.S. government agencies, federal contractors, cybersecurity firms, and software companies (although it’s estimated that “only” around 100 were actually compromised through the backdoor).
What made things particularly challenging with regard to identifying and tracking the attackers is that:
- The attackers used an employee’s VPN account. (How they got access hasn’t been disclosed.)
- SolarWinds didn’t track everything internally when it came to their build servers (and the attackers deleted some logs as well).
- WIRED reports that many of the affected federal agencies “didn’t maintain adequate network logs” and didn’t even put their servers behind firewalls.
- Many of those impacted ran Orion servers that weren’t restricted to communicating only with SolarWinds (and the devices they managed), so the Sunburst backdoor could reach its command-and-control infrastructure unnoticed.
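The last two SolarWinds points are the ones a defender can act on directly: a build server, monitoring server, or OT jump host should have a short, documented list of destinations it is allowed to reach, and every flow outside that list deserves an alert. What follows is an added example of such a check, not code from the original article or from SolarWinds. It runs over a handful of constructed firewall log lines; the host addresses, host names, log format, and allow-lists are assumptions:

```python
"""Egress allow-list check for management hosts, run over firewall log lines.

Added example, not code from the original article. The log format, host
addresses, names and allowed destinations below are constructed for
illustration; adapt them to your own inventory and firewall export.
"""
import ipaddress
import re

# Hosts that should only ever talk to a short, known list of destinations:
# a monitoring server (think Orion-style NMS) and an OT jump host (assumed).
RESTRICTED_HOSTS = {
    "10.20.1.5": {"name": "nms01",
                  "allowed": ["10.20.0.0/16", "192.0.2.10/32"]},  # managed devices + vendor update host
    "10.30.7.2": {"name": "ot-jump01",
                  "allowed": ["10.30.0.0/16"]},                   # OT network only
}

# Constructed key=value log format; real firewalls vary, so adjust the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample log: one allowed vendor connection, one allowed connection
# to an unknown external host (a policy gap), one denied attempt from the jump
# host (something tried anyway), one unrelated workstation, one junk line.
SAMPLE_LOG = """\
2025-07-10T02:14:07Z src=10.20.1.5 dst=10.20.4.17 dport=161 proto=udp action=allow
2025-07-10T02:14:09Z src=10.20.1.5 dst=192.0.2.10 dport=443 proto=tcp action=allow
2025-07-10T02:15:31Z src=10.20.1.5 dst=203.0.113.45 dport=443 proto=tcp action=allow
2025-07-10T02:16:02Z src=10.30.7.2 dst=198.51.100.8 dport=22 proto=tcp action=deny
2025-07-10T02:16:40Z src=10.20.9.9 dst=203.0.113.45 dport=443 proto=tcp action=allow
this line is malformed and is skipped
"""


def parse_line(line: str):
    """Return a dict of fields, or None for lines that don't match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowed(dst: str, cidrs) -> bool:
    """True if dst falls inside any of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False  # unparseable destination: treat as not allowed
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def find_unexpected_egress(lines):
    """Flag every flow from a restricted host to a destination outside its
    allow-list. An 'allow' finding means the firewall policy is too loose;
    a 'deny' finding means something on the host tried anyway."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = RESTRICTED_HOSTS.get(rec["src"])
        if host is None or is_allowed(rec["dst"], host["allowed"]):
            continue
        findings.append({
            "ts": rec["ts"], "host": host["name"], "dst": rec["dst"],
            "dport": int(rec["dport"]), "action": rec["action"],
            "severity": "policy-gap" if rec["action"] == "allow" else "attempt",
        })
    return findings


if __name__ == "__main__":
    for f in find_unexpected_egress(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['host']} -> {f['dst']}:{f['dport']} "
              f"{f['action']} [{f['severity']}]")
```

Run directly, it reports two findings: the monitoring server reaching an unknown external host while the firewall allowed it (the kind of gap the last bullet describes) and a denied attempt from the jump host. Treating allowed flows as findings is the point: a deny shows the firewall did its job, while an allow shows the policy itself needs tightening.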
3. Adopt Strong Authentication Mechanisms and Access Controls
A crucial way to protect your network and the devices on it is to know who or what is connecting. That means authenticating external users, devices, and services before they reach your network, and, just as importantly, authenticating the entities already inside it and controlling which of them are allowed to reach the internet.
But traditional passwords typically aren’t enough. It’s best to use multiple layers of security:
- Implement multi-factor authentication (MFA) methods across all devices, networks, and systems.
- Deploy certificate-based authentication to authenticate and secure your users, servers, IoT devices, applications, and their sensitive data in transit.
- When passwords are being used, never store them in plaintext or in a reversible (encrypted) form. Store only a salted hash produced by a deliberately slow, memory-hard password hashing function (Argon2id, scrypt, or bcrypt; PBKDF2 where those aren’t available), and compare hashes in constant time at login.
- Put specific, documented processes in place for when user accounts must be deactivated (e.g., an employee leaves the company or a contractor’s work is concluded).
Securely Manage These Digital Identities
Much like their non-ICS counterparts, critical infrastructure organizations must have the tools and processes in place to identify and securely manage all human- and non-human identities on their networks. In terms of certificate-based identities, think of IoT device certificates and user authentication certificates.
Regularly scan and monitor your domain and network for any expired, revoked, rogue, or unauthorized certificates.

4. Update Your Devices and Systems
In 2017, the WannaCry outbreak was a harsh reminder of the importance of keeping systems patched and up to date. The ransomware spread using EternalBlue, a leaked exploit for a remote code execution vulnerability in Windows’ SMBv1 implementation (CVE-2017-0144) that Microsoft had already patched in MS17-010 two months earlier. It’s estimated that 200,000+ devices globally fell prey to it. These public and private sector organizations’ computers became very expensive paperweights.
Microsoft emphasized the responsibility tech companies and their customers share when it comes to protecting their systems:
“The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.”
5. Implement Physical Measures to Combat Cyber Threats and Other Dangers
While embracing digital technologies is great in terms of operational improvements, it’s not always great for mitigating cyber threats. Simply relying on digital security tools isn’t enough when it comes to protecting critical infrastructure. Having physical security measures is a must, serving as a failsafe should your organization’s other critical infrastructure protection methods fail.
The idea of using analog mechanisms to build physical resilience and mitigate the physical impacts of cyber attacks aligns with the Idaho National Laboratory’s “cyber-informed engineering” (CIE) strategic initiative. CIE is akin to a marriage between cybersecurity and engineering by using engineering tools and approaches in ways that improve cybersecurity outcomes.
A few quick examples of some physical security measures for critical infrastructure protection include:
- Disabling unused USB and other removable-media ports on devices to prevent USB-borne attacks. (Think of Stuxnet, the worm that was carried in on infected USB drives to reach the industrial control systems running Iran’s uranium enrichment centrifuges.)
- Installing monitoring and sensor technologies; one example is using pressure detection and shutoff mechanisms in water facilities. Such a device serves as a failsafe, much as a circuit breaker limits the damage from an overcurrent, and it works regardless of what the control software is doing.
- Ensuring there are manual physical controls in place that are operational. When things are going wrong, you need to know that there’s a way to revert to manual controls when digital ones are compromised or unresponsive.
- Securing access to facilities and sensitive infrastructure. Only the individuals who need access should have access, period.
- Employing ballistic barricades and fencing. This approach adds another layer of protection to critical infrastructure by protecting sensitive equipment against tampering and gunfire attacks.
- Monitoring and surveillance are non-negotiable. Think smart card badges with PKI-based credentials, biometrics, cameras, and security personnel; these are just a few examples of the technologies you can employ to help physically secure your systems.
Ensure Your Organization Meets Regulatory Requirements
Many industry and geographic regulations include cybersecurity-related requirements that applicable organizations must adhere to. This will become even more critical with increasing harvest now, decrypt later attacks, and the ever-growing need for organizations across all sectors to embrace post-quantum cryptography.
Many regulations vary by industry and geographic location. For example, U.S. bulk electric system operators must comply with the NERC Critical Infrastructure Protection (CIP) reliability standards, which the North American Electric Reliability Corporation (NERC) develops and enforces under the oversight of the Federal Energy Regulatory Commission (FERC), with the aim of keeping the country’s electrical grids operational and secure.
The Financial Services sector also has experienced some pretty big changes so far in 2025:
- The European Union’s Digital Operational Resilience Act (DORA) officially took effect in January. This regulation aims to strengthen the sector’s information and communication technology (ICT) security and resilience so that financial entities can withstand significant operational disruptions.
- Organizations globally felt the impact when the remaining future-dated requirements of the Payment Card Industry Data Security Standard (PCI DSS v4.0, revised as v4.0.1) became mandatory on March 31, 2025. The updated standard (an industry standard rather than a government regulation) organizes its controls under 12 principal requirements that aim to address emerging threats and newer technologies.
- The new ASC X9 PKI made its debut. Unlike traditional public key infrastructure, this one is independent of traditional browser influences. In June, DigiCert performed its formal key signing ceremony, officially marking the launch of the X9 PKI.
Additional Critical Infrastructure Protection Resources
- MITRE ATT&CK Framework Matrix for Industrial Control Systems
- NIST’s Cybersecurity Framework (CSF) 2.0
- A joint fact sheet from CISA, DC3, FBI, and NSA: Iranian Cyber Actors May Target Vulnerable U.S. Networks and Entities of Interest.
- The Cyber-Informed Engineering Implementation Guide from the U.S. Department of Energy Office of Scientific and Technical Information (OSTI).
- Safety and Security Guidelines for Critical Infrastructure Owners and Operators
- Cybersecurity Capability Maturity Model (C2M2)
