As different businesses and industries become increasingly interdependent, the ability for security breaches to cascade through multiple sectors has grown. Evolving regulation seeks to build resilience by starting with the critical infrastructure upon which we depend.
null

Cyber attacks on critical infrastructure can cause significant operational downtime and financial loss, both to the provider itself and for the many customers that rely on the supplier for critical services such as power, water and internet.

One of the more recent reminders of this risk came in July 2024 when hackers targeted internet service provider (ISP) networks across the US, disrupting the operations of millions of commercial and personal customers.

A single, more targeted attack can also have major ripple effects due to the interdependency within critical infrastructure sectors. A ransomware attack on energy giant Colonial Pipeline in May 2021 caused widespread fuel shortages and a commodity price spike, affecting truck fleets, filling station customers and airline operators across multiple US states.1

And the February 2024 data breach of a large health-tech provider impacted billing, insurance processing and access to care for hospitals, pharmacies and medical practices across the US, ultimately affecting around 190 million people.2

In a world where so much of our day-to-day operations depend on the critical infrastructure sectors to function, the impact of a disruption can be felt far and wide, with implications for safety, security and economic stability.

What is critical infrastructure?

Critical infrastructure includes both physical and virtual components and refers to the systems, facilities and assets that are essential for society and the economy to function.
Critical infrastructure crosses some of these sectors, with interdependencies and linkages between them:
  • Energy
  • Transport systems
  • Air and seaports
  • Health
  • Drinking water
  • Crisis response
  • Food and agriculture
  • Waste water and water management
  • Space
  • Certain central public administrations
  • Critical manufacturing

Domino effect in an interconnected era

When critical infrastructure is the target of a cyber intrusion, the impact is widespread. For example, disruption to communication networks, power outages across the electric grid and transportation gridlocks can cause substantial business interruption across multiple industry verticals.

The ongoing digitization of modern economies has exacerbated these interdependencies. With growing reliance on cloud services, for instance, the consolidation among providers has increased the risk of a single supplier outage having a global impact. The lack of cloud provider diversification is a factor that came into sharp relief in 2024 due to the CrowdStrike IT outage, which was the results of a faulty update rather than a cyber attack. In total, there were six significant cloud outages over the course of the year.3

Meanwhile the attack perimeter is also expanding. The growth in the number of connected devices, known as the Internet of Things (IoT), means that hacking a specific device — something as innocuous as a smart thermostat or webcam — could provide a point of entry into a company's wider network.

The challenge with many original connected devices is that consumer appeal took precedent over security. The weaponization of devices during distributed denial of service (DDoS) attacks has highlighted this vulnerability, and newer generations have been designed with more robust security in mind.4

Why critical infrastructure is a target

Critical infrastructure is an attractive target for cyber attacks because of its inter-relationships with nearly all sectors of business, government and society. It's the infrastructure underpinning economies, so a successful attack is likely to cause a big impact, enabling attackers to make a name for themselves in the criminal world in which they operate.

For politically motivated hackers, disruption to critical systems is designed to unleash chaos — threatening public safety and social cohesion.

State-sponsored attacks often stem from geopolitical conflicts, reflecting the shift from physical to cyber warfare as hackers seek to cause disruption and gather intelligence.

Where attack groups cast a wide enough net, critical services can also be among the many victims caught in it. The latter scenario has been a particular feature of ransomware attacks, including WannaCry and NotPetya, which counted e-commerce providers, major shipping firms and healthcare services among their victims.

Such attacks may deliberately target essential services, to cause the greatest disruption and focus media attention. The healthcare sector accounted for nearly a quarter of all data breaches in 2024.5 Digitization of the sector has increased its vulnerability to cyber attacks, and facilities are often targeted because the protected health information they hold is extremely valuable and can be readily sold or exploited.

For cyber attackers, the biggest bang for their buck is going to be assets that most people depend on. Supply chains, logistics, power and energy, telecommunications, transport networks and healthcare systems are all attractive targets.
Johnty Mongan, head of Cyber Risk Management at Gallagher.

 

A shifting focus to operational technology exposures

Protecting people and systems means staying informed and keeping up in the arms race against malicious actors. This protection includes investing in automated vulnerability assessments and intrusion detection, while also training staff to be a vigilant frontline of defense.

The challenge for businesses in industrial sectors that rely on operational technology (OT) is coping with legacy systems that are costly to update. But with the OT landscape becoming more interconnected, updating systems has become even more challenging.

The preponderance of aging OT dramatically increases vulnerability to cyber attack. Whereas once such systems could rely on the "air gapping" defense — whereby a computer or network is isolated with no connection to outside networks — this practice is becoming more difficult.

"Ultimately, it's crucial to consider how to segregate these systems and build an IT infrastructure to ensure it remains isolated from the broader network and not connected to the Internet," says Aldo Borsani, Gallagher's head of Cyber, Europe. "However, you will still need some level of connectivity in operational technology for management and control purposes."

He adds, "The Internet of Things adds complexity to the situation and, specifically within the OT environment, risks associated with cyber threats become even more pronounced."

What is OT and how does it differ from IT?

The main difference between operational technology (OT) and Information Technology (IT) lies in their focus and application. Understanding the differences is crucial as the convergence of these technologies continues to grow, leading to new opportunities and challenges in cybersecurity, data management, and operational efficiency.

OT refers to the hardware and software that systems used to monitor and control physical processes, devices and infrastructure. OT is commonly found in industries where physical processes are critical, such as manufacturing, energy, utilities and transportation. Examples of OT include industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems.
OT IT
Purpose and functionality Controls and monitors physical processes and machinery, with a focus on reliability, safety and efficiency of operations Manages and processes data and information, with a focus on data integrity, security and availability
Environment Industrial environments where systems run continuously and are often subject to harsh conditions Offices or data centers and focuses on business processes and data management
System lifespan Long lifespan — sometimes decades — and isn't frequently updated or replaced Updated regularly to keep up with technological advancements and security requirements
Security Ensures the safety and reliability of physical processes, with an emphasis on preventing disruptions that could lead to physical harm or operational downtime Protects data from unauthorized access, breaches, and cyber threats
Integration and interoperability Historically not connected to external networks, but with the rise of the Industrial Internet of Things (IIoT), increasing integrated with IT systems Interconnected and integrated across various platforms and networks

Growing cyber re/insurance maturity and regulation are driving resilience

With systemic cyber risk remaining a primary concern for insurers, Gallagher Re, Beazley and Munich Re produced a whitepaper and model for stress testing the industry's ability to respond to systemic risks from a claims perspective.

The most encouraging finding of the whitepaper is that the industry has increased its skills and capacity for managing cyber risks.

At the same time, tailored regulations for systemic cyber risk are increasing, with the US, EU, Australia and Singapore all having implemented cybersecurity legislation that specifically targets critical infrastructure protection.

A key regulatory framework is the NIS2 Directive, the extension to the EU's Network and Information Security Directive. This framework establishes specific practices for risk management aimed at enhancing resilience and improving cybersecurity, and outlines reporting practices and guidelines to ensure authorities are informed about incidents.

In October 2024, European Commission's Critical Entities Resilience (CER) Directive also came into force in the EU, offering a blueprint for member states to build resiliency and coordinate their response to critical infrastructure attacks. It is focused on three key priority areas: preparedness, response and international cooperation.

Avoid becoming the low-hanging fruit as cyber threats grow

The financial and reputational impact of a cyber intrusion remains a leading source of concern for the C-suite, with the use of artificial intelligence (AI) in social engineering and phishing attacks increasing hackers' ability to carry out more convincing and targeted attacks.

According to Gallagher's Attitudes to AI Adoption and Risks survey, business leaders see the increased threat of privacy violations and data breaches and greater vulnerability to cyber attacks and fraud as among the top four risks to the business arising from AI.

Not only is it important that companies have the right controls in place and a robust approach to cybersecurity, but also that they don't ignore the human factor, particularly as the threat landscape becomes more sophisticated.

Globally, we are witnessing a rise in tailored regulations for critical infrastructure. This trend reflects a growing awareness of the potential impact that cyber threats can have on society and the economy, as well as the heightened attention that hacking groups are receiving today.
Aldo Borsani, head of Cyber, Europe, Gallagher

 

As cyber attacks become more complex and challenging to mitigate, ongoing employee training and education to reduce the risk of potential data breaches will be crucial to building and maintaining resilience.

Meanwhile, implementing zero-trust architecture and multi-factor authentication helps ensure that users, devices and applications are continuously verified before access is granted.

Check your exposure to critical systems

Businesses should factor in disruption to critical infrastructure when carrying out scenario analysis and building in redundancies. Risk mitigation techniques, such as diversifying internet routes, can mitigate the impact of one provider going down.

As the 2017 NotPetya attack demonstrated, the target may be critical infrastructure, but vulnerable networks can be caught in the crossfire of an attack that exploits a common vulnerability.

As part of an ongoing arms race against attackers, AI is being used to analyze and predict these potential threats, helping organizations stay ahead of attackers.

The need to build critical infrastructure protection against cyber attacks is an issue for all businesses and industries in today's interconnected world. The examples of disruptions in energy, healthcare, and internet services underscore the far-reaching consequences of targeting the services we all rely on.

Regulatory frameworks like the NIS2 Directive and CER Directive are crucial in building resilience and coordinating responses to critical infrastructure attacks. Equally, by proactively assessing their exposure to critical systems and implementing risk mitigation strategies, businesses can avoid being picked off as low-hanging fruit in attacks designed to exploit unpatched vulnerabilities.

By staying informed and investing in cybersecurity measures, businesses can better protect themselves and contribute to the resilience of the wider global economy.

Published May 2025

Sources

1"Colonial Pipeline Confirms It Paid $4.4m Ransom to Hacker Gang After Attack," The Guardian, 20 May 2021.

2Whittaker, Zack. "How the Ransomware Attack at Change Healthcare Went Down: A Timeline," TechCrunch, 27 Jan 2025.

3"Cloud Outage Risk Report 2024," Parametrix, accessed 20 Mar 2025.

4Kumari,Pooja and Ankit Kumar Jain. "A Comprehensive Study of DDoS Attacks over IoT Network and Their Countermeasures," ScienceDirect, Apr 2023.

5Green, Denyl. "Data Breach Outlook: Healthcare Most Breached Industry in 2024," Kroll, 18 Feb 2025.