Combatting Critical Infrastructure Threats Requires Unified Cyber Approach
Cyber officials stress threats to critical infrastructure and need for a unified strategy to modernize legacy systems and boost zero trust.

Cybersecurity threats to U.S. critical infrastructure are reaching new levels of complexity, and networks remain vulnerable without a more unified approach to modernizing legacy systems and bolstering zero-trust implementation, top federal cybersecurity officials warned Thursday at the 2025 CyberScape Summit in Bethesda, Maryland.
Examining IT and OT Systems
Paul Selby, Energy Department CISO, emphasized during the event that organizations must fully understand the scope of challenges posed by legacy systems and the complexities involved in integrating IT and OT systems.
OT systems, like emergency dispatch systems or building elevators, operate on legacy systems. With a better understanding of the systems’ operations, officials can be prepared to address the issue correctly and quickly.
“A lot of the OT in our critical infrastructure is just not capable of supporting the basic cyber hygiene that we need to protect our networks,” said Selby. “A lot of [OT systems can’t] support sufficient logging, [they don’t have] anomaly detection or multi-factor authentication.”
Navy Installations Command Enterprise Information Officer Shery Thomas compared OT systems to the styles of houses. OT systems come from different time periods, and each requires renovations over time. Thomas said a whole-of-government approach is needed to operate these systems together efficiently.
“If [an elevator] has a fault, is it a cyber fault, or is it just a mechanical problem? And that’s where we’re trying to figure out the totality of the cyber enterprise now,” said Thomas. “We need to figure out how to share trade craft, similar to industry. Individual organizations might be doing their specific areas, but then you need to group together.”
Protecting Everything from the Grid to the Waterways
Protecting critical infrastructure also requires organizations to secure physical aspects. The Cybersecurity and Infrastructure Security Agency (CISA) Chief Meteorologist Sunny Wescott said more frequent extreme weather events have a direct impact on critical infrastructure and create the perfect opportunity for bad actors to capitalize on vulnerabilities.
During a snowstorm in Baltimore earlier this year, a man stole $80,000 of copper pipes from a school. Wescott added that entire pipe systems in buildings are being poached following power outages during weather events.
“Many of these buildings take weeks to months to repair on the back end, not because of the weather event, but because of the additive of the human nature,” Wescott said. “It’s not just one aspect. It’s not one storm event coming across. It’s the continuation of the worsening and being able to operate.”
Cloud and hybrid data centers, or Fusion Centers, also pose a threat to federal agents within Customs and Border Patrol (CBP). Fusion Centers host threat-related information and share it at the state, local, tribal and territorial levels and with private sector partners. The data within the Fusion Centers is used to analyze potential threats to critical infrastructure, but the centers themselves are also considered critical infrastructure.
Red Hat’s Chief Architect for Law Enforcement and Justice Mike Hardee added that more people, both in and outside of government, need a better understanding of the makeup of critical infrastructure to secure against growing threats.
“[Critical infrastructure] goes beyond IT, the critical infrastructure of our country is not understood,” said Hardee. “It’s extremely important for everyone to understand the protect surface and understand the endpoints.”
Fostering a Zero Trust Culture
Zero trust can better prepare agencies to respond to and recover from an attack, but successful implementation requires a strong adoption plan and effective change management. Hardee added that zero trust implementation should not be viewed as all or nothing.
“Organizations need an adoption plan because everyone’s in different places in their organization … We see our customers will procure every solution under the sun, and then it sits on the shelf because we don’t have the people to implement,” said Hardee. “It’s the same thing with zero trust policy and processes [and we need to be deliberate in] our approach and adoption of these things.”
Selby said organizations shouldn’t abandon other cybersecurity aspects as they implement zero-trust pillars.
“The change management becomes key because if you’re not working with your stakeholders, if you’re not working with your partners, you are going to be the cybersecurity group that is just, you know, screaming waving the flag,” said Selby. “What we’re doing, folks, is not working. We have to change our messaging to get the stakeholders and bring them into the tent with us. We need to make them champions for what we do.”