Critical Infrastructure Under Attack: Energy, Water and Health as New Fronts in Cyber Warfare
In 2025, 50% of all global ransomware attacks targeted critical sectors. The energy and utilities sector saw an 80% increase in attacks compared to the previous year. In March 2026, a state-sponsored attack compromised 200,000 systems of medical device manufacturer Stryker. CISA issued a formal alert urging critical organisations to prepare for cyber disruptions.
The figures from 2025 remove any ambiguity regarding the direction of the threat: 2,332 of the 4,701 registered ransomware incidents that year, or 50% of the total, targeted critical sectors such as manufacturing, healthcare, energy, transport, and financial services. The energy and utilities sector recorded an 80% increase in attacks compared to 2024. American utilities suffered 1,162 cyberattacks in 2024, nearly a 70% jump from the 689 in 2023.
The incidents of 2026 confirm this trajectory. In March, state-sponsored actors compromised Stryker, a manufacturer of medical devices, destroying or disrupting over 200,000 systems, servers, and mobile devices. In February, a ransomware attack on the University of Mississippi Medical Center forced the closure of all 35 clinic locations across the state and led to the cancellation of elective surgeries. In December 2025, a coordinated attack targeted approximately 30 facilities connected to Poland's power grid.
The Shift in Attack Vector
The most alarming pattern is not the volume, but the sophistication. The FBI identified the Russian FSB using customised tools against Cisco infrastructure in August 2025. CISA documented Chinese groups like Volt Typhoon and Salt Typhoon employing "living-off-the-land" tactics, using legitimate operating system tools to move laterally without triggering traditional security alerts.
In the water infrastructure sector, a report from the UK’s Drinking Water Inspectorate revealed 15 notifications of attacks on water suppliers between January 2024 and October 2025. In April 2025, pro-Russian hackers exploited weak credentials on an internet-connected control panel to take control of a small dam's system in Norway, opening a valve for four hours.
The Attack Surface Has Expanded
In April 2026, every serious incident tracked by researchers was attributed to a compromised third party: a supplier, BPO provider, or application connected via OAuth. The attack surface has shifted from the organisation's perimeter to the digital supply chain. Critical infrastructure organisations frequently operate with operational technology (OT) networks that were designed decades ago without consideration for internet connectivity.
What CISA Is Calling For
In May 2026, CISA formalised guidance urging critical infrastructure organisations to prepare explicit plans to operate under cyber disruption, including manual fallback procedures for control systems, alternative communications when primary networks are compromised, and regular large-scale attack simulation exercises.
For boards of directors, the question is no longer if an attack will occur. It is whether the organisation can operate when it does.