
Cybersecurity Threats to Critical Infrastructure: Beyond IT Risks

Published: at 10:00 AM

Introduction

In April 2025, attackers logged into the control panel of a dam in Norway and fully opened a water valve. The intrusion was unsophisticated: the panel was reachable over the internet and protected only by a weak password. But its implications were profound. This was not about stealing data or demanding a ransom; it was about manipulating the physical world, turning a piece of critical infrastructure into a potential weapon.

For decades, I’ve advised leaders across government and industry on technology strategy, and for most of that time, cybersecurity was treated as an IT problem. It was about protecting data, servers, and networks. But the game has changed. The attacks we’re seeing in 2025 against our utilities, transportation grids, and energy sectors are demonstrating with terrifying clarity that the new front line in cybersecurity is the physical world itself. This is no longer just an IT risk; it’s a direct threat to public safety and national security.

The New Battleground: Operational Technology (OT)

To understand this new threat, you have to understand the difference between Information Technology (IT) and Operational Technology (OT). IT is the world of data: emails, databases, and business applications. OT is the world of action: the industrial control systems (ICS), sensors, and actuators that run our physical world. Think of the Programmable Logic Controllers (PLCs) on a factory floor, the SCADA systems managing a pipeline, or the distributed control systems in a power plant.

For decades, these OT systems were isolated, running on proprietary networks with no connection to the internet. They were “air-gapped” and considered safe. But the drive for efficiency, remote monitoring, and data analytics has led to a convergence of IT and OT, and that air gap has largely vanished. In many plants it was never as complete as assumed in the first place: vendor remote-access links, engineering laptops and USB media bridged it long before convergence became a strategy. Now the same networks that carry corporate email are connected to systems that can, quite literally, open a floodgate.

This convergence has exposed a massive vulnerability. Many OT systems were designed decades ago with little or no security built in, and some are still running with the vendor’s default password. The November 2023 attack on the Municipal Water Authority of Aliquippa in the US, carried out by the Iran-linked CyberAv3ngers group, is a perfect example. They didn’t need a sophisticated exploit; they logged into an internet-reachable Unitronics PLC at a booster station using its default credentials, defaced its display, and forced the station onto manual operation. Federal investigators found that at least ten other water facilities had been compromised by the same basic method. The front door to our critical infrastructure is, in many cases, wide open.

A Multi-Front War: Key Threats in 2025

The threat isn’t coming from a single source. We’re fighting a multi-front war against a diverse set of adversaries, each with different motives.

1. Nation-State Actors: The Cyber Cold War

Geopolitical tensions are now being played out in cyberspace. Nation-state actors like China’s Volt Typhoon are not just stealing secrets; they are embedding themselves within our critical infrastructure, waiting for a moment of conflict to cause disruption. Their tactics are insidious and marked by strategic patience. They practice “living off the land,” using built-in administration tools such as PowerShell, WMI, netsh and ntdsutil rather than custom malware, so their activity blends in with routine administration and is incredibly difficult to detect. They might remain dormant for months or even years. They are playing a long game, exploiting vulnerabilities in end-of-life home and small-office routers and other edge devices to gain persistent access that can be weaponized at a time of their choosing. Similarly, Russia’s cyberattacks on Ukraine’s power grid and government services, which surged by nearly 70% in 2024, are a clear blueprint for how digital attacks will be integrated into modern warfare.
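To make the living-off-the-land problem concrete, here is an added example (my own illustration, not code from the original article or from any vendor) of how a detection engineer might hunt for the pattern in Windows process-creation telemetry. The command-line indicators (ntdsutil with ifm, netsh portproxy, wmic process call create, reg save of registry hives) are drawn from CISA’s public Volt Typhoon advisory; the event records are constructed for the example, and the 24-hour window and two-technique threshold are assumptions to be tuned per environment. The point it makes is that each command is legitimate on its own, so the alert fires on the combination rather than on any single hit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows process-creation events (Event ID 4688 style).
# These are made-up records for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T02:13:07", "host": "dc01", "user": "svc_backup", "parent": "cmd.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q'},
    {"ts": "2025-03-04T02:15:41", "host": "dc01", "user": "svc_backup", "parent": "cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
                "connectport=8443 connectaddress=10.0.5.20"},
    {"ts": "2025-03-04T09:30:12", "host": "ws17", "user": "jdoe", "parent": "explorer.exe",
     "cmdline": "C:\\Windows\\System32\\netsh.exe interface show interface"},   # benign netsh
    {"ts": "2025-03-04T10:02:55", "host": "fs02", "user": "admin-r", "parent": "powershell.exe",
     "cmdline": 'wmic.exe process call create "cmd.exe /c whoami"'},
    {"ts": "2025-03-04T11:47:03", "host": "ws17", "user": "jdoe", "parent": "cmd.exe",
     "cmdline": "reg.exe query hklm\\software\\Microsoft"},                    # benign reg
]

# (rule name, ATT&CK technique ID from the public ATT&CK catalogue, command-line pattern)
RULES = [
    ("ntds_dump",   "T1003.003", re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("portproxy",   "T1090.001", re.compile(r"netsh(\.exe)?\b.*\binterface\s+portproxy\s+add\b", re.I)),
    ("wmic_exec",   "T1047",     re.compile(r"wmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("hive_save",   "T1003.002", re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("shadow_copy", "T1003.003", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
]


def match_event(event):
    """Return the (rule, technique) pairs whose pattern matches this event's command line."""
    return [(name, tech) for name, tech, pat in RULES if pat.search(event["cmdline"])]


def scan(events):
    """Tag every event with the rules it trips; events that trip nothing are dropped."""
    hits = []
    for ev in events:
        for name, tech in match_event(ev):
            hits.append({"ts": datetime.fromisoformat(ev["ts"]), "host": ev["host"],
                         "user": ev["user"], "rule": name, "technique": tech,
                         "cmdline": ev["cmdline"]})
    return hits


def correlate(hits, window_hours=24, min_rules=2):
    """Per host, alert when at least `min_rules` distinct rules fire inside one window.

    A single netsh or ntdsutil invocation is often legitimate administration; several
    different living-off-the-land techniques on one host in a short period is far rarer.
    Returns {host: sorted rule names} for hosts that cross the threshold.
    """
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    window = timedelta(hours=window_hours)
    alerts = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        for i, first in enumerate(hs):
            rules = {h["rule"] for h in hs[i:] if h["ts"] - first["ts"] <= window}
            if len(rules) >= min_rules:
                alerts[host] = sorted(rules)
                break
    return alerts


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['ts']:%Y-%m-%d %H:%M} {h['host']:<5} {h['user']:<11} "
              f"{h['rule']:<12} {h['technique']:<10} {h['cmdline'][:60]}")
    print("correlated:", correlate(found))
```

Run against the constructed events, the benign `netsh interface show interface` and `reg query` lines are ignored, the lone `wmic` call on fs02 is recorded but does not alert, and dc01 alerts because an NTDS dump and a port-proxy were set up within minutes of each other. In production the rule list would be much longer and the window and threshold would be tuned against the organisation’s own baseline of administrative activity.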

2. Ransomware’s Crippling Impact

While nation-states may seek strategic advantage, ransomware groups are motivated by pure profit, and they see critical infrastructure as a lucrative target. The energy and utilities sector saw an 80% surge in ransomware attacks in 2024. When American Water was hit in October 2024, it was forced to shut down its customer portal and billing systems. While they stated that core water systems were unaffected, the attack sowed public distrust and caused significant operational disruption. These attacks are a stark reminder that even if the core OT system is protected, a successful attack on the surrounding IT infrastructure can be incredibly damaging, affecting everything from billing to maintenance scheduling.

3. The Transportation Grid Under Fire

Our increasingly interconnected transportation systems are another prime target. Cyberattacks on the sector are projected to hit a new high in 2025, with ransomware and phishing being the most common vectors. Phishing attacks alone against transportation companies skyrocketed by 175% in the last year. I once advised a major port authority in Southeast Asia, and their biggest fear wasn’t a direct attack on their crane operating systems, but a vendor email compromise that could trick them into rerouting shipping payments or revealing sensitive cargo manifests. The entire logistics chain is vulnerable, from the ships and trains themselves to the fleet management and billing systems that coordinate their movement.

The Road Ahead: AI, IoT, and the Expanding Threat Surface

As if the current situation weren’t challenging enough, emerging technologies are set to expand the threat surface exponentially.

First, the explosion of Internet of Things (IoT) devices is adding billions of new, often insecure, endpoints to our networks. I’ve seen so-called “smart” sensors deployed in everything from electrical grids to railway switches with default passwords and no clear plan for patching. The 107% surge in IoT malware in 2024 is a clear warning. Each of these sensors is a potential foothold for an attacker.

Second, the rollout of 5G networks, while promising incredible new capabilities, also introduces new complexities and potential vulnerabilities. The move to software-defined networking creates new avenues for attack that we are only just beginning to understand.

Finally, the rise of AI-powered cyberattacks is a game-changer. Adversaries will soon be able to use AI to conduct reconnaissance, identify vulnerabilities, and craft highly convincing phishing emails at a scale and speed that human defenders will struggle to counter. We are entering an era where we will be fighting AI with AI, and the side with the better algorithms may well have the upper hand.

The Regulatory Response: A Global Scramble to Catch Up

For years, cybersecurity standards for critical infrastructure were voluntary guidelines. That era is definitively over. Governments around the world are now scrambling to impose mandatory regulations.

In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) is developing its 2025 National Infrastructure Risk Management Plan, which will force sectors to identify and prioritize their most significant cyber risks. The Transportation Security Administration (TSA) has issued new, stricter directives for pipelines and rail operators, mandating specific incident reporting timelines.

This isn’t just a US phenomenon. In Europe, the Digital Operational Resilience Act (DORA) imposes stringent new requirements on the financial sector and the ICT providers it depends on. The message is clear: self-regulation has failed. The intent behind these new laws is not just to punish companies that fail to act, but to create a mandatory, common baseline for security. They are designed to facilitate better information sharing between the private sector and government agencies, ensuring that a threat detected at one utility can be quickly communicated to all others. It’s a forced elevation of the entire industry’s security posture, with governments now stepping in to enforce a baseline for the services we all depend on.

Conclusion: From Reactive to Resilient

While this new wave of regulation is a necessary step, compliance alone is not the goal. You can be 100% compliant and still be incredibly vulnerable. The ultimate objective must be to achieve true operational resilience—the ability to withstand and recover from an attack with minimal disruption to essential services.

I remember a conversation with a minister responsible for a nation’s energy grid. He was focused entirely on prevention—building higher walls. I told him, “Assume the walls will be breached. What happens then? How do you keep the lights on?” The conversation shifted from buying more firewalls to investing in redundant control systems, training operators for manual overrides, and building strong partnerships with national cybersecurity agencies for rapid threat intelligence sharing.

This is the critical mind shift that every leader in a critical infrastructure sector needs to make. Here are three actionable first steps:

  1. Create a Unified Risk Register: Your IT and OT teams must work together to create a single, comprehensive inventory of all connected assets, the network paths that can reach them, and their vulnerabilities. You cannot protect what you cannot see, and an OT device that looks safe on its own inventory sheet may be one firewall rule away from the internet.
  2. Develop an OT-Specific Incident Response Plan: Your IT incident response plan is not sufficient. You need a plan that accounts for the unique safety and operational considerations of an OT environment. What are the procedures for a manual override of a control system? How do you isolate a compromised PLC without shutting down an entire plant?
  3. Invest in Your People: The human element is the most critical component of resilience. This means investing in cross-training your IT and OT staff and conducting regular, realistic drills that simulate a cyber-physical attack.
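As an added worked example of step 1 (my own illustration, not code from the original article), and of the exposure pattern behind the Aliquippa incident described earlier, the script below merges an IT asset list and an OT asset list with reachability data and ranks the result into a prioritised register. The inventory, the zone names, the reachability observations and the scoring weights are all constructed assumptions for the example; only the ICS port numbers are real protocol assignments. What it shows is that the dangerous asset is not the one with the most listening services but the one whose ICS port is reachable from an untrusted zone while still carrying default credentials.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Well-known ICS/OT protocol ports (public protocol assignments).
ICS_PORTS = {
    102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 20256: "Unitronics PCOM",
    44818: "EtherNet/IP", 47808: "BACnet",
}
# Zones from which no ICS protocol should ever be reachable (assumed zone model).
UNTRUSTED_ZONES = {"internet", "corporate_it"}


@dataclass
class Asset:
    name: str
    ip: str
    zone: str                 # internet | dmz | corporate_it | ot_control | ot_field (assumed)
    owner: str                # which team maintains it: "IT" or "OT"
    listening: dict           # port -> service name, from that team's own inventory
    default_creds: bool = False
    firmware_eol: bool = False


@dataclass
class RegisterEntry:
    name: str
    owner: str
    score: int
    priority: str
    findings: list = field(default_factory=list)


# Constructed sample inventories: one kept by IT, one by OT, merged below.
IT_ASSETS = [
    Asset("eng-ws-02", "10.10.7.40", "corporate_it", "IT", {3389: "RDP"}),
    Asset("billing-web", "203.0.113.8", "dmz", "IT", {443: "HTTPS"}),
]
OT_ASSETS = [
    Asset("plc-booster-3", "10.20.3.11", "ot_field", "OT", {20256: "PCOM", 80: "HMI web"},
          default_creds=True, firmware_eol=True),
    Asset("scada-hist-1", "10.20.1.5", "ot_control", "OT", {1433: "MSSQL", 502: "Modbus/TCP"}),
]

# Constructed reachability observations (src_zone, dst_ip, dst_port), as would come from a
# firewall rule review or an authorised scan launched from inside each zone.
REACHABLE = [
    ("internet", "10.20.3.11", 20256),   # booster-station PLC behind a port-forward
    ("internet", "10.20.3.11", 80),
    ("corporate_it", "10.20.1.5", 1433),
    ("internet", "203.0.113.8", 443),
]


def priority(score):
    """Map an assumed numeric score onto the register's priority bands."""
    return "critical" if score >= 80 else "high" if score >= 40 else "medium" if score > 0 else "low"


def assess(asset, reach_from):
    """Score one asset. reach_from maps port -> set of source zones that can reach it."""
    findings, score = [], 0
    for port, zones in sorted(reach_from.items()):
        untrusted = zones & UNTRUSTED_ZONES
        if not untrusted:
            continue
        src = ",".join(sorted(untrusted))
        if port in ICS_PORTS:                      # ICS protocol exposed to an untrusted zone
            findings.append(f"{ICS_PORTS[port]}/{port} reachable from {src}")
            score += 40 if "internet" in untrusted else 25
        elif asset.zone.startswith("ot_"):         # any other service on an OT asset
            findings.append(f"{asset.listening.get(port, port)}/{port} on OT asset reachable from {src}")
            score += 15
    exposed = bool(findings)
    # Weak credentials or unpatchable firmware matter far more once the asset is reachable.
    if asset.default_creds:
        findings.append("default credentials" + (" on exposed asset" if exposed else ""))
        score += 40 if exposed else 20
    if asset.firmware_eol:
        findings.append("end-of-life firmware" + (" on exposed asset" if exposed else ""))
        score += 20 if exposed else 10
    return RegisterEntry(asset.name, asset.owner, score, priority(score), findings)


def build_register(assets, reachable):
    """Merge the inventories, join the reachability data, and rank assets by score."""
    by_ip = {a.ip: a for a in assets}
    reach = defaultdict(lambda: defaultdict(set))   # ip -> port -> set of source zones
    for src_zone, dst_ip, dst_port in reachable:
        if dst_ip in by_ip:
            reach[dst_ip][dst_port].add(src_zone)
    entries = [assess(a, reach[a.ip]) for a in assets]
    return sorted(entries, key=lambda e: (-e.score, e.name))


if __name__ == "__main__":
    for e in build_register(IT_ASSETS + OT_ASSETS, REACHABLE):
        print(f"{e.priority:<8} {e.score:>3} {e.owner:<3} {e.name:<14} {'; '.join(e.findings) or '-'}")
```

On the constructed data the booster-station PLC lands at the top with a critical rating, the historian is flagged only for the SQL port reachable from the corporate network (its Modbus port is listening but nothing untrusted can reach it), and the public billing site scores zero because HTTPS in a DMZ is exactly where it belongs. Note that the register is only as good as the reachability data: an inventory without the network view would have rated every OT device the same.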

The threat is real, and it is here. The safety of our communities and the stability of our economies depend on our ability to secure the technology that underpins our modern world.

