Is Critical Infrastructure Ready for a Digital Blackout?

When we think about outages in critical infrastructure, we often picture physical events - storms, floods, fires, earthquakes. But increasingly, the risk we need to prepare for isn't visible. It's digital, prolonged, and devastating.

In April this year, a catastrophic loss of power in areas of Spain, Portugal and France led to trains, traffic lights, ATMs, phone connections and internet access being taken out. Fearing that a cyberattack caused the outages, a government investigation has now found cascading technical failures - not nation state attackers - to be behind the blackouts.

Cyber attacks are no longer about short disruptions. The new reality is large-scale, coordinated campaigns designed to cripple systems for weeks or months. And the harsh truth is, most critical infrastructure operators aren't ready for that kind of endurance test.

What would your organisation do if your core systems were offline for 30 days?

• No access to OT environments
• No visibility of SCADA data
• No real-time communication with field teams
• No clean backups

This isn't hypothetical - it's playing out globally:

• The Colonial Pipeline attack shut down fuel supply on the U.S. East Coast
• Norway's Norsk Hydro operated in 'manual mode' for weeks after a ransomware attack
• CrowdStrike's update misconfiguration caused widespread global outages - including impacting public safety systems - and led to a US congressional hearing on Homeland Security
• Closer to Overcyte's home in New Zealand, outages in utility and healthcare sectors have become regular reminders of how fragile our digital backbone really is

Achieving resilience in the face of digital dependencies

So, how do we shift from reactive recovery to resilient continuity?

Here are three questions every executive should be asking:

1. Do we have a tested plan for operating without digital systems - not just for hours, but for weeks? Business continuity plans often assume restoration is fast. But what if it’s not?
2. Have we prioritised our most critical assets for protection and recovery? Many organisations take a broad-brush approach to security. It’s time to zero in on the crown jewels and confirm what a 'Minimum Viable Company' truly looks like.
3. Are we treating cyber resilience like we do physical safety? We run regular fire drills. But when's the last time you ran a 'digital blackout' drill and validated your manual workarounds and backup communication options in the event of infrastructure collapse?

The path forward is clear but not easy: leaner, more robust risk assessments; secure-by-design systems; and operational models that allow us to function securely in a degraded state.

We need to stop thinking of cyber incidents as momentary interruptions. They are now existential threats to public services and societal stability.

The question isn't if an attack will happen - it's how long we can last when it does.

Talk to Overcyte to learn how we can help simplify cybersecurity risk management for your organisation.