
Energy, Healthcare and Transport Infrastructure Cybersecurity 


How can we provide adequate cybersecurity for our critical infrastructure? Numbers in cybersecurity risk losing their ability to shock. Billions of dollars, millions of patient records, hundreds of thousands of affected individuals: the figures pile up until they feel abstract. But behind every statistic are real disruptions to real lives: a cancer patient whose surgery is postponed, a city commuter whose train network goes dark, a hospital that must turn away ambulances.

Photo by Jefferson Santos on Unsplash

The scale of ransomware targeting critical infrastructure alone is staggering. Half of all ransomware attacks in 2025 struck sectors essential to daily life, including healthcare, energy, and transport, representing a 34% increase in attacks against critical industries in a single year. The average cost of recovering from such an attack, excluding any ransom paid, stood at $1.53 million, according to Sophos. For energy and water utilities specifically, recovery costs have quadrupled in a single year, reaching $3 million per incident on average.

The human consequences can be even more arresting than the financial ones. The June 2024 ransomware attack on Synnovis, a pathology services provider for the UK’s National Health Service, illustrates the stakes with painful precision. Attackers from the Qilin ransomware group encrypted files across Synnovis’s network and exfiltrated patient data. The knock-on effects paralyzed hospitals across South London, which is where I live, for months. Within days, hospitals were forced to cancel thousands of planned operations and outpatient appointments. Blood testing capacity fell to just 10% of normal levels, triggering a nationwide emergency appeal for O-negative blood donors. Systems were only fully restored six months later. 

In the United States, the 2024 Change Healthcare ransomware attack ultimately compromised the records of nearly 193 million individuals and cost its parent company between $2.3 billion and $2.45 billion in response and recovery. Transport has not been spared either. A ransomware attack on Pittsburgh Regional Transit in December 2024 shut down rail services, disrupted customer systems, and exposed the personal data of employees. The average downtime following a ransomware attack across all sectors now stands at 24 days — nearly a month during which critical systems may be running at degraded capacity or not at all.

With ransomware projected to cost the global economy $265 billion annually by 2031, the question is no longer whether the vulnerabilities in critical infrastructure will be exploited, but when, and whether we will be prepared.

Energy Infrastructure: The Grid Under Threat

Power grids, water utilities, and fuel pipelines represent some of the most consequential targets in the modern threat landscape. Disrupt these systems and the ripple effects touch every other form of infrastructure: hospitals lose power, transport signals fail, and water treatment plants go offline.

A UK electricity substation, built before infrastructure cybersecurity was an issue.

The energy sector’s core vulnerability stems from a collision between old and new. Industrial control systems that manage physical infrastructure (turbines, valves, substations) were engineered for reliability and safety, not cybersecurity: protocols such as Modbus and DNP3 in their original form carry no authentication, so anything that can reach the control network can issue commands. These systems were built to last decades, and many still run software that predates the internet as we know it. They are now connected to corporate IT networks, cloud platforms, and remote monitoring tools, and the isolation that once insulated them from external attack has largely disappeared. In industry surveys, 71% of energy professionals say this sprawling legacy infrastructure leaves their organizations more vulnerable to operational technology cyber events, and 57% acknowledge that operational technology defenses lag well behind their IT security.

The green energy transition has compounded the problem in ways that are only now becoming apparent. Solar panels, wind turbines, battery storage units, and EV charging networks are all connected, digital, and frequently poorly protected. These devices expand the attack surface of the national grid in ways that traditional perimeter defenses are ill-equipped to address. It is entirely plausible for solar inverters to be hacked en masse and weaponized against a national grid, for instance by switching a large block of generation off at the same moment, faster than the grid can rebalance. Attacks on internet-exposed control equipment are not theoretical: in April 2025, pro-Russian hackers gained access to the control system of a small dam in western Norway by exploiting weak credentials on an internet-connected control panel, and opened a valve for four hours.

Beyond physical disruption, energy systems face a subtler threat known as false data injection, in which attackers manipulate sensor readings so that grid operators make incorrect decisions about load distribution or generation levels. A carefully coordinated injection is consistent with the grid model the operator’s software uses, so it passes the standard bad-data checks and leaves no obvious footprint, yet it can cause overloads, instability, or rolling blackouts. The energy sector now ranks fourth among all industries for ransomware targeting, with over 100 gas, electrical, and utility companies attacked in 2024. Critically, 49% of those attacks began not with a novel exploit but with a known, unpatched vulnerability.
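The following is an added example, not code from the article, showing why a coordinated false data injection can pass the operator’s bad-data check while a clumsy one cannot. It uses the standard DC state estimation model (measurements z = H x + e, least-squares estimate, residual-norm detector). The 3-bus network, the sensor noise and the detection threshold are all constructed for the example.

```python
"""
Added example (not from the article): why a false data injection attack
on grid sensor readings can evade the operator's bad-data check.

Model (standard DC state estimation): measurements z = H x + e, the state x
estimated by least squares, and a residual-norm test used to flag bad data.
The 3-bus network, its measurements and the noise values are constructed.
"""
from typing import List

Matrix = List[List[float]]
Vector = List[float]

# Constructed 3-bus DC model. Bus 1 is the angle reference, so the state is
# x = [theta2, theta3]; all line reactances are 1 p.u.
# Measurements: flow 1->2, flow 2->3, flow 1->3 and the net injection at bus 2.
H: Matrix = [
    [-1.0,  0.0],  # P12 = (theta1 - theta2)/x12 = -theta2
    [ 1.0, -1.0],  # P23 = theta2 - theta3
    [ 0.0, -1.0],  # P13 = -theta3
    [ 2.0, -1.0],  # P2  = P21 + P23 = 2*theta2 - theta3
]
TRUE_STATE: Vector = [-0.2, -0.4]
NOISE: Vector = [0.01, -0.01, 0.005, 0.0]          # constructed sensor noise
CLEAN_Z: Vector = [0.21, 0.19, 0.405, 0.0]          # H @ TRUE_STATE + NOISE


def transpose(m: Matrix) -> Matrix:
    return [list(c) for c in zip(*m)]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(x * y for x, y in zip(r, c)) for c in zip(*b)] for r in a]


def matvec(m: Matrix, v: Vector) -> Vector:
    return [sum(x * y for x, y in zip(r, v)) for r in m]


def solve(a: Matrix, b: Vector) -> Vector:
    """Gauss-Jordan elimination with partial pivoting; fine for these tiny systems."""
    n = len(a)
    aug = [row[:] + [b[i]] for i, row in enumerate(a)]
    for i in range(n):
        piv = max(range(i, n), key=lambda r: abs(aug[r][i]))
        aug[i], aug[piv] = aug[piv], aug[i]
        p = aug[i][i]
        aug[i] = [v / p for v in aug[i]]
        for r in range(n):
            if r != i:
                f = aug[r][i]
                aug[r] = [rv - f * iv for rv, iv in zip(aug[r], aug[i])]
    return [row[n] for row in aug]


def estimate_state(z: Vector) -> Vector:
    """Least squares: x_hat = (H^T H)^-1 H^T z (identity measurement weights)."""
    ht = transpose(H)
    return solve(matmul(ht, H), matvec(ht, z))


def residual_norm(z: Vector) -> float:
    """||z - H x_hat||: the quantity a bad-data detector thresholds."""
    fitted = matvec(H, estimate_state(z))
    return sum((zi - fi) ** 2 for zi, fi in zip(z, fitted)) ** 0.5


def bad_data_detected(z: Vector, threshold: float = 0.05) -> bool:
    """The operator's check. The threshold is constructed; a real one comes from a chi-square test."""
    return residual_norm(z) > threshold


def inject(z: Vector, a: Vector) -> Vector:
    return [zi + ai for zi, ai in zip(z, a)]


def stealthy_attack(c: Vector) -> Vector:
    """Attack vector a = H c. Because a lies in the column space of H, the
    estimator absorbs it as a state shift of exactly c and the residual is unchanged."""
    return matvec(H, c)


def demo() -> dict:
    naive = inject(CLEAN_Z, [0.3, 0.0, 0.0, 0.0])            # tamper with one sensor only
    stealthy = inject(CLEAN_Z, stealthy_attack([0.3, 0.0]))  # coordinated tampering
    return {
        "clean_detected": bad_data_detected(CLEAN_Z),
        "naive_detected": bad_data_detected(naive),
        "stealthy_detected": bad_data_detected(stealthy),
        "clean_estimate": estimate_state(CLEAN_Z),
        "stealthy_estimate": estimate_state(stealthy),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The single-sensor tamper is caught because it is inconsistent with the other readings; the coordinated vector a = H c is not, and the operator’s estimate of the bus-2 angle silently moves by 0.3 rad. Building such a vector requires the attacker to know H, that is, the network topology and line parameters, which is one reason that protecting a subset of measurements with tamper-evident sensors and keeping grid models out of attackers’ hands are both part of the defence.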

Healthcare: When Cyber Risk Becomes Patient Risk

Nowhere is the human cost of cybersecurity failure more direct than in healthcare. Hospitals are attractive targets for ransomware groups because they cannot afford extended downtime: when electronic health records go dark, surgeries are delayed, diagnostic labs go offline, and ambulances must be diverted. That pressure to restore operations quickly makes healthcare organizations more likely to pay ransoms, and attackers know it.

The data confirms the sector’s exposure. The FBI identified healthcare as the sector with the highest number of ransomware incidents in 2024, with 238 reported attacks — and that figure almost certainly understates the true volume, as an estimated 85% of ransomware attacks go unreported. Healthcare data breaches remain the most expensive of any industry, averaging $7.42 million per breach in 2025. In 2024, more than 276 million patient records were compromised globally, an average of over 750,000 records every single day.

In June 2025, both Sant Parmanand Hospital and NKS Super Speciality Hospital in Delhi, India, reported server hacking that disrupted their IT systems. Patient records, financial data, and administrative files were reportedly accessed. NKS stated that outpatient and inpatient digital workflows were disrupted, forcing a reversion to manual processes.

Healthcare infrastructure cybersecurity is constantly at risk
Photo by Olga Kononenko on Unsplash

A less visible but rapidly growing vulnerability is the proliferation of connected medical devices. The average hospital now houses between 10 and 15 internet-connected devices per bed, which adds up to tens of thousands of endpoints in a large facility. These range from infusion pumps and cardiac monitors to imaging equipment and laboratory analyzers. Yet 99% of hospitals manage at least some connected medical devices with known exploited vulnerabilities; one in five connected devices runs on an operating system no longer receiving security updates; and just 13% of medical devices support the endpoint protection agents that would allow security teams to monitor them for threats.

The danger goes beyond data theft. Security researchers have demonstrated remote alteration of dosages on networked insulin pumps and remote battery depletion of connected pacemakers, and regulators have issued recalls for affected models. Medical devices often remain in service for 10 to 15 years, far outlasting the support lifecycle of the software they run. Retrofitting security into hardware never designed for it is expensive and complex, leaving a vast installed base of clinical equipment that cannot be easily protected.

A newer threat is gaining ground in hospitals: shadow AI. Nearly a quarter of clinicians now use unofficial AI tools to help complete basic tasks, creating systems that operate entirely outside IT oversight and governance. Each of these unsanctioned applications represents an unmonitored channel through which patient data can flow and attackers can potentially enter.

Transport Networks: Moving Targets

Transport infrastructure presents an expanding and complex cybersecurity challenge. Rail networks, airports, port systems, traffic management platforms, and increasingly the vehicles themselves are all becoming more connected and more dependent on software. Major cyberattacks on the transport sector have surged by 48% in five years, with ransomware accounting for the largest share of incidents at 38%, followed by distributed denial-of-service attacks and phishing campaigns.

Air transport is currently the most targeted segment, accounting for roughly a third of all transport sector attacks, with rail and maritime close behind. The disruption potential is significant: when operational systems go down, timetables collapse, passenger information systems fail, ticketing becomes impossible, and in serious cases, signaling and safety systems can be affected. The Pittsburgh Regional Transit ransomware attack of December 2024 is an example of the local impact: rail services were disrupted, senior and youth travel cards could not be processed, and employee personal data was exposed.

The convergence of IT and operational technology creates particular risk in transport. Trains, for instance, now run on increasingly networked signaling and management systems. Port logistics platforms coordinate vessel scheduling, customs clearance, and cargo tracking across interconnected digital infrastructure. An infrastructure cybersecurity breach in one area of this ecosystem can cascade rapidly across the others.

Modern connected and autonomous vehicles add a further dimension. Contemporary cars expose a large attack surface through cellular, Bluetooth, Wi-Fi, and onboard diagnostic connections, and those interfaces ultimately terminate on in-vehicle bus systems such as CAN that were designed for a closed environment and carry no authentication, so a compromised telematics unit can issue the same commands as a legitimate controller. As autonomous vehicle technology matures, AI decision-making systems and sensors will be joined to wider urban infrastructure, meaning that a successful cyberattack on a vehicle fleet could cascade into logistics and emergency service failures.

The electrification of transport introduces yet another intersection of risk: EV charging networks are now both transport infrastructure and grid-connected assets, sitting at the junction of two critical sectors and inheriting the vulnerabilities of both.

Across All Three Sectors: Actions That Work Now

Despite the distinct technical characteristics of energy, healthcare, and transport systems, infrastructure cybersecurity experts and regulators are converging on a set of foundational measures that reduce risk meaningfully across all of them. These are not theoretical proposals; they are practical steps that organizations in all three sectors can begin today.

Asset visibility first. Organizations cannot protect what they cannot see. In healthcare, 43% of CISOs identify complete device visibility as their most critical challenge. In energy, operational technology systems have historically been managed separately from IT, leaving significant blind spots. In transport, the rapid deployment of connected operational systems has frequently outpaced the ability to catalog them. The starting point in every case is a complete and continuously updated inventory of every device, system, and software component connected to the network.

Segmentation of IT and operational technology networks. The assumption that physical infrastructure systems are isolated from the internet is no longer valid in most organizations. Maintaining clear boundaries between IT networks that carry email and business data and operational technology networks that control physical systems limits the blast radius when either is compromised. Where full separation is not possible, tightly controlled and monitored connection points substantially reduce risk.
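A segmentation policy is only as good as the evidence that traffic respects it. The following is an added example, not code from the article, that audits flow records against a declared IT/OT boundary: every crossing must match a listed conduit (a monitored bastion into OT, an OT historian pushing outward to a DMZ); anything else is a finding. The subnets, the bastion address, the conduit list and the log lines are all constructed for the example.

```python
"""
Added example (not from the article): audit flow records against an
IT/OT segmentation policy. Anything crossing the IT/OT boundary that is
not a declared, monitored conduit is a finding. Subnets, the bastion host,
the conduit list and the log lines are all constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

OT_NET = ipaddress.ip_network("10.200.0.0/16")        # assumed control network
JUMP_HOST = ipaddress.ip_address("10.10.5.20")        # assumed monitored bastion in IT
DMZ_HISTORIAN = ipaddress.ip_network("10.10.7.0/24")  # assumed DMZ receiving replicated data

# Permitted boundary crossings: (source, destination, protocol, destination port).
# Everything else across the boundary should be dropped by the firewall and,
# if it appears in flow logs anyway, investigated.
ALLOWED_CONDUITS = [
    (JUMP_HOST, OT_NET, "tcp", 22),        # engineering access only via the bastion
    (OT_NET, DMZ_HISTORIAN, "tcp", 443),   # OT historian pushes outward to the DMZ
]


@dataclass
class Flow:
    ts: str
    src: Addr
    dst: Addr
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Constructed CSV format: timestamp,src,dst,proto,dport."""
    ts, src, dst, proto, dport = [f.strip() for f in line.split(",")]
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def _matches(addr: Addr, allowed: Union[Addr, Net]) -> bool:
    return addr in allowed if isinstance(allowed, Net) else addr == allowed


def classify(flow: Flow) -> Optional[str]:
    """Return a finding for an unauthorised boundary crossing, else None."""
    src_ot, dst_ot = flow.src in OT_NET, flow.dst in OT_NET
    if src_ot == dst_ot:
        return None  # stays on one side of the boundary; out of scope for this check
    for a_src, a_dst, proto, port in ALLOWED_CONDUITS:
        if (_matches(flow.src, a_src) and _matches(flow.dst, a_dst)
                and flow.proto == proto and flow.dport == port):
            return None
    direction = "OT->outside" if src_ot else "outside->OT"
    return (f"{flow.ts} {direction} {flow.src}->{flow.dst} "
            f"{flow.proto}/{flow.dport} is not an allowed conduit")


def audit(lines: List[str]) -> List[str]:
    findings = (classify(parse_flow(line)) for line in lines if line.strip())
    return [f for f in findings if f]


# Constructed flow log: bastion SSH, a workstation talking Modbus and SMB into OT,
# the historian push, an OT host reaching the internet, and ordinary IT-to-IT traffic.
SAMPLE_FLOWS = """
2025-05-01T08:00:01,10.10.5.20,10.200.1.10,tcp,22
2025-05-01T08:00:05,10.10.31.44,10.200.1.10,tcp,502
2025-05-01T08:00:09,10.10.31.44,10.200.1.11,tcp,445
2025-05-01T08:01:00,10.200.2.5,10.10.7.12,tcp,443
2025-05-01T08:01:30,10.200.2.5,203.0.113.9,tcp,443
2025-05-01T08:02:00,10.10.31.44,10.10.31.45,tcp,445
""".strip().splitlines()


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The check is deliberately strict in both directions: an OT host reaching the internet is as much a finding as a workstation reaching a PLC on Modbus port 502, because outbound connections are how ransomware fetches tooling and exfiltrates data. The same policy table can be used to generate the firewall rules, so that the rules and the audit never drift apart.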

Zero Trust architecture. The traditional security model that trusts anything inside the network perimeter has failed. Zero Trust operates on the principle of never trust, always verify, requiring continuous authentication and authorization for every user, device, and application. The U.S. Cybersecurity and Infrastructure Security Agency’s Cybersecurity Performance Goals 2.0, released in December 2025, explicitly incorporates Zero Trust principles as a cross-sector baseline requirement, recognizing that lateral movement within networks is one of the primary ways ransomware spreads from an initial point of entry to critical systems.

Supply chain scrutiny. Some of the most damaging attacks of recent years have not entered organizations through their own systems, but through trusted vendors and service providers. Third-party involvement in breaches doubled to 30% according to 2025 data. In healthcare, a single compromised vendor can simultaneously expose dozens of hospitals. In energy and transport, managed service providers often have deep access to operational systems. Robust vendor security assessments, contractual security requirements, and monitoring of third-party access are now essential components of any infrastructure security program.

A single shared provider can become the chokepoint for hundreds of organizations at once. An August 2024 ransomware attack on C-Edge Technologies, a joint venture between the State Bank of India and Tata Consultancy Services, disrupted UPI and IMPS payment services at nearly 300 cooperative and regional rural banks across India. The National Payments Corporation of India immediately isolated C-Edge from the broader retail payment network to contain the attack. The attack was attributed to the RansomEXX v2.0 group.

Rapid and tested recovery planning. Detection and prevention will never be perfect. The difference between a manageable incident and a catastrophic one often comes down to whether an organization can restore systems quickly and safely from offline backups. Recovery capability must be tested regularly — not assumed. Only 20% of energy and utility organizations hit by ransomware in 2024 were able to recover within a week, down from 41% in 2023, suggesting that recovery preparedness has not kept pace with the sophistication of attacks.

The Horizon: What the Future of Infrastructure Cybersecurity Holds

The cybersecurity challenges facing energy, healthcare, and transport infrastructure are set to intensify significantly over the next decade, driven by two converging technological shifts that will alter the risk landscape fundamentally: the rise of artificial intelligence on both sides of the attack-defense equation, and the arrival of quantum computing.

Artificial intelligence is already reshaping how attacks are conducted. An estimated 80% of ransomware attacks in 2025 leveraged AI tools in some form, from AI-generated phishing emails indistinguishable from legitimate communications to automated reconnaissance that identifies exploitable vulnerabilities across large networks faster than any human team could. Looking further ahead, security researchers project that by 2027, attackers will be capable of executing fully autonomous end-to-end cyberattacks, managing initial penetration, lateral movement, and data exfiltration without any direct human command. Human-in-the-loop incident response will no longer be fast enough.

The defensive application of AI is equally significant. Organizations that have deployed AI and automation in their security operations have cut breach response time by an average of 80 days and saved $1.9 million per incident compared to those relying on manual processes. AI-driven threat hunting, behavioral anomaly detection, and automated containment are becoming standard components of mature security programs in well-resourced sectors. The challenge for critical infrastructure is that many of its operators are not well-resourced and have lagged behind in adopting these capabilities.

Quantum computing presents a longer-horizon but potentially more severe threat. The public-key algorithms that protect virtually all digital communications, from patient health records in transit to grid control commands to train scheduling systems, rely on mathematical problems (integer factoring and discrete logarithms, on which RSA and elliptic-curve cryptography are built) that classical computers cannot solve in practical timeframes. A sufficiently large quantum computer running Shor’s algorithm will solve them and render those protections obsolete; symmetric ciphers such as AES are weakened far less and can be kept safe with longer keys. Nation-state actors are already collecting encrypted data today in a harvest-now, decrypt-later strategy, banking on the assumption that quantum decryption will eventually make that data readable. Some experts believe we have less than five years before a nation-state achieves the quantum capability to begin exploiting this stockpile.

NIST finalized its first post-quantum cryptography standards in August 2024 (FIPS 203, 204 and 205, covering ML-KEM for key establishment and ML-DSA and SLH-DSA for signatures), and U.S. legislation now requires at least one high-impact federal system in each agency to be upgraded to quantum-safe cryptography by January 2027. For critical infrastructure operators in energy, healthcare, and transport, the message is urgent: cryptographic inventories, a catalog of every system and protocol that uses cryptography, which algorithms and key sizes it relies on, and how long the data it protects must stay confidential, must be built now, before the migration window closes. Organizations that have not started planning for a post-quantum world are already behind.
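An inventory is only useful if it tells you what to migrate first. The following is an added example, not code from the article, that takes TLS scan records and ranks each endpoint’s harvest-now, decrypt-later exposure with Mosca’s inequality (data shelf life plus migration time greater than the years until a capable quantum computer). The hostnames and scan records are constructed, the five-year horizon default simply echoes the expert estimate quoted above and is an assumption, and the hybrid group names follow OpenSSL’s naming for ML-KEM hybrids.

```python
"""
Added example (not from the article): a minimal cryptographic-inventory
classifier. It takes TLS scan records (constructed here) and reports which
endpoints are exposed to harvest-now-decrypt-later, ranked with Mosca's
inequality: data shelf life + migration time > years until a capable
quantum computer. The 5-year horizon default is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Hybrid ML-KEM groups as OpenSSL names them (assumed); these protect the session key.
PQ_HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}


@dataclass
class Endpoint:
    host: str
    port: int
    version: str          # "TLSv1.2" or "TLSv1.3"
    cipher: str           # OpenSSL cipher suite name
    group: str            # negotiated key-exchange group ("" when TLS 1.2 uses RSA kex)
    data_shelf_life: int  # years the protected data must stay confidential
    migration_years: int  # estimated time to move this system to PQ crypto


@dataclass
class Finding:
    host: str
    port: int
    severity: str
    issue: str


def parse_suite(cipher: str) -> Dict[str, str]:
    """Split an OpenSSL-style suite into key exchange, authentication and bulk cipher."""
    if cipher.startswith("TLS_"):  # TLS 1.3 names carry only the AEAD, e.g. TLS_AES_128_GCM_SHA256
        m = re.match(r"TLS_(AES_128|AES_256|CHACHA20)_", cipher)
        enc = m.group(1).replace("_", "") if m else cipher
        return {"kex": "group", "auth": "certificate", "enc": enc}
    parts = cipher.split("-")
    if parts[0] in ("ECDHE", "DHE"):  # e.g. ECDHE-RSA-AES128-GCM-SHA256
        return {"kex": parts[0], "auth": parts[1], "enc": parts[2]}
    return {"kex": "RSA", "auth": "RSA", "enc": parts[0]}  # e.g. AES256-SHA: static RSA kex


def assess(ep: Endpoint, quantum_horizon_years: int = 5) -> List[Finding]:
    suite = parse_suite(ep.cipher)
    out: List[Finding] = []
    hndl_urgent = ep.data_shelf_life + ep.migration_years > quantum_horizon_years

    # 1. Key exchange: this is the harvest-now-decrypt-later exposure.
    if ep.group not in PQ_HYBRID_GROUPS:
        kex = ep.group or suite["kex"]
        out.append(Finding(ep.host, ep.port, "high" if hndl_urgent else "medium",
                           f"classical key exchange ({kex}): recorded traffic is decryptable "
                           f"once a cryptographically relevant quantum computer exists"))
        if suite["kex"] == "RSA":
            out.append(Finding(ep.host, ep.port, "high",
                               "static RSA key exchange: no forward secrecy, one server key "
                               "unlocks every recorded session"))

    # 2. Authentication: only breakable at attack time, so lower priority than (1).
    out.append(Finding(ep.host, ep.port, "low",
                       f"classical signature for authentication ({suite['auth']}): "
                       f"migrate when PQ certificates are available"))

    # 3. Bulk cipher: Grover halves effective symmetric strength; 128-bit keys become marginal.
    if suite["enc"] == "AES128":
        out.append(Finding(ep.host, ep.port, "low", "128-bit AES: plan for AES-256 (Grover)"))
    return out


def inventory(endpoints: List[Endpoint]) -> List[Finding]:
    return [f for ep in endpoints for f in assess(ep)]


# Constructed scan results for three illustrative systems.
SAMPLE_ENDPOINTS = [
    Endpoint("ehr.hospital.example", 443, "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "secp256r1", 25, 2),
    Endpoint("scada-hmi.grid.example", 8443, "TLSv1.2", "AES256-SHA", "", 1, 3),
    Endpoint("ticketing.rail.example", 443, "TLSv1.3", "TLS_AES_256_GCM_SHA384", "X25519MLKEM768", 7, 1),
]


if __name__ == "__main__":
    for f in inventory(SAMPLE_ENDPOINTS):
        print(f"[{f.severity:6}] {f.host}:{f.port} {f.issue}")
```

The ordering matters: key exchange comes first because that is what an adversary recording traffic today can break later, whereas signatures only need to hold until the moment of the handshake. The health-record endpoint, with a 25-year shelf life, is the one to migrate first even though the SCADA HMI has the weaker suite today.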

Digital twins represent a more constructive near-future development. By creating real-time virtual replicas of physical infrastructure systems, operators can test security patches, simulate cyberattack scenarios, and validate defensive responses in a safe environment before deploying any changes to live systems. For energy grids, hospital networks, and rail signaling systems alike, this capability offers a way to dramatically reduce the risk that a security update itself causes disruption.

The scale of what is at stake should be the organizing principle of every decision about critical infrastructure cybersecurity. These are not IT problems with operational side effects. They are public safety problems that happen to live in digital systems. The communities that depend on the lights staying on, the hospitals staying open, and the trains running on time deserve security measures that treat those stakes with the seriousness they demand.

Are you building a business that addresses any of these infrastructure cybersecurity issues? Let us know about it.

Clive Reffell
Clive has worked with Crowdsourcing Week and BOLD Awards to source, create and publish content since May 2016. With knowledge and experience gained in a 30+ year marketing career based in London, UK, he helps SMEs and startups to run successful marketing and crowdfunding projects.
