Critical infrastructure organizations have seen a swell of attacks in the past few years. Forescout Research – Vedere Labs recorded more than 420 million global cyberattacks against critical infrastructure between January 2023 and 2024. That’s roughly 13 attacks per second. Similarly, the Paris-based International Energy Agency (IEA) reported that the average number of weekly cyberattacks against companies in the utilities sector more than doubled between 2020 and 2022 worldwide. In 2023, that number nearly doubled again. Though the attacks have been occurring around the world, the U.S. has been the primary target.
This trend is worrying, and it’s unlikely to improve until action is taken to better protect critical infrastructure organizations. While many attacks have been thwarted, others have been successful both in terms of shutting down critical systems and in gathering information from foreign entities and government organizations.
Here, we’ll analyze why these attacks differ from traditional financially motivated data grabs, how they have the potential to shut down a country, and why 2025 needs to be the year for improved critical infrastructure security.
As the name suggests, critical infrastructure organizations keep a country functioning. Systems can include energy, water treatment and delivery, electric, waste management, transportation, telecommunications, and critical manufacturing companies as well as public services, emergency services, and hospitals. An attack that disrupts any of these sectors could have devastating consequences.
Unlike attacks on most private sector businesses, cyberattacks against critical infrastructure organizations can result in more than financial losses. A successful attack could cause the loss of lives. A disruption to the energy grid would not only turn out the lights but could also cut the heat in the dead of winter. Banks and hospitals would go offline, military bases would be unable to function, and any communication between citizens and emergency services would be cut off. Public water could be turned off or tampered with. Even worse, people would go hungry with no freezers or refrigerators to keep food cold or cargo ships to bring in fresh supplies. With so much potential chaos at stake, leaders are highly incentivized to keep critical infrastructure operations running.
Unfortunately, critical infrastructure and utility organizations are increasingly connected, both geographically and across sectors. So, if a disruption to “the grid” goes undetected long enough, it could take down multiple sectors.
Because these services are essential and highly interconnected, critical infrastructure organizations are an enticing target for ransomware groups. Executives and even government officials are more likely to pay a ransom because their people can’t go without power, water, food, and emergency services. But it’s not just ransomware groups and financially motivated bad actors that critical infrastructure organizations need to worry about. Their list of adversaries is rather extensive, which leads us to our next point.
Halted operations at a utility company or a water treatment plant aren’t just an inconvenience to customers — they’re a danger to every citizen in the area. That’s why cyberattacks on critical infrastructure networks are increasingly becoming a weapon in digital warfare. Unlike other types of cyberattacks, the goal of critical infrastructure attacks isn’t financial gain — it’s to disrupt a service and wreak havoc on a region.
The Annual Cyber Threat Report 2022–23 from the Australian Signals Directorate’s Australian Cyber Security Centre stated that government and critical infrastructure networks around the globe were targeted by state cyber actors as part of ongoing information-gathering campaigns or disruption activities.
In the U.S., these types of attacks are often used to conduct espionage. By accessing one government database — whether directly or via a vendor — bad actors can then infiltrate other departments and databases, which could lead to the exposure of state secrets.
Other attacks, both in the U.S. and abroad, are carried out with more malicious intent. In these situations, cybercriminals attempt to alter operations at water and power plants in the hopes of cutting off water supplies or causing massive explosions (see more below).
Critical infrastructure attacks are much more frightening both because the stakes are much higher (lives vs. livelihood) and because the attackers don’t need to find and steal sensitive information or collect a ransom to be successful. They simply need to disrupt a system, and the resulting chaos can have huge effects on supply chains, government relations, and the daily lives of the nation’s citizens. The result is that threat actors have a much simpler and more direct goal, causing disruptive damage, which is more extreme and far-reaching than data exfiltration or ransomware.
Complicating matters further is the fact that critical infrastructure is either overseen by or closely connected to government agencies, which face a number of cybersecurity challenges. Many agencies are underfunded, which means cybersecurity budgets are lean, if they exist at all. Agencies are likely working on outdated systems with software that may no longer be supported. Worse yet, some contractors of major agencies like the EPA have been found to lack even basic cybersecurity best practices.
Government agencies are also notoriously slow moving, so they lack the agility needed to adapt to major shifts in cybersecurity and quickly obtain approval for new security tools or resources. This leaves them particularly at risk and ill-equipped to handle zero-day vulnerabilities or threats related to entirely new attack vectors such as AI or the cloud. Between red tape, long approval processes, and restrictive regulations, security teams are having trouble protecting current assets and can’t begin to keep up with these infrastructure threats. For instance, in early 2024, the North American Electric Reliability Corporation reported that the number of points in the U.S. power grids that are vulnerable to cyberattacks is increasing at a rate of approximately 60 per day. Today, the number of vulnerable points is between 23,000 and 24,000.
Because the critical infrastructure ecosystem is more vulnerable and less agile than the average corporate organization, hacktivists and nation-states are more likely to be successful with an initial compromise and less likely to be caught because incident response is slow.
These cyberattacks and the resulting consequences aren’t just hypothetical. Hacktivists are launching attacks every day, and many are having some level of success.
In October of last year, cybersecurity and intelligence agencies from Australia, Canada, and the U.S. released a joint advisory about a year-long campaign run by Iranian cyber actors to infiltrate critical infrastructure organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors. The hacktivists used brute force attacks, password spraying, and multi-factor authentication prompt bombing — a technique in which bad actors flood a user with MFA notifications, hoping they will sign into their account or approve a request without reading it too closely out of sheer annoyance. The joint intelligence agencies claimed that the goal of these attacks is likely to obtain access to networks and sell it to other cybercriminals.
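The password spraying and MFA prompt bombing described in the advisory above both leave a recognizable pattern in authentication logs: one source failing against many different accounts in a short window, and one account receiving a burst of push prompts. The following detection logic is an added example written for this page, not code from the article, the advisory, or any vendor; the log format, field names, thresholds, account names and IP addresses are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not from any real system). The field
# layout is an assumption: timestamp, source IP, account, and an outcome that
# is one of fail, success, mfa_push_sent, mfa_denied.
SAMPLE_LOG = """\
2024-10-16T08:00:01Z src=203.0.113.7 user=alice outcome=fail
2024-10-16T08:00:09Z src=203.0.113.7 user=bob outcome=fail
2024-10-16T08:00:17Z src=203.0.113.7 user=carol outcome=fail
2024-10-16T08:00:25Z src=203.0.113.7 user=dave outcome=fail
2024-10-16T08:00:33Z src=203.0.113.7 user=erin outcome=fail
2024-10-16T08:00:41Z src=203.0.113.7 user=frank outcome=fail
2024-10-16T08:05:00Z src=198.51.100.4 user=alice outcome=fail
2024-10-16T08:05:30Z src=198.51.100.4 user=alice outcome=fail
2024-10-16T08:06:00Z src=198.51.100.4 user=alice outcome=success
2024-10-16T09:10:00Z src=203.0.113.9 user=bob outcome=mfa_push_sent
2024-10-16T09:10:20Z src=203.0.113.9 user=bob outcome=mfa_denied
2024-10-16T09:10:40Z src=203.0.113.9 user=bob outcome=mfa_push_sent
2024-10-16T09:11:00Z src=203.0.113.9 user=bob outcome=mfa_denied
2024-10-16T09:11:20Z src=203.0.113.9 user=bob outcome=mfa_push_sent
2024-10-16T09:11:40Z src=203.0.113.9 user=bob outcome=mfa_push_sent
2024-10-16T09:12:00Z src=203.0.113.9 user=bob outcome=mfa_push_sent
2024-10-16T09:12:20Z src=203.0.113.9 user=bob outcome=mfa_push_sent
2024-10-16T09:30:00Z src=198.51.100.4 user=carol outcome=mfa_push_sent
2024-10-16T09:30:15Z src=198.51.100.4 user=carol outcome=success
"""


def parse_log(text):
    """Parse the constructed key=value log lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, **fields})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failed logins touch many *distinct* accounts
    inside one sliding window. A single account failing repeatedly (classic
    brute force) does not trip this rule; spraying is wide, not deep.
    Returns {src: peak distinct accounts} for sources at or above the threshold."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "fail":
            fails_by_src[e["src"]].append((e["ts"], e["user"]))
    flagged = {}
    for src, attempts in fails_by_src.items():
        peak, start = 0, 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = len({u for _, u in attempts[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_accounts:
            flagged[src] = peak
    return flagged


def detect_mfa_bombing(events, window=timedelta(minutes=5), min_prompts=5):
    """Flag accounts that receive a burst of MFA push prompts in a short window,
    the signature of prompt bombing. Returns {user: peak prompts in window}."""
    prompts_by_user = defaultdict(list)
    for e in events:
        if e["outcome"] == "mfa_push_sent":
            prompts_by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in prompts_by_user.items():
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_prompts:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("password spray sources:", detect_password_spray(evts))  # {'203.0.113.7': 6}
    print("MFA prompt bombing targets:", detect_mfa_bombing(evts))  # {'bob': 6}
```

The two rules deliberately key on different dimensions: spraying is counted per source across accounts, prompt bombing per account across prompts, so a legitimate user who mistypes a password a few times (198.51.100.4 against alice above) trips neither. In practice the thresholds and window sizes are tuned against a site's own baseline, and a hit on the MFA rule is a cue to reach the user out of band rather than to rely on them eventually pressing "deny".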
The Change Healthcare ransomware attack from last year massively disrupted the entire U.S. healthcare system, forcing facilities to shut down, leaving patients without access to medication and care, and costing large hospitals and pharmacies upwards of $100 million per day. It took months to get systems back online and was a perilous example of how hacking into one system can bring down an entire industry.
Chinese hackers have been heavily attacking U.S. critical infrastructure networks over the last few years. Investigators recently uncovered a vast Chinese intelligence collection effort that was aimed at critical infrastructure including communications, electric and gas utilities, as well as a military base in Guam that would be key to a U.S. response should there be an invasion of Taiwan. Roughly a year later, those efforts were intensified as the Chinese government launched a series of attacks targeting internet service providers in an attempt to steal sensitive data.
American Water, the largest regulated water and wastewater utility company in the United States, announced in October that it was the victim of a cyberattack. The company serves more than 14 million people in 14 states and 18 military installations. Though the company stated it doesn’t believe its facilities and operations were tampered with by the hackers, the attack did manage to shut down its customer portal and billing systems for a week.
Perhaps the most infamous attack on U.S. critical infrastructure was the Russian ransomware attack on the Colonial Pipeline in 2021. As the largest oil pipeline in the U.S., Colonial supplies more than 45% of the gas, diesel, and jet fuel to the East Coast. The attack forced the company to shut down operations for 11 days, sending the national price of fuel to its highest point in more than six years.
In other parts of the world, nation-states have come even closer to causing irrecoverable harm. In 2022, a Russian hacker group launched an attack on Ukrainian substation circuit breakers that led to a power outage during missile strikes. The result was the loss of civilian lives, as well as leaving four regions without power and supplies.
Similarly, Russian state-sponsored hackers attacked a Saudi petrochemical plant. The attackers had been lurking in the system for years before taking over the plant’s safety system remotely. A flaw in the malware’s code halted the operation before it could achieve its aim, which was to override the plant’s safety checks and release toxic hydrogen sulfide gas into the atmosphere or cause massive explosions.
Attacks on critical infrastructure organizations are becoming more pervasive, but state-sponsored hackers are generally using the same techniques as other malicious groups to gain access to systems. Phishing and social engineering attacks are common. In fact, Osterman Research and OPSWAT found that 80% of critical infrastructure organizations have experienced an email breach in the last year and 63.3% of respondents acknowledge that their email security needs to be improved. This new data further emphasizes the need for critical infrastructure organizations to implement basic cybersecurity best practices and controls. If the industry doesn’t prioritize and advance efforts to improve its cyber security posture, it’s likely to experience more attacks and increase the prospect that one of those attacks results in a severe compromise affecting large swaths of the country.
The risk to critical infrastructure is no longer something that can be ignored — it’s clearly a matter of national security. Organizations and responsible departments need to increase their funding, streamline their processes, and establish more robust plans to become and remain cyber resilient. Government agencies, in particular, also need to retire outdated and vulnerable systems to ensure their software solutions can be properly secured. Short of that, attackers’ automated scanning tools and known exploits will turn these agencies into easy targets.
Government agencies and organizations in the critical infrastructure sector also need to work closely with the cybersecurity community to remain current on new risks and how to mitigate them. They need to use cutting-edge cybersecurity technology and techniques and ensure they remain vigilant against emerging attack vectors and strategies. This may include contracting directly with third-party security partners such as MDR, XDR, or MSSP providers to implement solutions that will help them attain cyber resiliency fast.
Lastly, this directive needs to come from multiple angles – lawmakers, executives, and the security industry need to keep ringing the bell and work together to establish fast-moving strategies that will bolster critical infrastructure. This requires close partnerships and efforts that maximize the strengths of each body involved, whether it’s funding, expertise, or technology. By working together, nations can become much more resilient and stave off these attacks much more successfully.
SolCyber is the first-of-its-kind outsourced security program partner. With our 24/7 detection and response services and Foundational Coverage, government agencies and critical infrastructure organizations can ensure they are protected against threats. Reach out to the experts at SolCyber today to learn more about how we help.