Open Access
Issue
Security and Safety
Volume 5, 2026
Article Number 2026002
Number of page(s) 19
Section Industrial Control
DOI https://doi.org/10.1051/sands/2026002
Published online 27 January 2026

© The Author(s) 2026. Published by EDP Sciences and China Science Publishing & Media Ltd.

Licence: Creative Commons. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. Introduction

To effectively counter cyberattacks on critical cyber-physical systems (CPS) and governmental infrastructures, it is essential to understand their vulnerabilities and threat landscapes. These systems form the foundation of modern society, supporting sectors such as energy, healthcare, transportation, and communication. However, their rapid digitalization has introduced new security gaps, often exploited by both state-sponsored and financially motivated threat actors. With increasing reliance on digital infrastructure, these critical systems face heightened exposure to sophisticated attacks. Such incidents can disrupt essential services, compromise national security, and cause significant economic damage. In severe cases, they may even threaten public safety through physical harm. Traditional cybersecurity measures are insufficient against evolving threats such as phishing, zero-day exploits, and social engineering. The convergence of digital and physical systems, alongside the rise of Advanced Persistent Threat (APT) groups, further amplifies the urgency to strengthen security postures.

Studies highlight the variety of methods employed by attackers to target critical infrastructures, such as Advanced Persistent Threats (APTs), ransomware, and phishing campaigns. Adamov [1] analyzed the use of Russian wiper malware in cyberwarfare against Ukraine, demonstrating its devastating impact on government infrastructures. Similarly, the ENISA Threat Landscape report outlines the escalation of ransomware attacks targeting energy and transportation systems, emphasizing the financial and operational disruptions they cause [2].

Cyber-physical systems (CPS), integral to critical infrastructure, are especially vulnerable to cyberattacks due to their interconnectivity and reliance on legacy technologies. Maynard et al. [3] conducted an in-depth analysis of known cyberattacks on CPS, identifying recurring vulnerabilities in industrial control systems. This aligns with findings by Palleti et al. [4], who documented how cascading failures can propagate through interconnected infrastructures, causing widespread societal disruption. Furthermore, Aljohani [5] highlighted the specific vulnerabilities of energy infrastructure, including power grids and oil facilities, in light of increasing geopolitical tensions. The global nature of cyber threats necessitates international cooperation. Haataja [6] examined the role of norms and international law in governing state-sponsored cyber operations, advocating for stronger global frameworks to deter malicious activities. This perspective is supported by Alqudhaibi et al. [7], who analyzed the geopolitical implications of cyberattacks on national infrastructures and called for enhanced cross-border collaboration.

Several high-profile incidents illustrate the devastating consequences of cyberattacks on critical infrastructure. The NotPetya malware attack, which crippled global shipping logistics, has been extensively studied to understand the vulnerabilities it exploited and the systemic risks it revealed [8]. Aljohani [5] added insights into the use of cyberattacks as modern warfare tactics against energy infrastructures, highlighting the strategic motivations behind such incidents. Despite significant advancements, several research gaps remain. Orleans-Bosomtwe [9] highlighted the need for more comprehensive penetration testing methodologies to identify vulnerabilities proactively. Furthermore, Aljohani [5] stressed the importance of strengthening cybersecurity in energy infrastructures, particularly in the face of rising geopolitical tensions. These gaps emphasize the importance of continued research into both technical and human factors influencing cybersecurity. The reviewed studies collectively underline the critical need for a multi-faceted approach to securing critical infrastructures.

The objective of this study was to develop a comprehensive approach for protecting critical infrastructure against cyberattacks by analyzing contemporary threats, vulnerabilities, and effective cybersecurity strategies, with specific tasks including: examining the evolution, methods, and impacts of cyberattacks on critical infrastructure (2015–2025), particularly in energy, transportation, and government sectors; assessing the cybersecurity level of digital platforms (using Diia as a case study) and identifying key vulnerabilities through the Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege (STRIDE) framework; and proposing enhanced protection mechanisms such as Cybersecurity Mesh Architecture (CSMA), AI-based systems, and international coordination, along with practical recommendations for governments and businesses.

2. Material and methods

The methodology was structured to enable a comprehensive and multidimensional analysis that captures both the technical and societal dimensions of cybersecurity challenges. The study focused on examining historical data, assessing patterns of attack behavior, analyzing system vulnerabilities, and evaluating current and future protection mechanisms across essential sectors, including energy, transport, communication, healthcare, and governance. The research was based on a wide-ranging collection of primary and secondary data sources, including databases of recorded cyber incidents and national and international cybersecurity guidelines. One of the core materials utilized was the database of cyberattacks reported between 2015 and 2025, obtained from publicly available records maintained by Tovkun [10], Pollard [11], Presekal et al. [12], Olteanu [13], Brooks et al. [14], and Sam [15]. The article analyzed 22 cyberattacks on critical infrastructure facilities. The selection criteria for the cyberattacks included in the table were based on their strategic, technological, and systemic relevance to critical infrastructure threats from 2015 to 2025. Priority was given to incidents that directly affected key sectors such as energy, telecommunications, transportation, government, and defense.

Attacks with tangible physical consequences, large-scale service disruptions, or significant economic impact were emphasized. Additional selection factors included the use of novel or advanced techniques – such as Industrial Control System (ICS) protocol exploitation, wiper malware, “living off the land” tactics, or supply chain compromise. Events with unverified details or primarily local/criminal motives without strategic implications were excluded. Geographically, the list reflects both high-conflict zones (e.g., Ukraine, Iran) and digitally advanced nations (e.g., the U.S., EU states) to illustrate both state-driven operations and global cascade effects. Only well-documented cases were included, based on technical analyses from open reports (CERT-UA [16], European Union Agency for Network and Information Security (ENISA) [17], Cybersecurity & Infrastructure Security Agency (CISA) [18], Center for Threat Informed Defense MITRE [19]) and peer-reviewed publications.

Furthermore, cybersecurity readiness assessments from intergovernmental organizations, including the Global Cybersecurity Index (GCI), were incorporated to contextualize the status of national resilience and highlight disparities between developed and developing regions. The methodological design employed a mixed-methods approach, combining qualitative and quantitative techniques to analyze the evolution of cyberattacks, their systemic consequences, and the future trajectories of protection strategies. The analysis was conducted across three core domains: characterization of cyberattacks on CPS and government infrastructures, assessment of impact across economic, social, and political sectors, and evaluation of resilience and prospective protective technologies.

The characterization of cyberattacks began with a structured classification of incidents based on their technical features, affected sectors, and the sophistication of the attack mechanisms. A typology was developed to categorize attacks by method (e.g., DDoS, ransomware, logic bombs, zero-day exploits), by actor type (e.g., state-sponsored, cybercriminal, hacktivist), and by target infrastructure (e.g., energy grid, water supply, transport systems, public administration networks). Attack timelines were constructed to observe patterns of escalation, frequency, and seasonal or geopolitical correlations. This temporal analysis facilitated a clearer understanding of when and how critical infrastructure becomes most vulnerable.

To analyze the systemic impacts of cyberattacks, a sectoral impact assessment method was used. Sector-specific impact indicators were synthesized into comparative matrices to evaluate the short- and long-term consequences of cyberattacks across sectors. This approach allowed for an evidence-based examination of interdependencies between infrastructures, such as how the failure of a communication network could paralyze emergency response and public safety systems. A further strand of prospective analysis focused on governance and policy. Comparative analysis was conducted on national cybersecurity strategies from selected countries (Ukraine, the USA, and European Union countries, in particular Denmark, Norway, and France) to identify common elements of success, such as mandatory infrastructure audits, investment in AI-driven detection, and public-private partnerships. The countries selected for analysis were determined by their geopolitical importance, the presence of documented attacks on energy, logistics and government facilities, and the high degree of interdependence between national infrastructures, which created potential for cascading effects of cyberattacks. These strategies were then examined against a framework of resilience indicators, including institutional readiness, public awareness, legal harmonization, and emergency response capability.

3. Results

3.1. Analysis of key cyber threats to critical infrastructure in 2015–2025

Cyberattacks targeting energy and transportation infrastructure pose a serious threat to national security, as these systems are critically important for the functioning of modern society and the economy. The increasing frequency and sophistication of such attacks highlight the need for in-depth analysis of their methodologies, objectives, and consequences to develop effective countermeasures. Examples of cyberattacks are given in Table 1.

Table 1. Cyberattack case study

To improve the statistical accuracy of the dataset, the analysed cyberattacks were further classified by targets, attack types, and consequences. Classification by target showed that most incidents affected energy systems, followed by telecommunications, government institutions, transport, and the financial sector, confirming the strategic vulnerability of energy infrastructure. Classification by attack type revealed frequent use of ICS/OT manipulation, data-wiping malware, ransomware, supply chain compromise, DDoS operations, and covert credential-based intrusions, illustrating the growing sophistication of APT techniques, especially those focused on industrial systems. Classification of attacks by impact further demonstrated that the most common impact was service disruption, accompanied by data theft, physical security risks, significant economic losses, and cross-border cascading effects. This expanded classification provides a clearer picture of how attackers choose their targets, what techniques they use, and the scale of the breaches they cause [21].

The data for cyberattacks targeting critical infrastructure from 2015 to 2025 was derived from open-source records, including cybersecurity incident databases and peer-reviewed publications. The data reveals a marked escalation in cyberattacks over the past decade, particularly during periods of geopolitical instability. The total number of cyberattack incidents analyzed amounts to 22, with the majority of attacks taking place from 2022 to 2023, coinciding with the escalation of armed conflicts such as the Russia-Ukraine war. The primary attack vectors used by cybercriminals and state-backed groups were phishing (identified in 7 cases), ransomware (5 incidents), DDoS attacks (3 cases), and supply chain attacks (4 cases). The energy sector emerged as the most frequently targeted, suffering from 7 incidents, followed by telecommunications (5 attacks), and government infrastructure (4 attacks). These sectors were strategically targeted due to their critical importance in national security and the economy.

The predominant threat actors identified in the analysis were Russian-backed hacker groups, such as Sandworm and Fancy Bear, responsible for the majority of the incidents, alongside Chinese cyber actor Volt Typhoon, which employed advanced “living-off-the-land” techniques. Ransomware-as-a-Service (RaaS) groups, including BlackCat, also played a significant role in the attacks. The evolving sophistication of cyberattacks is evident in the increasing use of novel techniques, such as manipulating industrial control systems (ICS) and deploying wiper malware, which are particularly damaging to the functioning of critical infrastructures. Figure 1 illustrates the increase in cyberattack frequency over the past decade, with significant spikes during periods of geopolitical tensions (e.g., Ukraine conflict in 2022–2023).

Figure 1. Frequency of cyberattacks on critical infrastructure (2015–2025). Note: * – data for the incomplete year 2025.

Figure 2 categorizes cyberattacks by sector, showing the energy sector as the most targeted due to its national security significance.

Figure 2. Cyberattack types by target sector (2015–2025).

Statistical analysis of cyberattacks presented in the table reveals key trends in the evolution of cyber threats targeting critical infrastructure, particularly in energy, industrial, and telecommunications sectors. Temporally, the most intensive period of cyber activity occurred during 2022–2023, directly correlating with the escalation of armed conflict in Ukraine. This demonstrates the growing role of cyber warfare as a tool of geopolitical confrontation. Over the past decade, cyberattacks on critical infrastructure have increased non-linearly, with sharp spikes during geopolitical crises. For instance, while the annual average of major incidents was 1–2 attacks per year in 2015–2017 (e.g., BlackEnergy, Industroyer), this surged to 4–5 attacks annually by 2022–2023 (e.g., Viasat, Kyivstar, Danish energy grid attacks). The year 2022 marked a turning point, with Ukraine alone experiencing three major attacks (WhisperGate, AcidRain, Industroyer2) linked to Russia’s full-scale invasion.

According to the ENISA Threat Landscape 2024 report, attacks on ICS/OT systems rose by 87% since 2020, with 60% specifically targeting energy infrastructure, highlighting the escalating threat landscape driven by both geopolitical tensions and systemic vulnerabilities [2]. Analysis of attack origin countries reveals predominant activity by Russian hacking groups, particularly Sandworm, Fancy Bear, and Ember Bear. Nine of the analyzed incidents were directly linked to Russia, confirming the systematic and targeted nature of its cyber aggression. Documented research also identifies the Chinese group Volt Typhoon, which demonstrates advanced stealth techniques and “living-off-the-land” methodologies that avoid traditional malware. Some attacks remain unattributed, highlighting attribution challenges in modern information warfare [22].

The most common initial access vector remains phishing and spear-phishing, employed in seven of eighteen cases as the primary attack stage. Exploitation of software vulnerabilities, virtual private network (VPN) services, and access devices is also widespread, underscoring the need for timely system updates and multi-layered security. Less frequent but extremely dangerous are supply chain compromises, exemplified by NotPetya’s breach of legitimate software update mechanisms. Over the past decade, cyberattack methodologies have evolved significantly, shifting from traditional system breaches to more advanced techniques. Supply chain attacks, such as NotPetya and the exploitation of Ivanti vulnerabilities, illustrate the growing risks associated with third-party software suppliers. The emergence of Ransomware-as-a-Service (RaaS) has facilitated the rise of cybercrime groups like BlackCat (ALPHV), which distribute ransomware on a massive scale, demanding payment for data decryption. Additionally, politically motivated DDoS attacks have become a powerful tool for disrupting government agencies and financial institutions, further intensifying the threat landscape.

Regarding target infrastructure, the energy sector suffered the most attacks (seven incidents). The high concentration of attacks on power grids stems from their importance for national security and civilian infrastructure. Other targets include government institutions, manufacturing facilities, telecom operators, seaports, and satellite networks, indicating an expanding target spectrum and growing cross-sector risks that complicate universal defense mechanisms. The analysis necessitates special consideration of the malware variants identified in the examined attacks. Six cases involved manipulation of industrial protocols (ICS/OT), demonstrating attackers’ deep knowledge of critical infrastructure specifics. Four attacks employed destructive wiper malware designed not just for data theft or blocking but for targeted resource destruction. Ransomware shows signs of transitioning from financial motivation to strategic infrastructure disruption. Several cases featured weaponization of legitimate administrative tools for attack obfuscation, significantly complicating threat detection and neutralization.

In the first half of 2025, several significant cyber incidents were recorded that are worth further examination [23]. First, in Ukraine during April, there were at least three new attacks on government structures and critical infrastructure, documented by CERT-UA. The attackers used a sophisticated set of methods: the new malware Wrecksteel delivered via phishing and PowerShell scripts, the infostealer spyware GIFTEDCROOK delivered through infected Excel files, and an updated version of GammaSteel, which spread via USB drives and targeted military facilities and law enforcement agencies. Additionally, in Europe, numerous campaigns by APT groups were recorded, particularly APT29, which regularly attacked diplomatic institutions through phishing emails with malicious attachments. Beyond the attacks from Russia, new global threats emerged. For instance, the hacker group Predatory Sparrow, linked to Israel, targeted financial institutions in Iran, including the cryptocurrency exchange Nobitex and Sepah Bank, destroying over USD 90 million in cryptocurrency. Moreover, in the U.S., the sector ISACs (Information Sharing and Analysis Centers) warned critical infrastructure operators about a possible escalation of cyberattacks from Iran due to heightened conflict with Israel. Among emerging trends, it is worth noting the EU’s intention to strengthen cybersecurity and create its own “European vulnerability database” – an important step toward reducing dependence on American services.

Digital government services have become key components of modern cybersecurity environments, rendering them primary targets for cyberattacks, particularly amid geopolitical conflicts. Ukraine’s national digital platform, Diia, which provides access to government services and digital identity tools, has been repeatedly targeted by cyber threats seeking to compromise both the system’s integrity and the personal data of citizens. To assess these risks, the study “Personal Data Protection in the Context of Cyberwarfare” by Tovkun [10] conducted a comprehensive threat modeling experiment using the STRIDE framework. This methodology enabled systematic identification and categorization of potential threats, evaluation of their severity, and formulation of mitigation strategies. A key focus of the study was the analysis of real-world incidents involving Diia, including the 2022 data leak and the WhisperGate malware attack, which affected multiple governmental systems.

Using the STRIDE framework, researchers conducted a structured threat modeling process consisting of three stages: (i) a functional breakdown of the Diia platform into authentication, data exchange, service interaction and API modules; (ii) listing attack surfaces using Microsoft STRIDE threat trees; and (iii) systematically reviewing publicly available incident reports, penetration testing records, and platform documentation. This procedure resulted in the identification of 111 unique vulnerabilities after removing duplicates and checking each of them against specific STRIDE categories. Risk scores (e.g., spoofing = 75.91, privilege escalation = 65.86) were calculated using a composite metric combining probability, exploitability, impact on confidentiality/integrity/availability, and detectability, with each component normalized on a 0–1 scale and aggregated into a 0–100 risk score. These vulnerabilities expose the system to unauthorized access, data manipulation, and service disruptions, emphasizing the platform’s susceptibility to sophisticated cyber threats.

Risk mitigation strategies were evaluated through a reassessment of risks following the implementation of technical security enhancements. These measures included: (i) implementation of multi-factor authentication and secure session verification mechanisms to reduce spoofing; (ii) implementation of role-based access control (RBAC) and privilege separation policies to limit privilege escalation risks; (iii) mandatory encryption of all inter-service communications; and (iv) enhanced logging, anomaly detection, and rate limiting to counter spoofing and denial-of-service threats. Following these interventions, the STRIDE scores were recalculated using the same quantitative model, reducing the spoofing score to 27.00 and the other threat categories to 25.00–26.15, indicating a significant reduction in risk due to these technical and procedural controls.
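The composite scoring and the post-mitigation reassessment described in the two preceding paragraphs can be made concrete in a few dozen lines. The following is an added example and is not the model, data or code of Tovkun's study [10]: the component weights, the worst-case aggregation of the confidentiality/integrity/availability components, the baseline component values for the six STRIDE categories and the per-control mitigation factors are all constructed assumptions, so the scores it produces are illustrative and not the 75.91 or 27.00 figures reported above. What it does show is the shape of the method: every input normalized to 0–1, one weighted aggregation scaled to 0–100, and the same model applied unchanged before and after the controls so the two scores are comparable.

```python
"""Composite STRIDE risk scoring with a before/after mitigation reassessment.

Added illustration only: the weights, the constructed threat entries and the
mitigation factors are assumptions for demonstration, not the model, data or
results of the Diia study cited in the text.
"""
from dataclasses import dataclass, replace

# Assumed weights for the components named in the text (they sum to 1.0).
WEIGHTS = {
    "probability": 0.25,
    "exploitability": 0.20,
    "impact": 0.35,         # worst case of the C/I/A impact components
    "detectability": 0.20,  # 1.0 = hard to detect (worst), 0.0 = trivially detected
}


@dataclass(frozen=True)
class ThreatComponents:
    """Per-threat inputs, each already normalized to the 0-1 scale."""
    probability: float
    exploitability: float
    confidentiality: float
    integrity: float
    availability: float
    detectability: float

    def __post_init__(self):
        for name, value in vars(self).items():
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be normalized to 0-1, got {value}")


def risk_score(t: ThreatComponents) -> float:
    """Weighted sum of normalized components, scaled to 0-100 (assumed aggregation)."""
    impact = max(t.confidentiality, t.integrity, t.availability)
    weighted = (
        WEIGHTS["probability"] * t.probability
        + WEIGHTS["exploitability"] * t.exploitability
        + WEIGHTS["impact"] * impact
        + WEIGHTS["detectability"] * t.detectability
    )
    return round(100 * weighted, 2)


# Constructed baseline for the six STRIDE categories of a hypothetical e-government platform.
BASELINE = {
    "Spoofing":               ThreatComponents(0.9, 0.8, 0.9, 0.6, 0.2, 0.7),
    "Tampering":              ThreatComponents(0.6, 0.6, 0.3, 0.9, 0.3, 0.6),
    "Repudiation":            ThreatComponents(0.5, 0.7, 0.2, 0.6, 0.1, 0.9),
    "Information Disclosure": ThreatComponents(0.7, 0.6, 0.9, 0.2, 0.1, 0.6),
    "Denial of Service":      ThreatComponents(0.8, 0.7, 0.1, 0.1, 0.9, 0.3),
    "Elevation of Privilege": ThreatComponents(0.5, 0.8, 0.8, 0.8, 0.5, 0.7),
}

# Each control scales selected components of the categories it addresses
# (a factor below 1 lowers that component). The factors are constructed assumptions.
MITIGATIONS = {
    "MFA + secure session verification": {
        "Spoofing": {"probability": 0.4, "exploitability": 0.3},
    },
    "RBAC + privilege separation": {
        "Elevation of Privilege": {"exploitability": 0.4, "integrity": 0.6},
    },
    "Mandatory encryption of inter-service traffic": {
        "Information Disclosure": {"exploitability": 0.3, "confidentiality": 0.5},
        "Tampering": {"exploitability": 0.5},
    },
    "Logging + anomaly detection + rate limiting": {
        "Repudiation": {"detectability": 0.3},
        "Denial of Service": {"probability": 0.6, "availability": 0.5},
    },
}


def apply_mitigations(threats, mitigations):
    """Return a new threat table with every control's factors applied."""
    updated = dict(threats)
    for control in mitigations.values():
        for category, factors in control.items():
            current = updated[category]
            updated[category] = replace(
                current, **{name: getattr(current, name) * f for name, f in factors.items()}
            )
    return updated


def reassess(threats, mitigations):
    """Map each category to its (before, after) score, using the same model for both."""
    after = apply_mitigations(threats, mitigations)
    return {cat: (risk_score(threats[cat]), risk_score(after[cat])) for cat in threats}


if __name__ == "__main__":
    for category, (before, after) in reassess(BASELINE, MITIGATIONS).items():
        print(f"{category:<24} {before:6.2f} -> {after:6.2f}")
```

Two design points carry over to a real assessment: the validation in `ThreatComponents` refuses any input that was not normalized first, which is what keeps the 0–100 scale meaningful across categories, and `reassess` deliberately reuses `risk_score` for both passes so that a change in the model cannot masquerade as a reduction in risk.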

The findings stress the need for continuous threat modeling and a holistic security approach combining technical and organizational safeguards to protect critical digital infrastructure amid persistent state-sponsored cyber warfare. After removing duplicates and prioritizing based on severity, the study revealed significant issues such as weak authentication mechanisms, risks of unauthorized data modification, inadequate logging, poor encryption and access controls, system susceptibility to denial-of-service attacks, and insecure privilege management. These vulnerabilities were assessed as ranging from medium to critical severity. The results underscore the urgent need to enhance the cybersecurity posture of digital public services, especially in the context of ongoing cyberwarfare.

3.2. Socio-economic and political consequences of cyberattacks on critical infrastructure

Cyberattacks on critical infrastructure represent one of the most serious threats to the modern economy, as their consequences not only directly impact the functioning of key industries but also trigger long-term macroeconomic disruptions. Systems ensuring energy supply, transportation, telecommunications, and healthcare form the foundation of national and international economic stability. Their disruption, even temporarily, can lead to halted production, supply chain delays, productivity declines, and widespread breakdowns in logistical and technological processes, creating cascading effects that span vast geographical and sectoral boundaries. One of the most evident economic consequences is operational downtime for businesses reliant on compromised infrastructure. For instance, a breach in the energy grid can halt industrial production, disrupt transportation, increase manufacturing costs, and ultimately raise consumer prices. Such repercussions are felt both locally and globally, destabilizing international trade, particularly in highly interdependent markets.

Recovery from such incidents requires substantial financial investments. This process encompasses not only technical aspects – repairing damaged equipment, restoring disrupted services, and updating software – but also organizational measures, including cybersecurity team mobilization, new protection policies, and communication with users and partners. In ransomware cases, additional costs arise from paying ransom demands or fully restoring systems from backups. The time required for complete recovery often spans weeks or even months, during which businesses continue to suffer losses. Beyond direct financial losses, organizations may face legal liabilities for failing to protect personal or sensitive data.

Regulatory fines, lawsuits, and reputational damage add further strain to businesses already impacted by cyber incidents. This is particularly relevant amid tightening international cybersecurity standards and data protection regulations. Moreover, attacks on infrastructure supporting critical social services – such as healthcare, emergency response, and disaster management – pose a distinct threat. In such cases, consequences extend beyond economics into humanitarian crises: disruptions in medical facilities or delays in emergency services can endanger lives. These incidents highlight the state’s vulnerability to cyber threats and demand a reevaluation of national security priorities.

Cyberattacks targeting critical infrastructure can produce profound and multifaceted social consequences, significantly disrupting daily life and undermining public confidence in essential services. When systems such as electricity, water supply, transportation, or healthcare are compromised, the resulting impact extends far beyond technical or operational setbacks – it touches the core of societal functioning and individual well-being. Interruptions to electricity can have cascading effects on multiple levels. Without power, households lose access to lighting, heating, cooling, and the refrigeration necessary for food preservation.

Hospitals and clinics may face challenges in operating life-support machines and diagnostic tools, despite having backup generators. Vulnerable populations, including the elderly, children, and those with chronic health conditions, are particularly at risk when electric-dependent medical devices become inoperable. Additionally, transportation systems reliant on electronic signaling and fuel distribution networks may grind to a halt, stranding commuters and obstructing the delivery of critical goods and services.

Water infrastructure, often controlled through digital systems, is another frequent target. A successful cyberattack on water treatment facilities can halt purification processes, disrupt the flow of potable water, or even result in the release of contaminated water into the supply system. The absence of clean water affects hygiene, cooking, and sanitation, potentially triggering public health crises. Schools, businesses, and government offices may be forced to close, compounding economic challenges with educational and administrative disruptions. Beyond the immediate practical implications, these attacks can inflict deep psychological and emotional distress. The abrupt disruption of essential services generates profound societal anxiety and perceived vulnerability, while inadequate or delayed restoration efforts exacerbate public distrust in institutional competence and crisis management capabilities. If such events recur, the psychological toll increases, potentially resulting in chronic anxiety, stress-related illnesses, and widespread social unrest.

In communities already facing hardship, these disruptions can magnify existing inequalities, disproportionately affecting those with limited access to resources or support networks. Furthermore, social cohesion may weaken in the face of prolonged infrastructure failures. Panic buying, misinformation, and the breakdown of routine can erode trust between citizens and institutions, and even among community members themselves. Disinformation campaigns launched in parallel with cyberattacks may further exploit public fear, manipulating perceptions and deepening societal division.

Cyberattacks on critical infrastructure generate immediate and far-reaching political consequences, challenging the authority and credibility of governments while reshaping domestic and international security priorities. When essential public services such as energy grids, transportation systems, or communication networks are compromised, the affected government often faces intense scrutiny from its citizens, opposition parties, and global partners [24]. The inability to prevent or effectively respond to such incidents may be perceived as a failure of governance, undermining the public’s confidence in national leadership and institutional competence. Domestically, political fallout may include heightened public pressure for accountability, legislative reforms, and increased investment in national cybersecurity capabilities.

Opposition parties frequently seize on such crises to question the ruling government’s preparedness and demand structural changes in security strategy. Public protests and civil unrest are not uncommon, particularly when service disruptions are prolonged or result in loss of life, economic damage, or privacy violations. Governments may respond by introducing new cybersecurity legislation, creating centralized national cybersecurity agencies, or granting broader powers to intelligence and law enforcement agencies. These actions, while intended to reassure the public, can also spark debates around civil liberties, surveillance, and data privacy.

Internationally, cyberattacks on infrastructure often provoke diplomatic tensions, especially when there is evidence – or even suspicion – of state-sponsored involvement. Accusations of foreign interference can lead to a breakdown in diplomatic relations, the imposition of sanctions, or retaliatory cyber operations. In severe cases, these incidents may escalate into geopolitical crises, as nations interpret cyberattacks as acts of aggression equivalent to physical attacks on sovereign territory. The ambiguity surrounding attribution complicates political responses, as governments must weigh the risks of escalation against the imperative to defend their digital sovereignty.

3.3. Critical infrastructure protection strategies and unresolved cybersecurity issues

In an increasingly digitized world, critical infrastructures – such as energy systems, transportation networks, water supplies, and communication platforms – form the essential backbone of modern economies and societal stability. As these systems grow more complex and interconnected through the integration of digital technologies, they become increasingly vulnerable to cyber threats. The protection of critical infrastructures from such threats is not merely a technical requirement, but a strategic necessity that demands a comprehensive, multi-layered approach. This approach must combine advanced technological solutions with proactive risk management strategies, international cooperation, and cross-sector collaboration to ensure both immediate defense and long-term resilience.

Technological innovation plays a central role in reinforcing the cybersecurity of critical infrastructure. Among the most promising advancements is Cybersecurity Mesh Architecture (CSMA), which marks a departure from traditional perimeter-based defense models [25]. CSMA introduces a distributed and modular security framework in which each digital asset, rather than the network as a whole, is enclosed in its own protective perimeter. This structure allows for greater flexibility and responsiveness: each component can enforce its own access policy while identity, policy, and telemetry remain coordinated across the infrastructure. The significance of CSMA lies in its ability to detect and respond to threats in real time while limiting the lateral movement of attackers, because the compromise of one asset does not by itself confer access to its neighbours. This is particularly important for cyber-physical systems (CPS), which are widely used in industrial and operational technologies and are particularly vulnerable to disruptions with physical, safety-critical consequences.
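To make the per-asset perimeter concrete, the following Python is an added example written for this article, not code from the paper or from any CSMA product. It assumes a hypothetical four-asset inventory (an HR workstation, an OT jump host, a historian, and a feeder PLC) with hypothetical zones, roles, and rules, and shows that a credential stolen from an IT workstation cannot reach the PLC even though all assets share one identity and policy plane.

```python
"""Per-asset policy decisions in a cybersecurity-mesh style architecture.

Added illustration for this article, not code from the paper or from any
CSMA product. Asset names, zones, roles and rules are hypothetical; a real
deployment would load them from the asset inventory and the identity provider.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Principal:
    """Who is asking: identity, roles, MFA state and the asset they act from."""
    user: str
    roles: frozenset
    mfa: bool
    source_asset: str


@dataclass(frozen=True)
class AssetPolicy:
    """The protective perimeter of ONE asset, enforced by that asset's own
    policy enforcement point rather than by a network-wide firewall rule."""
    zone: str
    allowed_actions: frozenset
    allowed_roles: frozenset
    allowed_source_zones: frozenset
    require_mfa: bool


# Hypothetical inventory: an IT workstation, a DMZ jump host and two OT assets.
ASSETS = {
    "hr-workstation-17": AssetPolicy(
        zone="it", allowed_actions=frozenset({"login"}),
        allowed_roles=frozenset({"staff", "ot-engineer"}),
        allowed_source_zones=frozenset({"it"}), require_mfa=False),
    "ot-jump-01": AssetPolicy(
        zone="dmz", allowed_actions=frozenset({"login"}),
        allowed_roles=frozenset({"ot-engineer"}),
        allowed_source_zones=frozenset({"it"}), require_mfa=True),
    "historian-01": AssetPolicy(
        zone="ot", allowed_actions=frozenset({"read"}),
        allowed_roles=frozenset({"analyst", "ot-engineer"}),
        allowed_source_zones=frozenset({"it", "dmz"}), require_mfa=True),
    "plc-feeder-03": AssetPolicy(
        zone="ot", allowed_actions=frozenset({"read", "write-setpoint"}),
        allowed_roles=frozenset({"ot-engineer"}),
        allowed_source_zones=frozenset({"dmz"}), require_mfa=True),
}


def decide(principal: Principal, target: str, action: str) -> tuple[bool, str]:
    """Policy decision point: every request is checked against the target
    asset's own policy, wherever on the network it originates."""
    policy = ASSETS.get(target)
    if policy is None:
        return False, f"unknown target asset {target!r}"
    source = ASSETS.get(principal.source_asset)
    if source is None:
        return False, f"unknown source asset {principal.source_asset!r}"
    if action not in policy.allowed_actions:
        return False, f"action {action!r} not offered by {target}"
    if source.zone not in policy.allowed_source_zones:
        return False, f"source zone {source.zone!r} not permitted for {target}"
    if not (principal.roles & policy.allowed_roles):
        return False, f"no role of {principal.user} is authorised on {target}"
    if policy.require_mfa and not principal.mfa:
        return False, f"{target} requires MFA"
    return True, "allowed"


def walk_path(principal: Principal, path: list[tuple[str, str]]) -> list[tuple[str, bool, str]]:
    """Evaluate a multi-hop path hop by hop and stop at the first refusal.
    A successful 'login' re-homes the principal on the asset just reached."""
    trace = []
    for target, action in path:
        allowed, reason = decide(principal, target, action)
        trace.append((target, allowed, reason))
        if not allowed:
            break
        if action == "login":
            principal = replace(principal, source_asset=target)
    return trace


if __name__ == "__main__":
    stolen = Principal("j.doe", frozenset({"staff"}), mfa=False, source_asset="hr-workstation-17")
    engineer = Principal("a.ivanova", frozenset({"ot-engineer"}), mfa=True, source_asset="hr-workstation-17")
    to_plc = [("ot-jump-01", "login"), ("plc-feeder-03", "write-setpoint")]
    print("direct write with stolen staff creds:", decide(stolen, "plc-feeder-03", "write-setpoint"))
    print("engineer via jump host with MFA:     ", walk_path(engineer, to_plc))
    print("engineer creds, no MFA:              ", walk_path(replace(engineer, mfa=False), to_plc))
```

The point of the example is the order of checks: the PLC's own policy refuses a write-setpoint from an IT-zone source before it even looks at the user's role, and the jump host refuses an engineer's credential without MFA, so a stolen password alone yields no path to the process. In a real mesh the same decision function would sit in front of every asset and consume identity from a shared provider, which is what distinguishes this from a flat network ACL.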

Another vital technological solution for defending critical infrastructures is the deployment of digital immune systems [26]. These systems emulate the adaptive nature of biological immune responses, leveraging artificial intelligence and machine learning to learn what normal system behavior looks like, identify deviations from it, and execute automated defense measures. By continuously analyzing large volumes of telemetry and learning from new attack vectors, digital immune systems provide a dynamic, self-improving security mechanism capable of mitigating both known and previously unseen threats. This level of automation and adaptability is crucial in contexts where time-sensitive operations cannot afford prolonged outages or human delay in responding to attacks. Particularly in sectors such as energy distribution or healthcare, where operational continuity is paramount, digital immune systems offer a scalable and resilient layer of defense. Two caveats apply in practice: the learned baseline must not be allowed to absorb the attacker's own traffic as "normal", and in OT environments an automated containment action must itself be safety-checked, since isolating a controller can be as disruptive as the intrusion it answers.
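The following Python, an added example rather than code from the article or from any vendor's product, shows the core loop of such a system in miniature: a per-host behavioural baseline learned online, a verdict for each new sample, and an automated containment action once anomalies persist. The telemetry (new outbound connections per minute from an HMI host), the host name, and the thresholds are constructed assumptions.

```python
"""Behavioural baseline with automated containment, in the spirit of a
digital immune system.

Added illustration, not code from the article. The telemetry below is
constructed (new outbound connections per minute from an HMI host) and the
thresholds are assumptions that a real deployment would tune per asset class.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Welford's running mean and variance: learns continuously, keeps no history."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, x: float) -> float:
        sd = self.std()
        if sd == 0.0:
            return 0.0 if x == self.mean else math.inf
        return (x - self.mean) / sd


@dataclass
class ImmuneMonitor:
    warmup: int = 10          # samples to learn before judging a host
    z_threshold: float = 4.0  # distance from baseline that counts as anomalous
    consecutive: int = 3      # anomalies in a row before acting
    baselines: dict = field(default_factory=dict)
    streaks: dict = field(default_factory=dict)
    isolated: set = field(default_factory=set)

    def observe(self, host: str, value: float) -> str:
        """Verdict for one sample: learning, normal, suspicious, isolate or isolated."""
        if host in self.isolated:
            return "isolated"
        b = self.baselines.setdefault(host, Baseline())
        if b.n < self.warmup:
            b.update(value)
            return "learning"
        if abs(b.zscore(value)) > self.z_threshold:
            # Anomalous samples are NOT folded into the baseline, so an
            # intrusion cannot teach the model that its own traffic is normal.
            self.streaks[host] = self.streaks.get(host, 0) + 1
            if self.streaks[host] >= self.consecutive:
                self.isolated.add(host)  # e.g. push a quarantine ACL to the switch
                return "isolate"
            return "suspicious"
        self.streaks[host] = 0
        b.update(value)  # benign samples keep the baseline adapting to drift
        return "normal"


# Constructed telemetry: twelve quiet minutes, then a burst consistent with
# internal scanning or C2 beaconing from a compromised HMI.
TELEMETRY = [("hmi-02", v) for v in (4, 5, 3, 6, 4, 5, 4, 6, 5, 4, 5, 4, 40, 55, 60, 58)]


def run(samples=TELEMETRY, monitor: ImmuneMonitor | None = None) -> list[str]:
    """Feed samples through a monitor and return one verdict per sample."""
    monitor = monitor or ImmuneMonitor()
    return [monitor.observe(host, value) for host, value in samples]


if __name__ == "__main__":
    for (host, value), verdict in zip(TELEMETRY, run()):
        print(f"{host} {value:>3} -> {verdict}")
```

Requiring several consecutive anomalies before isolating trades a few minutes of detection latency for far fewer false quarantines, which matters when the "response" is cutting an operator console off the control network. The model still has a blind spot worth knowing about: an adversary who stays under the z-threshold can shift the baseline slowly, which is why production systems pair such detectors with fixed guardrails (the protocol allow-listing shown later in this article is one).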

Despite notable progress, unresolved vulnerabilities persist and remain open to exploitation, which necessitates continued strategic development and sustained investment in cybersecurity innovation and governance frameworks. One key protection strategy lies in the adoption of a risk-based approach to infrastructure defense [27]. This involves identifying and prioritizing the most critical assets based on their function, their interdependence with other assets, and the potential impact if they are disrupted. Risk assessment frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or ISO/IEC 27001:2022 [28] provide structured methodologies to evaluate vulnerabilities, threat likelihood, and potential consequences. However, many organizations still lack the resources or institutional commitment to perform comprehensive, continuous assessments. Inadequate risk visibility leaves blind spots and limits proactive incident prevention.

Cyber hygiene and security culture also remain foundational yet frequently overlooked aspects of critical infrastructure protection [29]. Despite increasing awareness, many cyber incidents still originate from basic oversights such as poor password management, delayed patching, and insecure remote access configurations. Embedding cybersecurity awareness into every layer of infrastructure management – from executive leadership to frontline operators – is essential. This includes routine training, phishing simulations, and mandatory compliance with best practices. Yet, persistent skills shortages in cybersecurity professions hamper the widespread implementation of such cultural reforms. Bridging this skills gap requires both public education initiatives and incentives for workforce development in cyber defense disciplines.

Legacy systems pose another significant unresolved challenge. Many critical infrastructures – particularly in energy, water, and transportation sectors – still rely on outdated hardware and software that were never designed with cybersecurity in mind. These systems often lack basic encryption, authentication, and logging mechanisms, making them easy targets for modern attackers. Upgrading or replacing such systems is costly and operationally complex, especially in sectors where downtime is not an option. Consequently, many infrastructure operators continue to rely on “security through obscurity”, which offers little actual protection in the face of increasingly sophisticated threats. Another major issue is interdependency and systemic risk. Modern infrastructure is deeply interconnected; disruptions in one sector can cascade into others. For instance, a cyberattack on an electric utility can cripple telecommunications, disrupt financial services, and paralyze transportation. Current protection strategies often treat infrastructures as discrete systems, underestimating the compounding effects of multi-sector failures. This calls for the integration of systemic risk modeling into national cybersecurity strategies, alongside coordinated incident response exercises that simulate large-scale cross-sector disruptions.

A critical and still underdeveloped dimension of infrastructure protection concerns the capacity for anticipatory governance. Rather than focusing solely on threat mitigation and incident response, contemporary strategies must evolve toward predictive analytics, strategic foresight, and early warning systems. These tools allow for scenario planning that incorporates geopolitical shifts, supply chain vulnerabilities, and the emergence of novel threat actors. Without such forward-looking frameworks, even technologically advanced defenses risk obsolescence.

In addition, the fragmentation of regulatory environments across jurisdictions complicates the establishment of unified protection standards. While some countries have advanced legal frameworks for critical infrastructure cybersecurity, others lack enforceable policies or suffer from inconsistent implementation. At the international level, competing legal norms and geopolitical tensions limit the effectiveness of multilateral agreements and incident attribution efforts. The absence of binding international cyber norms leaves a legal vacuum, particularly in deterring state-sponsored attacks and establishing accountability for cross-border threats. Finally, cyber resilience metrics remain underdeveloped [30]. While traditional security metrics focus on prevention and detection, resilience requires the ability to absorb attacks, maintain essential functions, and recover quickly. Quantifying resilience – especially across hybrid IT-OT environments – is still an evolving discipline. Without standardized resilience benchmarks, infrastructure operators struggle to evaluate the effectiveness of their defensive strategies or to justify investments to stakeholders.

Taken together, these challenges underscore that protecting critical infrastructure in the digital age is no longer purely a technological problem, but a deeply political and organisational issue. The novelty of this study lies not only in its empirical reflection of cyberattacks in 2023–2025, but also in its theoretical formulation of critical infrastructure protection as a form of hybrid resilience – a multi-layered construct that integrates technical, institutional, regulatory, and behavioural aspects. To develop this concept, the study introduces the notion of “cybersecurity convergence pressure”, defined as a structurally growing demand for the coordination and integration of IT, OT, and political spheres within a single adaptive management system.

Unlike existing literature on IT and OT integration, which typically addresses interaction, technical dependence, or organisational coordination, cybersecurity convergence pressure encompasses systemic factors that drive this integration: the growth of hybrid threat vectors that simultaneously target IT and OT levels; regulatory expectations for cross-sector coordination; and the strategic use of infrastructure disruption in geopolitical conflicts. Thus, this concept extends existing governance and integration models by shifting the focus from voluntary organisational coordination to externally induced, threat-driven convergence of governance. Evidence from recent incidents, such as multi-vector attacks on energy networks, supply chain disruptions such as NotPetya, and cross-domain attacks on satellite and telecommunications systems, demonstrates how hybrid threats create operational, regulatory, and political imperatives for integrated decision-making. Accordingly, the pressure of cybersecurity convergence functions as both an analytical lens and a practical basis for understanding why critical infrastructure protection now requires synchronised IT-OT security architectures, shared situational awareness, and policy-level coordination amid accelerating geopolitical tensions.

While technology forms the foundation of modern cyber defense strategies, it must be reinforced through robust international collaboration. Cyber threats are transnational by nature, and no single nation or organization can effectively counter them in isolation. Collaborative efforts led by institutions such as the Cybersecurity and Infrastructure Security Agency (CISA) and the North Atlantic Treaty Organization (NATO) [31] are critical in fostering global cyber resilience [32]. CISA plays a key role in the United States by guiding infrastructure protection policies, coordinating rapid response mechanisms, and promoting public-private partnerships. NATO, through its Cooperative Cyber Defence Centre of Excellence (CCDCOE), enhances the cyber defense capacities of member states by facilitating joint training exercises, research, and strategic dialogue. These initiatives emphasize the importance of interoperability, standardization, and shared intelligence in building a unified defense against cross-border cyber threats.

Furthermore, collaboration must extend beyond governmental agencies to include the private sector, which owns and operates the majority of critical infrastructure assets. Effective public-private partnerships (PPP) ensure that cybersecurity solutions are grounded in operational realities and benefit from both technical innovation and regulatory oversight. By aligning the capabilities of infrastructure operators with the strategic frameworks established by governments and international bodies, PPPs enable more resilient and coordinated defense architectures.

As the frequency, complexity, and sophistication of cyberattacks on critical cyber-physical systems (CPS) and government infrastructures continue to escalate, research must evolve to address both current vulnerabilities and emerging threats. The need for adaptive, intelligent, and internationally coordinated cybersecurity solutions has never been more urgent. Future research must extend beyond traditional security tools and adopt interdisciplinary approaches, integrating artificial intelligence, quantum technologies, behavioral science, and international policy. Rather than merely enumerating technological tools, future cybersecurity must be understood as a multi-vector system of resilience – a paradigm that encompasses not only detection and defense, but also anticipation, adaptability, and post-incident learning. This approach positions cybersecurity not as a static shield but as a dynamic capability embedded within socio-technical systems. The novelty of the current research lies in its theoretical articulation of cybersecurity as a convergence zone – where disciplines such as data science, policy studies, human-computer interaction, and international law intersect to generate durable strategies for infrastructure protection.

Table 2 outlines the most promising directions for research and development in cybersecurity for critical infrastructures. These directions reflect both technological and strategic dimensions aimed at enhancing resilience, prediction capabilities, and coordinated defense mechanisms.

Table 2. Directions for research and development in cybersecurity for critical infrastructures.

Following the overview of key research areas, several analytical observations emerge. The prioritization of intelligent detection systems signifies a paradigm shift from reactive to proactive cybersecurity. These systems are not limited to matching known malware signatures; by modelling large-scale behavioral data they can flag deviations from normal operation that correspond to attack techniques not seen before. This proactive posture is essential for protecting time-sensitive systems such as energy grids or government communications. The inclusion of quantum cryptography reflects the forward-looking nature of current research. A sufficiently large quantum computer running Shor's algorithm would break the public-key schemes (RSA, Diffie-Hellman, and elliptic-curve cryptography) on which today's key exchange and digital signatures rest, whereas symmetric ciphers and hash functions are weakened only to the extent that longer keys and outputs become necessary. Post-quantum cryptography (PQC) and quantum key distribution (QKD) offer complementary ways of preserving the integrity and confidentiality of classified government data and control signals within CPS networks, and they stand as cornerstones of next-generation protection architectures. Integrating quantum-safe algorithms and testing their performance in real-world CPS contexts (e.g., smart grids or military command systems), where legacy devices may have limited memory and bandwidth for the larger keys and signatures that PQC schemes require, will be central to ensuring future-proof confidentiality.

Modeling resilience and recovery after cascading cyber failures points to the necessity of integrating systems engineering with cybersecurity [33]. Instead of aiming for impenetrability, resilient infrastructure accepts the inevitability of compromise and focuses on minimizing consequences. Simulations, digital twins, and real-time stress testing are increasingly used to map out disruption chains and evaluate organizational readiness. This line of research signals the redefinition of cybersecurity as a question of operational continuity, not just data protection. Equally important is the human dimension. Insider threats, negligent behavior, and low cyber literacy remain among the most common enablers of successful attacks. Research in behavioral security and human-centered design offers ways to build adaptive training systems and cultivate security cultures within critical sectors. Cyber defense must thus be reconceptualized as both a technological system and a social contract between institutions, employees, and digital interfaces.

Global governance and legal harmonization remain underdeveloped yet urgently needed dimensions. Cyberattacks rarely stop at national borders; however, legal responses and attribution mechanisms remain fragmented. Future research must investigate enforceable treaty frameworks, standardized definitions of cyber aggression, and interoperable certification regimes. Without them, state and non-state actors will continue exploiting regulatory asymmetries. These directions collectively mark a departure from ad hoc cybersecurity patchworks toward a comprehensive security ecosystem. Such an ecosystem requires not only technical innovation, but also epistemological openness – the ability to combine disciplines, operationalize theory, and incorporate lived infrastructural realities. The study contributes to this shift by integrating recent empirical cases into a broader theoretical scaffold that treats critical infrastructure not simply as targets but as dynamic systems embedded in complex human, technical, and geopolitical environments.

It also introduces the concept of “cyber anticipatory governance” – a research direction that foregrounds scenario modeling, strategic foresight, and preemptive policy adaptation as core elements of national and international cybersecurity. In conclusion, the transformation of cybersecurity for critical infrastructures will not be achieved through isolated breakthroughs, but through coordinated advancement across research, governance, and operational practice. Only by uniting predictive technologies, robust institutional frameworks, and global collaboration can critical infrastructures be effectively defended in the face of evolving hybrid threats.

4. Discussion

Given the evolving threat landscape and persistent research gaps, the future of cybersecurity for critical infrastructure must focus on developing comprehensive, scalable, and adaptive solutions. The growing complexity of cyber threats – especially those targeting energy, water, transport, and healthcare systems – demands a proactive, interdisciplinary approach to ensure the resilience of cyber-physical systems (CPS). The conducted study provided a comprehensive assessment of cyberattacks on critical infrastructure, emphasizing the intensification of threats over the last decade, particularly during periods of geopolitical instability such as the war in Ukraine (2022–2023). When compared with existing research, the findings reinforced and, in some cases, expanded the understanding of attack patterns, responsible threat actors, and the resulting implications across economic, political, and technical domains [37].

One of the central observations in this research was the dominance of Russian-backed hacking groups – Sandworm, Fancy Bear, and Ember Bear – in targeted attacks on critical infrastructure, accounting for 9 out of the 22 analyzed cases. This finding aligns with the conclusions presented by Riggs et al. [38], who emphasized the cascading effects of cyberattacks on highly interdependent infrastructures, such as power grids and water distribution systems. While Riggs et al. focused more on systemic disruption, the current research further contextualized these findings within a geopolitical framework, highlighting the strategic use of cyber tools during military conflict as a component of hybrid warfare.

The identification of Volt Typhoon, a Chinese state-sponsored group, as a significant actor employing “living-off-the-land” (LotL) techniques complemented the broader threat landscape identified in studies such as George et al. [39]. George et al. concentrated on sectors like healthcare, finance, manufacturing, and trade, employing a risk-assessment model that accounted for legacy systems, technological modernization, and the economic valuation of data assets. The present study validated those concerns by showing that critical infrastructure with outdated industrial control systems was disproportionately targeted and exploited, especially in the energy sector, which experienced seven of the examined attacks. Phishing remained the dominant attack vector, occurring in seven incidents, reaffirming a trend identified across multiple studies.

However, the detailed breakdown in the present research, including the analysis of ICS/OT protocol manipulation in six cases and the deployment of destructive wiper malware in four, allowed for a more granular understanding of the tactics used by threat actors. This went beyond the generalized threat taxonomy provided in earlier literature and offered empirical evidence of evolving attacker sophistication and their preference for high-impact operational disruptions.

The study’s emphasis on the NotPetya incident, with losses exceeding USD 10 billion and widespread operational shutdowns, demonstrated the disproportionate economic toll that cyberattacks can exert. George et al. [39] similarly noted financial damage as a core element of cyber risk, but the current work advanced this insight by providing concrete recovery timelines and outlining the prolonged consequences for supply chains and consumer pricing. This empirical data offered a practical context to the theoretical models of financial loss proposed in other works. The vulnerability analysis of the Diia digital platform using the STRIDE framework identified spoofing and privilege escalation as critical concerns. Unlike studies that merely categorize threat types, this research incorporated real vulnerability scores and demonstrated the effect of preventive measures – such as reducing spoofing scores from 75.91 to 27.00. This applied dimension significantly enriched the academic discourse by linking theoretical frameworks with practical outcomes and measurable improvements.
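The weighted scoring can be illustrated with a small register. The Python below is an added worked example, not the paper's own calculation: the article reports scores computed from probability, exploitability, and projected operational impact but does not publish its weights, so the weights, the residual-risk multipliers attached to each control, and the two hypothetical components (an authentication gateway and a document API of a digital public-service platform) are assumptions, and the resulting numbers deliberately do not reproduce the 75.91 and 27.00 figures.

```python
"""Weighted STRIDE risk scoring for a digital public-service platform.

Added worked example, not the article's calculation. The paper's scores come
from a weighted formula over probability, exploitability and projected
operational impact, but the weights are not printed, so WEIGHTS, CONTROLS and
REGISTER below are assumptions and the numbers will not match the paper's.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

# Assumed weights (sum to 1); factors are on a 0..1 scale, scores on 0..100.
WEIGHTS = {"probability": 0.35, "exploitability": 0.30, "impact": 0.35}


@dataclass(frozen=True)
class Threat:
    component: str
    category: str          # STRIDE category
    probability: float     # likelihood the threat is attempted
    exploitability: float  # ease of success given current controls
    impact: float          # projected operational impact


def score(t: Threat) -> float:
    """Weighted risk score on a 0..100 scale."""
    raw = (WEIGHTS["probability"] * t.probability
           + WEIGHTS["exploitability"] * t.exploitability
           + WEIGHTS["impact"] * t.impact)
    return round(100 * raw, 2)


# Assumed residual fractions: control -> STRIDE category -> factor -> multiplier.
# MFA removes most of the credential-replay path that makes spoofing easy; RBAC
# narrows what a compromised account can escalate to; encryption in transit cuts
# the exploitability of disclosure; audit logging makes repudiation both less
# likely and less damaging. Controls only touch the categories they address.
CONTROLS = {
    "mfa": {"Spoofing": {"probability": 0.4, "exploitability": 0.3}},
    "rbac": {"Elevation of privilege": {"probability": 0.5, "exploitability": 0.4}},
    "encryption_in_transit": {"Information disclosure": {"exploitability": 0.3}},
    "audit_logging": {"Repudiation": {"probability": 0.3, "impact": 0.6}},
}


def apply_controls(t: Threat, controls: list[str]) -> Threat:
    """Return the residual threat after the named controls are in place."""
    factors = {"probability": t.probability,
               "exploitability": t.exploitability,
               "impact": t.impact}
    for name in controls:
        for factor, multiplier in CONTROLS[name].get(t.category, {}).items():
            factors[factor] *= multiplier
    return replace(t, **factors)


def rank(threats: list[Threat]) -> list[tuple[str, str, float]]:
    """Highest residual risk first: this is the remediation order."""
    return sorted(((t.component, t.category, score(t)) for t in threats),
                  key=lambda row: -row[2])


# Hypothetical register for an authentication gateway and a document API.
REGISTER = [
    Threat("auth-gateway", "Spoofing", 0.8, 0.7, 0.9),
    Threat("auth-gateway", "Elevation of privilege", 0.6, 0.6, 0.95),
    Threat("auth-gateway", "Denial of service", 0.5, 0.7, 0.6),
    Threat("document-api", "Information disclosure", 0.5, 0.6, 0.8),
    Threat("document-api", "Tampering", 0.3, 0.4, 0.7),
    Threat("document-api", "Repudiation", 0.4, 0.5, 0.5),
]

PLANNED = ["mfa", "rbac", "encryption_in_transit", "audit_logging"]
MITIGATED = [apply_controls(t, PLANNED) for t in REGISTER]


if __name__ == "__main__":
    print("before:", rank(REGISTER))
    print("after: ", rank(MITIGATED))
```

Re-ranking after mitigation is the step worth noticing: once MFA and RBAC have driven spoofing and privilege escalation down, the untreated denial-of-service threat becomes the top residual risk, so the next investment round is chosen by the recalculated register rather than by the original one.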

From a technical defense perspective, this study echoed and built upon the contributions of Thakur et al. [40] who advocated for Cybersecurity Mesh Architecture (CSMA) as a resilient security paradigm. Both works acknowledged the importance of decentralized and layered defense structures. However, the present analysis expanded this discussion by illustrating the complementary role of digital immune systems in real-time anomaly detection and response. This synergy of technologies was modeled in hypothetical attack scenarios to assess performance metrics such as latency and system containment capacity, an aspect often overlooked in foundational discussions of CSMA. The research incorporated a forward-looking perspective, identifying unresolved challenges that include legacy system vulnerabilities, workforce shortages in cybersecurity, sectoral interdependencies, and inconsistent international regulatory frameworks.

These conclusions were consistent with gaps noted by Maglaras et al. [41], who underscored the growing need for AI-driven analytics to proactively detect threats. The current study validated that assertion by suggesting that AI, combined with system resilience modeling and quantum cryptography, represents a strategic frontier in cyber defense development. The present work contributed a political dimension to the conversation, showing how cyber incidents undermine public trust, exacerbate geopolitical tensions, and prompt policy shifts. While Riggs et al. [38] and George et al. [39] concentrated on infrastructure damage and economic impacts, this research drew attention to the broader societal and governmental consequences, particularly in relation to public confidence and international diplomacy.

The study highlighted several methodological limitations that mirror those mentioned across the literature, including incomplete incident data, difficulties in attribution, and regional disparities in cyber capabilities. However, by supplementing incident analysis with system vulnerability evaluation and sector-specific impact assessment, the study addressed some of these challenges through triangulation and cross-sector modeling. The study identified a high concentration of state-sponsored cyber operations, particularly those associated with Russian hacking groups such as Sandworm, Fancy Bear, and Ember Bear.

This level of attribution aligned with findings in Lehto [42], who highlighted the professionalization of cyberattacks on cyber-physical systems and the strategic exploitation of interconnected industrial control systems to induce cascading infrastructure failures. However, the present work extended this observation by providing quantified evidence of incident concentration during geopolitical crises, such as the Russia-Ukraine conflict, and documenting the role of Chinese actors like Volt Typhoon employing advanced “living-off-the-land” methods. While Lehto addressed broad threat evolution, the current study offered granular detail on group-specific tactics and their operational environments.

A significant point of convergence with Haridas et al. [43] was the focus on the vulnerability of the energy sector. While Haridas et al. emphasized the exposure of smart grids in developing nations, particularly India, due to rapid digitalization and resource constraints, the current study provided a more globalized perspective, indicating that energy infrastructure remained the most targeted sector worldwide. The analysis of seven incidents affecting energy systems confirmed its strategic value and mirrored the conclusions of Haridas et al. about the dual nature of digital transformation, which offers efficiency while introducing severe vulnerabilities. Moreover, their emphasis on the implementation of AI and digital twins for network resilience found resonance in this study’s proposal for integrating cybersecurity mesh architecture (CSMA) and digital immune systems, albeit with a broader application beyond smart grids.

Stoddart [44] offered a historical and technical examination of attacks on industrial control systems (ICS), with a strong focus on high-profile incidents such as Stuxnet and Aurora. The current research expanded upon this foundation by identifying six modern incidents involving ICS/OT protocol manipulation and four using destructive wiper malware. This contemporary focus added depth to Stoddart’s primarily retrospective analysis. While Stoddart emphasized the catastrophic potential of ICS disruption across sectors – energy, water, transport, chemical industries – the present study substantiated those risks with up-to-date data and linked them to actor attribution, attack vectors, and socio-political consequences. Unlike Stoddart’s more qualitative review, the current work incorporated quantitative security assessment via STRIDE, identifying spoofing and privilege escalation as dominant vulnerabilities in a real-world digital platform. The reduction of spoofing risk from 75.91 to 27.00 after implementing preventive measures illustrated the tangible benefits of proactive security practices.

The research by Djenna et al. [45] on IoT security within critical infrastructure underscored the increasing appeal of IoT environments to cybercriminals due to their complexity and widespread deployment. Djenna et al. presented a taxonomy of IoT threats and recommended a holistic threat-identification framework. The present study differed in its primary focus but addressed similar concerns indirectly, particularly in sectors heavily reliant on IoT and ICS integration, such as energy and transportation. The analysis of phishing as a predominant attack vector (7 incidents) and the role of supply chain attacks (e.g., NotPetya) further supported the idea that threat surfaces are expanding due to the proliferation of networked devices.

Although Djenna et al. [45] offered a strategic approach to IoT protection, the current research expanded that discussion by examining cross-sectoral vulnerabilities, suggesting that the convergence of IoT and legacy systems exacerbates exposure to persistent and sophisticated threats. In comparing thematic priorities, the current research placed greater emphasis on geopolitical factors, cyber warfare, and the political ramifications of attacks on critical infrastructure. The NotPetya case study, with damages exceeding USD 10 billion and prolonged operational downtime, illustrated the economic and political scale of cyber warfare, which was less developed in the works of Haridas et al. [43], Stoddart [44], or Djenna et al. This broader framing allowed for a more integrative view of the cascading socio-political and economic costs, including erosion of public trust, disruption of global supply chains, and diplomatic fallout.

The study’s exploration of limitations – such as incomplete data, attribution challenges, rapid threat evolution, and regional specificity – mirrored concerns raised across the literature. Lehto [42], for example, also highlighted the difficulty of defending against attacks exploiting systemic interconnectivity without physical intrusion. However, the present research added further nuance by demonstrating how these limitations affect both vulnerability modeling and practical response design. Moreover, it addressed the gap between theoretical frameworks and field-tested solutions by employing real-world case studies to validate strategic defense proposals. All compared works acknowledged the need for global collaboration.

Haridas et al. [43] and Lehto particularly stressed the importance of international cooperation to counteract complex, transnational cyber threats. The present study reinforced this need by recommending improved international cyber-legal regulation and advocating for unified action to address the global nature of cyber conflict. While other studies suggested general frameworks for cooperation, the current research connected this recommendation directly to observed attack patterns and threat actor strategies, making the call for coordinated policy and operational responses both urgent and evidence-based.

A key observation is that certain elements of the system, particularly outdated ICS/OT components, identity management subsystems, and third-party software integration points, function not only as targets of attacks but also as the necessary means by which intrusions with serious consequences are carried out [46]. Our analysis of cases such as Industroyer, TRITON, and Volt Typhoon shows that attackers often rely on predictable operational processes, insufficiently protected legacy modules, and overly permissive cross-domain interfaces to carry out multi-stage attacks. Therefore, in addition to implementing modern detection systems, it is necessary to deliberately harden or isolate these components, because their compromise is a prerequisite for lateral movement, privilege escalation, and ICS protocol manipulation. This perspective marks a shift from general vulnerability reduction to protecting the specific system components whose functional irreplaceability makes them extremely valuable to adversaries. Recognising, prioritising, and protecting these elements is a necessary evolution in critical infrastructure defence strategies.
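As an added example (not code from the article), the Python below parses Modbus/TCP requests from a constructed capture and flags the two manipulations a defender can actually police on a protocol with no authentication of its own: a write function code from a source that is not on the engineering allow-list, and the diagnostic sub-function that forces a device into listen-only mode. Source addresses, the device name, and the allow-list are assumptions.

```python
"""Detecting ICS protocol manipulation on Modbus/TCP.

Added illustration, not code from the article. Modbus carries no
authentication, so the enforceable policy is WHO may send WHICH function
codes to WHICH device. The frames, addresses and allow-list are constructed.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Function codes that change process state (Modbus Application Protocol).
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
DIAGNOSTICS = 8
FORCE_LISTEN_ONLY = 0x0004  # diagnostic sub-function that silences a device

# Assumed allow-list: which source addresses may write to which device.
ALLOWED_WRITERS = {"plc-feeder-03": {"10.20.0.15"}}  # engineering workstation


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse MBAP header + PDU; reject anything that is not well-formed Modbus."""
    if len(payload) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(payload) - 6:  # length covers unit id, function and data
        raise ValueError("MBAP length mismatch")
    return ModbusRequest(tid, unit, func, payload[8:])


@dataclass(frozen=True)
class Alert:
    kind: str
    src: str
    dst: str
    detail: str


def inspect(src_ip: str, dst_host: str, payload: bytes) -> Alert | None:
    """Apply the write allow-list and the listen-only check to one request."""
    req = parse_modbus_tcp(payload)
    if req.function == DIAGNOSTICS and len(req.data) >= 2:
        sub = struct.unpack(">H", req.data[:2])[0]
        if sub == FORCE_LISTEN_ONLY:
            return Alert("dos-diagnostic", src_ip, dst_host,
                         f"Force Listen Only Mode sent to unit {req.unit_id}")
    if req.function in WRITE_FUNCTIONS and src_ip not in ALLOWED_WRITERS.get(dst_host, set()):
        addr = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else -1
        return Alert("unauthorised-write", src_ip, dst_host,
                     f"{WRITE_FUNCTIONS[req.function]} (fc {req.function}) "
                     f"at address {addr} to unit {req.unit_id}")
    return None


# Constructed traffic: a routine HMI poll, an engineer's write, a write from
# an IT-zone host, and a diagnostic that would silence the PLC.
CAPTURE = [
    ("10.20.0.30", "plc-feeder-03", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    ("10.20.0.15", "plc-feeder-03", bytes.fromhex("0002 0000 0006 01 06 0010 01f4")),
    ("10.1.5.40", "plc-feeder-03", bytes.fromhex("0003 0000 000b 01 10 0010 0002 04 0000 0000")),
    ("10.1.5.40", "plc-feeder-03", bytes.fromhex("0004 0000 0006 01 08 0004 0000")),
]


def analyse(capture=CAPTURE) -> list[Alert]:
    """Run every captured request through inspect(); malformed frames alert too."""
    alerts = []
    for src, dst, payload in capture:
        try:
            alert = inspect(src, dst, payload)
        except ValueError as exc:
            alert = Alert("malformed", src, dst, str(exc))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyse():
        print(f"[{a.kind}] {a.src} -> {a.dst}: {a.detail}")
```

The allow-list is deliberately keyed by source address and destination device rather than by user, because the protocol carries no identity to key on; that is exactly why the overly permissive cross-domain interfaces discussed above matter, since any host that can reach the PLC's TCP port can issue these frames. The listen-only diagnostic is alerted regardless of source, as there is rarely a legitimate reason to issue it over the production network.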

5. Conclusions

Analysis of cyberattacks on critical infrastructure over the past decade revealed a significant escalation of threats, especially during the armed conflict in Ukraine in 2022–2023. The study showed that Russian groups (Sandworm, Fancy Bear, Ember Bear) were responsible for 9 out of 22 analyzed incidents, demonstrating the systematic and targeted nature of cyber aggression. The Chinese Volt Typhoon group proved to be no less dangerous owing to its use of advanced “living-off-the-land” methods. Phishing remained the main attack vector (7 cases), but sophisticated attacks on supply chains, such as NotPetya, attracted particular attention. The energy sector was hit hardest (7 incidents), confirming its strategic importance. Six attacks involved manipulation of industrial protocols (ICS/OT), and four involved the use of destructive wiper malware. The STRIDE analysis of the Diia platform confirmed 111 validated vulnerabilities identified through a structured threat list, cross-referencing of incident data, and modelling of system components. Numerical scores such as 75.91 (spoofing) and 65.86 (privilege escalation) were obtained using a weighted risk formula that considers probability, exploitability, and projected operational impact. After implementing risk mitigation measures, including MFA, RBAC enhancements, encryption of sensitive data flows, and updates to logging and auditing systems, the risk levels were recalculated: the risk of spoofing fell to 27.00 and the risk of privilege escalation to 25.50, indicating a significant improvement in overall security.

The socio-economic costs of cyberattacks are significant: business downtime, supply chain disruptions, and increased product costs. Recovery from incidents often took weeks or months, and the total damage from NotPetya exceeded USD 10 billion. Political consequences included undermining trust in governments and international tensions. Innovative approaches are being proposed to protect critical infrastructure, including Cybersecurity Mesh Architecture (CSMA) and digital immune systems. However, serious challenges remain: legacy systems, a lack of skilled professionals, cross-sector risks, and fragmented regulatory environments.

The research is limited by incomplete incident data, the difficulty of attack attribution, regional specificity, the rapid evolution of threats, and the limited practical testing of the proposed solutions. Promising areas for further research include AI-based threat detection, quantum cryptography, system resilience modeling, and improved international cyber-legal regulation. Particular attention should be paid to the need for global coordination to counter transnational cyber threats effectively.

For policymakers and practitioners, this means an urgent need to:

  • Strengthen the protection of energy and other high-value sectors;

  • Institutionalise continuous threat modelling for digital public services;

  • Invest in upgrading outdated operational technologies and workforce capabilities;

  • Integrate cross-sectoral risk assessment into national cybersecurity planning;

  • Promote international harmonisation of legislation and information sharing mechanisms.

Funding

No funding is associated with this article.

Conflicts of interest

The authors declare no conflicts of interest.

Data availability statement

No data are associated with this article.

Author contribution statement

Yuliia Tovkun and Viktoriia Semerenska: conceptualization, methodology, data curation, writing-original draft preparation. Yuliia Tovkun: visualization, investigation, and supervision. Alexander Adamov and Viktoriia Semerenska: software, validation, writing-reviewing, and editing. All authors read and approved the final manuscript.

Acknowledgments

No acknowledgments.

References

  1. Adamov A. Russian wipers in the cyberwar against Ukraine. In: Virus Bulletin Conference. Prague: Virus Bulletin, 2022, https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Russian-wipers-in-the-cyberwar-against-Ukraine.pdf
  2. Lella I, Theocharidou M and Magonara E et al. ENISA threat landscape 2024. Attiki: European Union Agency for Cybersecurity, 2024, https://www.enisa.europa.eu/sites/default/files/2024-11/ENISA%20Threat%20Landscape%202024_0.pdf
  3. Maynard P, McLaughlin K and Sezer S. Decomposition and sequential-AND analysis of known cyber-attacks on critical infrastructure control systems. J Cybers 2020; 6: tyaa020, https://doi.org/10.1093/cybsec/tyaa020
  4. Palleti VR, Adepu S and Mishra VK et al. Cascading effects of cyber-attacks on interconnected critical infrastructure. Cybersecurity 2021; 4: 8, https://doi.org/10.1186/s42400-021-00071-z
  5. Aljohani TM. Cyberattacks on energy infrastructures as modern war weapons – part I: Analysis and motives. IEEE Techn Soc Magaz 2024; 43: 59–69, https://doi.org/10.1109/mts.2024.3395688
  6. Haataja S. Cyber operations against critical infrastructure under norms of responsible state behaviour and international law. Inter J Law Inform Techn 2023; 30: 423–443, https://doi.org/10.1093/ijlit/eaad006
  7. Alqudhaibi A, Albarrak M and Aloseel A et al. Predicting cybersecurity threats in critical infrastructure for industry 4.0: A proactive approach based on attacker motivations. Sensors 2023; 23: 4539, https://doi.org/10.3390/s23094539
  8. Kasabji D. Deep dive into the May 2023 cyber attack on Danish energy infrastructure, 2023, https://conscia.com/blog/deep-dive-into-the-may-2023-cyber-attack-on-danish-energy-infrastructure/
  9. Orleans-Bosomtwe PK. Critical infrastructure security: Penetration testing and exploit development perspectives, 2024, https://doi.org/10.48550/arXiv.2407.17256
  10. Tovkun Y. Personal data protection in context of cyberwarfare. Karlskrona: Blekinge Inst Techn, 2023, https://www.diva-portal.org/smash/get/diva2:1773044/FULLTEXT02
  11. Pollard M. A case study of Russian cyber-attacks on the Ukrainian power grid: Implications and best practices for the United States. Pepper Policy Rev 2024; 16: 1, https://digitalcommons.pepperdine.edu/ppr/vol16/iss1/1
  12. Presekal A, Rajkumar VS and Ştefanov A et al. Cyberattacks on power systems. In: Parizad A, Baghaee HR, Rahman S (Eds.). Smart Cyber-Physical Power Systems: Fundamental Concepts, Challenges, and Solutions. Hoboken: Institute of Electrical and Electronics Engineers, 2025, https://doi.org/10.1002/9781394191529.ch15
  13. Olteanu M. SSSCIP's perspective on the cyber-attacks in the context of the military conflict between Russia and Ukraine (January 2022–January 2024). Bul of "Carol I" Nat Defen Univ 2024; 13: 63–79, https://doi.org/10.53477/2284-9378-24-04
  14. Brooks RR, Yu L and Ozcelik I et al. Distributed denial of service (DDoS): a history. IEEE Annals of the Hist Comp 2022; 44: 44–54, https://doi.org/10.1109/MAHC.2021.3072582
  15. Sam J. A research report on advanced persistent threat Fancy Bear (APT28) threat actor, 2024, https://www.researchgate.net/publication/383606556
  16. CERT-UA. The first annual report on the results of the vulnerability detection and response system for cyber incidents and cyber attacks, 2022, https://cert.gov.ua/article/17696
  17. European Union Agency for Network and Information Security. 2024 Report on the state of the cybersecurity in the Union, 2024, https://www.enisa.europa.eu/publications/2024-report-on-the-state-of-the-cybersecurity-in-the-union
  18. Cybersecurity & Infrastructure Security Agency. Cybersecurity Advisory Committee (CSAC) Reports and Recommendations, 2025, http://cisa.gov/resources-tools/resources/cybersecurity-advisory-committee-csac-reports-and-recommendations
  19. Center for Threat Informed Defense MITRE. 2024 Impact Report, 2025, https://ctid.mitre.org/resources/2024-impact-report/2024%20Impact%20Report%20Center%20for%20Threat-Informed%20Defense.pdf
  20. Georgescu A, Gurău M-M and Bucovetchi O et al. The European cybersecurity framework for critical energy infrastructures. In: Barichella A, Yada J (Eds.). The Palgrave Handbook of Cybersecurity, Technologies and Energy Transitions. Cham: Palgrave Macmillan, 2025, https://doi.org/10.1007/978-3-031-04196-9_9-1
  21. Li X. Cybercrime prevention on the agenda of modern international relations. For Affairs 2025; 35: 115–127, https://doi.org/10.59214/2663-2675.35(3).2025.115
  22. Li Q, Zhang B and Tian D et al. MDGraph: A novel malware detection method based on memory dump and graph neural network. Expert Syst Appl 2024; 255: 124776, https://doi.org/10.1016/j.eswa.2024.124776
  23. Dzera S. Digital human rights and their impact on intellectual property. Law Human Envir 2024; 15: 31–47, https://doi.org/10.31548/law/3.2024.31
  24. Zhao M, Yu Z and Li Q et al. Trident: A secure framework for flexible artificial intelligence model lifecycle management in public clouds. IEEE Trans Depen Secure Comp 2025, https://doi.org/10.1109/TDSC.2025.3621865
  25. Mampilly AJ and Midhunchakkaravarthy D. Cybersecurity mesh architecture: A framework for enhanced compatibility and security. In: Selvan CP, Sehgal N, Ruhela S, Rizvi NU (Eds.), International Conference on Innovation, Sustainability, and Applied Sciences. Cham: Springer, 2025, https://doi.org/10.1007/978-3-031-68952-9_58
  26. Mylrea M, Nielsen M and John J et al. Digital twin industrial immune system: AI-driven cybersecurity for critical infrastructures. In: Lawless WF, Mittu R, Sofge DA, Shortell T, McDermott TA (eds.), Systems Engineering and Artificial Intelligence. Cham: Springer, 2021, https://doi.org/10.1007/978-3-030-77283-3_10
  27. Alshawish A. Risk-based security management in critical infrastructure organizations. Passau: University of Passau, 2021, https://opus4.kobv.de/opus4-uni-passau/frontdoor/index/index/docId/1002
  28. ISO/IEC 27001:2022. Information security, cybersecurity and privacy protection – Information security management systems – Requirements, 2022, https://www.iso.org/standard/27001
  29. Michalec O, Milyaeva S and Rashid A. When the future meets the past: Can safety and cyber security coexist in modern critical infrastructures? Big Data & Soc 2022; 9, https://doi.org/10.1177/20539517221108369
  30. Kott A and Linkov I. To improve cyber resilience, measure it. Computer 2021; 54: 80–85, https://doi.org/10.1109/MC.2020.3038411
  31. North Atlantic Treaty Organization. 2024 Cyber security, 2024, https://www.nato.int/cps/uk/natohq/topics_78170.htm?selectedLocale=en
  32. CISA Cybersecurity Awareness Program, 2025, https://www.cisa.gov/resources-tools/programs/cisa-cybersecurity-awareness-program
  33. Li Q, Wang Y and Tian D et al. Component-based modeling of cascading failure propagation in directed dual-weight software networks. Comp Netw 2024; 255: 110861, https://doi.org/10.1016/j.comnet.2024.110861
  34. Sontan AD and Samuel SV. Emerging trends in cybersecurity for critical infrastructure protection: A comprehensive review. Comput Sci IT Res J 2024; 5: 576–593, https://doi.org/10.51594/csitrj.v5i3.872
  35. Khaustova V, Tirlea MR and Dandara L et al. Development of critical infrastructure from the point of view of information security. Strategic Univ – J Interdisciplinary Strat Secur Stud 2023; 53: 170–188, https://ibn.idsi.md/sites/default/files/imag_file/p-170-188.pdf
  36. Aminu M, Akinsanya A and Oyedokun O et al. A review of advanced cyber threat detection techniques in critical infrastructure: Evolution, current state, and future directions. Icon Res Engin J 2024; 8: 74–87, https://www.irejournals.com/paper-details/1706103
  37. Liu S, Li K and Zhao M et al. M3-Med: A benchmark for multi-lingual, multi-modal, and multi-hop reasoning in medical instructional video understanding. arXiv preprint arXiv:2507.04289, 2025, https://doi.org/10.48550/arXiv.2507.04289
  38. Riggs H, Tufail S and Parvez I et al. Impact, vulnerabilities, and mitigation strategies for cyber-secure critical infrastructure. Sensors 2023; 23: 4060, https://doi.org/10.3390/s23084060
  39. George AS, Baskar T and Srikaanth PB. Cyber threats to critical infrastructure: assessing vulnerabilities across key sectors. Part Univ Inter Innov J 2024; 2: 51–75, https://doi.org/10.5281/zenodo.10639463
  40. Thakur K, Ali ML and Jiang N et al. Impact of cyber-attacks on critical infrastructure. In: Qiu M (ed.), IEEE International Conference on High Performance and Smart Computing. New York: IEEE, 2016, https://doi.org/10.1109/bigdatasecurity-hpsc-ids.2016.22
  41. Maglaras L, Janicke H and Ferrag MA. Cybersecurity of critical infrastructures: Challenges and solutions. Sensors 2022; 22: 5105, https://doi.org/10.3390/s22145105
  42. Lehto M. Cyber-attacks against critical infrastructure. In: Lehto M, Neittaanmäki P (eds.), Cyber security: Critical Infrastructure Protection. Cham: Springer, 2022, https://doi.org/10.1007/978-3-030-91293-2_1
  43. Haridas R, Sharma S and Bhakar R et al. Cybersecurity threats to critical energy infrastructure in India: challenges, opportunities and insights for developing nations. Common Cyber J 2025; 3: 53–78, https://production-new-commonwealth-files.s3.eu-west-2.amazonaws.com/s3fs-public/2025-04/d20104_v9-cybercrime-journal_vol3_v1_lr.pdf
  44. Stoddart K. Cyberwar: Attacking critical infrastructure. In: Stoddart K (ed.), Cyberwarfare: Threats to Critical Infrastructure. Cham: Palgrave Macmillan, 2022, https://doi.org/10.1007/978-3-030-97299-8_3
  45. Djenna A, Harous S and Saidouni DE. Internet of things meet internet of threats: New concern cyber security issues of critical cyber infrastructure. Applied Scien 2021; 11: 4580, https://doi.org/10.3390/app11104580
  46. Pidpalyi O and Romanov O. SDN and blockchain integration: Overview of the current state and prospects for ensuring network security. Inform Techn Comp Engin 2025; 22: 20–34, https://doi.org/10.31649/vitce/2.2025.20

Yuliia Tovkun

Yuliia Tovkun is a Postgraduate Student at the Department of Computer-Aided Design of Computing Systems of the Kharkiv National University of Radio Electronics, Ukraine. She specializes in cybersecurity governance, with a focus on critical infrastructure protection and digital threat intelligence.

Viktoriia Semerenska

Viktoriia Semerenska is a Postgraduate Student at the Department of Computer-Aided Design of Computing Systems of the Kharkiv National University of Radio Electronics, Ukraine. She investigates cyber-physical system vulnerabilities and the evolving tactics of state-sponsored threat actors.

Alexander Adamov

Alexander Adamov is a Ph.D., Senior Lecturer, Associate Professor at the Department of Computer-Aided Design of Computing Systems of the Kharkiv National University of Radio Electronics (Kharkiv, Ukraine); Department of Software Engineering of the Blekinge Institute of Technology (Karlskrona, Sweden); NioGuard Security Lab (Kharkiv, Ukraine). He researches the application of artificial intelligence in cyber defense, particularly in industrial and national security contexts.

All Tables

Table 1. Cyberattack case study.

Table 2. Directions for research and development in cybersecurity for critical infrastructures.

All Figures

Figure 1. Frequency of cyberattacks on critical infrastructure (2015–2025). Note: * – data for the incomplete year 2025.

Figure 2. Cyberattack types by target sector (2015–2025).