In the early hours of March 15, 2026, operators at a European country's power grid watched their control screens go black one by one. It was not a technical blackout: ransomware had encrypted the supervisory systems, leaving millions without electricity for hours. The incident, attributed to a state-linked group, was not isolated. Over the past twelve months, cyberattacks on critical infrastructure (power grids, water treatment plants, hospitals, and transport hubs) have become a daily threat redefining global security.
According to the World Economic Forum, cyberattacks on critical infrastructure increased by 40% in 2025, and the trend is accelerating in 2026.
The perfect target: systems that cannot stop
Unlike a corporate data breach, attacking critical infrastructure has immediate and visible consequences: blackouts, water contamination, hospital paralysis. These systems, designed decades ago to be reliable but not necessarily secure against digital intrusions, run on legacy technology that rarely receives security updates. An attacker does not need to bypass an ultramodern firewall; often it is enough to exploit a known vulnerability in industrial control software that has gone unpatched for years.

The most emblematic case in recent months occurred at a water treatment plant in a North American region. Attackers remotely altered chlorine and other chemical levels, forcing the evacuation of several towns. Although there were no fatalities, the incident showed that the line between cybercrime and sabotage with physical effects is increasingly thin.
State response: laws, sanctions, and shared defenses
Governments have reacted urgently. The European Union approved a directive in 2025 requiring critical infrastructure operators to report any incident within 24 hours, under threat of hefty fines. The United States has tightened sanctions against countries harboring ransomware groups and created a joint rapid response team between the Department of Homeland Security and the private sector.
What is ransomware?
It is a type of malicious software that encrypts a system's files and demands a ransom for their release. In critical infrastructure, the ransom can reach millions of dollars, and downtime puts human lives at risk.
Yet international cooperation remains the weak link. While some countries advocate for binding treaties prohibiting attacks on civilian infrastructure, others resist ceding sovereignty in cyberspace. The lack of a global framework allows attackers to operate from jurisdictions where extradition is nearly impossible.
Companies under pressure: insurance, audits, and resilience
The private sector is not standing still. Insurers now demand rigorous cybersecurity audits before issuing policies for critical infrastructure. Many companies are investing in backup systems disconnected from the main network and incident response teams that can isolate an attack within minutes. However, the cost is high, and small and medium enterprises, which often manage local substations or treatment plants, lag behind.

Artificial intelligence has entered the equation as a double-edged sword. On one hand, AI-based detection systems can identify anomalous traffic patterns and stop an attack before it spreads. On the other, attackers themselves use AI to generate adaptive malware that evades security filters. The digital arms race unfolds in real time, without respite.
What does this mean for the world?
The growing frequency of these attacks is redefining the very notion of national security. It is no longer enough to have armies and protected borders; a country can be destabilized from a remote terminal without a single shot. The resilience of critical infrastructure has become a measure of soft power, and those who fail to invest in cybersecurity risk turning their essential services into digital hostages. The question hanging in the air is whether the international community can reach an agreement before a large-scale attack triggers a humanitarian catastrophe.