TelcoNews Australia - Telecommunications news for ICT decision-makers

Nation-state cyberattacks expose weaknesses in vital infrastructure

Yesterday

Critical infrastructure sectors including energy, water, telecommunications, finance, transportation, and healthcare are increasingly the focus of cyberattacks from nation-state actors, prompting calls for more resilient approaches to cybersecurity.

Nation-state cyber actors are described as being distinct from typical hacktivists or criminal groups, due to their significant resources, technical capability, and political motivations that often extend beyond financial gain. Their objectives can include espionage, sabotage, coercion, or demonstrating technical prowess against rival states or critical industries.

Notable incidents such as the Stuxnet worm, discovered in 2010, which targeted Iranian nuclear centrifuges, and the SolarWinds compromise, disclosed in late 2020, which used a trojanised software update to reach numerous US government networks, underscore the potential scale and impact of these operations. Cyber campaigns can extend over months or years, using zero-day vulnerabilities and supply chain attacks, as well as social engineering, to maintain undetected access within target networks.

The consequences of such attacks are wide-ranging and significant, potentially disrupting essential services, damaging physical infrastructure, eroding public trust, and imperilling national security.

Vulnerabilities in core systems

Legacy systems are commonplace throughout critical infrastructure sectors. Many facilities continue to rely on outdated hardware and software, which often lack contemporary security features and may no longer receive vendor support. These legacy systems are challenging to patch and can be interconnected in ways not originally anticipated when first designed.

The convergence of information technology with operational technology, such as Supervisory Control and Data Acquisition (SCADA) systems, has also expanded the attack surface. Systems that once operated in isolation are now frequently connected to broader networks, increasing opportunities for remote compromise.

Supply chain vulnerabilities also pose risks, whether due to unintentional lapses or compromise of third-party vendors. Previous supply chain attacks have demonstrated how sophisticated actors can exploit these weaknesses to gain access. Limited budgets in public utilities and service organisations further constrain the ability to continually invest in cybersecurity defences.

Defence strategies

Although achieving perfect protection is not possible, a layered and proactive defence significantly lowers the risk of successful attacks. This includes risk assessment and asset inventory, network modernisation and segregation, improved monitoring and response, supply chain security, and staff training.

Effective defence requires identifying and classifying critical assets, mapping dependencies, and regularly updating inventories to account for evolving threats. Organisations are encouraged to patch or replace obsolete systems where possible, and if not possible, to isolate legacy equipment behind firewalls and restrict access.

"Effective protection begins with understanding what needs defending. Organisations must identify and classify critical assets, map out dependencies and interconnections, assess potential impact of various attack scenarios, and regularly update inventories and risk profiles to account for changes in systems and threats," said Himali Dhande, Cybersecurity Operations Lead at BorderlessCS.

Network segmentation and zero-trust principles help limit the potential impact of a compromise. Multifactor authentication and a least-privilege approach are recommended for securing remote access to sensitive systems. Intrusion detection, continuous monitoring, and routine incident response drills are essential for identifying and responding to threats promptly. Sharing threat intelligence with sectoral and national bodies can enhance overall sector resilience.
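As an illustration of what segmentation and monitoring look like in practice, the following is an added example, not code from the article or from BorderlessCS. It models one simple IT/OT zone policy: hosts in the OT zone accept inbound connections only from a designated jump host, and only on an explicit port allow-list; any other connection that crosses into OT is reported. The zone ranges, the jump host address, the port list and the flow records are all constructed for the example and do not describe any real network.

```python
"""Zone-policy check for IT/OT segmentation, run over sample flow records.

Added example, not from the article. It expresses the policy described in the
text (OT reachable only via a jump host on allow-listed ports) and evaluates
connection records against it, the way a monitoring job over firewall or
NetFlow logs might. All addresses, ports and records below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone definitions (hypothetical addressing).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
}

# Hypothetical jump host in the DMZ: the only permitted origin for OT access.
JUMP_HOST = ipaddress.ip_address("10.20.0.5")

# Constructed allow-list of inbound OT ports from the jump host
# (SSH, RDP, Modbus/TCP).
OT_ALLOWED_PORTS = {22, 3389, 502}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Map an address to a zone name; anything outside the known ranges is UNKNOWN."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow under the zone policy.

    The policy fails closed: a source that is not the jump host, including one
    from an UNKNOWN range, is denied access to OT.
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if dst_zone != "OT":
        # Flows that do not enter OT are outside this policy's scope.
        return "ALLOW", f"{src_zone}->{dst_zone} not OT-bound"
    if src_zone == "OT":
        return "ALLOW", "intra-OT"
    if ipaddress.ip_address(flow.src) != JUMP_HOST:
        return "DENY", f"{src_zone} host {flow.src} reached OT directly"
    if flow.dport not in OT_ALLOWED_PORTS:
        return "DENY", f"jump host used non-allowed port {flow.dport}"
    return "ALLOW", "jump host on allowed port"


def parse_flow(line: str) -> Flow:
    """Parse a whitespace-separated 'src dst dport proto' record."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def find_violations(lines):
    """Return [(flow, reason)] for every record the policy denies."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        if verdict == "DENY":
            out.append((flow, reason))
    return out


# Constructed sample records: src dst dport proto
SAMPLE_FLOWS = """
# IT-to-IT file sharing, not OT-bound
10.10.4.21 10.10.4.30 445 tcp
# jump host to a PLC on Modbus/TCP: permitted
10.20.0.5 192.168.100.12 502 tcp
# IT workstation talking to the PLC directly: violation
10.10.7.9 192.168.100.12 502 tcp
# jump host on a port outside the allow-list: violation
10.20.0.5 192.168.100.40 8080 tcp
# PLC to HMI inside OT: permitted
192.168.100.12 192.168.100.13 502 tcp
# address from no known zone reaching OT: violation
172.16.9.9 192.168.100.12 22 tcp
""".strip().splitlines()


if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
```

Running the script reports the three flows that breach the policy. The same `evaluate` function can be used both ways the text describes: as the rule table a firewall between IT and OT should enforce, and as a detection check run over exported flow logs to confirm that the enforcement actually holds, which is the part that catches a misconfigured rule or an undocumented link into a legacy segment.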

"Patch and Replace Legacy Systems: Replace obsolete hardware/software where possible. Where replacement isn't feasible, isolate legacy systems behind firewalls and restrict access. Network Segmentation: Implement strict separation between IT and OT environments. Use segmentation and zero-trust principles to control access, so that compromise in one segment does not threaten the whole. Multifactor Authentication and Least Privilege: Limit privileges and require strong authentication, especially for remote access to sensitive systems," Dhande added.

Organisations are also urged to scrutinise vendors for security practices, require adherence to standards, and include contractual obligations for prompt disclosure of vulnerabilities and delivery of patches. Ongoing staff training is necessary to counteract social engineering and foster a culture of reporting suspicious activity.

Government and regulatory role

Governments play an important part in supporting cybersecurity across critical infrastructure sectors. This includes issuing guidance, sharing threat intelligence, and setting minimum security standards for operators.

"Government agencies play a crucial coordinating role - issuing guidance, sharing intelligence, and, in many jurisdictions, mandating minimum security standards for critical infrastructure sectors. In the US, for example, the Cybersecurity and Infrastructure Security Agency (CISA) provides resources, threat alerts, and support to public and private sector operators. International cooperation is also growing, with forums for joint exercises and rapid response to transnational threats," said Dhande.

Ongoing risk

Nation-state attacks on critical infrastructure are no longer a distant possibility but a current and evolving reality. As attackers grow more sophisticated, defenders must anticipate, adapt, and build resilience. Protecting critical infrastructure demands not only advanced technologies but also vigilant people, effective processes, and strong public-private collaboration. The stakes - national security, economic stability, and public safety - require nothing less than urgent and sustained action.