NuHarbor Security
  • Solutions
    Solutions
    Custom cybersecurity solutions that meet you where you are.
    • Overview
    • Our Approach
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • By Business Need
      • Identify Gaps in My Cybersecurity Plan
      • Detect and Respond to Threats in My Environment
      • Fulfill Compliance Assessments and Requirements
      • Verify Security With Expert-Led Testing
      • Manage Complex Cybersecurity Technologies
      • Realize the Full Value of Microsoft Security
      • Security Monitoring With Splunk
    • By Industry
      • State & Local Government
      • Higher Education
      • Federal
      • Finance
      • Healthcare
      • Insurance
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Services
    Services
    Outcomes you want from a team of experts you can trust.
    • Overview
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • Security Testing
      • Penetration Testing
      • Application Penetration Testing
      • Vulnerability Scanning
      • Wireless Penetration Testing
      • Internal Penetration Testing
      • External Penetration Testing
    • Assessment & Compliance
      • ARC-AMPE Compliance
      • CMMC Compliance
      • NIST 800-53
      • HIPAA Security Standards
      • ISO 27001
      • MARS-E Security Standards
      • New York Cybersecurity (23 NYCRR 500)
      • Payment Card Industry (PCI)
    • Advisory & Planning
      • Security Strategy
      • Incident Response Planning
      • Security Program Reviews
      • Security Risk Assessments
      • Virtual CISO
      • Policy Review
    • Managed Services
      • SOC as a Service
      • Microsoft Security Managed Services
      • Splunk Managed Services
      • Tenable Managed Services
      • CrowdStrike Managed Detection and Response (MDR)
      • Zscaler Support Services
      • Vendor Security Assessments
      • Curated Threat Intelligence
      • Vulnerability Management
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Partners
  • Resources
    Resources
    Explore reports, webinars, case studies, and more.
    • Browse Resources
    • Consultation Icon Consult with an expert
    • Blog icon Blog
    • Podcast icon Podcast
    • Annual SLED CPR icon Annual SLED CPR
    • Downloadable Assets icon Downloadable Assets
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Company
    Company
    We do cybersecurity differently – the right way.
    • Overview
    • Data Icon Resources
    • Consultation Icon Consult with an expert
    • Leadership
    • News
    • Careers
    • Contact
    Report 2023-2024 SLED Cybersecurity Priorities Report
    2023-2024 SLED Cybersecurity Priorities Report
    Read Report
  • Consult with an expert
  • Client support
  • Careers
  • Contact
1.800.917.5719
NuHarbor Security Blog
    • Compliance
    • Cybersecurity Technology
    • Industry Insights
    • Security Operations
    • Security Testing
    • Advisory and Planning
    • Application Security
    • Managed Detection and Response
    • Threat Intelligence
    • Managed Services
    • NuHarbor
    • Cyber Talent
July 2, 2025

Beyond Compliance: Building Critical Infrastructure Security That Actually Works

Kyle Smith Kyle Smith

The headlines tell a familiar story. Hackers breach a Norwegian dam and open valves at full capacity. A ransomware attack on National Health Service (NHS) pathology services contributes to a patient's death. Critical infrastructure attacks aren't theoretical risks anymore. They are operational realities with human consequences. 

Most security conversations still sound like this: "We need to patch CVE-2024-XXXX and implement additional endpoint detection." Meanwhile, the board asks: "What does this actually mean for our business?" 

This communication gap isn't just frustrating. It's dangerous.

The Translation Problem in Critical Infrastructure

When attackers target infrastructure, they're not just stealing data. They're threatening the systems that keep society running. But too often, security teams present these threats in technical terms that don't translate to business impact. 

Consider a water treatment facility facing potential cyber threats. The CISO reports: "We have several high-priority vulnerabilities in our SCADA environment that require immediate remediation." 

The board hears: "Some technical maintenance issues that IT needs to handle." 

What the CISO should communicate: "We have vulnerabilities that could allow attackers to contaminate our water supply, shut down service to 200,000 residents for 3-6 weeks, cost us $15 million in emergency response and recovery, expose us to regulatory fines, and create a public health crisis. We need $1.5 million in security investment to mitigate a potential $50 million business and community impact." 

The difference isn't just semantic. It's the gap between technical risk and business reality.  

When Security Breaks Operations

The second critical challenge is building security that doesn't break the very operations it's meant to protect. But there's an even deeper problem: security teams and operational staff often can't communicate with each other effectively. 

The security analyst speaks in terms of threat vectors, vulnerability assessments, and compliance frameworks. The technician with the wrench speaks in terms of pump pressures, flow rates, and equipment uptime. When the security team says "we need to implement network segmentation," the plant operator hears "more complexity that might interfere with my ability to keep the lights on." 

This communication gap creates dangerous blind spots. Security teams design controls without understanding operational workflows. Operations staff resist security measures they view as obstacles to getting their job done. The result? Security that looks good on paper but fails in practice. 

Critical infrastructure can't afford downtime for security patches or configurations that interfere with essential processes. The dam operator who needs to open valves during flood conditions can't wait for IT approval. The hospital technician running blood tests for emergency patients can't work around security controls that delay critical lab results. The water treatment technician monitoring chemical levels can't work around security controls that slow down emergency responses. 

Traditional corporate security approaches often fail in operational environments because they don't account for these realities. The security control that works perfectly in an office environment can create dangerous situations when applied to systems that control physical processes.

A Different Approach to Infrastructure Security

Effective critical infrastructure security requires three fundamental shifts:

First, risk communication must be business-focused. Every security briefing should answer the question: "What happens to our operations and our community if this threat materializes?" Boards need to understand specific scenarios. Service disruptions, public safety impacts, financial consequences, and regulatory exposure. Abstract vulnerability scores don't drive decision-making. Clear business impact does.

Second, security teams must become bidirectional translators. They need to speak both languages. Translating operational concerns into security requirements and security needs into operational terms. When the plant technician says "I can't patch that system because it controls emergency shutdown," the security team needs to understand that this isn't resistance. It's critical safety information. When security says "we need better access controls," they need to explain it as "making sure only authorized people can control critical equipment during emergencies."

Third, security design must prioritize operational continuity and accept OT realities. Controls should be built around the principle that infrastructure must keep running. But there's another reality: many OT environments can't be "patched" in the traditional IT sense.

The firmware running a dam's valve controller or a power plant's turbine system isn't like software on a corporate laptop. These systems often run for decades without updates. When updates do happen, they require planned shutdowns that can affect entire communities. You can't just push a patch to a water treatment plant's control system and hope for the best.

This is why effective OT security focuses heavily on the IT/OT bridges.

  • The web portal that connects to your valve controller.
  • The historian server that collects operational data. The engineering workstation that programs your PLCs.

These connection points are where attackers typically gain access to operational systems.

On the pure OT side, the strategy shifts to limiting outbound connectivity. If operational systems can't communicate with external command and control servers, attackers lose their ability to maintain persistent access or exfiltrate data. This approach reduces attack vectors without requiring firmware updates that might destabilize critical processes.

Building Security That Enables Operations 

The goal isn't to eliminate all risks. It's to build practical protection that allows critical infrastructure to operate safely. This requires security teams that understand both cybersecurity and operational environments. 

Effective infrastructure security starts with questions like: What happens if this system goes offline? Which processes can't be interrupted? How do operators actually use these systems daily? What does an emergency response look like? What concerns do the people with wrenches have about our security proposals? 

The answers inform security decisions that protect infrastructure while maintaining the operational capability that communities depend on. More importantly, they create security programs where operational staff become partners rather than obstacles—because they understand that security is designed to support their mission, not complicate it. 

When security works alongside operations rather than despite them, organizations get protection that actually functions in the real world. They get boards that understand cyber risks and approve appropriate investments. They get operators who follow security procedures because those procedures support their mission rather than hindering it. 

Most importantly, they get infrastructure that can resist attacks while continuing to serve the people who depend on it. Because when critical infrastructure fails, the consequences aren't just technical. They're human.

Don't miss another article. Subscribe to our blog now. 

Subscribe now

 

Included Topics

  • Compliance,
  • Security Operations
Kyle Smith
Kyle Smith

Kyle Smith is the Vice President of Product Management at NuHarbor Security. He leads the development and execution of strategic product initiatives, ensuring that NuHarbor’s solutions are aligned with the evolving needs of both public and private sector organizations. During his two decades in the cybersecurity industry, Kyle has held leadership roles across multiple domains, including security operations, network architecture, and product innovation. Before joining NuHarbor, he led cross-domain technology teams, spearheading security and systems initiatives to protect organizations from advanced threats. Kyle's experience as an IT technologist, security operator, and client advocate has combined to make him an empathetic and practical leader as NuHarbor develops and delivers new, valuable capabilities to our clients.

Related Posts

Industry Insights 3 min read
6 Compelling Ways to Gain Buy-In for Your Cybersecurity Budget
Read More
Threat Intelligence 3 min read
What State and Local Governments Need to Know About Escalating Iran Cyber Threats
Read More
Cyber Talent 6 min read
Secure Your Organization Despite the Cybersecurity Talent Shortage
Read More

Subscribe via Email

Subscribe to our blog to get insights sent directly to your inbox.

Subscribe Here!

Latest Pwned episodes

Episode 200 - Reflections of Pwned...Until Next Time
April 03, 2024
Episode 200 - Reflections of Pwned...Until Next Time
Listen Now
Episode 199 - When a BlackCat Crosses Your Path...
March 21, 2024
Episode 199 - When a BlackCat Crosses Your Path...
Listen Now
Episode 198 - Heard it Through the Grapevine - Beyond the Beltway, 2024
March 08, 2024
Episode 198 - Heard it Through the Grapevine - Beyond the Beltway, 2024
Listen Now
NuHarbor Security logo
NuHarbor Security

553 Roosevelt Highway
Colchester, VT 05446

1.800.917.5719

  • Solutions
  • Services
  • Partners
  • Resources
  • Company
  • Contact
  • Privacy Policy
Connect
  • Twitter
  • Linkedin
  • YouTube
©2025 NuHarbor Security. All rights reserved.