In April 2025, cyber attackers took over the control system of a small dam in Western Norway and opened a valve for four hours. Norway’s security services later publicly attributed the incident to pro-Russian hackers. Reports suggest the attackers gained access using weak credentials on an internet-connected control panel.
“The incident didn’t cause injuries, but it did prove a point,” Pedro Umbelino, principal research scientist at Bitsight, told Infosecurity. “Basic industrial control system and operational technology mistakes still create real‑world risk.”
This is the challenge facing critical national infrastructure (CNI) operators and the security teams tasked with protecting them. Critical infrastructure depends heavily on legacy technologies, designed before secure connectivity was a requirement.
Moreover, the sector has attracted a growing number of threats, including nation states and hacktivist groups, as well as those who see CNI as a lucrative target for cyber extortion.
The Cybersecurity Challenge for CNI Operators
CNI operators face a delicate balancing act, maintaining robust security and resilience while embracing the efficiencies that connected systems and cloud technologies promise.
“We’re moving towards a more converged, shared infrastructure and shared networking piece,” said Scott McKinnon, UK CSO at Palo Alto Networks. “The technology is increasingly becoming cloud delivered as well. Modern OT systems will probably have a cloud control plane, which means that it’s outside the perimeter security that previously existed. And there’s obviously lots of legacy technology there as well.”
CNI providers are also embarking on extensive upgrade programs because much of the equipment in industries such as utilities, energy and transportation is decades old.
Reconfiguring water systems and power grids to meet modern demands means renewing OT systems. Meanwhile, more distributed systems, such as those needed to support renewable energy or remote telecommunications, also make perimeter security harder.
“CNI and distributed energy resources are the new frontier in cyber warfare,” warned Rob Demain, CEO at e2e-assure. “That attack surface has expanded in recent years with the addition of green energy solutions. Solar panels, for example, and the inverters they feed into, are seldom protected, making it perfectly plausible that those could be hacked en masse and used to carry out a DDoS attack against the National Grid.”
Such an incident is yet to happen, but attacks on CNI were nonetheless a growing problem in 2025. Bitsight’s Umbelino pointed to a “measurable increase of around 12%” in cyber-attacks against internet-facing ICS and OT systems.
Bridewell, a UK-based cyber consultancy with a significant CNI practice, has found that 95% of UK CNI providers had been breached in the year to March 2025. The UK’s NCSC also warned of increased attacks against the sector in its 2025 annual review.
Long-Term Security Risks for Critical Infrastructure
Convergence between OT, IT and the cloud is providing cybercriminal groups with the opportunity to target critical infrastructure. Operators, and regulators, are wrestling with new technology and new manufacturers, outside the traditional OT/ICS supply chain.
“With the geopolitical tensions and the way that the world will look in maybe a few years, they’re starting to scratch their heads and think, ‘okay, is it secure? Is it safe? How was it developed? Is there any remote access? How is it being configured?’ There are things that are being done now, that will have an effect in a few years’ time,” cautioned Daniel dos Santos, head of security research at Forescout’s Vedere Labs.
Given the lifespans of operational technology, installing insecure equipment now can have long-term consequences. Meanwhile, CISOs face dealing with older hardware that was not designed for modern threats. Even where vendors release patches, CNI operators do not always apply them, either because of concerns about business interruption, or a lack of visibility.
“There are assets that have been there for 30 years in the ground, they’re connected and they have an IP address, and people don’t even realize that they’re part of the network,” said Dos Santos.
Technology is not the only challenge for CNI CISOs who face increasingly determined adversaries. As well as financially motivated attacks, in 2025 critical infrastructure operators found themselves targets of hacktivist and state-backed actors too.
“What made 2025 especially dangerous was how the convergence of geopolitics and cybercrime directly increased risk to critical infrastructure,” noted Adam Darrah, VP of intelligence at ZeroFox.
“As geopolitical tensions escalated, CNI became a preferred pressure point: Russia targeted European banking and transportation to weaken NATO resolve; Iran turned to asymmetric cyber activity against Israeli and Gulf state infrastructure; and China intensified espionage against defense, energy, and technology sectors. Even municipal infrastructure wasn’t spared.”
State-backed attackers are looking for intelligence, and to identify vulnerabilities they can exploit in the future. In the short term, they, and aligned hacktivist groups, want to create chaos, Darrah says.
Vedere Labs’ Dos Santos concurred and noted, “They’ve figured out that it’s an effective way to spread a message.”
The threat is not limited to the conventional components of CNI, such as transport, energy or water. Governments, and adversaries, increasingly see sectors such as healthcare and financial services as ‘in scope’; the UK recently added data center operators to its list of CNI.
“This shift will intensify in 2026,” said Spencer Starkey, executive VP for EMEA, at SonicWall. “Retail, logistics, automotive manufacturing and even food distribution face rising pressures as they become targets. Adversaries will increasingly lean on AI-assisted hacks to probe and exploit the systems businesses rely on to keep operations running.”
Keeping the Lights on in CNI in 2026
Threats to CNI are not likely to abate in 2026. Legislators are putting more emphasis on cyber resilience, and directives such as the EU’s Cyber Resilience Act will improve the security of connected devices. But these upgrades take time.
“Threats from criminal groups continue to grow exponentially,” said Phil Tonkin, CTO at OT security specialists Dragos. “In 2026, CISOs need to be prepared for ever increasing risks, across the full spectrum of their digital assets, both IT and OT.”
CISOs, he suggested, should adopt measures such as SANS’ five critical controls for ICS, to reduce risks as quickly as possible.
Cybersecurity leaders in CNI should also consider measures such as network segmentation, improved identity and access management and even zero trust architectures. These are not unique to CNI, but they go some way toward reducing the likelihood and impact of a breach.
The social, economic and political stakes are too high for CNI to rely on staying safe by staying in the shadows.
