The industrial threat landscape is increasingly influenced by extreme weather events, which are exposing new vulnerabilities and expanding the cyberattack surface across critical infrastructure. The convergence of IT and OT, together with the extensive use of cloud technology, has become a significant factor in motivating organizations to improve security. However, extreme weather events have outpaced security developments, which were not originally designed to handle them.
OT environments remain persistently underguarded. Operators of utilities and infrastructure are scaling up remote monitoring, cloud connectivity, and sensor networks to adapt to climate-driven disruptions, but those digital enablers of resilience are also expanding the attack surface, introducing new avenues for ransomware, supply-chain compromise, and even politically motivated cyberattacks. Cloud services and internet access were the most common avenues of attack, and 35% of critical national infrastructure organizations consider lack of security monitoring a major concern.
The challenge is made more complex by the integration of renewables and microgrids into industrial systems, driven by decarbonization. Distributed energy resources bring distributed vulnerabilities. Edge-connected devices and smart grid architecture and infrastructure introduce cyber-physical risks that conventional perimeter defense cannot address, as nation-states and criminals continually evolve to take advantage of these new attack surfaces.
Compound stressors, such as weather events coinciding with cyberattacks, are occurring more often than ever and exposing core weaknesses. Security tools and cyber maturity have advanced, but there is a shortage of cyber talent and funding to keep pace. Clearly, critical infrastructure organizations face challenges in taking swift action in response to these cybersecurity threats and incidents.
Building climate-resilient cybersecurity isn’t some distant goal anymore, but something that organizations have to tackle right now. Organizations can no longer afford to keep cyber risk and climate planning in separate silos. They need to connect and grow together, right from the start. This calls for tougher OT-focused security setups, steady investment in solid detection tools, and, maybe most importantly, teams who know what to do when things go sideways. Floods knock out power, while grid failures create windows of vulnerability. Cyberattacks tend to arrive precisely when defenses are stretched thinnest. These are not isolated worst-case scenarios anymore. They are happening together, and organizations that still plan for them separately are already behind.
Climate change is rewriting industrial cyber risk map
Industrial Cyber reached out to experts to examine how climate change is fundamentally altering the risk calculus for industrial cybersecurity across critical infrastructure sectors, including energy, water, and transportation.
Vytautas Butrimas, an industrial cybersecurity subject matter expert
“The move away from fossil fuel thermal power plants and toward less centralised inverter-generated power (from solar panels, wind mills) has increased the difficulties in managing and balancing power on the grids,” Vytautas Butrimas, a now retired industrial cybersecurity consultant and member of the International Society of Automation (ISA), told Industrial Cyber. “The Iberian blackout last April was not caused by a malicious cyber incident, but by management issues. Apparently, with the grid instability occurring on the peninsula, it was rather a policy decision that did not allow the inverter-generated power to participate in regaining balance.”
Butrimas noted that, in terms of malicious cyberattacks, the Dec. 29, 2025, attack on part of the Polish power grid targeted the management of inverter-generated power. “The attack focused on severing communications between the substations receiving inverter-generated power and the DSO managing the grid. Disabling the RTUs at the substation cut the communication link with the DSO, resulting in a loss of visibility and control of the affected substations (about 30). Although power was not lost, it exposed a new vulnerability in managing the transition from thermal to inverter-based power sources.”
Andrew (Andy) Bochman, resilience strategic lead at West Yost, told Industrial Cyber that climate is much more of a physical than a cyber risk, and it also differs in that there’s no malicious intent. “Floods, fires, freezes, etc., are physical threats for which gates, guards, and guns provide no value, and so far, greatly eclipse the damages to infrastructure orgs and other industrial companies wrought by cyber actors.”
Tim Gale, director for industrial cybersecurity at 1898 & Co., the consulting arm of Burns & McDonnell, told Industrial Cyber that extreme weather forces systems to run closer to their limits or in degraded mode, leaving minimal margin for error. “If a cyberattack hits while systems are already strained, failures cascade instantly. Adversaries exploit this window, targeting control systems while organizations focus attention elsewhere.”
“We cannot treat cyber and climate risks as separate events,” Gale said. “These risks should be assessed using a comprehensive strategy, such as the one outlined in the ISA/IEC 62443 standard.”
Climate change reshapes industrial cybersecurity because climate risk directly drives the massive deployment of renewables (solar, wind, BESS), with variable renewables surpassing 50% of electricity in 2024, Gennady Kreukniet, team lead, Netherlands I&OT, at DNV Cyber, told Industrial Cyber.
“This expansion brings new asset owners and extensive Distributed Energy Resources, increasing system fragmentation. Grid buildout is lagging, creating further operational exposure,” Kreukniet said. “That forces a shift in cybersecurity responsibilities across asset owners, DSOs, and TSOs. At the same time, environmental challenges such as flooding, droughts, fires, and extreme weather require new design principles and protective measures. Together, these dynamics fundamentally change the risk calculus: more assets, more interfaces, more volatility, and a much higher bar for secure, climate-resilient operations.”
Aligning climate resilience with OT security
The executives assess whether climate resilience planning and industrial cybersecurity strategies are genuinely integrated at the architectural and governance levels within most organizations, or whether the two still operate largely in separate silos.
Butrimas said he was not aware of any integration between industrial cybersecurity strategy and climate resilience planning. “However, the grid operators themselves do engage in planning power production and availability. If a hot day is forecasted, for example, they will plan accordingly, but to my knowledge, that does not include any cybersecurity measures. Unless the operator follows what is happening in the news, that is. If they are watching what is going on outside their windows, they should be aware of the incidents that are happening elsewhere, such as in the Iberian Peninsula and Poland last year, and earlier incidents, such as what happened to part of Ukraine’s power grid in December 2015 and December 2016.”
“Certainly, in most organizations, they are dealt with by different groups, but the two tribes impacted by both are the engineers and operators,” Bochman said. “They should both be managed and monitored by the risk committee, of course, and when they are, better prioritization and risk management decisions are possible.”
Gale said that most organizations keep climate resilience and OT cybersecurity in silos. “This separation blinds us to compound threats—extreme weather during a cyber incident amplifies disruption. We need integrated governance in which engineering, safety, and security teams develop unified security and resilience strategies. Until then, we lack situational awareness for combined stressors.”
“Most organisations still treat climate resilience and cybersecurity as parallel workstreams rather than unified architecture,” Kreukniet said. “Even with mature ESG frameworks creating interaction through shared reporting and escalation, the processes remain siloed. Truly integrated governance is still the exception; aligning these domains requires shifting from compliance-driven reporting to a consolidated risk-based strategy that recognises their interdependence.”
When clean energy meets cyber risk
As decarbonization accelerates and distributed energy resources such as renewables, microgrids, and edge-connected systems proliferate, the executives evaluate new cyber-physical vulnerabilities emerging across industrial environments that traditional security frameworks were never designed to address.
Butrimas recognizes that the move toward including inverter-produced power adds complexity to system management. “Maintaining synchronization, always of importance, becomes even more important. Protection devices play a key role in responding to any system failure. They are designed to trip and disconnect bulk power equipment, such as large, expensive transformers, from the grid. This is part of what happens in a cascading blackout, but it is also the reason why power is restored relatively quickly.”
“In 2016, protection devices were targeted in Ukraine when they had their blackout, and protection devices were also included in the targeting of the communications and other equipment on the Polish grid last year,” according to Butrimas. “If protection is compromised, damage to bulk power equipment is at risk when restarting power on the grid after a blackout. The instability that may occur while restarting, without the protection devices doing their job, will result in longer-term damage and longer, debilitating blackouts.”
Bochman said this is where climate plays a major role in cyber. “Not as a cyber threat, but as a driver of new digitally-enabled energy technologies which bring with them vast new attack surfaces. And we are still in the early days of understanding how to best cyber-defend them.”
“Decentralizing energy with renewables and microgrids expands our attack surface. Traditional security assumes a protected perimeter. DERs break that model,” Gale said. “Thousands of edge devices sit on public networks, often shipping with weak authentication, exposed interfaces, and unpatchable firmware. Utilities lack direct control over device lifecycle, patching, and monitoring, making asset visibility, vulnerability management, and incident response significantly more complex. The ISA/IEC 62443 standards include requirements for component security in this scenario.”
Kreukniet observed that as decarbonization drives rapid DER growth, new vulnerabilities emerge. “Smaller asset owners operate with tighter budgets and limited security requirements in procurement, leaving security gaps. Many assets are physically exposed, and Berlin’s recent winter blackout shows how easily reachable field equipment can become an entry point for sabotage.”
In Poland, he noted, simplified, remotely managed architectures create soft targets across dispersed grids. “Supply-chain fragility, such as single-source components and geopolitical tensions, adds further pressure. Traditional frameworks struggle because these risks stem from scale, dispersion, and diverse ownership, not centralized infrastructure.”
Cyberattacks and climate shocks strain response plans
When critical infrastructure faces compounding stressors, such as extreme weather events alongside potential cyberattacks, the executives identify the most significant gaps in current incident response and recovery capabilities.
Butrimas noted that the operators have crews and contingency plans for recovery from natural events. “However, as the Plum Island exercises proved, recovery can be nearly impossible if a hostile actor uses cyberattacks to sabotage recovery efforts, like throwing gasoline into a house while the firemen are trying to put the fire out.”
“These are the types of scenarios the folks at NERC and the E-ISAC like to throw at operators and cyber defenders every two years,” Bochman said. “Gaps in communications and coordination are among the most challenging, as different groups with vastly different skill sets are responsible for building digital and physical resilience left of boom, as well as for incident and emergency response.”
Gale identified that response plans aren’t ready for compound disasters. “Tabletop exercises rarely simulate cyberattacks during floods or power outages. Backup and recovery programs remain inconsistent; backups may be incomplete, inadequately tested, or insufficiently secured against ransomware. We lack a unified framework to coordinate cyber, operations, and emergency teams such as ISA’s ICS4ICS.”
“When extreme weather and cyber-attacks coincide, the biggest gaps appear in field recovery. The industry lacks enough skilled engineers on the ground with the spare parts and mobility needed for rapid restoration,” according to Kreukniet. “Ukraine has shown what highly coordinated, resilient field operations look like under extreme pressure. At the same time, today’s larger, more interconnected grids involve many more stakeholders, slowing decision-making and complicating joint incident response. As a result, coordinated recovery across cyber, physical, and operational domains remains far too fragmented for the scale and speed these compounded crises demand.”
Building climate-resilient cybersecurity for critical infrastructure
The executives look at what a climate-resilient industrial cybersecurity posture will realistically require over the next decade and whether organizations are investing at the scale and pace needed to achieve it.
Butrimas pointed out that it requires contingency planning for those bad times. “The plans come from close public and private collaboration and most importantly, holding exercises to test if the plan has a good chance of working if implemented. I participated in a NATO Civil-Military exercise in 2012 that included natural disasters and cyberattacks in its scenarios. To my knowledge, this combination of a naturally occurring incident and malicious cyber components in the exercise scenario was never tried again at that scale. However, to my mind, it represented what would be experienced in the real world.”
“I can’t speak to the pace, but to the previous question, having the digital defenders more closely coordinate with each other will certainly help,” Bochman said. “And as GenAI and agents are embraced as a force multiplier by both a mutual understanding and countering the new risks they bring, they could serve to build a bridge between digital and physical defense teams.”
Gale said that a climate-resilient industrial cybersecurity posture will require organizations to move toward a unified, all-risk approach over the next decade. “Cyber, physical, and environmental risks must be assessed together, not in isolation. That means integrated risk frameworks and joint response playbooks. Engineering, security, and safety teams must work from the same standard, such as the ISA/IEC 62443 series. While awareness is growing, many organizations are not yet investing at the scale or pace required to implement fully integrated resilience strategies.”
“A climate-resilient cybersecurity posture demands far more investment in grid flexibility, renewables integration and digital resilience, where grid bottlenecks heighten systemic exposure,” Kreukniet said. “At the same time, executives now view cyber risk as the sector’s greatest threat, yet capability gaps persist and OT security investment still lags the pace of digitalization and decentralization as seen in our Cyber Priority Report.”
He concluded that real climate-resilient security requires sustained, scaled investment, far beyond today’s levels, paired with integrated governance, grid-edge visibility, and secure-by-design operations.