Rethinking Critical Infrastructure: A Secure Path Forward for High-Risk Connectivity

By Staff

It’s tough out there for security professionals on the front lines. The expansive attack surface we must contend with as we dive into 2025 was unfathomable for most just twenty short years ago.

However, the reality is that digital frontiers across the world are highly prized targets for nation-sponsored threat actors, and this is likely to ramp up in the coming years. Our critical infrastructure has increasingly been singled out for attempted large-scale disruption, with government agencies around the world reporting a higher frequency of attacks in the past couple of years.

Incidents in the not-too-distant past affecting Colonial Pipeline, or the widespread fallout from the ransomware attack on Johannesburg’s electricity grid, are stark reminders that the digital connectivity of these systems creates a much higher risk profile than many understand. Governments around the world have released detailed plans for fortifying critical infrastructure against cyberattacks, including measures for a more proactive, resilient approach than we have had in the past.

However, with a software landscape that is growing in complexity, AI tooling being thrown into the mix, and security leaders continually begging for budget, this requires a more granular plan of attack.

The Immediate Risks Emerging for Critical Infrastructure

When electricity grids were first being constructed around the world, the concept of protecting them from invisible, digital threats would be inconceivable, and for many years, any computing was air-gapped. Decades on, we are left with retrofitted, digitized monoliths of legacy physical infrastructure and code, and this requires a careful defensive strategy to fortify in the modern world.

A recent report revealed that, in just one year, cyberattacks on critical infrastructure increased by 30 percent. What does this represent in actual figures? Staggeringly, between January 2023 and January 2024, critical infrastructure worldwide endured over 420 million attacks, up to 13 attacks per second. Clearly, this hotbed of criminal activity points to a high-priority target vertical for threat actors, one that goes far beyond a “flavor of the month.”

Attacks on power grids, oil and gas, water supply, hospitals, and public transport are devastating enough, but the real potency comes from their ability to disrupt proceedings well after the incident is effectively stopped, and the effects they can have on their respective supply chains.

With a rapidly increasing susceptibility to successful attacks – the North American Electric Reliability Corporation (NERC) reported that the number of points in the U.S. power grids that are vulnerable to cyberattacks is increasing at a rate of approximately 60 per day – there is no time to waste in mobilizing security personnel and developers alike to defend these systems efficiently amid the chaos.

Threat Vectors: What Are They, and Who is Responsible?

There is evidence to suggest that the most prominent perpetrators of critical infrastructure attacks are nation-state actors, but realistically, the implications of disruption to the supply chain and access to downstream systems make them attractive for enterprising criminal groups operating for maximum monetary gain.

Either way, threat actors will take any opportunity to seize control, and too often, they gain a foothold in critical systems due to small, exploitable mistakes. For instance, the devastating Colonial Pipeline attack was helped along thanks to a SQL injection bug, which resulted in weeks of disruption to their production and the payment of a ransom of over $4.4M to the criminals.

More recently, in the Netherlands, security researchers alerted solar technology manufacturer Enphase to six zero-day vulnerabilities affecting its Enphase IQ Gateway devices. Many of these vulnerabilities related to poor access control and authentication, and, if connected to an untrusted network, could be exploited to seize control over the Enphase IQ Gateway and any connected devices.

While these researchers were ethical and worked directly with Enphase to patch and disclose the bugs, over four million of these systems are deployed across 150 countries, and if an attacker had discovered them first, they could have leveraged them for a catastrophic incident that would have revealed just how fragile IoT infrastructure can be when not properly secured, and how devastating such devices can be in the supply chain.

Three Elements for Proactive, Impactful Security

Recent government-level directives, such as the Cyber Resilience Act, the NIS2 directive, and the National Cybersecurity Strategies of the Australian and U.S. governments, call for greater cyber resilience, including more accountability for software developers to ensure the code they produce is free from vulnerabilities.

This advice is sound, but it needs to be more robust, prescriptive, and result in measurable positive outcomes, or we cannot move the needle. We need:

  • Measurable developer upskilling. If the development cohort is just being given basic annual compliance training or education solutions that are not applicable to the language and frameworks they use and scenarios they encounter day-to-day, it will be functionally useless. Ideally, developers should be a central fixture in the overall security program, with continuous learning pathways. Their skills should be assessed regularly, with data-driven insights providing visibility into knowledge gaps that must be overcome before they can commit code in more sensitive repositories. Yes, this is more effort than annual video-based training, but it’s a viable method for producing the hands-on security awareness that can actually make a difference.
  • Vendor security transparency. Do your vendors, suppliers and contractors care about security as much as your organization? Whether manufacturing physical or digital products, if it runs on software, every component should be disclosed and verified as safe. If your vendors are not forthcoming about their internal security processes, the dependencies they use, and the certifications they have gained, then there is a greater chance of supply chain security issues that can dramatically affect the critical infrastructure sector, not to mention the end-user’s reputation.
  • Three As: APIs, Access Control, Authentication. While basic, these pathways are what threat actors target first as the “low-hanging fruit” that can, if exploitable, lead to escalated privileges and vast access beyond the initial point of compromise. Documentation, processes, and know-how in securing these access points are something every developer working on any software powering infrastructure must know like the back of their hand.
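To make the “three As” concrete, here is an added example (not code from the article or from any vendor it names): a framework-free API handler for reading a gateway device record, shown first as it is too often written and then hardened with authentication, input validation, and object-level access control. The user names, tokens, device identifiers, and the `gw-NNN` id format are all constructed for illustration.

```python
# Added example (not from the article): a dict-shaped "request" and two
# handlers for the same endpoint, one weak and one hardened.
import hashlib
import hmac
import re

# Constructed sample store. Tokens are kept only as SHA-256 digests, so a
# leaked copy of this table does not hand out working credentials.
USER_TOKEN_DIGESTS = {
    "alice": hashlib.sha256(b"tok-alice-0001").hexdigest(),
    "bob": hashlib.sha256(b"tok-bob-0002").hexdigest(),
}
DEVICES = {
    "gw-100": {"owner": "alice", "firmware": "7.6.1"},
    "gw-200": {"owner": "bob", "firmware": "7.5.9"},
}
DEVICE_ID = re.compile(r"gw-\d{3}")  # constructed identifier format


def weak_get_device(request):
    """'Before' handler: no authentication, no ownership check, no input
    validation. Any caller can read any device by guessing its id."""
    device_id = request["params"].get("device_id", "")
    device = DEVICES.get(device_id)
    if device is None:
        return {"status": 404, "body": "not found"}
    return {"status": 200, "body": device}


def authenticate(request):
    """Return the user name for a valid bearer token, else None.
    Digests are compared in constant time to avoid a timing side channel."""
    header = request["headers"].get("Authorization", "")
    if not header.startswith("Bearer "):
        return None
    presented = hashlib.sha256(header[len("Bearer "):].encode()).hexdigest()
    for user, digest in USER_TOKEN_DIGESTS.items():
        if hmac.compare_digest(presented, digest):
            return user
    return None


def hardened_get_device(request):
    """'After' handler: authenticate, validate the id, then enforce
    object-level authorization before returning anything."""
    user = authenticate(request)
    if user is None:
        return {"status": 401, "body": "authentication required"}
    device_id = request["params"].get("device_id", "")
    if not DEVICE_ID.fullmatch(device_id):
        return {"status": 400, "body": "invalid device id"}
    device = DEVICES.get(device_id)
    # Same response for "does not exist" and "not yours": an authenticated
    # caller cannot use the difference to enumerate other customers' gateways.
    if device is None or device["owner"] != user:
        return {"status": 404, "body": "not found"}
    return {"status": 200, "body": device}


def make_request(device_id, token=None):
    """Build the dict-shaped request the handlers accept."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return {"headers": headers, "params": {"device_id": device_id}}


if __name__ == "__main__":
    anon = make_request("gw-200")
    print("weak, anonymous:     ", weak_get_device(anon)["status"])
    print("hardened, anonymous: ", hardened_get_device(anon)["status"])
    cross = make_request("gw-100", token="tok-bob-0002")
    print("hardened, bob->alice:", hardened_get_device(cross)["status"])
```

The weak handler answers an anonymous request for any device with a 200; the hardened one returns 401 without a valid token, 400 for an id that does not match the expected shape, and 404 both for a missing device and for a device the caller does not own. The last point is the access-control half of the “three As”: authentication alone tells you who is calling, not whether they may see this particular record.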

There is certainly more to securing the world’s critical infrastructure than a few basic steps, but ultimately, this is something that we as an industry must make a top priority.
