Dennis Martin, crisis management and business resilience specialist at technology services partner Axians UK, looks at critical infrastructure.

Between late 2024 and 2025, a wave of coordinated power disruptions in Eastern Europe and localised grid failures in South America made one thing clear: the era of hypothetical threats to critical infrastructure is over. The real danger lies in the unseen incursions, silently probing and mapping our systems long before anyone notices.

Take, for example, the 2023 compromise of the Littleton Electric Light and Water Departments (LELWD). A Chinese state-sponsored cyber group maintained access for several months before being detected. While it may seem like a small, isolated incident of “bad luck”, it acted as a proof of concept, showing how attackers can map critical national infrastructure (CNI) and identify potential points of leverage for future operations at the time of their choosing.

The rise of sub-threshold conflict

We are now operating within an increasingly unstable geopolitical landscape defined by what is often termed "sub-threshold conflict." In this grey zone, nation-states engage in aggression that stops just short of traditional warfare, making cyberattacks an ideal tool for modern statecraft. These operations are relatively low-cost, provide a degree of plausible deniability by operating through proxies, and deliver outsized psychological and physical impact.

By targeting the systems that provide heat, water, and power, adversaries can exert immense pressure on a government by eroding the public’s sense of safety. In this context, a substation is no longer just a piece of electrical equipment but a high-value target in a global game of digital brinkmanship. Infrastructure is the ultimate target because its disruption creates immediate, visceral consequences for the population.

The connectivity paradox: IT and OT convergence

The vulnerability of these systems is not just a result of increased malice, but of increased complexity. Historically, Operational Technology (OT) - the tech that detects or causes a change through the direct monitoring and control of physical devices - was air-gapped and isolated from the wider world. Today, the drive for efficiency and data-driven insights has led to a massive wave of IT/OT convergence, connecting legacy mechanical systems directly to the internet.

Many of these environments were never designed for modern threat models. We are dealing with legacy hardware built decades ago that lacks basic encryption, and flat networks where a single compromised laptop in an administrative office can provide a lateral pathway into the heart of a control center. Furthermore, OT environments are notoriously difficult to patch because they cannot be taken offline without disrupting essential services. This creates a massive "blast radius" where a localised breach can cascade into a regional crisis.

People, process, and clarity

Technical vulnerabilities are only part of the story. More often than not, the real gaps in resilience are human and procedural. When something goes wrong, coordination and decisive action matter more than another tool or dashboard. Clear roles, practiced decision-making, and rehearsed emergency procedures can mean the difference between a contained incident and cascading failure. In high-stakes operations, having the right people do the right thing at the right moment is as critical as any security control.

Regulation as a floor, not a ceiling

Governments have recognised this fragility and are responding with increasingly stringent legislation. We are seeing a global push toward mandatory risk-based security frameworks, accelerated incident reporting timelines, and deeper coordination between state intelligence and private operators. The message from governments is clear: organisations must take a more strategic approach to their security posture.

However, while regulation is a necessary step, it is not a silver bullet. Compliance often focuses on raising the minimum floor of security across an industry. For an operator responsible for national stability, meeting a regulatory baseline is merely the starting point. True security requires moving beyond a simple checklist and toward a strategic defense that identifies where the stakes are highest.

Designing for the "worst day"

Operators must prioritise their defenses where the consequences of failure are most severe. This means layering aggressive controls around control centers, high-impact substations, and the remote access pathways that serve as the primary entry points for attackers. If we accept that a breach is eventually possible, our architectural philosophy must shift toward containment-by-design.

Strategic resilience involves identifying critical dependencies - not just in the hardware on-site, but across the entire supply chain and third-party service providers. We must move away from the hubris of dreaming up impenetrable systems and instead plan for the moment they fail. Every organisation must define and, crucially, rehearse "emergency run modes." What does the grid look like when stripped to its barest essentials? Can your team operate manually if the digital overlay is wiped out?

Safety as the core outcome

We cannot lose sight of the fact that critical infrastructure is ultimately a public safety function. Cyber incidents in OT are not just about downtime; they carry real-world implications for staff, communities, and system stability. True resilience means integrating cybersecurity, engineering, and process safety into a single discipline. Cases like Colonial Pipeline demonstrate that even IT-side disruption can force OT shutdowns if operators cannot guarantee safe operation. When assurance drops, operations stop. Resilience planning must therefore cover the whole organisation end-to-end, not just the technical controls.

Proving capability before the crisis

As the line between digital and physical security continues to blur, our definition of success must evolve. Resilience is not the absence of an attack; it is the ability to keep delivering an essential service safely through disruption, regardless of whether the trigger is a cyberattack, a natural disaster, or a technical failure.

Ultimately, that capability must be proven before a crisis hits, not assumed. Through governance, containment-by-design, and practiced degraded operations, we can move from a state of vulnerability to a state of readiness. In the current climate, proving that capability is the only way to ensure that when the worst day comes, the lights stay on.