April 17, 2025

How to protect critical infrastructure from cyberthreats



Opswat SVP James Neilson discusses the latest cyber defence tactics to protect critical national infrastructure.

Our critical national infrastructure (CNI) is under unprecedented pressure. Vital services such as healthcare, energy and financial services are not only grappling with surging public demand and regulatory pressures, but they have also become prime targets for cybercriminals and nation-state threat actors.

We have already seen the impact that attacks on CNI and their third-party supply chain providers can have.

For example, last year a cyberattack on pathology services provider Synnovis resulted in significant delays to thousands of NHS appointments and procedures.

In September last year, the ‘Five Eyes’ alliance warned about the “particularly sophisticated threats posed by nation-state attackers, in addition to cybercriminal activities and state-aligned actors”.

As Five Eyes emphasised, there is an urgent “need for critical infrastructure networks to have a strong security baseline”.

To this end, CNI providers must implement multiple layers of security controls to improve their resilience against attacks.

Attacking styles

There are a multitude of cyberthreats targeting CNI, aiming to disrupt operations, hold critical systems to ransom or exfiltrate sensitive information.

With increasing global tensions, state-sponsored groups are increasingly targeting CNI to commit espionage or disrupt vital services on which a nation’s citizens depend. This gives a hostile state a way to undermine and destabilise another while retaining a high degree of deniability.

For example, in 2024, Volt Typhoon, a Chinese state-sponsored group, was found to have gained long-term access to US critical infrastructure networks using living-off-the-land techniques, which rely on legitimate built-in administrative tools rather than malware and so leave little for conventional detection to catch.

However, CNI organisations are also an attractive target for financially motivated groups. The likelihood of ransom demands being paid is higher because victims are often willing to do whatever it takes to restore critical systems quickly. A hospital, for example, cannot afford to have an MRI scanner taken offline.

It is not just a question of who is attacking but of the methods they use. Common threats such as ransomware and phishing remain widespread, but attackers have adapted their tactics in recent years and increasingly rely on file-borne malware to target CNI organisations. Their evolving playbook also includes deploying botnets, exploiting zero-day vulnerabilities and mounting long-running advanced persistent threat (APT) campaigns.

The perpetrators of CNI attacks aim to maximise the scale and severity of their impact. Breaches typically begin on the IT network, but attackers often pivot from there to operational technology (OT) assets, where they can cause significant physical and operational disruption.

The complex and highly interconnected nature of CNI network infrastructure amplifies the risk. Vulnerabilities in one area can cascade into broader, systemic failures, making robust cybersecurity measures essential.

CNI’s security challenges

Security teams are facing a number of challenges that prevent them from addressing these threats effectively.

For instance, Opswat research revealed that only 25pc of security leaders consider themselves “extremely prepared” for DDoS attacks. Readiness for other threats, such as APTs, botnets, API security vulnerabilities and zero-day malware, is even lower, ranging between 12pc and 15pc. Why is readiness so low?

The first challenge is that security strategies must start with buy-in from the board. However, there is often a gap between what security leaders need and the resources and budget provided to implement their plans.

Despite the growing number of threats, cyber budgets remain stagnant or have been reduced. This financial strain forces security teams to focus on immediate risks, leaving them unprepared for evolving attacker tactics and new methods.

In addition to limited budgets, changing environments are placing further burdens on security teams. IT and OT systems previously operated as two separate environments with dedicated teams. However, in recent years, the convergence of IT and OT has resulted in security teams being tasked with managing systems for which they have little or no experience.

For example, CNI organisations have linked SCADA systems to standard IT networks for remote access and telemetry capture. This integration has expanded the attack surface, since a compromised IT host can now reach control systems that were once isolated, and it has increased the knowledge and resources required for effective defence.

The lack of deep expertise in both IT and OT creates a knowledge gap in understanding how IT threats impact OT systems and their broader implications. Meanwhile, a shortage of trained cybersecurity professionals leaves overstretched teams struggling to manage the complexities of hybrid environments, which include cloud storage, open-source tools and interconnected platforms.

Given these challenges and the increasing sophistication of cyberthreats, adopting multilayered strategies, such as defence in depth, is essential.

Why defence in depth is the way forward

Defence in depth is a multilayered security model in which no single control is relied on to stop an attack, so the failure or bypass of one layer does not by itself lead to compromise. The approach is recommended by the UK’s National Cyber Security Centre (NCSC) and other Five Eyes agencies.

By combining independent controls, it closes the gaps between them, reduces the likelihood of compromise, improves the chance of detecting an intruder who has already bypassed the perimeter, and speeds up the response when a breach does occur. Individual layers also neutralise malicious content and surface anomalies that a single control would miss.

Organisations should tailor their defence-in-depth approach to prioritise the protection of critical assets essential for operational uptime.

The first layer is network security: firewalls and gateways that restrict which traffic may cross between zones, and data diodes that physically enforce one-way flow (for example, letting telemetry out of an OT network while making it impossible to send commands back in). Network segmentation adds a further safeguard by containing a breach within one zone so that it cannot spread to the entire system.

Data security is equally vital, because malware hidden in files is a principal way in. File multiscanning, which runs each file through several anti-malware engines rather than one, can be integrated with network appliances to block or sanitise harmful content before it reaches sensitive systems; reported detection rates for known malware exceed 99pc. Previously unknown threats call for other measures: sandbox inspection, which observes what a file actually does when it is opened, and tailored threat intelligence on known threat actors and their infrastructure.

Content disarm and reconstruction (CDR) goes a step further. Instead of trying to recognise malicious content, it rebuilds each file from only its permitted, well-formed components (text, images, formatting) and discards everything else, including macros, scripts and embedded objects, whether or not any detection engine has flagged them. The sanitised files are stored in isolated data vaults, ensuring that only thoroughly validated data enters OT networks and that their integrity is maintained.
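To make the CDR idea concrete, the following is an added example written for this page; it is not code from the article or from Opswat's products. It performs a minimal disarm-and-reconstruct pass over a macro-enabled Word (.docm) package: the package is rebuilt from an allowlist of parts, the VBA project is dropped along with every relationship and content-type entry that refers to it, and the main part's content type is rewritten so the result opens as a plain .docx. The allowlist, the function names and the sample document are constructed for the demonstration; the content-type and relationship-type strings are the standard OOXML identifiers.

```python
# Added example, not code from the article or Opswat: a minimal content disarm
# and reconstruction (CDR) pass over a macro-enabled Word (.docm) package. The
# allowlist and sample document are constructed; the content-type/relationship
# identifiers are standard OOXML. A real CDR engine also rewrites the retained
# XML (fields, DDE, OLE, attached templates); this one only rebuilds the package.
import io, posixpath, re, zipfile
import xml.etree.ElementTree as ET  # acceptable here: the input is constructed

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
VBA_CT = "application/vnd.ms-office.vbaProject"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Reconstruction allowlist: only parts matching these survive. Everything else
# (vbaProject.bin, OLE embeddings, ActiveX, customXml) is dropped, not inspected.
ALLOWED = [re.compile(p) for p in (
    r"^\[Content_Types\]\.xml$", r"^_rels/\.rels$", r"^docProps/(core|app)\.xml$",
    r"^word/document\.xml$", r"^word/_rels/document\.xml\.rels$",
    r"^word/(styles|fontTable|numbering)\.xml$", r"^word/media/[^/]+\.(png|jpe?g|gif)$")]

def _target_part(rels_name, target):
    """Map a relationship Target to a part name, relative to the owning part's folder."""
    if target.startswith("/"):
        return target.lstrip("/")
    base = posixpath.dirname(posixpath.dirname(rels_name))  # word/_rels/x.rels -> word
    return posixpath.normpath(posixpath.join(base, target))

def _clean_content_types(xml, keep):
    root = ET.fromstring(xml)
    for node in list(root):
        part = node.get("PartName", "").lstrip("/")
        if node.tag == f"{{{CT_NS}}}Override" and part not in keep:
            root.remove(node)                    # no Override for a dropped part
        elif node.tag == f"{{{CT_NS}}}Default" and node.get("ContentType") == VBA_CT:
            root.remove(node)                    # no default type for VBA streams
        elif node.get("ContentType") == MACRO_MAIN:
            node.set("ContentType", PLAIN_MAIN)  # macro-enabled main part -> plain
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def _clean_rels(rels_name, xml, keep):
    root = ET.fromstring(xml)
    for rel in list(root):
        internal = rel.get("TargetMode", "Internal") != "External"
        target = _target_part(rels_name, rel.get("Target", ""))
        if rel.get("Type") == VBA_REL or (internal and target not in keep):
            root.remove(rel)                     # VBA link or dangling target
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def disarm_docm(data):
    """Rebuild the package from allowlisted parts; return (clean_bytes, dropped_names)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        names = src.namelist()
        keep = {n for n in names if any(p.match(n) for p in ALLOWED)}
        for name in (n for n in names if n in keep):
            payload = src.read(name)
            if name == "[Content_Types].xml":
                payload = _clean_content_types(payload, keep)
            elif name.endswith(".rels"):
                payload = _clean_rels(name, payload, keep)
            dst.writestr(name, payload)
    return out.getvalue(), sorted(set(names) - keep)

def build_sample_docm():
    """Constructed sample .docm: a harmless stand-in, not a real malicious file."""
    parts = {
        "[Content_Types].xml": (
            f'<Types xmlns="{CT_NS}"><Default Extension="rels" ContentType="application/'
            'vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" '
            f'ContentType="application/xml"/><Default Extension="bin" ContentType="{VBA_CT}"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/></Types>'),
        "_rels/.rels": (
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/></Relationships>'),
        "word/document.xml": (
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Pump maintenance '
            'schedule (constructed sample)</w:t></w:r></w:p></w:body></w:document>'),
        "word/_rels/document.xml.rels": (
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{OFFICE_REL}styles" Target="styles.xml"/><Relationship Id="rId2" '
            f'Type="{VBA_REL}" Target="vbaProject.bin"/></Relationships>'),
        "word/styles.xml": f'<w:styles xmlns:w="{W_NS}"/>',
        "word/vbaProject.bin": b"CONSTRUCTED STAND-IN FOR A VBA PROJECT STREAM",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

def main_content_type(data):
    """ContentType declared for /word/document.xml, to verify the rewrite."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("[Content_Types].xml"))
    return next((n.get("ContentType") for n in root.iter(f"{{{CT_NS}}}Override")
                 if n.get("PartName") == "/word/document.xml"), None)

def relationship_targets(data, rels_name):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(r.get("Target") for r in ET.fromstring(z.read(rels_name)))
```

Calling `disarm_docm(build_sample_docm())` returns the rebuilt package and `["word/vbaProject.bin"]` as the dropped part; `main_content_type` on the result reports the plain .docx content type, and the document's relationship file no longer references the VBA project. The design point is that nothing here depends on recognising the macro as malicious: a part that is not on the allowlist never reaches the destination, which is what distinguishes CDR from detection-based scanning. A production engine applies the same allowlist discipline inside the retained XML as well (fields, DDE, external relationships), which this example leaves out.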

Endpoint protection forms another key layer, securing devices such as laptops and desktops, which are common entry points for malware carried on removable media. Comprehensive endpoint solutions combine multiple malware detection engines, behavioural analysis and threat intelligence feeds to counter both known and zero-day threats.

Advanced email security tools that block phishing attempts and scan attachments and URLs for malicious content are also crucial in reducing risk and strengthening overall organisational resilience.

Together, these layers create a robust and comprehensive defence that secures systems and limits the damage a successful cyberattack can cause.

By adopting a multilayered approach, CNI organisations can establish a resilient cybersecurity posture, effectively safeguarding their most critical assets against increasingly sophisticated and pervasive threats.

By James Neilson

James Neilson is SVP international at Opswat, where he oversees the go-to-market function and is responsible for scaling the business. He has more than 25 years of experience in the IT industry, 18 of them in leadership positions at cybersecurity companies. Prior to joining Opswat, he served as VP of EMEA at Immersive Labs – a UK-based cyber start-up – and held leadership roles at Forcepoint and Symantec.
