Adversaries Could Really Harm U.S. Infrastructure, Experts Warn

Cyber experts warn of “dire” situation.

Nation-states or other adversaries are able to cause significant harm to the United States through further cyber attacks on critical infrastructure—whether on the U.S. electric grid, water management, fuel supply systems, hospitals, transportation or other sectors—according to cyber experts.

Cyber attacks have already disrupted oil transportation on the East Coast through the 2021 ransomware attack on Colonial Pipeline. Healthcare is seeing an increasing number of network breaches, such as the 2025 Yale New Haven Health network attack.

“The homeland has become the frontline battlespace when we talk about operations below the threshold of war, cyber attacks targeting essential services, critical infrastructure and military readiness, and our adversaries are out there pursuing those paths as they're increasingly targeting critical infrastructure, and need I mention Volt Typhoon, Salt Typhoon, as wake-up calls,” said Brig. Gen. Paul H. Fredenburgh, USA (Ret.), executive vice president, National Security and Defense, AFCEA International.

Fredenburgh led the discussion with military, civilian and private sector officials on June 3 during AFCEA’s TechNet Cyber conference.

“Cybersecurity has become absolutely inseparable from national security—from industrial control systems, operational technology networks, supply chain dependencies, cloud-enabled ecosystems, the convergence of operational technology (OT) and information technology (IT),” he said.

The cyber experts expect this to keep escalating until the United States is affected by cyber attacks at a level not seen before.

“I actually think we are close to critical here and that it is only a matter of time before we have, in my opinion, an attack that is going to really do harm to our quality of life,” warned Christopher Thomas, former director, Cybersecurity Integration and Synchronization, Office of the Deputy Chief of Staff, U.S. Army G-6.

“I have been really concerned about this for a while, and I think this is urgent and dire,” confirmed John Sahlin, vice president, Cyber Solutions, GDIT.

Sahlin acknowledged that digital attacks on critical infrastructure are nothing novel. Russia employed non-kinetic action before invading Ukraine, as has the United States, and it makes sense that U.S. adversaries could do the same.

“This is not new,” Sahlin said. “Russia invades Ukraine over a dozen years ago, and first thing they did was a prelude to kinetic action. It turns out the lights. And even we are using these techniques today. President Trump was very clear that during Operation Absolute Resolve, the first thing we did prior to going kinetic in Venezuela was we shut off the lights, we blinded them. This is not new technology; these are not new techniques necessarily. And we need to get serious about what cyber resilience for critical infrastructure really looks like for the United States.”

At particular risk are the OT supervisory control and data acquisition (SCADA) systems and data center infrastructure (DCI) used to control utility processes and machines, added Col. Adolph "Rocko" Rodriguez, USAF.

Rodriguez is the director of critical infrastructure at the Department of War Cyber Defense Command (DCDC), the new organization in charge of protecting the military’s Department of Defense Information Network (DODIN)—an evolution of the Joint Forces Headquarters-DODIN.

“I have been doing this since 2018,” he said. “Back in 2022, I did an F-35 vulnerability assessment and led a task force that went from Eielson Air Force Base all the way to Guam and back. We did a lot of discovery of OT systems and DCI components that had not been touched, were not secure and were definitely vulnerable."

Moreover, with the advent of artificial intelligence, today’s adversaries no longer need the technical skill to mount consequential digital attacks themselves, warned Louis Eichenbaum, federal chief technology officer (CTO), ColorTokens.

“The reality is you do not even have to be a genius anymore,” Eichenbaum stated. “You can use Claude to help you craft a very, very effective attack against a device that’s connected to the internet for maybe two minutes.”

Through his experience as the chief information security officer (CISO) at the U.S. Department of the Interior, Eichenbaum saw firsthand the possible risks of legacy OT systems.

“The Bureau of Reclamation manages all the dam infrastructure across the United States, the Hoover Dam, the Coulee Dam, they are wonderful dams,” the CTO stated. “As you can imagine, if there were some sort of cyber compromise and someone was able to open a valve or do something, it could be quite a crisis.”

Eichenbaum advised cyber leaders to help change the culture around such systems and the incorrect belief that they do not present risks because they are air-gapped, meaning the systems are not connected to a network.

“For years, we had this idea that, ‘Well it's air gapped, it doesn't connect to the internet, it doesn't connect to our internal systems, so we're safe. We don't have to worry about it, we don't have to patch these systems, we don't have to modernize them,’” he emphasized. “But the systems, they are very old. We have 50-year-old applications running in there, and for multiple reasons, it is just very difficult to modernize an application in an OT system. But we cannot just assume that these things are safe, even if they are 100% air-gapped.”

As such, the nation’s leaders must identify and rank the highest priority assets within critical infrastructure.

“We have to put in priority order those things that are going to be affected that will either impact our quality of life or impact our operations” when cyber attacks on critical infrastructure occur, Thomas continued.

Casie Antalis, director of the Joint Cyber Coordination Group, Cybersecurity and Infrastructure Security Agency (CISA), oversees the synchronization of department-wide operational planning, risk assessment, technical deployments, investigations and stakeholder engagement to counter threats to U.S. cyber critical infrastructure.

“We are really interested in partnering with the Department of War and owner operators to think through how we have essential services, not just for the public, but also in a time of battle,” Antalis shared.

The director highlighted the importance of resilience: the ability of a critical infrastructure organization that has experienced a cyber incident to recover quickly, especially when facing an attack of greater scale.

“When I think resilience, it is really important to recognize how that is centered on being able to withstand and rapidly recover in the aftermath of a significant disruption,” she noted. “One of the things when we think about building that national resilience is what that collaborative partnership looks like between business and government, and also the community where we need to be able to have indicators and warnings.”

CISA is pursuing CI Fortify, a program to increase the resiliency of U.S. critical infrastructure, especially military bases, Antalis said. Resilience is especially key in today’s environment.

“When we start thinking about resilience, it is, ‘How do we keep the lights on, how do we turn them back off in a challenged environment?’” she ventured. “But how do we plan to do that without a ‘rip and replace’ model. Or is it, ‘We are so constrained, and we are in a poly crisis that we are not going to be able to get to fix that for a long time.’ That is what we need to plan for, and that is what resilience is, in my mind.”

Meanwhile, Rodriguez is helping to build a joint task force framework and command and control footprint, he said. The effort lays out which stakeholders control and execute cyber protections, especially where the authorities of the military and U.S. Cyber Command overlap with those of CISA, the FBI, the U.S. Coast Guard and the greater Department of War.

The DCDC is also working on how to continue operating before, during and after an attack, he said. This is crucial, given the scale of cyber attacks possible against the country.

“If everybody remembers, during our Afghanistan and Iraqi days, we created green zones,” Rodriguez explained. “So, what I am trying to build out is digital green zones by doing a few key things: one, looking at the true mission decomposition, figuring out what exactly I am trying to secure, and secondly, what is the data that I'm looking for ... how do I respond to execute a mission to secure it, defend it and then reconstitute, recover later."

The colonel recommended that the United States leverage homeland protection authorities from U.S. Northern Command with the National Guard—in the event of a catastrophic cyber attack.

“Why don't we execute the current authorities we currently have with NORTHCOM,” he stated. “They have homeland defense authorities with a hurricane or tornado or terrorist activity. We respond pretty quickly with the force from the state level up to the federal departments and executing a commonwealth C2 [command and control] plan so that we are saving lives. Why don't we build a cyber campaign plan that is enduring? We can utilize those NORTHCOM authorities with Cyber Command's authorities, build out the sectors very similar to FEMA.”

And because a cyber attack and a hurricane or other weather event would look the same to the average citizen, in terms of critical infrastructure shutdown, preparations need to address both, the cyber experts said.

“Threats can emerge for critical infrastructure from any direction, from Mother Nature to sophisticated nation-state actors and cyber criminals and other nefarious actors seeking to take advantage of our open society and our proliferation of technology to do us harm, and that's why it's so critical for us to kind of get together both with industry and the federal government and think through these problem sets,” Antalis noted.

Furthermore, just having a resiliency plan is not enough, Sahlin warned. Years ago, he had worked at a Silicon Valley data center that sat directly on a major earthquake fault line.

Even though the center was equipped with a backup generator, the employees had not powered it on since their training six months earlier.

“I asked them, ‘How many of you actually still remember how to do this?’” Eichenbaum shared. “They scoffed, started it up, and it took them about three hours. They had no muscle memory with it. I think that is equally important when we talk about resiliency. We cannot just have a plan, we have got to work the plan, and we have to practice the plan so that it becomes muscle memory for us. Now, I am absolutely not advocating that we go out and just turn off the lights on some random base and see what happens, but we have to be able to work together.”

TechNet Cyber is organized by AFCEA International. SIGNAL Media is the official media of AFCEA International.
