In October last year, Spain experienced one of the most dramatic infrastructure failures in modern European history. A sudden collapse in grid frequency left more than 50 million people without power, grounded flights, halted trains, and shut down businesses across the Iberian Peninsula. Fortunately, it was down to a technical issue known as an overvoltage event, not a hostile act by threat actors. 

But the incident still delivers an important lesson: when critical infrastructure fails, the consequences will quickly cascade.

Geopolitical tensions are running high and state-sponsored actors increasingly target operational technology environments directly. The conditions for a similarly disruptive incident – this time deliberate – are building. 

Withstanding these disruptive incidents requires building resilience into critical infrastructure at a foundational level. Not bolting it on as an afterthought. But with so many facilities designed and built for a different age, where do operators start? 

The infrastructure threat is no longer theoretical

State-sponsored threat actors are no longer simply probing IT networks for data – they are targeting the operational technology that controls physical processes, including energy generation, water treatment, transport systems, and manufacturing. 

The list of targets is expanding too, as critical infrastructure now encompasses airports, telecoms networks, hospitals, and commercial data centres. All of these areas are under increased cyber threat, and that makes it even more important that operators get on top of it now.

Data centres in particular will be a growing concern. Modern hyperscale facilities consume enormous amounts of power, making them uniquely dangerous nodes on the grid. If you bring a data centre down in one go, the impact on the grid will be immense. 

Taking a centre offline creates a spike in one direction, while bringing it back up creates another. A coordinated cyberattack targeting multiple facilities simultaneously wouldn’t just take those sites offline, but could also destabilise the wider grid they draw from.

The problem with bolting security on

Most infrastructure operators are well aware of the increasing cyber threat, but it competes with many other challenges for resources.

A core difficulty facing most operators is that they are not starting from a blank page. The systems that control physical operations were built for reliability and longevity, not security. Many have been running for decades, and some predate the internet entirely. 

Replacing them wholesale is not a realistic option, and even widespread retrofitting may not be possible where taking a system offline could interrupt critical services.

But that doesn’t mean that nothing can be done. The real opportunity in retrofit scenarios lies not in the operational technology (OT) assets themselves but in the infrastructure that surrounds them. Replacing a complete factory won’t happen – some of those components will remain old. But the switches, the firewalls, the IT-type infrastructure that underpins OT operations: that is what needs replacement. 

Without modernising that network layer, even strong security tooling cannot do its job. If you know you need to do segmentation but haven’t got the switches to enforce it, what are you going to do with the information?

This is where resilience-by-design comes in. Organisations that treat cybersecurity as something to be addressed after the operational priorities are settled will find themselves permanently catching up – technically constrained, financially stretched, and exposed. 

Resilience by design in practice

For organisations building new infrastructure, the opportunity to get this right exists – but only if security is treated as a design requirement from the earliest stages. The architectural choices, the network topology, the equipment specifications: these need to account for cybersecurity years before the first brick is laid, not at commissioning when the options have already narrowed.

But inbuilt resilience is still achievable for existing operators. The starting point is understanding what you actually have. An up-to-date asset inventory is the foundation of everything else, because you cannot protect what you cannot see. 

From there, the question that should drive every security investment decision is simple: which systems would cause the greatest disruption if they stopped working? Security programmes built around that question will always outperform those built around compliance checklists.

Organisational structure matters too. Bringing IT and OT under a single point of security responsibility is essential – one person accountable across both domains, with the authority and tenure to make decisions that outlast their own role. Security decisions made by people who know they are moving on in two years tend to reflect that horizon.

Simplify, don’t accumulate

Most critical infrastructure domains tend to operate at a slow pace, where changes are big but take time to build momentum. This is a poor fit for the fast-paced and increasingly hostile nature of the cyber threat landscape.

However, there are immediate steps that operators can take now, without a major investment programme. Launching a programme to reduce redundancy and overlap is a quick win, especially for remote access systems. 

Over time, most operational environments accumulate technology in layers. Each new vendor relationship, each maintenance contract, each operational requirement brings its own tools and its own access pathways. In one customer environment, we found 80 different remote access solutions in active use. 

Reducing that to say, five or 10, is already a major security improvement – the complexity cost of those 80 solutions, in monitoring burden, policy management, and sheer number of potential entry points, far outweighs any operational convenience they provide.

The principle is straightforward: stop adding more and start strengthening what you already have. Vendors naturally tend to push their own tools and access requirements, but organisations need to push back. Prioritise resilience, simplify the ecosystem, and eliminate the fragility that attackers are counting on. 

Preparing for the next wave of digital risk

The Iberian Blackout may not have been a hostile act, but it demonstrated what happens when critical infrastructure proves more fragile than anyone anticipated. The threat environment is not getting easier, and the interconnected systems that underpin daily life – energy, transport, communications – leave little margin for complacency.

Those that have built security in from the foundation will be better placed to withstand incidents, recover faster, and continue serving the people and industries that depend on them. Those who haven’t will find that bolting it on after the fact is slower, more expensive, and less effective than doing it right from the start. In the year ahead, resilience won’t just protect systems – it will define which organisations stay operational when the next wave of disruptive attacks hits.

Learn more at claroty.com