Here Be Dragons: The Growing Cyber Threats to Critical Infrastructure
In certain medieval maps, unexplored regions had a warning: hic sunt dracones. It meant “Here be dragons.” These words and images of fire-breathing beasts marked dangerous and unknown realms.
In 2025, we’re facing a new kind of uncharted territory. Cyber risks are growing. Global tensions are rising. Institutions are under strain. And this time, it’s our critical infrastructure that’s under attack.
Just like the unexplored regions of medieval maps, today’s digital infrastructure has blind spots — and the threats lurking there are just as real. The dragons are still here; they've just gone digital.
According to The Economist’s Global Risk Outlook 2025, rising conflict is pushing nation-states to weaponize cyber capabilities — with critical infrastructure as a prime target.
What’s at stake for critical infrastructure?
Critical infrastructure includes everything society depends on — utilities, finance, healthcare, telecom, and emergency services. These aren’t just technical systems. They’re lifelines. And threats to these essential services are growing.
As our own Trevor Dearing, director of critical infrastructure solutions, puts it: “If you hit power, water, or transportation systems, the impact is immediate and visible.”
And the concern isn’t just anecdotal. It’s shared across the cybersecurity landscape. According to the World Economic Forum’s 2025 Global Cybersecurity Outlook, more than 60% of cybersecurity leaders say that geopolitical instability has increased the risk to critical systems.
The American Water breach
Among the growing list of critical infrastructure breaches, one stands out.
In October 2024, American Water — the largest U.S. water utility — shut down billing and customer systems after detecting unauthorized activity in its networks. Water service wasn’t affected, but the breach made headlines.
Why? Because American Water serves over 14 million people (roughly the population of Los Angeles) — and 18 military bases.
Critical infrastructure is now a top target for foreign-linked cybercriminals.
“All drinking water and wastewater systems are at risk — large and small, urban and rural,” warns the EPA.
The breach at American Water wasn’t an isolated case. It’s part of a pattern — a growing wave of cyberattacks targeting the systems we all rely on. Over the last two years, attacks have hit energy, water, transportation, and more. Here’s how it has unfolded.
Recent critical infrastructure attacks
- May 2023 – Volt Typhoon in U.S. Critical Infrastructure
Volt Typhoon, a Chinese state-backed group, targeted U.S. critical infrastructure — including maritime, energy, and transport. It used native Windows tools and stolen credentials to stay hidden — avoiding malware entirely to evade detection.
- August 2023 – Polish Railway Hijack
In Poland, hackers used radio signals to trigger emergency stops. They disrupted rail traffic with just $30 worth of equipment.
- February 2024 – UnitedHealth ransomware attack
A ransomware attack on UnitedHealth’s Change Healthcare disrupted insurance payments across the U.S., affecting hospitals, pharmacies, and 100 million Americans. The outage lasted weeks, delaying billions in reimbursements.
- June 2024 – Texas Water System Hacked
The CyberArmyofRussia_Reborn (CARR), a Russian hacktivist group, hit water systems in rural Texas. In Muleshoe and Hale Center, they used exposed remote ports to overflow tanks and disrupt operations.
- August 2024 (discovered) – Salt Typhoon: Telecom Espionage Campaign
Salt Typhoon, a China-backed threat actor, used stolen credentials and malware-free techniques to infiltrate U.S. telecommunications providers, including Verizon, AT&T, and T-Mobile. The group accessed sensitive subscriber metadata, raising serious concerns about espionage and U.S. national security.
- October 2024 – American Water Breach
American Water shut down billing and customer systems to stop a cyberattack. Water service continued, but the breach exposed how fragile legacy infrastructure can be.
- November 2024 – Unitronics PLCs Targeted
CyberAv3ngers exploited flaws in Unitronics’ PLCs — devices used in water plants. Their attacks hit dozens of systems in the U.S. and Israel.
- March 2025 – Ukrainian Railway Attacks
A cyberattack halted Ukraine’s national railway. It shut down ticketing and logistics. Officials blamed Russian actors.
- April 2025 – Moroccan Social Security Fund Breached
Hackers breached Morocco’s national social security system. They leaked sensitive data on Telegram. Reports linked the attack to Algerian groups.
- May 2025 – UK Retail Infrastructure Hit
Scattered Spider hit UK retailers — including Co-op and Harrods — with ransomware. It brought grocery logistics to a halt.
Critical infrastructure risks keep growing
So why are these systems so vulnerable?
CISA sounded the alarm in its 2024 review.
“Nation-state actors are increasingly targeting critical infrastructure to prepare for future disruption,” it wrote. “Sectors like water, energy, and healthcare are already under stress — from aging systems and weak cyber defenses.”
The fact is, modern threats move faster than old defenses, warns Illumio's Dearing.
“A lot of these systems run on unsupported software and unpatched code,” he said. “It’s a huge attack surface — and it’s often hard to monitor.”
At the dragon's gate
The medieval map is no longer mythical. Threats to critical infrastructure are here and now.
For a closer look at how Zero Trust strategies can help safeguard critical infrastructure from today’s evolving threats, explore the Department of Defense’s Zero Trust Reference Architecture. It offers practical guidance for reducing risk and building greater resilience.
And learn how to defend against the next inevitable critical infrastructure breach with a Zero Trust architecture.