Your community’s critical infrastructure is at risk. Here’s how to build resilience and ‘collective defense’
November is Critical Infrastructure Security and Resilience Month, an annual recognition of the interdependent roles that critical infrastructure sectors hold in day-to-day life and national security as well as a reminder of the need for collaboration to protect our most critical sectors. Threat Beat Executive Editor Bridget Johnson asked former DHS Assistant Secretary for Infrastructure Protection Brian Harrell, a McCrary Institute senior fellow who also served as the first assistant director for infrastructure security at the Cybersecurity and Infrastructure Security Agency, to expand on current threats and building resilience through outreach and collaboration.
Bridget Johnson: What is the biggest cyber threat faced by critical infrastructure sectors right now?
Brian Harrell: Right now, the biggest cyber threat facing critical infrastructure sectors is the rise of highly sophisticated ransomware and state-sponsored attacks that target operational technology (OT) systems — the equipment that physically runs power grids, pipelines, water treatment plants and transportation networks. These attacks increasingly blend IT breaches with attempts to disrupt or manipulate industrial control systems, creating the potential for real-world harm rather than just data theft. Adversaries are also exploiting supply-chain vulnerabilities and zero-day flaws at a faster pace, making it harder for defenders to detect intrusions at the Endpoint Detection and Response levels.
Johnson: What is the biggest physical threat faced by critical infrastructure sectors right now?
Harrell: The biggest physical threat facing critical infrastructure sectors today is the growing risk of targeted sabotage and natural hazard–driven disruptions that can quickly cascade across interconnected systems. Aging infrastructure, combined with increasingly severe weather events such as floods, wildfires and heat waves, puts essential services like power, transportation and water systems under strain, making failures more likely. At the same time, intentional attacks on substations, pipelines and communication nodes have increased, often exploiting the fact that many facilities were not designed with modern security challenges in mind. This combination of environmental stress, outdated physical protection and deliberate malicious activity creates a complex and evolving threat landscape for critical infrastructure operators.
Johnson: From geostorms to floods, should sectors be taking more action on natural threats?
Harrell: Resilience is the key here. We should assume that security events will happen and that our worst day is right around the corner. So, whether we’re talking cyber or physical attacks, or catastrophic natural events, we must be prepared to depend on backup systems and the need to operate manually.
Johnson: On resilience, how do you reach small critical infrastructure entities that may believe nation-state actors won’t be interested in their neighborhoods?
Harrell: Reaching small critical infrastructure entities that believe nation-state actors “won’t target them” requires reframing the conversation around why they are valuable, even if they seem small. Many intrusions begin not with the ultimate target but with the weakest link in a broader ecosystem — meaning small utilities, local providers and rural facilities often serve as convenient entry points or testing grounds for adversaries. Engaging these entities effectively involves:
- Emphasizing practical, local consequences (service outages, equipment damage, recovery costs) rather than geopolitical motives.
- Highlighting real cases where small organizations were hit simply because they were accessible, not because they were high-profile.
- Making resilience achievable by offering simplified, low-cost and clearly prioritized guidance instead of overwhelming security frameworks.
- Leveraging trusted messengers such as state agencies, sector associations, insurers and peer utilities, who can deliver the message without triggering skepticism.
- Creating incentive-based programs — grants, free assessments, templates and exercises — that remove financial and staffing barriers.
The goal is to help them see that resilience isn’t about preparing for nation-states specifically — it’s about protecting their community, operations and bottom line from a wide spectrum of threats that don’t discriminate by size.
Johnson: From your perspectives having served In government and the private sector, what are the benefits of collaboration on infrastructure security and how can this be improved?
Harrell: Collaboration is crucial as we embrace “collective defense.” Government can access different information than we would typically see in the private sector. However, over these past few years, I’m starting to see a real shift in the value of government-originated information. Today, we see faster and better-analyzed information come from private-sector tools and technology partners. I am already hearing whispers asking, “If CISA goes away, would anyone miss it?” While large, well-funded companies may not feel the void, smaller companies would certainly struggle not having this interaction. This said, CISA needs to unleash an awareness campaign where they highlight the value of “America’s Cyber Defense Agency,” showcase partnership wins and all-around be more visible.
Johnson: Reaching beyond the security community, many people don’t realize that their local mall, for instance, is critical infrastructure. How can communities learn about the sectors and the part that everyone plays in critical infrastructure security?
Harrell: Communities can learn about the role everyone plays in critical infrastructure security by connecting the concept to daily life and making it relatable, practical and visible. Local governments, utilities and emergency management offices can host public workshops, town halls and preparedness fairs that explain how things like water, power, transportation and communications depend not only on technology and operators but also on community awareness and cooperation. Public education campaigns — through schools, local news, social media and community organizations — can highlight simple actions residents can take, such as reporting suspicious activity, practicing good cyber hygiene at home and preparing for disruptions. Exercises and drills that include community participation help people understand how their behavior affects response and recovery. Finally, sharing transparent, easy-to-understand information about threats, resilience efforts and interdependencies reinforces the idea that critical infrastructure is a shared responsibility, where individual vigilance contributes to collective security.