In recent years, the cyberthreat landscape targeting critical infrastructure has shifted dramatically. Attacks that were once rare are now a daily concern for industrial operators, energy providers, transportation networks, and other essential services. Today, most attacks on critical infrastructure fall into three broad categories.
- The first and most common are financially motivated. Criminal groups penetrate networks to launch ransomware campaigns, encrypting systems and demanding payment to restore access. Increasingly, these actors use “double extortion” tactics, stealing sensitive information before encrypting it, then threatening to leak or sell the data if a ransom is not paid.
- The second category consists of state-linked cyber espionage. These attackers aim for persistence rather than quick profit, quietly monitoring networks and collecting intelligence over extended periods.
- The third category, less common but potentially the most dangerous, consists of cyberterrorist attacks designed purely to cause damage. These may target industrial control systems with the intent of triggering a physical effect, for example shutting down production or, in extreme cases, causing unsafe operating conditions.
Attacks are on the rise: what are the reasons?
Two forces have significantly influenced the recent rise in attacks: the pandemic and escalating geopolitical tensions.
The pandemic triggered a massive shift to remote work, expanding the attack surface almost overnight. Internal telemetry from Kaspersky indicated a 242% rise in Remote Desktop Protocol brute-force attacks in 2020, reaching 3.3 billion attempts between January and November that year. The number of malicious files masquerading as video conferencing or corporate messenger applications hit 1.66 million in the same period.
The second driver of increased activity is geopolitical turbulence. The profile of hacktivists has evolved: where once they sought publicity through website defacements or public statements, many now combine political objectives with ransomware for financial gain. Alongside organised cybercrime groups, this politically motivated activity is adding pressure to an already challenging security environment.
What is the current state of industrial cybersecurity?
Cyber defence is a constant contest between attacker ingenuity and defensive innovation. While it may seem that criminals are always one step ahead, the reality is that the vast majority of attacks fail. Each failure results from effective preventive measures, but no system is entirely impenetrable.
Data from the latest Kaspersky Managed Detection and Response analyst report pointed to a continued rise in high-severity incidents with direct human involvement in the industrial sector in 2024, showing that this field remains attractive to threat actors. However, since the pandemic era, the market has matured in response to cyberthreats, and most attacks are now prevented before they can penetrate networks and cause serious damage.
The most effective strategy remains a defence-in-depth approach that combines several layers of protection, including secure network architecture, reliable endpoint defences, continuous monitoring, and user awareness. This layered design reduces risk by ensuring that if one control fails, others remain effective. Regular assessments and collaboration between IT and operational teams further reinforce overall security resilience.
Today’s advanced security tools aim to “shift left” on the attack timeline, identifying threats at the earliest possible stage, often before an attacker establishes a foothold. Automation and technology can achieve a lot, but human expertise remains vital. AI can flag suspicious files or behaviours, but skilled analysts must decide how to respond. This combination of automation and human judgment is critical to keeping pace with evolving threats.
Lessons learned and the road ahead
Post-incident investigations frequently reveal that relatively small oversights, such as a missed patch, a misconfigured firewall, or a neglected update to security policy, can open the door to a major breach. The pandemic’s surge in attacks was a stark reminder of how quickly circumstances can change and how fast attackers can adapt. The good news is that many organisations used this period as a catalyst to strengthen their security posture, closing gaps that had existed for years.
As technologies evolve, so too will the tactics of cyberattackers. With a layered defence, ongoing vigilance, and continuous learning, organisations can keep the probability of a successful attack as close to zero as possible.