Summary Bullets:

• Geopolitical conflicts are forcing providers of critical national infrastructure to revisit and double down on the securing of supply chain to reduce operational risks and improve auditability.

• This is forcing businesses to unify cyber security with enterprise-wide operational resiliency. This is both the highest priority and greatest challenge.

In times of war, a rise of nationalism, global tariffs, and market volatility, mixed in with unhealthy doses of geopolitical tensions, state-assisted cyber-attacks targeting critical national infrastructure (CNI) are on the rise. Unlike other sectors, CNI are the core systems that underpin the functioning or delivery of essential services. CNI is also vital for the running of the economy. Major sectors such as transportation, utilities (e.g., energy, water), banking, health care, government services, telecoms, etc. fall within this group. While these sectors have always been required to guarantee confidentiality, integrity, and availability of information crucial to their operations at a higher standard compared to other sectors, it is the supply chain which is the weakest link. This has the greatest number of threat vectors from brute-force attacks, exploitation of software vulnerabilities to various strains of malware and ransomware attacks happens here.

Uncertainty brings this complexity for supply chain. And other factors such as the vast distances to suppliers, a focus on just-in-time delivery models and limited or no visibility of critical nodes exacerbate the security issue. Island hopping, for example, where threat actors bypass a primary target’s defenses by first compromising a less secure partner, vendor, or affiliate is common in these environments. The Verizon Data Breach Investigations Report 2025 reports that 30% of all breaches involve a third party. Governments will continue to raise the standards and apply policies differently across industries. These sectors, in turn, will intensify auditing and reporting while embracing more risk-management models such as NIST down to evolving strategies such as zero trust.

Balancing Cyber with Operational Resilience

The CNI sector is also putting a high priority on the presumption of a breach. The focus here is to reduce dwell times when events occur. Organizations will also look for more effective use of AI and analytics for real-tine threat detection. They will have formalized incident response plans and playbooks in place to contain, isolate and recover from different types of attacks. This will include post-event activity from root cause analysis to external reporting. Increasingly cybersecurity, typically managed by a centralized department or team is starting to roll up into operational resiliency (ISO 22301) where an entire organization plans for how best to prepare, withstand, adapt to, respond and recover from any number of disruptive events (cyber, physical, supply-chain, natural, or operational) to deliver critical services.

This encompasses people, processes, physical assets, and technology. This convergence is also driven by regulations like the EU’s Digital Operational Resilience Act (DORA) in financial services, NIST frameworks, and others to reduce fragmentation. Despite all the efforts, there is much room for improvement. GlobalData research shows that this is the highest strategic priority in 2026, it is also the biggest challenge. And despite all the planning and preparation, approximately 60% of industries in CNI reported at least one SEV-1 or SEV-2 outage in the past 12-18 months. And nearly 70% report a significant network degradation event wither monthly or quarterly.

CNI sectors are more likely to take technology projects in-house building and managing own systems, they do rely on technology vendors for technical expertise, security, or compliance certifications, access to partner ecosystems and overall consulting and system integration. In current times, enterprises with CNI will continue to consolidate security vendors, but will deepen relationships with the fewer partners remaining.