Infrastructure cyber attacks

When attackers shut down Colonial Pipeline in May 2021 using a single compromised VPN password, 45% of the fuel supply for the U.S. East Coast stopped flowing. Within four days, 71% of gas stations in Charlotte had run out of fuel. This was not a personal cybercrime — it was an attack on physical infrastructure, and the people standing in fuel lines had no warning it was coming. That category of threat — cyberattacks aimed at the systems that keep cities functional — is distinct from phishing scams and identity theft, and it requires a different kind of preparation.

The critical distinction: infrastructure-targeting attacks hit power utilities, water treatment plants, natural gas pipelines, and hospital networks. Their effects land in the physical world — no heat, no water pressure, no medications, treatment delays in emergency rooms. Personal cybercrime (stolen credentials, ransomed files) is serious but manageable with standard digital hygiene. Infrastructure attacks can leave entire regions without essential services for days to weeks, and your individual security settings are irrelevant.

How infrastructure attacks unfold

The sequence is more predictable than it seems. Attackers — often state-sponsored groups — gain access through a weak point: a contractor's credentials, a default password on industrial control software, remote access tools left open to the internet. They move through the network, mapping systems, and often sit quietly for weeks or months. Then they detonate, typically at a moment calculated for maximum disruption.

Chinese state-sponsored groups known collectively as the "Typhoon" campaigns have systematically compromised hundreds of small and medium-sized U.S. water utilities, power distribution companies, and rural hospitals — not for immediate disruption, but for pre-positioned leverage. The FBI has described these as capabilities held in reserve.

U.S. utilities faced 1,162 cyberattacks in 2024, a 70% increase from 2023. By the third quarter of 2024, utilities experienced a 234% year-over-year rise in weekly attack volume. Healthcare networks have been repeatedly hit — when the Ascension hospital system was compromised, staff were forced to read medication charts on paper and manually track lab results.

Water systems are a particular concern. In 2024, the EPA found that nearly 70% of water utilities it inspected were in violation of basic cybersecurity standards. The Aliquippa, Pennsylvania water authority had to shut down operational technology systems after an Iran-linked group compromised a booster station. Even when attacks are caught early — as at Oldsmar, Florida, where a control setpoint was changed to a dangerous level before an operator noticed — they reveal how thin the security margins are.

This is not the same as a comms blackout

A cyberattack on infrastructure is distinct from a communications outage caused by storms, equipment failure, or fiber cuts. Both leave you without services, but infrastructure attacks can cause physical damage (transformer burnout, chemical dosing errors, pipeline ruptures) that takes weeks to repair rather than hours. If the cause of a disruption is unknown, assume the longer recovery timeline until you have confirmation otherwise.

How attacks reach physical systems

Understanding the attack path clarifies why individual digital hygiene barely matters for infrastructure threats — and why physical preparation is the only lever individuals have.

Spear-phishing as initial access. Most successful infrastructure intrusions begin with a targeted email, not a technical exploit. A spear-phishing message is not the generic "click here to claim your prize" of consumer scams. It is a carefully crafted message to a specific person, often referencing their role, their organization, recent events, or colleagues by name — information assembled from LinkedIn, company websites, and prior breaches. The December 2015 Ukraine power grid attacks, which left 225,000 customers without electricity, began with spear-phishing emails sent to utility employees. The emails contained Microsoft Word documents with embedded macros that installed BlackEnergy malware. From that initial foothold on the corporate IT network, attackers spent months moving laterally toward the operational technology systems.

Lateral movement into ICS/SCADA. The critical vulnerability in modern utilities is the convergence of information technology (IT) and operational technology (OT) networks. Historically, industrial control systems ran on isolated networks with no internet exposure — air-gapped by design. Efficiency pressures over the past two decades drove integration: remote monitoring, centralized management, vendor access for diagnostics. Each connection is a potential path. Once inside the corporate network, attackers use credential-harvesting tools and exploit the fact that SCADA systems often run legacy operating systems without modern security patches, because taking them offline for updates interrupts critical physical processes.

Ransomware deployment sequence. In the Colonial Pipeline attack, the sequence took less than two hours from initial access to encryption. The attackers used a compromised VPN credential (obtained from a leaked password database) to authenticate, then moved through the network locating backup systems and management consoles before triggering the DarkSide ransomware payload across both the corporate IT network and operational systems. The pipeline was shut down not because the attackers had direct control of the pipeline — they did not — but because the company could not safely operate pipeline systems while its billing and monitoring infrastructure was encrypted.

Recovery timelines at physical scale. Software systems can be restored from backups in hours to days. Physical infrastructure damage creates fundamentally different timelines. A large power transformer — the type that steps voltage down from transmission levels to distribution — weighs up to 400 tons (360 metric tons), requires custom engineering for each installation, and has a manufacturing lead time of 18 to 24 months under normal conditions. A coordinated attack targeting a small number of high-voltage transformers across multiple substations could produce regional outages measured in months to years, not days. This is why the FBI categorizes the Typhoon pre-positioning campaigns as strategic leverage, not near-term attacks — the capability is held in reserve.

The IT/OT gap is not your protection

Consumer-level cybersecurity — strong passwords, VPN use, two-factor authentication — does not protect you from infrastructure attacks. Those attacks enter through industrial systems you have no control over. Your protection is physical: water, food, fuel, and backup power held at home, in quantities proportional to a weeks-long outage rather than a weekend storm.

What you lose first

Understanding what services fail — and in what order — helps you sequence your response.

Electricity: Grid attacks are the highest-consequence scenario. A successful attack on high-voltage transformers could cause outages lasting weeks or months across large regions. Short of that, attacks on regional distribution operators can cut power to cities for days.

Water pressure and treatment: Municipal water relies on electric pumps and computer-controlled chemical dosing. Grid failure takes water systems with it. A direct attack on a water utility's control systems can compromise treatment quality even before pressure drops. After an extended outage, assume contamination and treat all tap water before use.

Fuel supply: Pipeline disruptions trigger cascading shortages. During the Colonial Pipeline outage, stations that appeared functional were drawing down reserves; the shortage hit retail in waves, not all at once.

Hospital capacity: When hospital networks go offline, non-emergency surgeries are canceled, electronic health records become inaccessible, and medication dispensing systems revert to manual processes. For anyone dependent on prescription medications or scheduled procedures, this matters immediately.

Banking and payment systems: Attacks on financial infrastructure can disable point-of-sale terminals and ATMs even when physical bank branches remain open. Cash in hand becomes functional; cards may not.

Recognizing an infrastructure event

The early signal is usually unexplained, widespread failure of something that should be reliable. A boil-water advisory following an extended power outage may indicate water treatment was compromised, not just interrupted. Fuel shortages appearing simultaneously at unrelated stations, combined with news of a "systems issue" at a pipeline company, follow the infrastructure attack pattern.

At the individual level, the useful question is not "was this a cyberattack?" but "how long should I plan for this to last?" Infrastructure attacks — especially those involving physical damage to industrial equipment — recover on the timescale of weeks, not the hours typical of weather-related outages.

Field note

Keep at least three days of cash in small bills accessible at home. When payment infrastructure fails, the problem isn't that your bank is insolvent — it's that the terminals don't work. A $20 bill at a cash-only gas station is worth more than a full bank account you can't access.

Personal OPSEC hardening

While individual actions cannot prevent infrastructure attacks, they reduce your personal exposure during the periods of financial and communications disruption that follow. These are specific, measurable steps — not generic advice:

Reduce your digital single points of failure. Keep printed copies of the ten most important documents you cannot replace: passport, birth certificate, insurance policies, medical records, prescription list (with generic drug names and dosages, not just brand names), bank account numbers, vehicle titles, property records, and emergency contact list. Store them in a fireproof box or waterproof container that you can carry. When hospital systems are offline, medical staff work from paper; your printed prescription list determines whether they can help you.

Diversify communication paths. A single smartphone connected to a single carrier is a single point of failure. A battery-powered AM/FM/NOAA weather radio covers emergency broadcast. A GMRS or FRS two-way radio covers short-range household-to-neighbor communication when cell networks are overloaded. A wired landline — increasingly rare but still available from major carriers — works during power outages because the copper loop carries its own current. At least two of these should be available in your household before an event.

Know your medication exposure. The healthcare system's digital dependence is one of the least visible risks in an infrastructure attack. When electronic health record systems go offline, medication dispensing systems revert to manual lookups, and prescriptions that exist only in digital pharmacy records may be unverifiable. Maintain at minimum a 30-day supply of critical prescription medications, know the generic name of every medication you take (not just the brand name), and keep a printed copy of your prescription history. A 90-day supply is a realistic target for medications taken indefinitely.

Before an event

Water: Store at minimum one gallon (3.8 liters) per person per day for a two-week supply. The water storage foundation covers containers, treatment, and rotation. Know how to boil and filter if your municipal supply is compromised.

Fuel: Keep your vehicle's tank above half at all times. Regional infrastructure attacks can exhaust retail fuel inventories within 72 hours of a disruption.

Cash: Maintain a working supply of small bills. During the Colonial Pipeline disruption, ATMs ran dry in affected cities within 48 hours.

Offline records: Keep physical copies of critical documents — prescriptions, medical history, insurance cards, identification, financial account numbers. When hospital systems go offline, paper records become the medium of care.

Power: A portable power station (500–1,000 Wh) with a solar input panel keeps phones, radios, and medical devices operational during short grid interruptions. The energy foundation covers backup power systems from portable units to whole-home solar.

Food: A two-week supply of shelf-stable food eliminates one pressure point when supply chains are stressed. Refrigerated food becomes a liability in the first four hours of a grid failure.

Community: Your neighbors are both an intelligence resource and a mutual-aid network. In the Colonial Pipeline disruption, informal information sharing about which stations still had fuel spread faster than any official source.

During an extended outage

Treat the first 24 hours as status-gathering time. The gap between an announced "system issue" and a realistic recovery timeline is usually wide; official statements default to optimism. Track regional news across multiple channels.

If water service is interrupted or a boil advisory is issued, implement water purification procedures immediately. Do not wait for a second advisory to confirm the first.

Preserve refrigerator cold by keeping doors closed. A full refrigerator stays safe for four hours with the door sealed; a full freezer holds 48 hours. An empty freezer fails faster — fill gaps with frozen water bottles to extend hold time.

Recovery

After infrastructure attacks, the sequence of service restoration typically follows: power first, then water treatment, then retail fuel, then banking systems. Hospitals may operate in degraded mode for weeks while network systems are rebuilt.

Before returning to full tap water use after a water-system attack, wait for an explicit all-clear from the utility — not just restoration of pressure. Chemical dosing errors may not be announced immediately, and pressure restoration does not guarantee treatment quality.

Preparation checklist

  • Store two weeks of water: one gallon (3.8 liters) per person per day
  • Keep vehicle fuel above half-tank as a default habit
  • Maintain three to seven days of cash in small bills at home
  • Make physical copies of all critical medical records, prescriptions, and financial documents
  • Own a battery-powered or hand-crank radio for emergency broadcasts
  • Acquire a 500–1,000 Wh portable power station and a 100-watt solar panel
  • Store two weeks of shelf-stable food per household member
  • Know the boil-water procedure: rolling boil for one minute, or three minutes at elevations above 6,500 feet (2,000 meters)
  • Identify a neighbor with a well or alternate water source
  • Write the generic name, dosage, and prescribing physician contact for every prescription medication in your household — store this list with your physical documents
  • Establish at least one non-smartphone communication path: battery radio, GMRS two-way, or wired landline
  • Know the service restoration sequence: power first, then water treatment, then retail fuel, then payment systems — plan your response accordingly rather than assuming simultaneous restoration

Infrastructure cyber attacks don't require a technical response from you — they require a physical one. The grid-down page covers the full spectrum of extended power outage scenarios and what the first 72 hours look like across different outage durations.