One quiet morning in April 2025, officials at DaVita, one of the largest kidney dialysis providers in the United States, were jolted by an alert that something was wrong. Cybercriminals had breached their network and had been creeping around undetected for weeks, collecting the sensitive data of millions of patients. But something extraordinary, yet not inconceivable, happened: not one dialysis treatment was interrupted. Life-supporting patient care proceeded even as security teams fought to contain the ransomware. The incident captures both the exposure and the resilience of today’s critical infrastructure. Critical infrastructure is the front line in modern cyber warfare, with nation-state actors, ransomware crews and high-end criminals all taking aim at the systems that keep our society going. Vital services such as power grids, water treatment facilities, healthcare networks and transportation systems are now facing what experts describe as an unprecedented wave of cyber threats, one that is wreaking havoc today and is likely to bring more trouble in the future unless something is done.
Recent government warnings describe a different kind of threat. According to an FBI announcement in August 2025, Russia’s Federal Security Service (FSB) has targeted networking devices in American critical infrastructure. These attackers, tracked under names such as “Berserk Bear” and “Dragonfly,” have been exploiting weaknesses in Cisco Smart Install and the Simple Network Management Protocol (SNMP) to gain unauthorized access to thousands of network devices.
What makes these attacks particularly dangerous is their methodical strategy. The Russian actors do not rely on sophisticated zero-day exploits or intricate malware. Instead, they take advantage of fundamental weaknesses that have been around for years: default passwords, unencrypted protocols, and legacy systems that were never designed with cybersecurity in mind. By targeting networking equipment, these adversaries position themselves to monitor, modify or halt traffic flowing through vital systems.
The FBI analysis indicates these actors have obtained configuration files from thousands of U.S. government and business entities in addition to critical infrastructure companies. On compromised devices, they modify configuration files to maintain unauthorized access and conduct reconnaissance, taking particular interest in protocols associated with industrial control systems. This systematic approach suggests preparation for a future offensive that could have devastating results.
The scale of this campaign is enormous. Since 2015, the U.S. Government has received information from multiple sources, including private and public sector cybersecurity research organizations and allies, that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. These activities enable espionage and theft of intellectual property in direct support of Russian national security and economic objectives.
Critical infrastructure presents unique cybersecurity challenges that set it apart from traditional enterprise environments. The operational technology (OT) systems managing power plants, water treatment and manufacturing processes were designed decades ago, in an era when cybersecurity was a low priority. These industrial control systems and supervisory control and data acquisition (SCADA) networks prioritize reliability and continuous operation over security.
Together with the FBI, the Environmental Protection Agency (EPA) and the Department of Energy (DoE), CISA has identified numerous key vulnerabilities that make OT systems particularly enticing to malicious actors. Worryingly, many such systems are publicly accessible over the internet with little or no security. Guidance CISA released in the past week underscores that operational technology devices are “easily discoverable and easy targets when directly connected to the internet” because they “generally lack authentication and authorization schemes that tolerate rapid scanning and exploitation.”
The convergence of IT and operational technology gives attackers new ways to strike and often leaves organizations unable to defend effectively. Legacy systems that were never meant to be exposed are now connected to corporate networks and remote-access services. Many of them run outdated software and have no encryption in place, and there is often no way to update them without disrupting services.
Geographical distribution complicates matters further still. Facilities such as power substations, water treatment plants and transportation centers are spread over large areas, making it hard to secure a physical perimeter and offering many points of entry for attackers. Remote monitoring and control, introduced in the name of efficiency, also open avenues for adversaries to target critical systems from halfway across the world.
The takeaways from recent attacks underscore that a sea change in how we think about critical infrastructure security is needed. Legacy perimeter defenses and reactive cybersecurity are ineffective against sophisticated adversaries who can spend months or years patiently cultivating persistent access to target systems.
Effective cyber resilience assumes that breaches will happen and designs systems and processes accordingly. This includes network segmentation that separates operational technology from corporate IT networks, tight access control between network segments, and the ability to keep critical operations running even while under attack.
Least privilege is essential in such environments, so that users and systems have access only to what they need to do their job. Scheduled vulnerability assessments and penetration tests can discover gaps before attackers find them, but they need to take into account both traditional IT vulnerabilities and operational technology-specific risks.
Continuous monitoring and threat detection can also provide early warning of attacks, but detection must be properly calibrated to avoid false alarms that would jeopardize crucial operations. Artificial intelligence and machine learning are used in today’s security operations centers to learn network activity patterns and detect abnormal behavior, but people remain crucial for understanding the operational context of a potential threat.
The nature and magnitude of today’s threats demand unprecedented collaboration between the government and operators in the private sector. Most critical infrastructure in the United States is privately owned, but securing it is a national security imperative that goes beyond the private interests of individual organizations. CISA’s updated advisory on operational technology security highlights a number of critical mitigations that all critical infrastructure operators should apply without delay. These include disconnecting operational technology from the public Internet, changing default passwords and enforcing strong authentication, requiring that remote access go through virtual private networks (VPNs) protected by multi-factor authentication, and segmenting IT and operational technology networks.
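The weaknesses described earlier (Smart Install and SNMP left exposed, default credentials, unencrypted management protocols) and the mitigations listed above can be checked mechanically against a device’s saved configuration. The following audit script is an added example, not code from the FBI, CISA or any vendor advisory: it scans a Cisco IOS-style configuration for those legacy weaknesses. The two configurations embedded in it are constructed for illustration, and the rule set and severities are the author’s assumptions about what a defender would check, not an official checklist; the IOS statements it looks for (`no vstack`, `snmp-server community`, `transport input`, `ip http server`, `enable secret`) are standard IOS syntax.

```python
"""Audit a Cisco IOS-style configuration for legacy weaknesses.

Added example. Checks: Smart Install still enabled, default or read-write
SNMP community strings, telnet/HTTP management, and credentials stored as
recoverable 'password' instead of hashed 'secret'. The rule set is an
assumption about what a defender would check, not an official checklist.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed list of vendor/common default community strings (constructed).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium" (severities are the author's assumption)
    rule: str       # short identifier of the check that fired
    evidence: str   # the offending config line, with secrets redacted


def audit_ios_config(config: str) -> list[Finding]:
    """Return a list of findings for one device configuration."""
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    findings: list[Finding] = []

    # 1. Smart Install: the service stays on unless 'no vstack' is configured.
    if not any(ln.strip() == "no vstack" for ln in lines):
        findings.append(Finding("high", "smart-install-enabled",
                                "no 'no vstack' statement found"))

    # 2. SNMP v1/v2c communities: flag defaults and any read-write community.
    for ln in lines:
        m = re.match(r"^snmp-server community (\S+)(?:\s+(RO|RW))?", ln.strip(), re.I)
        if m:
            name, mode = m.group(1), (m.group(2) or "RO").upper()
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding("high", "snmp-default-community", ln.strip()))
            if mode == "RW":
                findings.append(Finding("high", "snmp-rw-community", ln.strip()))

    # 3. Management plane: telnet on vty lines (indented block) and HTTP server.
    in_vty = False
    for ln in lines:
        stripped = ln.strip()
        if stripped.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and not ln.startswith(" "):
            in_vty = False  # left the indented 'line vty' block
        if in_vty and re.match(r"^transport input (telnet|all)\b", stripped):
            findings.append(Finding("high", "telnet-enabled", stripped))
        if stripped == "ip http server":
            findings.append(Finding("medium", "http-management-enabled", stripped))

    # 4. Credentials: 'password' is reversible (type 7) or plaintext; 'secret' is hashed.
    for ln in lines:
        stripped = ln.strip()
        if stripped.startswith("enable password"):
            findings.append(Finding("medium", "enable-password-not-secret",
                                    "enable password ..."))
        if re.match(r"^username \S+ .*\bpassword\b", stripped):
            redacted = stripped.split(" password")[0] + " password ..."
            findings.append(Finding("medium", "username-password-not-secret", redacted))
    return findings


# Constructed sample: a weak legacy configuration (not from any real device).
SAMPLE_WEAK_CONFIG = """\
hostname plant-core-sw1
enable password 7 0822455D0A16
!
username ops password 7 094F471A1A0A
!
snmp-server community public RO
snmp-server community private RW
!
ip http server
!
line vty 0 4
 transport input telnet
line vty 5 15
 transport input ssh
!
end
"""

# Constructed sample: the same device hardened (hash values are placeholders).
SAMPLE_HARDENED_CONFIG = """\
hostname plant-core-sw1
no vstack
enable secret 9 $9$PLACEHOLDER_HASH
!
username ops secret 9 $9$PLACEHOLDER_HASH
!
snmp-server group monitoring v3 priv
!
no ip http server
!
line vty 0 15
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK_CONFIG), ("hardened", SAMPLE_HARDENED_CONFIG)):
        print(f"== {label}: {len(audit_ios_config(cfg))} finding(s)")
        for f in audit_ios_config(cfg):
            print(f"  [{f.severity}] {f.rule}: {f.evidence}")
```

The script is deliberately conservative: it only reports on statements it can see, never echoes credential material, and treats the absence of `no vstack` as a finding because Smart Install defaults to enabled on many platforms. Running it over configuration backups collected from every device gives a fleet-wide view of exactly the weaknesses the advisories say are being exploited, and re-running it after remediation confirms the hardened state.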
Knowledge-sharing programs enable infrastructure operators to benefit from the experiences of others and to receive valuable, timely threat intelligence from government sources. The FBI warning on Russian targeting of networking devices provided operational details about the threat, including specific Indicators of Compromise (IOCs) and YARA rules, so that organizations can better detect these sorts of intrusions. Just as vital, international cooperation is required in an era when cyber threats affect all nations and the global connectivity infrastructure. The joint technical alert from the Department of Homeland Security, the FBI and the United Kingdom’s National Cyber Security Centre shows how allies are joining forces to share threat intelligence and respond to complex adversaries.
The DaVita case and the continued Russian targeting of critical infrastructure show that cyber resilience is not just a matter of stopping attacks, but of ensuring essential services continue to function under duress. To make progress, organizations need to invest in the right technologies and people so they can build cybersecurity capabilities at least as advanced as today’s threats, while also making sure important functions can keep operating despite attacks. Such a challenging undertaking demands a culture of security awareness at every level, from top management to factory workers. Through regular training, clear policies and constant communication, everyone in the organization comes to understand that security is an operational decision.
As we rely more and more on digital infrastructure, the consequences of getting cybersecurity wrong have never been greater. Water treatment operators in Oldsmar were lucky to catch their attack early, and DaVita’s success in delivering patient care during a huge breach offers a preview of what is achievable with basic preparation. These attacks are reminders that cyber resilience is not just about defending computer networks; in the end it is about protecting the essential services that underpin our communities and way of life.
The nature of threats will change as adversaries innovate and shift their focus from one exploitation technique to another. We can only defend the vital infrastructure on which modern society relies by investing over time in resilience, engaging in public–private partnerships and implementing adaptive strategies premised on the inevitability of compromise. It is not a question of whether cyberattacks against our critical infrastructure will come, but of being prepared when they arrive.

