Defending Critical Infrastructure in a Hyperconnected Society

On April 28, 2025, a massive power outage affected large areas of the Iberian Peninsula and parts of southern France. Traffic lights, elevators, point-of-sale systems, and many mobile phone and internet networks suddenly stopped functioning. Subways and parts of the rail network ground to a halt. Industrial production and numerous service businesses were interrupted for several hours to a full day. Residents of southeast Berlin experienced a similar disruption in September 2025, when the power supply failed for up to 60 hours.

These incidents highlight the vulnerability of critical infrastructure in our hyperconnected society and illustrate the potential consequences: the collapse of essential services, the paralysis of retail, banking, industry, and skilled trades, and even loss of life. In Spain and Portugal, at least four deaths were linked to the blackout.

The line between digital threats and physical consequences has blurred, leaving critical infrastructure more fragile than ever. Mitigating these risks requires a clear understanding of our current vulnerabilities and the strategic measures needed to close them.

Lessons from Berlin and Iberia

The cause of the Berlin blackout was quickly identified: an arson attack on an electricity pylon melted cable insulation and caused a short circuit. In Spain, the blackout lasted longer and the cause was not immediately clear, which initially raised concerns of a cyber-attack. The official finding, published in June 2025, was an overvoltage event in the transmission grid that triggered a cascading chain of disconnections.

While investigations ruled out a targeted cyber-attack as the cause, other incidents show that the risk is real. In September 2025, a ransomware attack on a cloud-based check-in and boarding platform operated by Collins Aerospace forced airports in Berlin, Brussels, London, and other locations to fall back to manual processes, causing flight restrictions and cancellations. Flight safety was never compromised, but the incident shows how dependent critical infrastructure is on individual third-party services, and what could happen if attackers targeted air traffic control, energy grids, or other critical infrastructure sectors directly.

To prevent such scenarios, CISOs must strengthen the cyber defense capabilities of critical infrastructures. Understanding historical incidents helps contextualize the current challenges.

Historical milestones: From Stuxnet to Colonial Pipeline

Stuxnet, a sophisticated computer worm that exploited several zero-day vulnerabilities in Windows, is considered a milestone in the history of cyber warfare. Discovered in 2010, it had been used for the targeted sabotage of Iran's Natanz uranium enrichment plant and made it clear that malware can cause not only digital but also physical damage.

Stuxnet targeted air-gapped industrial control systems (SCADA/PLC). It altered the rotational speed of the centrifuges while replaying previously recorded, normal-looking values to the operators, so the damage accumulated unnoticed. It spread via infected USB sticks, making it clear that even disconnected networks are not completely secure.

In 2015 and 2016, attacks on the Ukrainian power supply highlighted the danger to critical infrastructure. Using specialized malware (BlackEnergy in 2015, Industroyer in 2016), the attackers took control of grid operators' systems and caused widespread power outages. Particularly worrying was Industroyer's ability to speak industrial control protocols natively (including IEC 60870-5-104 and IEC 61850) and to issue switching commands to substation equipment directly.

A ransomware attack on the Colonial Pipeline in May 2021 demonstrated that even everyday security flaws such as leaked passwords and a lack of multi-factor authentication can have serious consequences: the attackers entered through a VPN account whose password had been exposed and which was not protected by MFA. To contain the attack, the largest fuel pipeline in the US had to be shut down for several days, causing significant supply shortages on the East Coast and prompting a federal emergency declaration.

The growing role of state actors and access brokers

These incidents show that critical infrastructure is exposed to everything from sophisticated, purpose-built malware to simple security gaps. This reality requires a dual approach: maintaining strong security fundamentals while continuously evolving protective mechanisms.

State-sponsored actors are increasingly infiltrating IT and OT networks for espionage, sabotage, and disinformation. According to the ENISA 2025 report, European public services and critical infrastructure are now the primary targets for these geopolitically motivated attacks.

Supporting this ecosystem are Initial Access Brokers (IABs). These actors specialize in gaining unauthorized entry to corporate networks, selling that access to ransomware groups and state-sponsored sabotage teams on the dark web.

To counter these evolving patterns, organizations must shift from reactive to proactive security. By understanding attacker behaviors and real-world scenarios, CISOs can better inform their security architecture. This intelligence is vital for monitoring critical areas like:

  • OT/IT integration and asset visibility.
  • Third-party access and supply chain interdependencies.
  • Early-warning indicators of compromise.

The rising tide of global cyber resilience regulations

The scale of the threat has triggered a wave of new legislation worldwide. In Europe, the NIS2 Directive (EU Directive 2022/2555) is now being enforced through national transposition laws, with no further transition periods for the nearly 30,000 companies in scope. These organizations are now legally mandated to implement rigorous risk management, supply chain security, and incident reporting.

However, compliance remains a significant hurdle. Reports show that while many companies have adopted a basic information security management system (ISMS), attack detection capabilities are still lagging. Currently, less than half of affected organizations fully comply with the new requirements, a dangerous gap considering that more than 100 new CVEs are published every single day.

How to build cyber resilience into critical infrastructure

From a CISO or CEO perspective, the growing number of vulnerabilities and attack vectors, combined with an expanding attack surface, presents a complex challenge. Preventing critical infrastructure failures requires a strategic approach with preventive measures and continuous intelligence gathering.

1. Validating resilience with continuous pen-testing

A key factor is the regular performance of penetration tests, because they provide a realistic assessment of how well systems withstand the tactics and techniques actually used by attackers, and they reveal exploitable vulnerabilities rather than theoretical ones. For a CISO or CEO, the resulting reports also serve as evidence of responsible governance.

With Penetration-Testing-as-a-Service from Outpost24, companies can, for example, continuously check their web applications for security vulnerabilities.

2. Mastering External Attack Surface Management (EASM)

Continuous monitoring of the external attack surface is essential for detecting uncontrolled exposures, forgotten access points, or insecure configurations before an attacker does. Outpost24's EASM solution identifies, monitors, and prioritizes all internet-facing assets, including social media accounts, look-alike domains, and shadow IT. Incorporating risk indicators, such as unusual traffic patterns, atypical access, or changes in network topology, helps prioritize security measures and provides a constantly updated overview of the dynamic threat level.
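Look-alike domains are one of the exposures an EASM program watches for. The following added example (not code from the original post, and not Outpost24's product) shows the core of that check: it enumerates typosquatting variants of a corporate domain (omission, transposition, repetition, homoglyph, hyphenation, TLD swap, common affixes) and matches them against a feed of newly observed domain names. The domain `example.com` and the feed of observed names are constructed assumptions.

```python
"""Typosquat / look-alike domain detection for an EASM watchlist (added example)."""

# Visually confusable substitutions commonly seen in phishing domains.
HOMOGLYPHS = {
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"],
    "m": ["rn"], "e": ["3"], "a": ["4"], "s": ["5"],
}
ALT_TLDS = ["com", "net", "org", "co", "io"]
AFFIXES = ["login", "secure", "support", "mail"]


def lookalike_variants(domain):
    """Return {variant_domain: technique} for a registrable domain like 'example.com'."""
    label, tld = domain.lower().rsplit(".", 1)
    variants = {}
    add = variants.setdefault  # first technique to produce a string wins

    for i in range(len(label)):                       # omission: exmple.com
        add(f"{label[:i]}{label[i + 1:]}.{tld}", "omission")
    for i in range(len(label) - 1):                   # transposition: exmaple.com
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        add(f"{swapped}.{tld}", "transposition")
    for i, ch in enumerate(label):                    # repetition: exampple.com
        add(f"{label[:i]}{ch}{ch}{label[i + 1:]}.{tld}", "repetition")
    for i, ch in enumerate(label):                    # homoglyph: examp1e.com, exarnple.com
        for sub in HOMOGLYPHS.get(ch, []):
            add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}", "homoglyph")
    for i in range(1, len(label)):                    # hyphenation: exam-ple.com
        add(f"{label[:i]}-{label[i:]}.{tld}", "hyphenation")
    for alt in ALT_TLDS:                              # tld swap: example.co
        if alt != tld:
            add(f"{label}.{alt}", "tld-swap")
    for affix in AFFIXES:                             # affix: example-login.com
        add(f"{label}-{affix}.{tld}", "affix")
        add(f"{affix}-{label}.{tld}", "affix")

    variants.pop(domain.lower(), None)                # never flag the genuine domain
    return variants


def find_lookalikes(domain, observed_names):
    """Match observed FQDNs against the variant set; subdomains of a variant also hit."""
    variants = lookalike_variants(domain)
    hits = []
    for name in observed_names:
        parts = name.lower().strip(".").split(".")
        # Walk from the full name down to its registrable suffix (assumes 2-label suffixes).
        for start in range(0, len(parts) - 1):
            candidate = ".".join(parts[start:])
            if candidate in variants:
                hits.append((name, variants[candidate]))
                break
    return hits


# Constructed sample feed, e.g. from certificate transparency or passive DNS (not real data).
OBSERVED_DOMAINS = [
    "examp1e.com",          # l -> 1
    "exarnple.com",         # m -> rn
    "exampel.com",          # transposed letters
    "login.exmaple.com",    # subdomain on a transposed domain
    "example-login.com",    # affix
    "example.com",          # the genuine domain, must not be flagged
    "unrelated.com",
]

if __name__ == "__main__":
    for fqdn, technique in find_lookalikes("example.com", OBSERVED_DOMAINS):
        print(f"{fqdn:25s} {technique}")
```

In practice the observed list comes from a continuous source such as certificate transparency logs or newly registered domain feeds, and each hit is enriched (registration date, MX and A records, whether a login page is being served) before it is escalated for takedown.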

3. Strengthening access control and identity management

Effective password management and Identity and Access Management (IAM) are critical. We recommend multi-factor authentication on every remote and privileged login and the principle of least privilege for all accounts. Regularly reviewing privileged accounts (who holds them, whether they are still used, and whether they are protected by MFA) minimizes the likelihood that a single compromised credential becomes the entry point for a national-level disruption.
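The following added example (not from the original post and not an Outpost24 tool) shows what such a periodic review looks like as code: it runs a constructed account inventory through a small rule set and flags the patterns behind the incidents above, such as remote access without MFA, privileged roles without MFA, dormant privileged accounts, and shared privileged accounts that cannot be attributed to a person. The role names, thresholds, and sample accounts are assumptions.

```python
"""Privileged-account review over an exported account inventory (added example)."""
from datetime import date

# Assumed set of groups that grant privileged IT or OT access.
PRIVILEGED_ROLES = {
    "Domain Admins", "Enterprise Admins", "OT-Engineering",
    "SCADA-Operators", "VPN-Admins",
}

REMOTE_NO_MFA = "remote access without MFA"
PRIV_NO_MFA = "privileged role without MFA"
DORMANT_PRIV = "dormant privileged account"
NEVER_USED_PRIV = "privileged account never logged in"
SHARED_PRIV = "shared privileged account"
OLD_PASSWORD_NO_MFA = "password older than policy and no MFA"


def review_privileged_accounts(accounts, today, dormant_days=90, max_password_age=365):
    """Return a list of (user, severity, finding) tuples, most severe checks first."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        priv_roles = set(acct["roles"]) & PRIVILEGED_ROLES
        mfa = acct["mfa"]

        # The Colonial Pipeline pattern: an externally reachable login with no second factor.
        if acct["remote_access"] and not mfa:
            findings.append((user, "critical", REMOTE_NO_MFA))
        if priv_roles and not mfa:
            findings.append((user, "critical", PRIV_NO_MFA))
        if priv_roles:
            if acct["last_login"] is None:
                findings.append((user, "high", NEVER_USED_PRIV))
            elif (today - acct["last_login"]).days > dormant_days:
                findings.append((user, "high", DORMANT_PRIV))
            if acct.get("shared"):
                findings.append((user, "high", SHARED_PRIV))
        # Long-lived passwords are only a problem when nothing else backs them up.
        if not mfa and (today - acct["password_set"]).days > max_password_age:
            findings.append((user, "medium", OLD_PASSWORD_NO_MFA))
    return findings


# Constructed inventory, as exported from a directory or IAM system (not real accounts).
REVIEW_DATE = date(2025, 10, 1)
ACCOUNTS = [
    {"user": "alice", "roles": ["Domain Admins"], "mfa": True, "remote_access": True,
     "last_login": date(2025, 9, 30), "password_set": date(2025, 6, 1)},
    {"user": "vpn-contractor", "roles": [], "mfa": False, "remote_access": True,
     "last_login": date(2025, 9, 28), "password_set": date(2024, 1, 15)},
    {"user": "svc-historian", "roles": ["SCADA-Operators"], "mfa": False, "remote_access": False,
     "last_login": date(2025, 4, 2), "password_set": date(2025, 8, 1)},
    {"user": "ops-shared", "roles": ["OT-Engineering"], "mfa": True, "remote_access": False,
     "shared": True, "last_login": date(2025, 9, 29), "password_set": date(2025, 9, 1)},
    {"user": "bob", "roles": ["Helpdesk"], "mfa": False, "remote_access": False,
     "last_login": date(2025, 9, 29), "password_set": date(2025, 9, 1)},
]

if __name__ == "__main__":
    for user, severity, finding in review_privileged_accounts(ACCOUNTS, REVIEW_DATE):
        print(f"[{severity:8s}] {user:15s} {finding}")
```

Each finding maps to a concrete action: enforce MFA or disable the login, remove or re-justify the dormant role, replace the shared account with individual accounts plus a vault, and rotate the stale password. Running the review on a schedule, rather than once, is what turns it into a control.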

4. Staying ahead with cyber threat intelligence (CTI)

Up-to-date information about potential attackers and attack vectors is becoming increasingly important. A CTI program should therefore be implemented to provide contextual, current information on real threats, including data on state actors, ransomware campaigns, and brokers selling initial access on the dark web. Outpost24's Cyber Threat Intelligence service allows you to stay one step ahead by understanding the "who" and "how" behind the next potential threat.

5. Moving to proactive defense with Compass DRP

Outpost24’s Compass DRP combines external attack surface management, Digital Risk Protection (DRP) and threat intelligence in a single tool. This enables security teams to transition from reactive defense to proactive, adaptive security that can resist the ever-evolving threat landscape of our hyperconnected society.

How Outpost24 can help

The 2025 outages across Europe and the historical lessons of Stuxnet and the Colonial Pipeline illustrate a clear reality: the vulnerability of critical infrastructure has tangible, national-level consequences.

True resilience is not a one-time project; it is a living system. It requires a continuous cycle of identification, validation, and proactive monitoring. By integrating deep threat intelligence with automated attack surface management and expert-led testing, organizations can close the gap between discovering a vulnerability and remediating a risk.

Outpost24 is committed to helping you navigate this complexity. Our integrated approach to EASM, Threat Intelligence, and PTaaS provides the full-spectrum visibility you need to protect your most critical assets and stay one step ahead of the ever-evolving threat landscape.

Have specific security goals or regulatory requirements? Our team of experts, rooted in ethical hacking and years of IT security experience, is here to help. Contact our experts today or book a personalized demo to see our services in action.

You can also try our free Credential Checker tool to get an instant, no strings attached visibility report to see if your corporate domain is linked to any compromised credentials on the dark web.