
The dangerous blind spot in critical infrastructure cybersecurity

Electricity pylons run through fields near Amersham, Britain, September 29, 2023, part of critical infrastructure. Critical infrastructure can be vulnerable to cyber attack. Image: REUTERS/Toby Melville

Robert M Lee
CEO, Dragos
  • Critical infrastructure, including electric grids, water treatment facilities, transportation networks, pipelines and industrial plants, is now deeply interconnected.
  • Yet, despite their strategic importance, many of these essential systems remain alarmingly under-equipped when it comes to cybersecurity.
  • Solving this problem requires focus from everyone, from the plant operators to the cyber defenders for the organization, to the C-suites and countries who must protect their communities.

Disruptions to critical infrastructure occur, but as our systems become more complex, we don’t always know whether the incident was due to a maintenance issue, a configuration change, a cyberattack, or something else.

The power blackouts in Spain and Portugal in April 2025 are recent examples in a growing list of disruptions that have left millions without electricity, sometimes for hours or even days. In these cases, engineers work urgently to restore service while investigators try to determine the cause. Was it a technical malfunction? Human oversight? Or a deliberate cyberattack probing for weaknesses or testing emergency responses? These questions arise every time, yet far too often, the answer is: 'We don’t know.'

Critical infrastructure, including electric grids, water treatment facilities, transportation networks, pipelines and industrial plants, is deeply interconnected and digitalized. Yet, despite their strategic importance, many of these essential systems remain alarmingly under-equipped when it comes to cybersecurity.

While information technology (IT) cybersecurity has long received attention and investment, operational technology (OT) systems, the industrial control systems and devices that make critical infrastructure critical, are often overlooked, presumed secure simply because they traditionally operated offline or in isolated networks.


Operational technology can be a weak point

But times have changed. Digitalization, automation and interconnectedness mean these OT environments are no longer isolated. And, just as connectivity has increased convenience and efficiency, it has also dramatically expanded the attack surface available to malicious actors. Sophisticated state-sponsored hackers and other bad actors now routinely probe and target OT networks, seeking vulnerabilities that they can exploit to cause catastrophic disruptions. Too often, security investments in OT haven’t kept up with the growing threat, leaving these networks unmonitored and vulnerable.

The result is that when a serious outage occurs without adequate monitoring, investigators and incident response teams find themselves largely in the dark in determining whether the cause was a software or equipment failure, mis-operation, a cyber attack or another factor. The data crossing OT networks is often transitory and, if no provision has been made to record it, it is lost forever. Responders must rely on guesswork, forensic speculation, or incomplete and inconclusive evidence, much like a doctor attempting to diagnose a patient’s illness without medical history, tests, or diagnostic tools. Symptoms alone cannot accurately reveal the underlying cause.


The root cause is hard to find

The inability to do a timely root cause analysis of an outage can lead to cascading problems. It becomes hard to determine the best course of action and how to recover assets safely. Incident response teams are left without the information needed to warn other critical infrastructure operators of ongoing threats, fortify their own networks and evict cyber intruders. They lose the ability to learn from what went wrong and make improvements that prevent further exploitation or protect them from similar attacks in the future.

This ambiguity goes beyond a cybersecurity issue. It has serious implications for the organization and its leadership regarding transparency and accountability. Stakeholders, whether investors, insurers or the general public, expect and depend on reliable, accurate information to assess risk, allocate resources and make informed decisions. Investors need to understand the true cybersecurity posture of the companies managing critical infrastructure. Insurers must accurately attribute the cause of outages to process and settle claims fairly and set premiums properly. Many jurisdictions now require disclosure of cyber incidents affecting critical systems.

In the absence of proper OT cybersecurity detection capabilities, companies unintentionally violate the letter or, at a minimum, the spirit of these laws, hindering effectiveness and public oversight. It’s only a matter of time before stakeholders deem that allowing an addressable cybersecurity blind spot to persist, when it could have prevented or minimized a successful attack, is a breach in trust and a liability for the organization.

The national security implications

Perhaps the most troubling consequence of inadequate OT cybersecurity is its national security implications. An adversary who can infiltrate critical infrastructure networks undetected gains plausible deniability, complicating any diplomatic, legal, or military response. Consider the scenario where a hostile state-backed actor quietly penetrates a state’s electric power system or water infrastructure. Undetected, the intruder can quietly conduct reconnaissance, test defences, map vulnerabilities, or even launch covert operations disguised as normal technical failures. Without clear proof of malicious intent, governments find it politically and strategically challenging to respond decisively. This delay in attribution and response empowers adversaries, incentivizing further aggression.

We do see countries taking steps to ensure better visibility into what is really happening in critical infrastructure networks. The US Federal Energy Regulatory Commission (FERC), for example, recently approved an Internal Network Security Monitoring (INSM) Standard. The Standard, CIP-015-1, enhances cybersecurity by mandating the monitoring of internal network traffic and detecting malicious activity that may have bypassed perimeter defences for some of the most critical electric utility OT environments.

OT monitoring technologies already exist to provide the forensic visibility needed to determine whether an incident stems from a cyberattack, technical failure, or human error. These enable organizations to respond more effectively, recover faster and strengthen their defences.
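The monitoring the article describes has two parts: retaining the transitory OT traffic so that it is not "lost forever", and comparing observed conversations against a known baseline so that activity which bypassed the perimeter is visible. The sketch below is an added illustration, not code from the author or from Dragos. It assumes a passive sensor has already reduced a SPAN/TAP feed of Modbus/TCP traffic to flow records (source, destination, protocol, function code); every host address, the baseline and the sample flows are constructed for the example, and the `window()` lookup stands in for the forensic replay an investigator would do after an outage.

```python
"""Minimal internal network security monitoring (INSM) sketch for one OT segment.

Constructed example: flow records are a simplified rendering of what a passive
sensor would extract from a SPAN/TAP feed of Modbus/TCP. The hosts, baseline and
sample traffic below are made up for illustration; they are not real site data.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # epoch seconds (constructed)
    src: str     # source IP of the conversation
    dst: str     # destination IP (here, a PLC)
    proto: str   # application protocol, e.g. "modbus"
    func: int    # Modbus function code (3 = read holding registers, 16 = write multiple registers)


# Modbus function codes that change process state (write-class operations).
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}


def learn_baseline(quiet_period_flows):
    """Build the set of expected (src, dst, proto, func) conversations from a
    period the engineers vouch for as normal operation."""
    return {(f.src, f.dst, f.proto, f.func) for f in quiet_period_flows}


class FlowRecorder:
    """Bounded retention of raw flow records so that investigators can replay
    what crossed the segment before an incident instead of guessing."""

    def __init__(self, max_records=10000):
        self._buf = deque(maxlen=max_records)

    def record(self, flow):
        self._buf.append(flow)

    def window(self, start, end):
        # Everything observed between two timestamps, e.g. the minutes before an outage.
        return [f for f in self._buf if start <= f.ts <= end]


def classify(flow, baseline):
    """Return None for baselined traffic, otherwise (severity, description)."""
    if (flow.src, flow.dst, flow.proto, flow.func) in baseline:
        return None
    kind = "write" if flow.func in WRITE_FUNCS else "read"
    severity = "HIGH" if kind == "write" else "MEDIUM"
    return (severity, f"unbaselined {kind} func={flow.func} {flow.src}->{flow.dst}")


def monitor(flows, baseline, recorder):
    """Record every flow and return alerts for the ones outside the baseline."""
    alerts = []
    for f in flows:
        recorder.record(f)
        verdict = classify(f, baseline)
        if verdict is not None:
            alerts.append((f.ts, *verdict))
    return alerts


# Constructed quiet-period traffic: HMI polling and writing setpoints, historian reading.
QUIET_PERIOD = [
    Flow(900.0, "10.10.1.5", "10.10.2.20", "modbus", 3),
    Flow(901.0, "10.10.1.5", "10.10.2.20", "modbus", 16),
    Flow(902.0, "10.10.1.9", "10.10.2.20", "modbus", 3),
]

# Constructed traffic from a later period that includes a host never seen before.
SAMPLE_FLOWS = [
    Flow(1000.0, "10.10.1.5", "10.10.2.20", "modbus", 3),
    Flow(1001.0, "10.10.1.9", "10.10.2.20", "modbus", 3),
    Flow(1002.0, "10.10.1.5", "10.10.2.20", "modbus", 16),
    Flow(1003.0, "10.10.1.77", "10.10.2.20", "modbus", 3),   # unknown host reading the PLC
    Flow(1004.0, "10.10.1.77", "10.10.2.20", "modbus", 16),  # unknown host writing to the PLC
    Flow(1005.0, "10.10.1.5", "10.10.2.20", "modbus", 3),
]


def run_demo():
    baseline = learn_baseline(QUIET_PERIOD)
    recorder = FlowRecorder()
    alerts = monitor(SAMPLE_FLOWS, baseline, recorder)
    return alerts, recorder


if __name__ == "__main__":
    alerts, recorder = run_demo()
    for ts, severity, text in alerts:
        print(f"{ts:.0f} {severity} {text}")
    # After an outage at t=1006, pull the retained traffic from the preceding window.
    print(f"{len(recorder.window(1000.0, 1006.0))} flows retained for root-cause analysis")
```

With the retained records, the investigator can distinguish "a setpoint write arrived from a host that is not the HMI, seconds before the process tripped" from "nothing unusual crossed the network, look at the equipment", which is exactly the ambiguity the article says unmonitored OT networks cannot resolve. In a real deployment the baseline would be reviewed by the plant engineers rather than trusted blindly, and the recorder would write to durable storage rather than memory.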

In a world where critical infrastructure is increasingly digitalized and targeted, treating OT monitoring as a core operational necessity is essential. It requires focus from everyone, from the operators on the plant floor, to the cyber defenders for the organization, to the C-suites and countries who must protect their communities against economic, public safety and national security consequences.


License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

© 2025 World Economic Forum