Defend the Infrastructure That Runs Our Nation: An Interview with Greg Wessel, TAC’s CTO

Greg Wessel explains how cyber threats and AI are targeting critical infrastructure and what it takes to defend the systems that keep our nation running.

Cyber threats against critical infrastructure have become one of the most pressing national security challenges of our time. From power grids to water systems, the risks posed by adversarial nation-states and emerging technologies like artificial intelligence demand a proactive approach to defense.

We sat down with Greg Wessel, Chief Technology Officer (CTO) at TAC and an expert in operational technology (OT) cybersecurity, to discuss how these threats have evolved, where our vulnerabilities lie, and what can be done to better protect the infrastructure that powers our nation.


Evolving Threats to Critical Infrastructure

Q: Have cyber threats against critical infrastructure evolved in the last five years?

Greg Wessel:
“In the last five years, nation-states, especially China, Russia, and North Korea, have become the primary actors targeting our infrastructure. They embed themselves so that, when the time comes, they can disrupt systems and cause havoc.

I don’t see them necessarily taking down power grids or cutting off water, but they could make water undrinkable or drain power systems. One of my bigger concerns is nuclear facilities; many were built in the ’60s and ’70s, and the infrastructure is old, making it difficult to defend or even install cybersecurity products.

The threats have shifted. Previously, attacks were often ransomware or just meant to show access. Now, adversaries hide within systems, lying dormant until they decide to act. There’s even a U.S. initiative called ‘China 2027,’ which assumes China might turn against us around that year, and they are positioning themselves within our infrastructure in preparation for that.”


The Impact of AI on Cybersecurity

Q: How is the rise of AI changing the way attackers target infrastructure systems?

Greg Wessel:
“AI has made attacks faster and easier to automate. Instead of a human manually scanning networks for vulnerabilities, AI can do it automatically, letting the attacker know when they’re embedded. Then they can act when it’s time.

On the defensive side, AI must catch up. Security teams need AI to detect unusual behaviors or threats faster than humans ever could. AI can monitor network activity and flag nefarious actions in real time, which is crucial for protecting infrastructure.”


A Personal Mission to Defend Infrastructure

Q: What does defending the infrastructure that runs the nation mean to you personally?

Greg Wessel:
“To me, defending infrastructure means protecting power, water, nuclear, and oil and gas systems with whatever mechanisms we can. Most of these systems aren’t well protected because cybersecurity products don’t always work with older operational technology.

There are three main challenges: first, we’ve traditionally focused on IT, not OT or SCADA systems. Second, the protocols are different from those on the IT side. Third, much of the equipment is old and can’t easily be updated.

Protecting infrastructure means building layers of defense around the systems themselves and using IT-side monitoring to detect threats before they reach OT systems. AI can play a critical role here by recognizing suspicious behaviors and helping to secure these vital systems.”


Vulnerabilities in America’s Critical Infrastructure

Q: When you think of America’s critical infrastructure, what systems are most at risk and why?

Greg Wessel:
“Power companies are well-funded and have resources to secure their systems. Water infrastructure, on the other hand, is the most vulnerable. There are countless small municipal systems across every state that lack the funding and personnel to implement strong cybersecurity.

For example, in Maryland alone, there are 15 to 20 local water systems in just one county, compared to larger, regulated power companies. Unlike power and oil and gas, water systems have very few regulations and cybersecurity requirements, which leaves them exposed.

This is well known; for instance, Maryland has prioritized securing water systems in the next two years and even involved the National Guard to help identify protection strategies.”


The Power of Hands-On Training

Q: Why is hands-on training so important for teams defending IT and OT systems?

Greg Wessel:
“Hands-on training is essential because you work with real equipment and tools, not just virtual simulations. You’re interacting with actual PLCs, routers, and firewalls. Being able to touch and manipulate the hardware provides experience that virtual labs simply can’t replicate.”


Closing the Gaps in Preparedness

Q: What gaps do you see in the way most organizations currently prepare for infrastructure attacks?

Greg Wessel:
“The biggest gap is funding. Cybersecurity is often the last thing to get money because keeping infrastructure running takes priority over securing it.

The second gap is trained personnel. It’s relatively easy to train IT security professionals, but OT security requires a different skill set. Many OT workers come from manufacturing or operational backgrounds and aren’t trained to defend against cyber attacks.”


Preparing for Real-World Scenarios

Q: How does TAC training uniquely prepare professionals to defend real-world systems?

Greg Wessel:
“TAC’s OT Boot Camp helps IT professionals understand OT systems and the security involved, and helps OT professionals understand IT and security practices.

This cross-training ensures IT security people become better at securing OT systems, while OT professionals gain awareness of cybersecurity risks. This dual understanding is what sets TAC’s training apart and strengthens the overall defense of critical infrastructure.”


Looking Ahead

Q: What’s at stake if we fail to defend our infrastructure?

Greg Wessel:
“If we fail, adversarial nations like China, Russia, North Korea, or Iran could disrupt, pollute, or shut down critical systems, either on a large scale or in smaller, chaotic ways that cause widespread disruption.”


Learning from Real-World Incidents

Q: Can you share a real-world incident that shows the ripple effect of a critical infrastructure attack?

Greg Wessel:
“There have been many incidents, particularly involving water, but they often go unreported because companies don’t want to admit attacks. For example, Anne Arundel County Public Works experienced an attack they called ransomware. It’s unclear if it was ransomware or an OT-targeted attack. Contractors managing these systems often avoid publicizing incidents.

The U.S. has historically been reactive rather than proactive. When Stuxnet hit or when Sony was hacked, efforts to secure systems intensified, but we often wait for a crisis rather than hunting for threats in advance. Simply securing infrastructure isn’t enough if attackers are already inside.”


Becoming Proactive

Q: What do you think we need to do to be more proactive? Why are we so reactive?

Greg Wessel:
“The government issues policies through the cyber director’s office and CISA, but there are no consequences for failing to follow them. Without enforcement, policy is just words. There need to be laws and real consequences to ensure organizations implement the protections necessary to safeguard our critical infrastructure.”
