Why the 200 Critical Infrastructure Cyber Incidents Panic is a Dangerous Lie

The British press is currently having a collective meltdown over reports that the UK's critical national infrastructure suffered 200 cyber incidents in a single year. Security vendors are salivating. Government officials are grimacing on television. The consensus is clear: we are under an unprecedented, existential siege, and the only solution is more funding, more bureaucratic oversight, and more panic.

It is a comforting narrative for those who sell software, but it is entirely wrong.

The fixation on raw incident counts is a vanity metric that actively compromises national security. Counting "incidents" without weighting their severity is like treating a swarm of mosquitoes with the same urgency as an airborne missile. By treating every minor network blip or routine phishing attempt as a crisis, the cybersecurity industry has created a boy-who-cried-wolf dynamic that blinds us to actual systemic risk.

I have spent nearly two decades auditing security architectures for heavy industry, energy grids, and maritime logistics. I have watched boards greenlight multi-million-dollar software suites to stop low-level noise while ignoring glaring, decades-old architectural flaws in their operational technology. The obsession with the sheer volume of attacks is the ultimate distraction.


The Tyranny of the Arbitrary Metric

To understand why the "200 incidents" headline is misleading, you have to look at how a government agency defines an incident. In most frameworks—including those used by the UK National Cyber Security Centre (NCSC) or the US Cybersecurity and Infrastructure Security Agency (CISA)—an "incident" can range from a highly sophisticated state-sponsored intrusion to an automated scanning script that happened to hit a poorly configured public-facing server.

When an agency announces a triple-digit number of incidents, they are inflating their statistics with events that resulted in exactly zero operational downtime, zero data exfiltration, and zero real-world impact.

  • The Reality of Network Noise: Every organization connected to the internet is probed millions of times a day by automated bots. If a bot successfully logs into a non-critical honeypot or triggers an automated alert on a secondary corporate network, it frequently gets logged as an incident.
  • The Distortion of Compliance: Regulatory mandates force critical infrastructure operators to report almost everything to avoid catastrophic fines. This creates a perverse incentive to over-report minor anomalies, artificially inflating government data to demonstrate "proactive compliance."

When we treat 200 disparate events as a monolithic wave of aggression, we dilute our defensive focus. Resource allocation becomes an exercise in playing whack-a-mole with low-level threats rather than hardening the core assets that keep the lights on.
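To make the severity-weighting argument concrete, here is an added example (not from the article) of a triage script that classifies incident records by consequence rather than simply counting them. The record format, the severity ladder and all 200 incident records are constructed for illustration; the point is that a headline count of 200 collapses to a handful of events that actually touched operational technology.

```python
"""Severity-weighted incident triage (added example, not from the article).

Takes a constructed list of incident records and separates events with
operational impact on OT from the corporate-network noise that dominates
the headline count. All incident data below is constructed.
"""
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class Incident:
    ident: str
    segment: str            # "IT" (corporate) or "OT" (control systems)
    downtime_minutes: int   # operational downtime caused
    exfiltration: bool      # data confirmed leaving the network?
    process_impact: bool    # did a physical process deviate (valve, pump, breaker)?


def severity(inc: Incident) -> str:
    """Classify by consequence, not by the fact that an alert fired.

    Anything that moved a physical process is critical; downtime or
    exfiltration on the OT side is high; the same on the IT side is
    medium; an alert with zero impact is noise.
    """
    if inc.process_impact:
        return "critical"
    if inc.segment == "OT" and (inc.downtime_minutes > 0 or inc.exfiltration):
        return "high"
    if inc.downtime_minutes > 0 or inc.exfiltration:
        return "medium"
    return "noise"


def triage(incidents) -> dict:
    """Return the raw count, the count per severity, and the material subset."""
    counts = Counter(severity(i) for i in incidents)
    material = [i.ident for i in incidents if severity(i) in ("critical", "high")]
    return {"total": len(incidents), "by_severity": dict(counts), "material": material}


# Constructed sample: 200 records, the overwhelming majority being scanner
# hits and phishing clicks on the corporate network with no consequence.
SAMPLE = [Incident(f"INC-{n:03d}", "IT", 0, False, False) for n in range(1, 196)]
SAMPLE += [
    Incident("INC-196", "IT", 90, False, False),   # billing server offline for 90 min
    Incident("INC-197", "IT", 0, True, False),     # finance spreadsheet leaked
    Incident("INC-198", "OT", 15, False, False),   # HMI rebooted, process unchanged
    Incident("INC-199", "OT", 0, True, False),     # historian data pulled out
    Incident("INC-200", "OT", 0, False, True),     # setpoint changed on a dosing pump
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"headline count:        {result['total']}")
    print(f"by severity:           {result['by_severity']}")
    print(f"worth a board meeting: {result['material']}")
```

Run as a script, the headline figure of 200 resolves to 195 noise events, two medium IT events, two high OT events and one critical one; only the last three belong in a risk conversation.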


Stop Trying to Protect the Corporate Network

The most egregious error in modern critical infrastructure defense is the failure to separate IT from OT.

Information Technology (IT) is your email, your HR software, and your billing systems. Operational Technology (OT) is the programmable logic controllers (PLCs), the SCADA systems, and the physical valves that control water pressure or electrical distribution.

When the media reports that a nuclear facility or a water treatment plant was "hit" by a cyber incident, ninety-nine times out of a hundred, the compromise occurred on the corporate IT network. Someone clicked a bad link in an email. A finance spreadsheet was compromised.

The Blunt Truth: A ransomware attack on a water utility's billing department does not mean the water supply is poisoned. It means people might get their invoices late.

Yet, the industry reacts with uniform hysteria. Defenses are poured into securing the corporate perimeter, adding layers of identity management and endpoint detection to office laptops. Meanwhile, the actual industrial control systems remain air-gapped only in theory, frequently bridged by lazy contractors who need remote access via unencrypted legacy protocols.

Imagine a bank that spends its entire security budget reinforcing the revolving doors at the lobby entrance while leaving the vault door propped open with a wedge of wood because the mechanics find it tedious to turn the dial. That is the current state of critical infrastructure defense.


The Dangerous Myth of the Sophisticated State Actor

Blaming failures on "highly sophisticated nation-state actors" is the ultimate get-out-of-jail-free card for incompetent executives. It shifts the blame from systemic negligence to an unstoppable, mythical adversary.

The vast majority of compromises in industrial environments do not require nation-state sophistication. They require basic internet scanning tools like Shodan and a complete lack of shame.

[Internet] ---> [Exposed Remote Desktop Protocol (RDP)] ---> [Default Credentials] ---> [Core SCADA Network]

This isn't The Matrix. This is basic hygiene failure.

In 2021, the cyber attack on the Oldsmar water treatment plant in Florida was widely publicized as a terrifying breach of critical infrastructure. The intruder gained access to a system controlling chemical levels. How did they get in? The facility was running an unsupported operating system (Windows 7), shared a single password for remote access via TeamViewer, and had no functional firewall separating the industrial control system from the public internet.

Calling that a sophisticated cyber incident is an insult to intelligence. It was administrative malpractice. No amount of government funding or threat intelligence sharing feeds can fix a culture that allows critical infrastructure to be managed like a high school computer lab.


Dismantling the Consensus: Your Questions Are Flawed

When industry analysts address the public, they routinely answer questions that misdirect the audience from the real vulnerabilities. Let's look at what people actually ask, and the uncomfortable truths behind them.

"How do we prevent 100% of cyber attacks on our infrastructure?"

You don't. The premise itself is flawed. Any architecture built on the assumption of total prevention is doomed to catastrophic failure. If your security strategy relies on the perimeter never breaking, you have already lost.

The goal must shift from prevention to graceful degradation. When an intrusion occurs—and it will—can your system isolate the breach, drop into a manual override mode, and continue pumping water or transmitting electricity? If the answer is no, your design is defective.

"Will upgrading to AI-driven security tools solve the resource shortage?"

Absolutely not. The push for automated, algorithmic security triage is a marketing gimmick designed to abstract away the fact that companies refuse to pay for skilled systems engineers. Adding a complex, unvetted layer of automated software on top of fragile, legacy industrial systems increases the attack surface. It introduces unpredictable failure modes into environments that require deterministic reliability.


The High Cost of the Contrarian Approach

Admitting that raw incident counts don't matter requires a level of intellectual honesty that many organizations cannot stomach. It means acknowledging that you might need to stop buying flashy software updates and instead invest in grueling, unsexy structural work.

  • You must physically segregate networks. This means running actual, physical cables and using unidirectional data diodes that allow data to travel out of the operational environment for monitoring but make it physically impossible for commands to travel back in.
  • You must design for manual override. If a digital system fails, workers must be trained to operate valves, switches, and breakers by hand. This requires continuous training and physical staffing—two things corporate accountants hate because they represent ongoing operational expenses rather than depreciable capital investments.
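The "air-gapped only in theory" problem above, the exposed-remote-access chain, and the unidirectional-flow requirement in the first bullet all reduce to one policy check: does any rule let traffic be initiated into the OT zone, and does OT talk to anything other than its monitoring DMZ? Below is an added example (not from the article) of that check run over a constructed firewall rule set. Zone names, port-to-service mapping and the rules themselves are assumptions; it audits policy intent and is not a substitute for the physical data diode the article calls for.

```python
"""Audit firewall rules for paths into the OT zone (added example, not from the article).

Flags every allow rule that lets a less-trusted zone initiate traffic into
OT, and every rule that lets OT reach anything other than the monitoring
DMZ (which is where a unidirectional diode would sit). Rule format, zone
names and the sample rule set are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "INTERNET", "IT", "DMZ" or "OT"
    dst_zone: str
    dst_port: int   # 0 means "any" in this constructed format
    action: str     # "allow" or "deny"


# Ports the audit labels as interactive remote access rather than telemetry
# (constructed mapping for the example).
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc", 5938: "teamviewer"}


def audit(rules) -> list:
    """Return a list of findings, one per offending allow rule."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst_zone == "OT" and r.src_zone != "OT":
            # Anything initiating into OT violates the one-way-out principle;
            # from the internet or corporate IT it is the article's worst case.
            svc = REMOTE_ACCESS_PORTS.get(r.dst_port, f"tcp/{r.dst_port}")
            findings.append({
                "rule": r.name,
                "issue": f"{r.src_zone} may initiate into OT ({svc})",
                "severity": "critical" if r.src_zone in ("INTERNET", "IT") else "high",
            })
        elif r.src_zone == "OT" and r.dst_zone not in ("OT", "DMZ"):
            # OT should only push telemetry to the DMZ; direct reach to IT or
            # the internet bypasses the diode and gives a return path.
            findings.append({
                "rule": r.name,
                "issue": f"OT reaches {r.dst_zone} directly, bypassing the DMZ",
                "severity": "high",
            })
    return findings


def flagged_rules(rules) -> list:
    """Sorted names of rules that produced a finding."""
    return sorted(f["rule"] for f in audit(rules))


# Constructed rule set with a mix of sins and one acceptable telemetry push.
SAMPLE_RULES = [
    Rule("allow-vendor-rdp", "INTERNET", "OT", 3389, "allow"),  # contractor convenience
    Rule("it-to-plc-modbus", "IT", "OT", 502, "allow"),          # engineering from office LAN
    Rule("historian-push", "OT", "DMZ", 8443, "allow"),          # outbound telemetry only: fine
    Rule("ot-web-browsing", "OT", "INTERNET", 443, "allow"),     # HMI can reach the web
    Rule("dmz-pull", "DMZ", "OT", 502, "allow"),                 # DMZ polling into OT
    Rule("deny-all-to-ot", "INTERNET", "OT", 0, "deny"),         # correct, but shadowed above
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"[{f['severity']:8}] {f['rule']}: {f['issue']}")
```

Of the six constructed rules only the historian push and the deny rule survive the audit; the two critical findings are precisely the internet-to-OT remote access and office-LAN-to-PLC paths the article describes as basic hygiene failures.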

The downside to this approach is that it doesn't look good in a quarterly slide deck. It doesn't generate a neat compliance certificate that you can wave in front of regulators to prove you are "aligned with global frameworks." It just keeps the system running when the world goes sideways.


The Hard Re-Centering

Stop looking at the 200 incidents headline with terror. Look at it with skepticism.

If 200 incidents occurred and the lights stayed on, the trains ran on time, and the water remained clean, then the systems either worked as intended or the incidents themselves were trivialities elevated by bureaucrats to justify their budgets.

The real threat is not a wave of digital masterminds breaching our defenses through unpatchable zero-day exploits. The threat is the slow, quiet rot of operational discipline hidden behind a wall of compliance checklists and inflated statistics.

Fix the default passwords. Sever the connections between your corporate email and your industrial machinery. Train your operators to pull the plug and run the pumps manually.

Everything else is just noise.

Akira Bennett

A former academic turned journalist, Akira Bennett brings rigorous analytical thinking to every piece, ensuring depth and accuracy in every word.