Industry Insights: Critical Infrastructure


STRIDER

From the systems that power electrical grids to the communications networks that connect the world, critical infrastructure is the foundation of economic growth and resiliency, national security, public safety, and life as we know it. It is a sprawling web of interdependent systems operating at extraordinary scale—divided by sector, but united by shared technologies, intertwined supply chains, and, increasingly, collective vulnerabilities.

While governments around the world maintain their own definitions of “critical infrastructure,” they largely converge around the same core systems that underpin modern society. Terminology may differ, but critical infrastructure sectors broadly include communications, information technology, and digital infrastructure systems; major energy sources (including electricity, renewables, oil, and gas); financial services and banking; government services and facilities; transportation systems (including air, rail, and maritime); water and wastewater; and defense. These are the sectors that societies rely on—making them uniquely attractive targets.

Adversarial nation-states like the People’s Republic of China (PRC), Russia, and Iran have spent the past decade mapping vulnerabilities in critical infrastructure—learning about them, figuring out how best to exploit them, and infiltrating them. The threat these countries now pose is more coordinated, more persistent, and more strategically targeted than at any prior point in history.

Critical infrastructure systems have become the new terrain through which power is projected and pressure is applied.

The Threat Landscape Has Changed

For organizations in critical infrastructure sectors, reliability has always been a top priority: keeping the power flowing, networks connected, goods moving, and daily life running. That hasn’t changed. But the threat landscape these organizations are operating in has. Today, resilience against adversarial nation-states has become as important as the reliability these systems have always prioritized.

That resilience is already being tested worldwide. Foreign-manufactured components with opaque capabilities have been discovered in Western power grids. Major telecommunications carriers have identified state-linked actors operating within their core networks. Energy and industrial companies in North America and Europe have taken systems offline following attacks that moved through third-party partners and global supply chains. The methods of intrusion are varied, but the scale and coordination point to something more deliberate than opportunistic attacks.

What distinguishes this new landscape is the strategy behind it. Intelligence and law enforcement agencies have assessed with high confidence that recent activity by groups like Volt Typhoon, a PRC state-sponsored hacking group known to target critical infrastructure, is inconsistent with traditional cyber espionage. Meanwhile, Russian-backed groups have targeted power grids, government networks, and financial institutions in Europe, aiming to destabilize and erode public trust. And Iran has gone after critical sectors in both the U.S. and Europe—including healthcare, transportation, and oil and gas—to test vulnerabilities.

These actors are not just trying to steal data. They are pre-positioning themselves deep inside critical systems with the goal of being able to cause disruption on demand. The objective is leverage, and critical infrastructure is how they intend to get it.

Policymakers have taken notice and are taking action. Japan’s Economic Security Promotion Act, enacted in 2022, designated approximately 200 entities across 15 sectors as critical infrastructure operators. The act empowers the government to vet equipment suppliers and maintainers so that vulnerabilities tied to foreign entities of concern are not introduced.

In the United States, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) confirmed that PRC state-sponsored actors had compromised networks across communications, energy, transportation, and water system sectors. Previously, the U.S. banned PRC technology provider Huawei from its 5G and telecommunications networks due to espionage risks.

In its National Security Strategy 2025, the UK government stated that “Hostile activity on British soil from countries like Russia and Iran is increasing, threatening our people, critical national infrastructure and prosperity.” The UK government also pledged to “roll out a series of new measures to…enhance the resilience of our critical national infrastructure.”

The European Union, meanwhile, recently moved to restrict PRC suppliers from critical infrastructure, such as telecommunication networks, across member states entirely.

These actions make clear that critical infrastructure is a prime target for adversaries. For those responsible for keeping these systems safe and secure, understanding where and how deeply they have already been reached—and the strategies being employed by adversarial nation-states—has become essential for safeguarding economies and societies.

Where Critical Infrastructure Is Most Exposed

Understanding where adversaries are finding their way in starts with understanding how exposure accumulates—and it rarely happens the way most organizations expect. It comes through procurement decisions made without full visibility, hires that passed every background check, and partnerships that looked clean on paper. For organizations across critical infrastructure sectors, the risk concentrates in three places.

The first is the supply chain. The global supply chain for critical infrastructure components is vast, layered, and can often be difficult to trace. While that complexity is a byproduct of operating at global scale and within intertwined economies, it is also one of the most consequential vulnerabilities that organizations face. Adversaries have spent years learning to exploit it. The result has been solar inverters with undisclosed communication capabilities; telecommunications hardware sourced from entities with government ties; and transformers, fiber optic cables, and industrial control components whose origins cannot be verified.

Strider’s “In Broad Daylight” report captured exactly what that exploitation looks like in practice. In November 2024, PRC-linked company Deye remotely disabled inverters across the United States, United Kingdom, and Puerto Rico following a commercial dispute. The capability had been embedded in the hardware before it ever reached the grid. The leverage was already in place. The dispute simply revealed it. Strider research also shed light on the sustained PRC effort to identify vulnerabilities and develop methods to disrupt Western power grids—uncovering 2,723 publications on the subject authored by researchers affiliated with PRC defense institutions, including the People’s Liberation Army and national defense universities.

The second is the workforce. Privileged access to critical infrastructure systems is among the most valuable things an adversary can acquire—and state-sponsored actors are pursuing it methodically through recruitment, cultivation, and talent pipelines that look entirely legitimate from the outside. In 2023, that reality came into sharp focus when a telecom contractor in Florida was charged with acting as an agent of China’s Ministry of State Security while maintaining active system access at a major U.S. carrier. For every case like this that surfaces, the harder question is how many have not. Any organization that relies solely on conventional vetting methods is likely carrying risk that has not yet been illuminated.

The third is the extended partner ecosystem. Every joint venture, contractor relationship, and operational partnership is a potential entry point for adversaries to exploit. Partners bring their own supply chains, personnel, and geopolitical entanglements into shared operational environments, and there is rarely visibility into the full ecosystem. In the oil and gas sectors, where global operations and joint ventures are common, adversaries actively seek out partnerships as digital access points to disrupt operations and gain strategic advantage. Intellectual property from exploration breakthroughs, refining processes, and material-science research is a frequent target—compromised through the same trusted partnerships that companies depend on to operate. When any part of that ecosystem is compromised, the entire organization is compromised with it.

A Strider Use Case: A Major Energy Provider Prevented Exposure

A prominent U.S. power and energy company servicing some of the largest metropolitan areas in the country wanted to ensure its critical systems were safeguarded from nation-state threats. Company leaders wanted full visibility into the entities within its ecosystem as third-party partners or technology providers.

The company used Strider’s strategic intelligence platform to identify all entities with technology embedded in its infrastructure, then screened every third-party partner involved in day-to-day operations for connections to foreign entities of concern. What it found was alarming. A substantial portion of its critical infrastructure was being managed by a third-party company with direct connections to the PRC government, military, and defense organizations. The relationship posed a serious risk: the energy company could potentially lose operational control of its critical systems to a PRC government entity or actors working on its behalf. Company leaders severed ties with the management company.

For organizations involved in critical infrastructure sectors, this case illustrates something important: the exposure existed before anyone went looking for it. It only became visible when they had the right tools to see it.

How Strider Helps Critical Infrastructure Organizations

The organizations that manage risk posed by adversarial nation-states best are the ones that can see it clearly across their supply chains, their workforce, and their extended partner ecosystem. Most organizations have invested heavily in tools designed to detect threats after they've entered their critical systems. Strider’s strategic intelligence enables organizations to get ahead of these threats.

For supply chain and partner risk, Organizations Search maps the full ownership and affiliation picture behind every vendor, supplier, component, joint venture partner, and major contractor embedded in an operational environment—uncovering multi-tier relationships, hidden parent companies, and state-linked intermediaries.

For workforce risk, People Search screens employees, contractors, and candidates for nation-state ties, falsified credentials, and risky affiliations—revealing hidden connections that conventional background checks were never built to detect.

Across all three, Insights tracks the specific technologies and subject-matter experts most likely to be targeted by state actors and generates reporting for leadership on emerging geopolitical and partner risks.

And Shield flags and blocks malicious domains, emails, and communications tied to known adversary campaigns—feeding high-risk indicators into existing security systems to monitor risky inbound and outbound activity before it reaches operational environments.

Strider also provides expert analysis within its Intelligence Center on critical infrastructure security—offering additional context on state-sponsored recruitment initiatives and efforts to identify and exploit vulnerabilities.

The systems that make up critical infrastructure are only as resilient as the technologies, supply chains, and people that support them. Strider gives organizations the visibility to understand that full picture and to act on it before someone else does.

Conclusion

Critical infrastructure is the foundation that modern society cannot function without. And precisely because of that, it has become a primary target for those seeking leverage in this new geopolitical era. Keeping it secure, reliable, and free from foreign interference requires a level of vigilance that many organizations have not yet applied—but must.

Those who act now will find the exposure. Those who wait will feel it.