Protecting the Systems that Sustain Us: Securing Critical Infrastructure During Cybersecurity Awareness Month

To close out the Cybersecurity Awareness Month 2025 coverage from Trustwave, A LevelBlue Company, we take a look at securing critical infrastructure, one of the focus areas for the Cybersecurity and Infrastructure Security Agency (CISA).

For our complete coverage, please see: Cybersecurity Awareness Month 2025: The Value of MSSPs and Cybersecurity Awareness Month 2025: 4 Steps to Build a Cyber Strong America.

As CISA notes, these critical services form the backbone of modern society, yet they are under constant threat from cyberattacks. When critical infrastructure is disrupted, the businesses and communities that depend on it suffer as well.

Organizations across the public and private sectors that own, operate, or support critical infrastructure are on the front lines of defending against these growing threats.

The State of Critical Infrastructure Security

Critical infrastructure facilities face a complex and expanding web of cyber risks, amplified by the growing convergence of information technology (IT) and operational technology (OT). Trustwave SpiderLabs’ 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report examines how threat actors target these systems — and offers actionable recommendations to strengthen resilience.

The integration of IT and OT brings operational efficiencies but also introduces new vulnerabilities. Many organizations still assume their OT systems are isolated or “air-gapped”, leading to complacency in patching and updating legacy systems. In reality, this outdated mindset is leaving many critical systems dangerously exposed.

The Threat Landscape

Recent events underscore how unprepared many infrastructure operators remain. According to the Center for Strategic & International Studies (CSIS), dozens of cyberattacks have targeted critical infrastructure and government systems around the world, including:

  • On April 7, 2025, hackers (believed to be pro-Russian) took control of a hydropower facility in Bremanger, Norway, and opened a flood gate, releasing ~500 litres of water per second for four hours before the attack was detected and stopped. No injuries were reported. This is significant because a cyber event caused physical manipulation of a water/energy infrastructure asset — a clear example of IT/OT convergence risk.
  • From July 25-29, 2025, a “deliberate, coordinated digital attack” on the city of St. Paul disrupted core city systems, including public WiFi, payment portals, and employee networks. The governor activated the National Guard because the incident exceeded the city's response capacity.
  • In February 2025, Italian authorities reported that about 20 websites, including banks, airports, and transport infrastructure, were targeted by alleged pro-Russian hackers.

The Challenges of Securing Critical Infrastructure

The Trustwave SpiderLabs team highlights that critical infrastructure is uniquely difficult to protect due to its diversity, encompassing everything from small utilities to national agencies, and its reliance on decades-old technology. Cost concerns, operational priorities, and fragmented management structures often result in outdated, under-secured environments.

Because these systems are interdependent, a disruption in one area, such as power or water delivery, can cascade across multiple sectors, compounding the impact on communities. Many facilities have also evolved into patchworks of mismatched equipment and systems over time, prioritizing uptime and output over security.

Meanwhile, as IT and OT networks become more integrated, attackers gain new opportunities to move laterally within connected environments. The reliance on third-party vendors further expands the attack surface, especially when those partners are compromised.

The rapid adoption of automated, machine-to-machine communications in critical infrastructure brings additional risks. These systems, not originally designed with cybersecurity in mind, can be manipulated to disrupt or damage physical assets.

Key IT/OT Security Gaps Identified

Trustwave SpiderLabs’ research uncovered several common weaknesses across critical infrastructure environments:

  • Limited Asset Management: Many organizations lack full visibility into their OT systems, leaving vulnerabilities undetected.
  • Patching Difficulties: Legacy OT systems often can’t be easily taken offline, leading to delays or avoidance of applying essential security updates.
  • Resilience and Response: Building redundancy into critical systems is vital for maintaining operations during an attack and minimizing downtime.

Staying Resilient

As we recognize Cybersecurity Awareness Month, it’s a reminder that protecting the systems that sustain our daily lives — from water and energy to healthcare and finance — requires ongoing vigilance, collaboration, and investment.

By understanding the evolving threat landscape and addressing the intersection of IT and OT security, organizations can take proactive steps to safeguard not just their operations but also the well-being of the communities that rely on them.
