Infrastructure cyber attacks

When attackers shut down Colonial Pipeline in May 2021 using a single compromised VPN password, 45% of the fuel supply for the U.S. East Coast stopped flowing. Within four days, 71% of gas stations in Charlotte had run out of fuel. This was not a personal cybercrime — it was an attack on physical infrastructure, and the people standing in fuel lines had no warning it was coming. That category of threat — cyberattacks aimed at the systems that keep cities functional — is distinct from phishing scams and identity theft, and it requires a different kind of preparation.

The critical distinction: infrastructure-targeting attacks hit power utilities, water treatment plants, natural gas pipelines, and hospital networks. Their effects land in the physical world — no heat, no water pressure, no medications, treatment delays in emergency rooms. Personal cybercrime (stolen credentials, ransomed files) is serious but manageable with standard digital hygiene. Infrastructure attacks can leave entire regions without essential services for days to weeks, and your individual security settings are irrelevant.

How infrastructure attacks unfold

The sequence is more predictable than it seems. Attackers — often state-sponsored groups — gain access through a weak point: a contractor's credentials, a default password on industrial control software, remote access tools left open to the internet. They move through the network, mapping systems, and often sit quietly for weeks or months. Then they strike, typically at a moment calculated for maximum disruption.

Chinese state-sponsored groups known collectively as the "Typhoon" campaigns have systematically compromised hundreds of small and medium-sized U.S. water utilities, power distribution companies, and rural hospitals — not for immediate disruption, but for pre-positioned leverage. The FBI has described these as capabilities held in reserve.

U.S. utilities faced 1,162 cyberattacks in 2024, a 70% increase from 2023. By the third quarter of 2024, utilities experienced a 234% year-over-year rise in weekly attack volume. Healthcare networks have been repeatedly hit — when the Ascension hospital system was compromised, staff were forced to read medication charts on paper and manually track lab results.

Water systems are a particular concern. In 2024, the EPA found that nearly 70% of water utilities it inspected were in violation of basic cybersecurity standards. The Aliquippa, Pennsylvania water authority had to shut down operational technology systems after an Iran-linked group compromised a booster station. Even when attacks are caught early — as at Oldsmar, Florida, where a system control was adjusted to dangerous levels before an operator noticed — they reveal how thin the security margins are.

This is not the same as a comms blackout

A cyberattack on infrastructure is distinct from a communications outage caused by storms, equipment failure, or fiber cuts. Both leave you without services, but infrastructure attacks can cause physical damage (transformer burnout, chemical dosing errors, pipeline ruptures) that takes weeks to repair rather than hours. If the cause of a disruption is unknown, assume the longer recovery timeline until you have confirmation otherwise.

What you lose first

Understanding what services fail — and in what order — helps you sequence your response.

Electricity: Grid attacks are the highest-consequence scenario. A successful attack on high-voltage transformers could cause outages lasting weeks or months across large regions. Short of that, attacks on regional distribution operators can cut power to cities for days.

Water pressure and treatment: Municipal water relies on electric pumps and computer-controlled chemical dosing. Grid failure takes water systems with it. A direct attack on a water utility's control systems can compromise treatment quality even before pressure drops. After an extended outage, assume contamination and treat all tap water before use.

Fuel supply: Pipeline disruptions trigger cascading shortages. During the Colonial Pipeline outage, stations that appeared functional were drawing down reserves; the shortage hit retail in waves, not all at once.

Hospital capacity: When hospital networks go offline, non-emergency surgeries are canceled, electronic health records become inaccessible, and medication dispensing systems revert to manual processes. For anyone dependent on prescription medications or scheduled procedures, this matters immediately.

Banking and payment systems: Attacks on financial infrastructure can disable point-of-sale terminals and ATMs even when physical bank branches remain open. Cash in hand becomes functional; cards may not.

Recognizing an infrastructure event

The early signal is usually unexplained, widespread failure of something that should be reliable. A boil-water advisory following an extended power outage may indicate water treatment was compromised, not just interrupted. Fuel shortages appearing simultaneously at unrelated stations, combined with news of a "systems issue" at a pipeline company, follow the infrastructure attack pattern.

At the individual level, the useful question is not "was this a cyberattack?" but "how long should I plan for this to last?" Infrastructure attacks — especially those involving physical damage to industrial equipment — recover on the timescale of weeks, not the hours typical of weather-related outages.

Field note

Keep at least three days of cash in small bills accessible at home. When payment infrastructure fails, the problem isn't that your bank is insolvent — it's that the terminals don't work. A $20 bill at a cash-only gas station is worth more than a full bank account you can't access.

Before an event

Water: Store at minimum one gallon (3.8 liters) per person per day for a two-week supply. The water storage foundation covers containers, treatment, and rotation. Know how to boil and filter if your municipal supply is compromised.

Fuel: Keep your vehicle's tank above half at all times. Regional infrastructure attacks can exhaust retail fuel inventories within 72 hours of a disruption.

Cash: Maintain a working supply of small bills. During the Colonial Pipeline disruption, ATMs ran dry in affected cities within 48 hours.

Offline records: Keep physical copies of critical documents — prescriptions, medical history, insurance cards, identification, financial account numbers. When hospital systems go offline, paper records become the medium of care.

Power: A power station (500–1,000 Wh) with a solar input panel keeps phones, radios, and medical devices operational during short grid interruptions. The energy foundation covers backup power systems from portable units to whole-home solar.

Food: A two-week supply of shelf-stable food eliminates one pressure point when supply chains are stressed. Refrigerated food becomes a liability in the first four hours of a grid failure.

Community: Your neighbors are both an intelligence resource and a mutual-aid network. In the Colonial Pipeline disruption, informal information sharing about which stations still had fuel spread faster than any official source.

During an extended outage

Treat the first 24 hours as status-gathering time. The gap between an announced "system issue" and a realistic recovery timeline is usually wide; official statements default to optimism. Track regional news across multiple channels.

If water service is interrupted or a boil advisory is issued, implement water purification procedures immediately. Do not wait for a second advisory to confirm the first.

Keep refrigerator and freezer doors closed to preserve the cold. A full refrigerator stays safe for four hours with the door sealed; a full freezer holds 48 hours. An empty freezer fails faster — fill gaps with frozen water bottles to extend hold time.

Recovery

After infrastructure attacks, service restoration typically follows this sequence: power first, then water treatment, then retail fuel, then banking systems. Hospitals may operate in degraded mode for weeks while network systems are rebuilt.

Before returning to full tap water use after a water-system attack, wait for an explicit all-clear from the utility — not just restoration of pressure. Chemical dosing errors may not be announced immediately, and pressure restoration does not guarantee treatment quality.

Preparation checklist

  • Store two weeks of water: one gallon (3.8 liters) per person per day
  • Keep vehicle fuel above half-tank as a default habit
  • Maintain three to seven days of cash in small bills at home
  • Make physical copies of all critical medical records, prescriptions, and financial documents
  • Own a battery-powered or hand-crank radio for emergency broadcasts
  • Acquire a 500–1,000 Wh portable power station and a 100-watt solar panel
  • Store two weeks of shelf-stable food per household member
  • Know the boil-water procedure: rolling boil for one minute (three minutes above 6,500 feet / 2,000 meters)
  • Identify a neighbor with a well or alternate water source

Infrastructure cyber attacks don't require a technical response from you — they require a physical one. The grid-down page covers the full spectrum of extended power outage scenarios and what the first 72 hours look like across different outage durations.