Climate Disruption and Digitalization Force Evolution in Industrial Cybersecurity for Critical Infrastructure

The industrial threat landscape is increasingly shaped by extreme weather events, which are revealing new vulnerabilities and broadening the cyberattack surface across critical infrastructure. The convergence of Information Technology (IT) and Operational Technology (OT), alongside the rise of cloud technology, has prompted organizations to enhance their security measures. However, the pace of extreme weather occurrences has outstripped security advancements, as existing systems were not originally designed to withstand such challenges.

OT environments remain inadequately protected. Utility and infrastructure operators are enhancing remote monitoring, cloud connectivity, and sensor networks to adapt to climate-driven disruptions. However, these digital solutions also expand the attack surface, creating new risks for ransomware, supply-chain compromises, and politically motivated cyberattacks. Cloud services and internet access have emerged as primary avenues for attacks, with 35% of critical national infrastructure organizations expressing concerns over insufficient security monitoring.

The complexity of the challenge is further compounded by the integration of renewables and microgrids into industrial systems, driven by decarbonization efforts. Distributed energy resources introduce distributed vulnerabilities. Edge-connected devices and smart grid architectures present cyber-physical risks that conventional perimeter defenses cannot adequately address, as both nation-states and criminal actors continuously evolve to exploit these new attack surfaces.

Faced with compounded stressors such as extreme weather and cyberattacks, organizations are increasingly exposing core weaknesses. Despite a shortage of cyber talent and funding, advancements in security tools and cyber maturity have been made. Critical infrastructure organizations are struggling to respond swiftly to these cybersecurity threats and incidents.

Building climate-resilient cybersecurity is no longer a distant goal; it is an immediate necessity. Organizations can no longer afford to treat cyber risk and climate planning as separate entities. There is a pressing need to integrate these considerations from the outset. This requires stronger OT-focused security frameworks, consistent investment in robust detection tools, and, crucially, teams prepared to respond effectively when crises arise. Floods can disrupt power, while grid failures create vulnerabilities. Cyberattacks often coincide with these moments of weakness, making it imperative for organizations to plan for these scenarios collectively.

Climate Change is Rewriting the Industrial Cyber Risk Map

Experts have noted that climate change is fundamentally altering the risk calculus for industrial cybersecurity across critical infrastructure sectors, including energy, water, and transportation. Vytautas Butrimas, a retired industrial cybersecurity consultant and member of the International Society of Automation (ISA), highlighted that the transition from fossil fuel thermal power plants to decentralized inverter-generated power from sources like solar and wind has complicated grid management. He pointed out that the Iberian blackout in April was not due to a cyber incident but rather management issues related to grid instability.

In terms of malicious cyberattacks, Butrimas referenced the December 29, 2025, attack on the Polish power grid, which targeted the management of inverter-generated power. The attack severed communications between substations and the Distribution System Operator (DSO), resulting in a loss of visibility and control over approximately 30 substations. While power was not lost, this incident exposed vulnerabilities in managing the transition from thermal to inverter-based power sources.

Andrew (Andy) Bochman, resilience strategic lead at West Yost, stated that climate, although it lacks malicious intent, poses a more significant physical threat than cyber risks. He emphasized that the damage from natural disasters such as floods and fires far outweighs the damage caused by cyber actors.

Tim Gale, director for industrial cybersecurity at 1898 & Co., noted that extreme weather forces systems to operate closer to their limits, leaving little room for error. He warned that if a cyberattack occurs while systems are already strained, failures can cascade rapidly. Adversaries are likely to exploit these vulnerabilities when organizations are preoccupied with other crises.

Gale asserted the necessity of treating cyber and climate risks as interconnected rather than separate events. He advocated for a comprehensive strategy, such as that outlined in the ISA/IEC 62443 standard.

Aligning Climate Resilience with OT Security

The integration of climate resilience planning and industrial cybersecurity strategies is crucial for organizations. Butrimas indicated that he was unaware of any existing integration between these two areas. While grid operators do engage in planning for power production and availability, this planning often lacks cybersecurity measures. Bochman emphasized that engineers and operators, who are impacted by both climate and cyber risks, should be managed and monitored by the risk committee to enhance prioritization and risk management.

Gale pointed out that many organizations still operate climate resilience and OT cybersecurity in silos, which obscures the understanding of compounded threats. He called for integrated governance, where engineering, safety, and security teams collaborate to develop unified security and resilience strategies.

Gennady Kreukniet, team lead at DNV Cyber, noted that most organizations treat climate resilience and cybersecurity as parallel workstreams rather than unified architecture. He argued that truly integrated governance remains rare and that aligning these domains requires a shift from compliance-driven reporting to a consolidated risk-based strategy.

When Clean Energy Meets Cyber Risk

As decarbonization accelerates, the proliferation of distributed energy resources, including renewables and microgrids, introduces new cyber-physical vulnerabilities that traditional security frameworks are ill-equipped to address. Butrimas acknowledged that the inclusion of inverter-produced power complicates system management, particularly in maintaining synchronization. Protection devices are essential for responding to system failures, as they disconnect bulk power equipment from the grid during cascading blackouts.

He highlighted that protection devices were targeted during the 2016 blackout in Ukraine, as well as in the recent attacks on the Polish grid. If these protections are compromised, the risk of damage to bulk power equipment increases during grid restarts, potentially leading to prolonged blackouts.

Bochman emphasized that climate acts as a driver for new digitally-enabled energy technologies, which introduce vast new attack surfaces. The industry is still in the early stages of understanding how best to defend against these emerging risks.

Gale pointed out that decentralized energy systems expand the attack surface, as traditional security models assume a protected perimeter. Distributed Energy Resources (DERs) challenge this model, with many edge devices operating on public networks and often lacking robust security measures. Kreukniet noted that smaller asset owners may operate under tighter budgets, leading to security gaps, especially when physical assets are exposed.

Cyberattacks and Climate Shocks Strain Response Plans

As critical infrastructure faces the dual threats of extreme weather and potential cyberattacks, significant gaps in incident response and recovery capabilities become apparent. Butrimas noted that while operators have contingency plans for natural events, these plans can be undermined by cyberattacks that sabotage recovery efforts. Bochman highlighted that communication and coordination gaps pose significant challenges, as different groups with varying skill sets are responsible for building resilience and responding to incidents.

Gale pointed out that existing response plans are often inadequate for compound disasters. Tabletop exercises rarely simulate scenarios involving cyberattacks during floods or power outages, and backup and recovery programs may be inconsistent. Kreukniet emphasized that the industry lacks sufficient skilled engineers and resources for rapid restoration during compounded crises.

Building Climate-Resilient Cybersecurity for Critical Infrastructure

Experts are assessing what a climate-resilient cybersecurity posture will require over the next decade and whether organizations are investing at the necessary scale. Butrimas stressed the importance of contingency planning, which should involve public and private collaboration and regular exercises to test the effectiveness of these plans.

Bochman noted that closer coordination among digital defenders could enhance resilience. Gale emphasized that a climate-resilient cybersecurity posture must adopt a unified, all-risk approach, integrating cyber, physical, and environmental risks into a cohesive framework.

Kreukniet concluded that achieving true climate-resilient security necessitates sustained investment in grid flexibility, renewables integration, and digital resilience, alongside integrated governance and secure-by-design operations.

As reported by industrialcyber.co.
