This post has been republished via RSS; it originally appeared at: Microsoft Security Blog.
Critical infrastructure (CI) organizations underpin national security, public safety, and the economy. In 2026, the cyber threat landscape facing these sectors is structurally different than it was even two years ago. What Microsoft Threat Intelligence is observing across critical infrastructure environments right now is not a forecast. It is already happening. Threat actors are no longer focused solely on data theft or opportunistic disruption. They are establishing persistent access, footholds they can sit in quietly, undetected, and activate at the moment of maximum disruption. That is the threat CI leaders need to be preparing for today. Not someday. Now.
Given these rising threats, governments worldwide are advancing policies and regulations to require critical infrastructure organizations to prioritize continuous readiness and proactive defense. The regulatory trajectory is clear. The U.S. National Cybersecurity Strategy published in March 2023 explicitly frames cybersecurity of critical infrastructure as a national security imperative. Japan issued a basic policy to implement the Active Cyber Defense legislation in 2025. Europe continues to implement the NIS2 Directive across the essential sectors. And Canada is advancing a more prescriptive approach to critical infrastructure security through Bill C8.
What Microsoft Threat Intelligence hears from law enforcement agencies reinforces what we observe in our own telemetry. For example, Operation Winter SHIELD is a joint initiative led by the FBI Cyber Division focused on helping CI organizations move from awareness to verified readiness. Implementation, not just awareness or policy, is what closes the gap between knowing you are a target and being ready when it matters.
The water sector offers a clear illustration of what that implementation gap looks like in practice and what it takes to close it. The findings from Microsoft, released on March 19, 2026, in collaboration with the Cyber Readiness Institute and the Center on Cyber Technology and Innovation show that hands-on coaching paired with practical training materially improves cyber readiness in water and wastewater utilities in ways that guidance alone does not. When attacks succeed, communities face safety concerns, loss of trust, and service disruptions. That is not an abstraction. That is what is at stake across every CI sector.
To say that the environments CI organizations are defending today were not designed for the threat they are facing is an understatement. Legacy systems now operate within hybrid IT–OT environments connected by cloud-based identity, remote access, and complex vendor ecosystems that did not exist when those systems were built. Identity has become the central control layer across all of it. Microsoft Threat Intelligence and Incident Response investigations show a convergence of identity-driven intrusion, living-off-the-land (LOTL) persistence, and nation-state prepositioning across CI. Against this backdrop, five facts define the resilience priorities CI leaders must address in 2026.
Five facts CI leaders can’t ignore
Today’s threat landscape reflects five structural realities: identity as the primary entry point, hybrid IT–OT architecture expanding attacker reach, nation-state pre-positioning as an ongoing concern, preventable exposure continuing to drive intrusions, and a shift from data compromise to operational disruption. Together, these dynamics are reshaping critical infrastructure resilience in 2026.
1. Identity is the dominant attack pathway into CI environments
Identity is where we see attackers start, almost every time. In CI environments, identity bridges enterprise IT and operational technology, making it the primary attack path. More than 97% of identity-based attacks target password-based authentication, most commonly through password spray or brute force techniques. As identity systems centralize access to cloud and operational assets, adversaries rely on LOTL techniques and legitimate credentials to evade detection. Because identity now governs access across these connected domains, a single compromised account can provide privileged reach into operationally relevant systems.
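As an added illustration, not code from the original post, the Python script below shows how a defender can separate the password-spray pattern described above from brute force in sign-in logs: spray is many accounts with one or two attempts each from a single source, brute force is many attempts against one account. It also flags the case that matters most operationally, a success from a source that was spraying. The log format, thresholds, IP addresses, and user names are constructed assumptions.

```python
"""Password-spray vs brute-force detection over constructed sign-in log lines.

Added example, not Microsoft's code. The CSV layout, thresholds and sample
records are assumptions; map them onto the fields your identity provider emits.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, one line per sign-in attempt: timestamp,user,source_ip,result
SAMPLE_LOG = """\
2026-03-20T08:00:01Z,alice,203.0.113.10,failure
2026-03-20T08:00:03Z,bob,203.0.113.10,failure
2026-03-20T08:00:05Z,carol,203.0.113.10,failure
2026-03-20T08:00:07Z,dave,203.0.113.10,failure
2026-03-20T08:00:09Z,erin,203.0.113.10,failure
2026-03-20T08:00:11Z,frank,203.0.113.10,failure
2026-03-20T08:00:13Z,grace,203.0.113.10,success
2026-03-20T08:01:00Z,ot-admin,198.51.100.7,failure
2026-03-20T08:01:02Z,ot-admin,198.51.100.7,failure
2026-03-20T08:01:04Z,ot-admin,198.51.100.7,failure
2026-03-20T08:01:06Z,ot-admin,198.51.100.7,failure
2026-03-20T08:01:08Z,ot-admin,198.51.100.7,failure
2026-03-20T08:01:10Z,ot-admin,198.51.100.7,failure
2026-03-20T08:01:12Z,ot-admin,198.51.100.7,failure
2026-03-20T08:01:14Z,ot-admin,198.51.100.7,failure
2026-03-20T09:30:00Z,alice,192.0.2.44,failure
2026-03-20T09:30:05Z,alice,192.0.2.44,success
"""


def parse(log_text):
    """Turn the constructed CSV text into (timestamp, user, ip, result) tuples, oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, window=timedelta(minutes=10), spray_min_users=5, brute_min_attempts=8):
    """Return a list of findings: password sprays (many users, one source) and
    brute force (many failures, one user, one source) inside a sliding window."""
    findings = {}
    fails_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            fails_by_ip[ip].append((ts, user))

    for ip, fails in fails_by_ip.items():
        for i, (start, _) in enumerate(fails):
            # Failures from this source within [start, start + window]
            counts = Counter(u for ts, u in fails[i:] if ts - start <= window)
            if len(counts) >= spray_min_users:
                findings.setdefault(("spray", ip), {
                    "kind": "password_spray", "ip": ip,
                    "users": sorted(counts), "compromised": []})
            for u, n in counts.items():
                if n >= brute_min_attempts:
                    findings.setdefault(("brute", ip, u), {
                        "kind": "brute_force", "ip": ip, "user": u, "attempts": n})

    # A success from a spraying source is the one to act on first: the guessed
    # password worked on that account even though it never logged a failure.
    for ts, user, ip, result in events:
        spray = findings.get(("spray", ip))
        if result == "success" and spray and user not in spray["compromised"]:
            spray["compromised"].append(user)
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

The single failed attempt for alice from 192.0.2.44 followed by a success is left alone: one miss per user per source is the normal shape of a mistyped password, and alerting on it would bury the spray. Tune the window and thresholds to your own baseline before relying on the two defaults here.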
2. Cloud and hybrid environments expand operational risk
The cloud did not just change how CI organizations operate. It changed how attackers get in and how far they can go. Cloud and hybrid incidents increased 26% in early 2025 as identity, automation, and remote management converged within cloud control planes. Microsoft research shows 18% of intrusions originate from web-facing assets, 12% from exposed remote services, and 3% from supply chain pathways. As long-lived OT systems depend on cloud-based identity and centralized remote access, identity compromise can extend beyond IT into operational environments. Incidents that once remained contained within IT environments can now extend directly into operational systems. For CI operators, this means cloud and hybrid architecture now directly influence operational resilience—not just IT security.
3. Nation-state prepositioning is a strategic reality
This is the one that keeps me up at night. Nation-state operators are actively maintaining long-term, low-visibility access inside U.S. critical infrastructure environments. Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) have documented campaigns attributed to Volt Typhoon, a PRC state-sponsored actor, in which intruders relied on valid credentials and built-in administrative tools rather than custom malware to evade detection across sectors. Using LOTL techniques and legitimate accounts, these actors embed within routine operations and persist where IT and OT visibility gaps exist. CISA Advisory AA24-038A warns that PRC state-sponsored actors are maintaining persistent access to U.S. critical infrastructure that could be activated during a future crisis. For security leaders, this represents sustained, deliberate positioning inside operational environments and underscores how adversaries shape conditions for future leverage.
4. Exposure and misconfiguration enable initial access
Most of what Microsoft sees in our investigations is not sophisticated. It is preventable. Most intrusions into critical infrastructure begin with preventable exposure rather than advanced exploits. Internet-facing VPNs left enabled too long, contractor identities that outlive project timelines, misconfigured cloud tenants, and dormant privileged accounts create quiet, low-effort entry points. Microsoft research shows that 12% of intrusions originate from exposed remote services. Over time, configuration drift and unmanaged access expand the attack surface, allowing adversaries to gain initial access before persistence or lateral movement is required. Reducing unnecessary exposure remains one of the highest-leverage risk-reduction actions available to CI operators.
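As an added example, not the post's own code, the script below audits a constructed directory export for two of the exposures named above: dormant privileged accounts and contractor identities that remain enabled after their engagement ends. The export schema, the 90-day dormancy threshold, the audit date, and every account record are assumptions; an account that has never signed in is treated as dormant rather than skipped, since a privileged account nobody uses is exactly the kind of quiet entry point described here.

```python
"""Stale-privilege and overstayed-contractor audit over a constructed directory export.

Added example, not Microsoft's code. Field names, the dormancy threshold and the
sample accounts are assumptions; adapt the loader to your identity provider's export.
"""
from datetime import date

AS_OF = date(2026, 3, 20)  # assumed audit date

# Constructed export. last_sign_in of None means the account has never signed in.
ACCOUNTS = [
    {"user": "plant-admin", "privileged": True, "type": "employee", "enabled": True,
     "last_sign_in": date(2025, 11, 2), "contract_end": None},
    {"user": "svc-historian", "privileged": True, "type": "service", "enabled": True,
     "last_sign_in": date(2026, 3, 19), "contract_end": None},
    {"user": "vendor-pump-eng", "privileged": True, "type": "contractor", "enabled": True,
     "last_sign_in": date(2026, 1, 15), "contract_end": date(2026, 1, 31)},
    {"user": "vendor-scada-int", "privileged": False, "type": "contractor", "enabled": True,
     "last_sign_in": date(2026, 3, 18), "contract_end": date(2026, 6, 30)},
    {"user": "svc-legacy-backup", "privileged": True, "type": "service", "enabled": True,
     "last_sign_in": None, "contract_end": None},
    {"user": "old-operator", "privileged": True, "type": "employee", "enabled": False,
     "last_sign_in": date(2025, 2, 1), "contract_end": None},
]


def audit(accounts, as_of, dormant_days=90):
    """Return findings for enabled accounts that are dormant-but-privileged or
    belong to contractors whose engagement has already ended."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used for initial access

        last = acct["last_sign_in"]
        idle_days = (as_of - last).days if last else None
        # Privileged and unused for too long (or never used): prime dormant-account exposure
        if acct["privileged"] and (idle_days is None or idle_days > dormant_days):
            findings.append({
                "user": acct["user"], "issue": "dormant_privileged",
                "idle_days": idle_days,
                "action": "disable, then review group membership before any re-enable"})

        # Contractor identity still enabled past the end of its engagement
        end = acct["contract_end"]
        if acct["type"] == "contractor" and end and end < as_of:
            findings.append({
                "user": acct["user"], "issue": "contractor_overstayed",
                "days_past_end": (as_of - end).days,
                "action": "disable, revoke sessions and credentials, notify sponsor"})
    return findings


if __name__ == "__main__":
    for finding in audit(ACCOUNTS, AS_OF):
        print(finding)
```

The audit is deliberately narrow: it does not try to decide which privileges are excessive, only which enabled accounts should not exist in their current state at all. Run it on a schedule rather than once, because the post's point about configuration drift is that this list grows quietly between reviews.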
5. Operational impact is increasing
The goal has shifted. Attackers are no longer just trying to steal data. They are trying to take things offline. Operational disruption is becoming a primary objective, not a secondary outcome. Attack campaigns surged 87% in early 2025, alongside increased destructive cloud activity and hands-on-keyboard operations targeting critical infrastructure. Identity systems, cloud control planes, and remote management layers are targeted because they provide direct operational leverage. For CI operators, the impact extends beyond data loss to service availability and physical processes. Organizations must ensure operational pathways are resilient against disruptive activity, not only monitored for signs of compromise.
Scenario patterns observed in CI environments
These are not hypothetical. They are patterns we see repeatedly in incident response engagements across sectors. The actors may vary. The access pathways do not.
Four reinforcing pillars of continuous readiness
Point-in-time hardening does not work against attackers who are playing a long game. In hybrid IT–OT environments, resilience requires sustained practices, not one-time fixes. CI leaders need a continuous approach that strengthens identity, reduces exposure, increases cross-domain visibility, and ensures effective response. Microsoft’s work across critical infrastructure environments consistently highlights four reinforcing pillars:
Why continuous readiness works
Continuous readiness is most effective when it is grounded in integrated visibility across identity, endpoint, and cloud environments, particularly in hybrid IT–OT architectures common to critical infrastructure. Microsoft’s telemetry enables investigators to correlate activity across these domains, surfacing patterns that isolated tools may miss. CI-informed playbooks, shaped by incident response engagements across sectors, help organizations prioritize the pathways most likely to affect operations. In practice, readiness engagements frequently uncover active or dormant compromise, reinforcing the importance of validating resilience before disruption occurs. For CI leaders, this visibility and correlation are especially critical given the operational consequences of undetected identity misuse or cross‑domain movement.
Because adversaries prioritize quiet, long-term access rather than immediate disruption, many organizations only discover exposure after operations are impacted—unless readiness is actively validated.
Take action: Validate resilience before it’s tested
Here is what every CI leader reading this should ask themselves: have threat actors already established the access they need, and how would I know?
Operational resilience depends on verified assurance, not assumptions. Security leaders must confirm that identity pathways are hardened, exposure is reduced, and adversaries have not established durable footholds. A proactive compromise assessment delivered by Microsoft Incident Response can determine whether adversaries are already present—active or dormant—and help close high-risk gaps before disruption occurs.
For more information, read our blog post, Explore the latest Microsoft Incident Response proactive services for enhanced resilience, or access the CI readiness resources.
Contact your Microsoft representative to schedule a proactive compromise assessment and validate your resilience posture.
The post The threat to critical infrastructure has changed. Has your readiness? appeared first on Microsoft Security Blog.
