Most cyber attacks hit data. Critical infrastructure attacks hit pipelines, power grids, and hospitals. The consequences are physical, and the security disciplines are different.
In May 2021, a ransomware group called DarkSide encrypted the IT systems of Colonial Pipeline, the company that operates the major fuel pipeline running from Texas to the US Northeast. Colonial's response was to shut down pipeline operations proactively, not because the pipeline's control systems were compromised but because the company was not confident it could safely operate, and bill for, product movements with its business systems encrypted. The shutdown lasted about five days. Fuel shortages spread across the Southeast, prices spiked, and lines formed at gas stations. Colonial paid approximately $4.4 million in ransom; the US Department of Justice later announced it had seized roughly $2.3 million of it.
The thing that stays with me about Colonial Pipeline is that the pipeline itself was not hacked. The operational systems that run the physical infrastructure were separate from the IT systems that were encrypted. Colonial chose to shut down operations because managing a pipeline without working business systems creates risks that the company was not willing to accept. The physical disruption came from the IT attack, through the operational response to it, not from a direct attack on the pipeline's control systems. That gap between where the attack landed and where the consequences appeared is exactly what makes critical infrastructure cybersecurity different.
Most cybersecurity discussions, at least the ones that show up in the news, are about data breaches. Someone stole credit card numbers. A healthcare provider had patient records exposed. Login credentials were sold on a forum. These are real harms, and they cause real costs. But the harm is financial, reputational, and to privacy. People's data was taken. That is bad. Nobody's physical safety was directly at risk in the moment.
Critical infrastructure attacks are a different category. When the target is a pipeline, a power grid, a water treatment plant, or a hospital network, the potential consequences include physical harm to people. A water treatment facility whose control systems are accessed by an attacker could have its chemical dosing manipulated. A hospital whose systems are locked by ransomware has to divert patients and delay procedures. A power grid attack could leave regions without electricity in winter. The stakes are not abstract.
The SolarWinds supply chain attack, disclosed in December 2020, showed a different dimension of this problem. Attackers compromised SolarWinds, a company that makes network monitoring software widely used by governments and large enterprises. By tampering with the build process of its Orion product, the attackers got malicious code into a legitimately signed software update, which SolarWinds then distributed through its normal update channel. Roughly 18,000 customers installed the trojanized update, although the attackers pursued follow-on intrusions against only a small fraction of them; US federal agencies were among those affected. The attack is widely described as one of the most significant cyber espionage operations discovered in recent memory, and it worked because the attackers understood that the target was not any individual organization but the software supply chain that connected them all.
SolarWinds and Colonial Pipeline are different in their method and their immediate consequences. But both point to the same structural problem: the systems that run physical and governmental infrastructure are increasingly connected to networks and software supply chains that introduce vulnerabilities those systems were not originally designed to handle.
There is a specific concept in industrial security that explains this: operational technology, or OT. OT systems are the computers, sensors, and controllers that run physical processes. A pump controller, a conveyor system, a voltage regulator, a water treatment dosing system. These systems were historically isolated from internet-connected networks by design, the so-called "air gap." An attacker who could not reach the OT network could not affect the physical process. The isolation was the security model.
That isolation is disappearing. Organizations connect OT systems to IT networks for legitimate reasons: remote monitoring, predictive maintenance, efficiency improvements, integration with enterprise systems. Every connection that improves operational visibility also reduces the isolation that was providing security. The air gap, once gone, is very hard to restore. And OT security is a different discipline from IT security in ways that matter enormously.
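One concrete way to hold on to some of that isolation once the physical air gap is gone is to replace "anything can talk to anything" with an explicit allow-list of conduits between zones, so that every IT-to-OT connection is named and everything else is a violation. The Python below is an added example written for this post, not code from the original page or from any of the organizations it mentions. The zone layout, subnets, conduits, and the flow records it audits are all constructed for illustration; a real site would substitute its own network design and feed the audit from its firewall or NetFlow exports.

```python
"""Zone/conduit policy check for an IT/OT boundary (added example).

Models the point above: once OT is reachable from IT, the security model
has to become an explicit allow-list of cross-zone conduits rather than
an assumption of isolation. Zones, subnets, ports and sample flows are
constructed for illustration, not taken from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout (assumption): enterprise IT, an OT DMZ that holds
# the historian mirror and jump host, and the control zone with PLCs/HMIs.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "ot_dmz": ip_network("10.20.0.0/24"),
    "control": ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Conduit:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str


# The only permitted cross-zone paths. Deliberately, nothing goes from
# enterprise straight into control; every path hops through the DMZ.
CONDUITS = [
    Conduit("historian-replication", "control", "ot_dmz", 5432, "tcp"),
    Conduit("enterprise-reads-historian", "enterprise", "ot_dmz", 5432, "tcp"),
    Conduit("jump-host-rdp", "enterprise", "ot_dmz", 3389, "tcp"),
    Conduit("jump-to-engineering-ws", "ot_dmz", "control", 3389, "tcp"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known zones is 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ('allow'|'deny', reason) for one flow.

    Intra-zone traffic is out of scope for a boundary policy and is allowed
    here; every cross-zone flow must match a named conduit exactly.
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        bad = flow.src if src_zone == "unknown" else flow.dst
        return "deny", f"unmapped address {bad}"
    if src_zone == dst_zone:
        return "allow", f"intra-zone ({src_zone})"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.dst_port, c.proto) == (
            src_zone, dst_zone, flow.dst_port, flow.proto
        ):
            return "allow", f"conduit {c.name}"
    return "deny", f"no conduit {src_zone}->{dst_zone} {flow.proto}/{flow.dst_port}"


def audit(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return every denied flow with its reason: the first thing to read
    after connecting a previously isolated OT network."""
    denied = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            denied.append((f, reason))
    return denied


# Constructed flow records, as a firewall or NetFlow export might produce them.
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "10.20.0.10", 5432, "tcp"),  # analyst reads historian mirror
    Flow("10.30.0.50", "10.20.0.10", 5432, "tcp"),  # historian replicates into DMZ
    Flow("10.10.5.23", "10.30.0.7", 502, "tcp"),    # enterprise host -> PLC (Modbus/TCP, port 502)
    Flow("10.30.0.7", "203.0.113.9", 443, "tcp"),   # PLC reaching the internet
    Flow("10.20.0.20", "10.30.0.30", 3389, "tcp"),  # jump host -> engineering workstation
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dst_port}/{flow.proto}: {reason}")
```

Run against the constructed flows, two are denied: the enterprise workstation talking Modbus/TCP directly to a PLC, and the PLC reaching an address outside every zone. Both are exactly the kind of path that appears quietly once the air gap is bridged for monitoring and never shows up in a design diagram, which is why the policy enumerates what is allowed instead of what is forbidden.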
IT security has decades of tooling, best practices, patching cycles, and vendor support. OT systems were built with reliability and long operational lifetimes as the primary goals, not patchability. Some OT systems run software that is ten or twenty years old and cannot be updated without taking the physical process offline, which itself carries risks. An endpoint security agent built for office laptops can interfere with the real-time control software on an HMI or engineering workstation, and the industrial controller itself typically cannot run one at all. A security patch that takes a few minutes to apply on a workstation might require a scheduled maintenance window and a shutdown procedure on a plant control system.
NIST's Cybersecurity Framework, first published in 2014 under an executive order on critical infrastructure cybersecurity, exists precisely because this gap was recognized at a policy level. The framework has become a widely referenced baseline for how organizations should approach cybersecurity risk management. It is not specific to OT (NIST's OT-specific guidance lives in SP 800-82), but its risk-based approach is applicable to environments where patching cycles and isolation strategies look very different from the enterprise IT context.
I wrote earlier about how fear-based security awareness training often produces the wrong response. The organizational dynamics in critical infrastructure are a scaled-up version of that problem. The people managing OT systems are often engineers whose primary concern is operational continuity, not cybersecurity. Introducing security controls that might interfere with a process that must not stop is not a straightforward sell. The perceived cost of a security control that might cause an unplanned outage is very concrete. The perceived risk of a cyberattack that might someday cause an outage is abstract until it happens.
What makes critical infrastructure cybersecurity hard is not only that the stakes are higher. It is that the organizations responsible for it were built around different risk models, use different technology stacks, have different operational priorities, and often lack the security expertise that has developed over decades in the IT security space. Closing the gap requires something that takes years: building OT security as a genuine discipline inside organizations that have historically not needed it, with the organizational resources and expertise to match the threat.