Digital4Security Taster Workshops - Workshop 6: Critical Infrastructure Cybersecurity and Resilience: A Socio-technical Perspective

Rising Stakes in Infrastructure Security

Critical infrastructure—power grids, water utilities, transport networks, and telecommunications—underpins modern economies and daily life. Cyberattacks on these systems have evolved from data theft to operational disruption, with the potential to cause widespread blackouts, supply shortages, or safety hazards.

In 2025, ransomware incidents impacting industrial organizations surged, affecting thousands of entities and causing real operational halts. Reports tracked 26 active OT threat groups, with adversaries scaling operations globally and exploiting vulnerabilities faster than patches can deploy. State-linked actors, including those from China and Russia, maintained persistent access to energy, water, and communications systems, pre-positioning for potential crisis activation amid geopolitical strains.

The EU's NIS2 Directive (Directive 2022/2555) expanded obligations beyond traditional operators to include more sectors as 'essential' or 'important' entities, mandating risk management, incident reporting, and supply-chain oversight. Member states were required to transpose it by October 2024, but many—including major economies—delayed, prompting infringement actions and uneven readiness. By early 2026, the European Commission proposed amendments to clarify rules and ease burdens on smaller firms while tightening controls on high-risk suppliers.

This regulatory push coincides with heightened threats: hacktivists exploited industrial control systems, and espionage groups targeted infrastructure in Europe and beyond. Costs run into billions annually, with projections of cybercrime damages exceeding $10 trillion globally. Inaction risks cascading failures— a single breach can halt manufacturing, disrupt emergency services, or undermine public trust.

A socio-technical perspective reveals deeper tensions. Infrastructure is not just hardware and software but intertwined with human decisions, organizational cultures, and inter-system dependencies. Rapid adoption of connected technologies boosts efficiency but expands attack surfaces, while workforce shortages in cybersecurity skills hinder effective response. Trade-offs emerge between short-term operational priorities and long-term resilience investments, with over-reliance on technical solutions ignoring how people and processes either mitigate or exacerbate risks.