Mark Overington, Head of Intelligence, Solace Global Risk – A Global Guardian Company takes a closer look at the hybrid threat to critical infrastructure.
The term critical infrastructure (CI) was formalised in US policy in 1998 by Presidential Decision Directive 63 (PDD-63), issued under President Bill Clinton, which defined CI as “those physical and cyber-based systems essential to the minimum operations of the economy and government.”
More broadly, CI refers to the systems, assets and networks essential to a nation’s security, economy, public health and safety, including sectors such as energy, water, transport, communications and healthcare.
Since the introduction of PDD-63, the remit of CI has expanded beyond traditional sectors to increasingly include digital infrastructure, such as data centres and cloud services, on which the traditional sectors are now heavily dependent.
The evolution of CI – and the threats facing it
The US Cybersecurity and Infrastructure Security Agency (CISA), established in 2018 under the Department of Homeland Security, is responsible for protecting CI.
CISA now recognises 16 distinct CI sectors, illustrating the breadth of what is considered CI. While CISA also covers physical threats such as sabotage, it was primarily established to defend CI from the growing threat of cyber-attacks.
A proliferation in cyber-attacks conducted by hostile states, state-aligned actors, organised criminal groups and hacktivists targeting CI has exposed systemic vulnerabilities within essential national systems, including energy, transport and healthcare, demonstrating how deeply these sectors depend on digital networks.
In November 2025, the US House Committee on Homeland Security published an updated ‘Cyber Threat Snapshot.’ The report warned of increasing cyber-attacks targeting US CI, indicating that 70% of all cyber-incidents in 2024 involved CI.
Most activity is linked to Russia, China, Iran and North Korea, each of which has stepped up cyber-attacks, with advances in AI leveraged as a force multiplier.
The report also cited a spike in Iranian-sponsored cyber-attacks following Israeli and US strikes on Iran, indicating how geopolitical tensions can directly influence offensive cyber activity. Other Western governments have identified similar trends.
In October 2025, the UK’s National Cyber Security Centre (NCSC), a branch of the Government Communications Headquarters (GCHQ), reported that it had dealt with a record 204 “nationally significant” cyber-attacks in the year to September, up from 89 in the previous 12 months.
Cyber-attacks can cause significant financial loss and service disruption. As threat actors continue to adapt attack vectors and tactics, techniques and procedures (TTPs), the threat will demand dedicated resources, consistent training and increased coordination between government, industry and security partners.
This has driven a substantial increase in in-house and outsourced security operations centres (SOCs): 24/7 centralised hubs tasked with detecting, analysing and responding to threats in real time.
While the risk remains potentially severe, the widespread adoption of enhanced monitoring and defences has resulted in most attacks being detected or contained before causing major disruption.
Public and private investment in cyber-defences has increased the resilience of CI systems, but physical defence must also continue to evolve.
CI remains highly vulnerable to physical threats such as natural disasters, sabotage, terrorism and forms of direct action.
Physical threats are often also contextualised within the same strategic framework as cyber threats, with adversarial actors increasingly adopting a hybrid approach that fuses physical and digital attacks. This is best evidenced by Russia’s sabotage campaign across Europe.
Physical threats and sabotage
Russia had targeted European CI before the war in Ukraine as part of its hybrid warfare strategy. This doctrine combines military, cyber, informational and covert operations to achieve its objectives.
This approach has involved sabotage and cyber-attacks on CI to undermine support for Ukraine, while maintaining plausible deniability and operating below the threshold likely to trigger an escalation.
Moscow has viewed European CI as a strategic vulnerability and as a target that is often easily accessible. According to the International Institute for Strategic Studies (IISS), confirmed Russian sabotage of European CI increased 246% between 2023 and 2024, with well over 100 recorded events since the full-scale invasion of Ukraine in 2022.
Russia-linked attacks on CI have included acts of arson, rail sabotage, grid interference and underwater cable cutting.
European CI has been particularly vulnerable due to ageing systems, underinvestment and extensive interdependence across borders and sectors. Russian intelligence now runs a “gig economy”, recruiting foreign nationals, criminal groups and local sympathisers through encrypted messaging platforms to carry out low-tech acts of sabotage for relatively small sums of money.
This model has enabled the Kremlin to distance itself from attribution when orchestrating cost-effective operations at scale, with unprecedented reach within target states.
Physical attacks have demonstrated that any entity targeting CI can exploit many of the same structural weaknesses observed within the cyber-domain.
Poor perimeter security, insufficient threat monitoring, inadequate access controls and limited redundancy are shared vulnerabilities that can be exploited and potentially cause cascading system failures.
Physical attacks on CI may also avoid leaving the forensic traces and attribution pathways typical of cyber-operations.
While cyber infrastructure can be monitored and defended remotely from virtually anywhere, the physical protection of CI still requires on-site presence and on-the-ground responses.
The sabotage of Tesla’s Berlin Gigafactory in 2024 was attributed to a left-wing extremist group, not Russia. However, it underscores how physical attacks on CI can match the disruption of cyber-attacks.
The attack targeted a nearby power pylon rather than the factory itself, causing a major outage that resulted in almost US$1b in damages and production losses.
By targeting an external dependency outside the facility’s perimeter, saboteurs were able to exploit a single point of failure to achieve large-scale disruption. In cyber terms, this is perhaps analogous to compromising a third-party service provider or connected network, where a breach in one peripheral system can trigger an operational shutdown.
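The single-point-of-failure reasoning above can be made mechanical. The following is an added illustration, not code from the original article or from any operator it describes: it models a facility's supply dependencies as a directed graph and reports every node whose loss alone cuts the facility off from its source, then flags which of those nodes lie outside the operator's own perimeter. The topologies, node names and perimeter boundary are constructed assumptions chosen to mirror the pylon scenario; the same check applies to cyber dependencies (a third-party provider or connected network) by changing the node labels.

```python
"""Single-point-of-failure check over a facility dependency graph.

Added example, not part of the original article. Topologies and names below
are constructed assumptions that mirror the single-pylon scenario in the text.
"""
from collections import deque

# Edge (supplier, consumer): the consumer depends on the supplier.
# Constructed sample: the factory is fed from the grid through one pylon and
# one substation, as in the scenario described in the article.
SINGLE_FEED = [
    ("grid", "pylon_a"),
    ("pylon_a", "substation_1"),
    ("substation_1", "factory"),
]

# Constructed sample: a second, independent feed added for comparison.
DUAL_FEED = SINGLE_FEED + [
    ("grid", "pylon_b"),
    ("pylon_b", "substation_2"),
    ("substation_2", "factory"),
]

# Nodes the operator physically controls (assumption for the example).
INSIDE_PERIMETER = {"substation_1", "substation_2", "factory"}


def build_graph(edges):
    """Adjacency list supplier -> set(consumers), including sink-only nodes."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def reachable(graph, source, target, removed=frozenset()):
    """BFS: can `target` still be supplied from `source` with `removed` nodes out?"""
    if source in removed or target in removed:
        return False
    seen = {source}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in graph[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(edges, source, target):
    """Nodes (other than source/target) whose loss alone cuts target off from source."""
    graph = build_graph(edges)
    spofs = []
    for node in graph:
        if node in (source, target):
            continue
        if not reachable(graph, source, target, removed={node}):
            spofs.append(node)
    return sorted(spofs)


def external_spofs(edges, source, target, inside):
    """Subset of the SPOFs that sit outside the operator's perimeter."""
    return [n for n in single_points_of_failure(edges, source, target)
            if n not in inside]


if __name__ == "__main__":
    for name, edges in (("single feed", SINGLE_FEED), ("dual feed", DUAL_FEED)):
        spofs = single_points_of_failure(edges, "grid", "factory")
        outside = external_spofs(edges, "grid", "factory", INSIDE_PERIMETER)
        print(f"{name}: SPOFs={spofs} outside perimeter={outside}")
```

With the single feed, the pylon shows up as a single point of failure that the operator does not control; with the second feed, no single node removal isolates the factory. The check is deliberately naive (it considers one node at a time), which is enough to surface the external dependency the text describes; a fuller assessment would also consider pairs of nodes and shared upstream assets.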
Since Russia intensified its sabotage campaign, there has been an increase in attacks targeting CI by a host of non-state and extremist groups, including far-left, far-right, anarchist and environmentalist movements.
Motivations may differ from the Kremlin’s; however, Russia’s campaign has likely provided a blueprint for the low-cost, deniable and effective disruption of CI, a model that is likely to be increasingly emulated by hostile states and a myriad of non-state actors.
It has also demonstrated that while many individual attacks may be of limited impact, cumulatively, these incidents can have a strategic effect.
Balancing defences for resilient CI
As public and private sectors continue to prioritise the cyber-defence of CI, there is a growing danger of overlooking the threat posed by physical attacks.
The more threat actors assess that CI is exposed in the physical domain, the more likely they are to exploit these vulnerabilities.
The lesson learned should be that the emergence of new technologies and attack vectors should not come at the expense of protection against traditional methods.
Failing to implement robust and comprehensive physical security measures in line with cyber-defences risks underestimating the effectiveness of conventional tactics.
This failure will almost certainly increase the exposure of CI operators to operational disruption, financial loss and reputational damage.
