Securing U.S. Critical Infrastructure against Evolving Cyber Threats
In early 2024, security researchers disclosed that Volt Typhoon, a China-linked threat actor, had maintained unauthorized access to the operational technology (OT) network of Littleton Electric Light & Water Departments, a small public utility in Massachusetts, for nearly a year. The attackers were not there to cause an immediate blackout. They aimed to exfiltrate data related to OT operating procedures and the layout of the energy grid, intelligence crucial for planning future attacks targeting physical infrastructure.
Littleton was not an anomaly. That year, Check Point Research documented 1,162 cyberattacks on U.S. utilities, a 75 percent year-over-year increase, while the North American Electric Reliability Corporation warned that points of susceptibility on the grid were growing by approximately 60 per day as digitization accelerated.
These indicators across just one critical infrastructure sector reveal a pattern now playing out in energy, water, manufacturing, and beyond. The threat landscape encompasses sophisticated state actors conducting reconnaissance and pre-positioning operations, state-aligned hacktivists pursuing geopolitical objectives, and ransomware groups causing billions in economic losses. Yet the nation's cybersecurity remains lackluster. Today, increasingly targeted sectors must urgently move beyond voluntary frameworks and inconsistent cybersecurity standards and toward a strategy that combines enforceable minimum cybersecurity requirements against common cyberattacks with proactive measures to deter nation-state adversaries.
The Growing Structural Challenge
Critical infrastructure (CI), according to the Cybersecurity and Infrastructure Security Agency (CISA), encompasses 16 vital sectors whose assets, systems, and networks span both public and private domains. For some of the most targeted, such as manufacturing, water, and energy, the cyber threat challenge is structural. Approximately 50 to 85 percent of critical infrastructure is privately owned, depending on the sector, from large corporations to small and medium-sized businesses (SMBs). This fragmented ownership creates a patchwork of varying levels of cybersecurity readiness, with many running legacy systems no longer supported by vendors and unable to be patched or updated to protect against modern cyber threats.
Historically, many legacy systems had "air gaps," the physical isolation of OT devices from networks, as a primary security measure. As industrial systems integrated the internet for efficiency and remote management, these air gaps decreased, exposing previously isolated infrastructure to cyber threats. Despite this, OT systems lack updated defenses and security against all levels of cyberattacks.
Spectrum of Threat Actors and Their Tactics
For many threat actors, attacks on critical infrastructure serve to create disruption, not financial gain. China has been suspected of targeting U.S. critical infrastructure since 2013. Russia has consistently targeted U.S. infrastructure since at least 2016. This continues to the present. In August 2025, the Federal Bureau of Investigation (FBI) identified the Russian Federal Security Service (FSB) targeting Cisco infrastructure using custom tools, while CISA documented Chinese groups like Volt Typhoon and Salt Typhoon employing sophisticated living-off-the-land tactics that use legitimate system tools to evade detection.
While state actors deploy advanced, persistent campaigns driven by political and strategic objectives, state-aligned actors such as hacktivists present a different challenge. They may lack state-level resources, but ideologically motivated actors still cause significant disruption through less sophisticated, lower-impact attacks. CISA issued advisories in 2024 and 2025 concerning Russian hacktivist attacks against United States support for Ukraine, while in December 2024 Iranian hacktivists caused water overflows and system outages in U.S. water systems that used Israeli components, as part of a wider cyber campaign against Israel. Increasingly, the United States has seen its critical infrastructure targeted as a result of larger geopolitical conflicts, even when not in direct conflict with its adversaries.
Cybercriminals pursuing financial gain continue to weaponize ransomware, paired with unsophisticated phishing and vishing attacks, to devastating effect. Ransomware attacks jumped 9 percent in 2024, with a record $16.6 billion in losses, and healthcare, financial services, and IT emerged as the top CI sectors targeted by extortionists.
It is due to this diversity of threat actors with distinct motivations and capabilities that defending the breadth of critical infrastructure is particularly challenging. However, what is most concerning is that even low-sophistication attacks like distributed denial-of-service (DDoS) continue to achieve success, revealing fundamental gaps in baseline security. Moreover, the growing integration of artificial intelligence (AI) into cyber operations threatens to accelerate both the pace and scale of attacks and, in the very near future, will allow adversaries to conduct operations that would previously have required significantly more resources and expertise.
Current U.S. Regulations and Guidance
The United States has taken steps to address critical infrastructure cybersecurity, but the measures are fragmented and being rapidly outpaced by the evolving threat environment.
On a federal level, regulations are lacking. In March 2026, the Trump administration released "President Trump's Cyber Strategy for America," which now organizes federal cyber policy around six pillars, including securing critical infrastructure and shaping adversary behavior. However, the strategy emphasizes streamlining regulation and reducing compliance burdens rather than establishing federal standards. The 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates that CI entities report cyber incidents to CISA within 72 hours of detection, an important step toward visibility and coordination. However, CIRCIA focuses on reporting rather than prevention and, crucially, establishes no minimum security requirements for operators. National Security Memorandum 22 (NSM-22), which could have established stronger security requirements, is under reconsideration by the Trump administration, with updates expected in May 2026.
Many federal cybersecurity standards are sector specific. The Federal Energy Regulatory Commission (FERC), under the Federal Power Act, works with an industry partner, the North American Electric Reliability Corporation, to develop and maintain critical infrastructure protection (CIP) standards. The framework for water systems is primarily based on America's Water Infrastructure Act (AWIA), under which community water systems serving more than 3,300 people must conduct a risk and resilience assessment and review it every five years. However, these frameworks are not without flaws. FERC requirements apply only to the bulk electric system and fail to account for local distribution systems. The AWIA only checks that the assessment has been certified, without mandating substantive or effectiveness standards under the Environmental Protection Agency (EPA), and does not require submission of the assessments, limiting EPA oversight.
Some sectors also operate without cybersecurity regulations at all. In the manufacturing sector, unless the company is part of the defense supply chain, cybersecurity remains voluntary, with only a notification required after a breach has occurred. And the Federal Communications Commission (FCC) under Brendan Carr has left cybersecurity as a voluntary component, choosing to roll back the cybersecurity requirements for the communications sector introduced by the Biden administration. This deregulatory direction is reinforced by the second pillar of President Trump's Cyber Strategy, "Promote Common Sense Regulation," which explicitly frames cybersecurity compliance as a "costly checklist" and prioritizes reducing regulatory burdens over baseline protections.
Voluntary guidance to mitigate cyber risks to critical infrastructure exists to fill in the gaps. CISA and the National Institute of Standards and Technology (NIST) offer comprehensive, internationally aligned frameworks covering areas from securing industrial control systems and OT in the water and wastewater sector to Zero Trust Architecture and AI considerations for OT systems. Concurrently, the Cross-Sector Cybersecurity Performance Goals (CPGs) outline, in theory, a set of minimum security measures, and malware analysis services provide support for analyzing malicious samples. The problem is not a lack of knowledge about what should be done; it is the absence of mechanisms and resources to require its consistent implementation. As it stands, U.S. critical infrastructure primarily operates under a patchwork of voluntary cybersecurity standards, sector-specific regulations, and mandatory reporting that varies significantly by sector and location.
Raising the Bar for Industry
While awaiting policy decisions in 2026, including the CIRCIA review, the Alliance of National Councils for Homeland Operational Resilience (ANCHOR) as a replacement for the previous Critical Infrastructure Partnership Advisory Council (CIPAC), and the anticipated implementation of President Trump's Cyber Strategy for America, it is crucial that industry be held to higher standards through both regulatory and market mechanisms.
Legal and civil accountability frameworks offer one path forward. The California Consumer Privacy Act (CCPA) demonstrates how consumer protection laws can create consequences for inadequate security practices regarding personal information, although consumers must be able to demonstrate harm. At a federal level, expanding the CCPA framework of risk assessments and cybersecurity audits to CI operators would provide enforcement mechanisms for improved cybersecurity.
Market forces are also beginning to shift the equation. Cyber insurance premiums increasingly reflect the massive costs of responding to cyberattacks, and some insurers now require organizations to implement baseline security practices such as Multi-Factor Authentication (MFA) and Identity and Access Management (IAM) as a condition of coverage. This market-driven approach may prove effective where regulation faces political resistance and will help to establish a minimum level of security against less sophisticated cyber actors, though it risks creating a two-tiered system where only larger companies that can afford robust insurance receive security.
In this, SMBs present a particular challenge. While large corporations may have the resources to implement comprehensive security programs and meet insurance requirements, SMBs often lack dedicated cybersecurity staff or budgets. For threat actors, no company is too small to be targeted. A small system is not immune to cyberattacks at any level, and attacks against SMBs can have outsized impacts on critical infrastructure. Despite their size, 60 percent of SMBs experience cyberattacks, and nearly 1 in 5 businesses that experienced an attack ended up closing or declaring bankruptcy. Any regulatory framework must account for this reality and this lack of monetary and technical resources, potentially through tiered requirements, government-subsidized technical assistance, or industry-specific security service providers that can deliver affordable solutions at scale.
The Case for Operational and Political Tools
Strengthening baseline cybersecurity through enforceable minimum security requirements, market accountability, and support for under-resourced operators is essential to raising the floor of cybersecurity across critical infrastructure sectors. But hardening defenses alone is not sufficient to deter sophisticated nation-state adversaries. Addressing the full spectrum of threats requires pairing stronger cybersecurity mandates with proactive political tools.
Even the most robust, mandatory cybersecurity requirements at the operator level cannot alone deter nation-state adversaries whose campaigns against U.S. critical infrastructure are driven by political and strategic objectives. Political activities require political solutions. State-sponsored intrusions require political responses: attribution, indictments, sanctions, and arrests must complement technical defenses to impose meaningful costs on adversaries and shift their calculus about targeting U.S. infrastructure. The first pillar of President Trump's Cyber Strategy, "Shape Adversary Behavior," aligns with this approach, committing to deploy offensive and defensive operations and to "erode adversary capacity" using all instruments of national power. This represents a welcome policy signal, though its effectiveness will depend on implementation through anticipated Executive Orders and coordination with allies.
It is important to note, however, that offensive cyber operations and public attribution are not without complications. Attribution decisions must be made carefully, considering diplomatic contexts and ongoing negotiations. Yet as international allies such as Poland, Singapore, and France move toward identifying and attributing state actors in 2025 and 2026, a coordinated front and established communication channels with allies will lower the associated risks. The challenge for policymakers will be determining when the deterrent value of attribution outweighs these concerns, a calculation that becomes easier when attacks target critical infrastructure and endanger public safety.
The Path Forward
As cyberattacks increase year over year, key CI sectors such as manufacturing, water, and energy face an unprecedented convergence of threats. State adversaries conduct reconnaissance and pre-positioning operations, and ransomware gangs extort billions from essential services. Yet U.S. cyber defenses remain rooted in voluntary compliance and fragmented standards. The current approach, characterized by voluntary frameworks, fragmented implementation, and an over-reliance on individual operators to defend against a range of cyber actors, has failed to match the scope and sophistication of modern cyber threats.
A comprehensive security strategy must pursue two simultaneous tracks. First, enforceable minimum cybersecurity standards, backed by regulatory mandates, market incentives, and scaled support for small operators, must raise the baseline of cyber defense across critical infrastructure sectors, closing the gaps that even unsophisticated actors continue to exploit. Second, the government must pair these strengthened defenses with proactive political measures, such as attribution, indictments, and sanctions, to impose costs on nation-state adversaries. Companies, whether large or small, should not be left alone to counter state-sponsored campaigns that demand governmental responses.
As the United States enters a critical cyber policy window in 2026, the question is no longer whether to mandate minimum security standards and authorize cyber operations, but how quickly we can implement them. The cost of continued inaction will be measured not just in economic losses, but in compromised public safety and national security.