Underfunded cybersecurity in critical infrastructure

If you ever wondered what keeps a modern city upright and not descending into a howling medieval mess, the answer is simple. A stack of creaking infrastructure systems held together by ancient protocols, budget cuts, and engineers who have been told since birth that taking anything offline is a sin punishable by eternal paperwork.

Imagine the Ankh-Morpork power grid. Imagine the pipes under the Shades. Imagine the rail system during peak hour. Now imagine someone trying to secure all that with thirty years of overdue updates and a budget that would not stretch to a tray of Klatchian coffee. That is the state of modern critical infrastructure.

Energy grids. Water utilities. Transport networks. They all have the same affliction. Old systems. Flat networks. A proud tradition of shouting “availability first” whenever the word “security” wanders too close.

Everything runs. Mostly. Nothing is secure. Definitely.

Upgrade cycles move at the speed of a hungover troll. Vulnerabilities gather dust. Attackers gather interest.

The infrastructure nobody sees

There is an entire underworld of pipes, wires, signals and pumps. Nobody thinks about it. Nobody celebrates it. Everyone screams when it stops working.

The power grid: The civic miracle that keeps hospitals alive, kettles boiling and data centres humming ominously in the background. Built over many decades by engineers who understand electricity but look at cyber threats as if they are impolite rumours.

Water treatment: A noble effort involving pipes, tanks and control panels older than several council members. Designed in the age when a network was a tangle of serial cables and “remote access” meant someone leaning in from across the table.

Railways: Signals that must never fail, never stop, and certainly never be rebooted. They are often built on operating systems that last saw an update when sequins were fashionable.

Gas distribution: Designed for reliability and pressure control, not for repelling attackers with a fondness for remote code execution.

What they all have in common: Critical to society. Cannot go offline. Built long before the word “cyber” stopped meaning “something in a science fiction booklet.” Run by people whose performance reviews mention uptime, not ransomware. Consequently excellent targets for hostile states, bored hackers and organised criminals doing a bit of light extortion.

Old protocols, the digital archaeology

Beneath the blinking lights of control rooms everywhere are protocols so old they practically deserve heritage plaques.

SCADA systems: Invented in a period when “security” meant keeping the dog in the courtyard. No encryption. No authentication. No defence against anyone with a laptop and ambition.

Modbus: A protocol from 1979. Still widely used. Still cleartext. Still blissfully unaware that adversaries exist.

DNP3: Marginally younger and slightly less archaic. Still not what you might call secure in any modern sense.

None of this was bad design. It was design for a world where attackers had to physically break into facilities. Now attackers sit comfortably at home, sipping coffee, probing systems on the far side of the planet.

Modern infrastructure became networked for efficiency and remote monitoring. The security was not invited along for the ride because improvements cost money and downtime, both of which make managers pale and shaky.
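What "cleartext, no authentication" looks like from a monitoring tap, as an added example that is not part of the original essay: a Modbus/TCP request decoded field by field, with writes from hosts outside an allowlist flagged. The sample frames, the documentation-range IP addresses and the allowlist are constructed for illustration.

```python
import struct

# Modbus function codes that change state on the device.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP request. Every field is readable as-is:
    the frame carries no credential, signature or session token."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0, so not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    out = {"transaction": tid, "unit": unit, "function": frame[7]}
    # Reads and the four write requests above start with a 16-bit address.
    if len(frame) >= 12:
        out["address"], out["value_or_count"] = struct.unpack(">HH", frame[8:12])
    return out

def flag_writes(captured, allowed_writers):
    """Return alerts for write requests from hosts outside the allowlist."""
    alerts = []
    for src_ip, frame in captured:
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError:
            continue  # malformed; a real monitor would log these too
        name = WRITE_FUNCTIONS.get(msg["function"])
        if name and src_ip not in allowed_writers:
            alerts.append((src_ip, name, msg["unit"], msg.get("address")))
    return alerts

# Constructed sample traffic, not a real capture.
SAMPLE = [
    ("192.0.2.10", bytes.fromhex("000100000006010300000002")),  # HMI reads 2 registers
    ("192.0.2.10", bytes.fromhex("00020000000601060010012c")),  # HMI writes register 16
    ("192.0.2.77", bytes.fromhex("00030000000601060010ffff")),  # unlisted host writes register 16
]

if __name__ == "__main__":
    for alert in flag_writes(SAMPLE, allowed_writers={"192.0.2.10"}):
        print(alert)
```

Because the protocol itself cannot tell the HMI from the unlisted host, the only distinguishing signal here is the source address, which is why this kind of check belongs at a segment boundary rather than on the device.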

Why upgrading is the stuff of fantasy

Equipment in critical infrastructure lasts forty years. Vendors vanish. Firmware updates never existed. Testing takes forever. Downtime costs actual millions. Certification demands everything match a specific configuration from the late Bronze Age.

Hence the frequent decision to write down the risk in a report and then heroically ignore it.

Exhibit A: railway signalling. Runs DOS. Has not failed in twenty years. Vulnerable to spoofing. Fixing it would cost £200 million and three years of testing. Budget available: a sandwich and a shrug. Result: document risk, do nothing, hope for best.

Minimal segmentation, the flat network problem

In theory, networks should be layered like a well-organised library. In practice, they resemble the streets of Ankh-Morpork during a parade. Everything connects to everything. If you compromise one corner, you may well compromise the entire city.

Segmentation is possible but expensive, fiddly, and often vetoed because a firewall might add a few milliseconds of delay. Apparently the universe will collapse if a pump receives a signal at exactly the wrong moment.

What usually counts as segmentation: A single VLAN, a firewall running rules written by someone who left five years ago, and a diagram that insists there is separation while reality chuckles darkly behind it.

Water treatment systems often have “segmented” networks with more holes than a dwarf mine surveyed by an accountant.

Availability first, security maybe later

Operations engineers worship uptime. Patching threatens uptime. Therefore patching is suspicious.

A typical conversation goes like this:

Security: Patch this or attackers will break in.
Operations: Rebooting causes outage.
Security: Only fifteen minutes.
Operations: Out of the question. Next maintenance window is months away.
Security: But attackers are actively exploiting this.
Operations: Have they exploited us?
Security: Not yet.
Operations: Good enough.

This is not malice. It is incentives. Uptime is measurable. Prevented attacks are invisible. The result is a culture where change is the enemy and vulnerabilities are simply interesting footnotes.

The upgrade paralysis

In a sane world, systems would be replaced on schedule. In the real world they are replaced when they finally collapse, metaphorically or literally.

Downtime costs money. Budgets are tight. Regulators demand forms for every bolt turned. Boards do not fund invisible improvements. And engineers understandably prefer devils they know.

Hence a controller installed in 2003 is still running in 2025 because replacing it would cost fifteen million pounds and cause an outage long enough to get politicians involved.

The vulnerability landfill

Unpatched vulnerabilities accumulate like rubbish behind the Unseen University. They pile up in spreadsheets. They are known to attackers. They remain in place for charming reasons such as “vendor discontinued product”, “patch breaks things”, or “we did not know that system still existed.”

Every year the pile grows. Every year fewer patches land. Nobody has time. Nobody has budget. Everyone has hope.

The maintenance budget fiction

Physical maintenance is grudgingly funded. Digital maintenance is treated like an optional add-on, much like decorative shrubbery. Capital expenditure gets money because it buys new kit. Operational expenditure gets cut because it is invisible.

Security lives in OpEx. Which means security gets slashed at every opportunity, until a crisis happens, at which point emergency budgets appear like mushrooms after rain.

Afterwards everyone vows to learn lessons. Then immediately forgets.

The public-private gap

Private infrastructure underfunds security because it eats into profits. Public infrastructure underfunds security because voters prefer shiny projects to boring necessities. Both starve the systems that keep everything functioning.

Boards focus on earnings. Politicians focus on headlines. Nobody focuses on air-gapped control rooms running Windows XP.

The insider threat nobody mentions

Everyone obsesses about hostile states. Meanwhile, the real danger is often the bored engineer who plugs in a USB stick because the approved process involves seventeen forms and a blood sacrifice.

Policies forbid USBs. Engineers use USBs. Because otherwise nothing gets done. Stuxnet taught the world a lesson. The world ignored it. Tea break continued.

Remote access is meant to be secured. In practice it is often “TeamViewer icon on desktop” and credentials shared among half of Uberwald.

These are not bad people. They are people trying to do work with systems designed by committees that have never changed a filter pump.

The certification straitjacket

Safety certification freezes systems in time. Security requires constant change. Recertifying costs vast sums. Managers pick the legal option, not the secure one. Security loses every battle.

A safety system from 2015 gains a critical vulnerability in 2020. A patch exists but installing it invalidates certification. The options are to break the law or stay insecure. Guess which one wins.

The know-do gap

Everyone knows the infrastructure is vulnerable. Reports are written. Presentations delivered. Conferences held. Everybody nods sagely. Then nothing happens.

Knowing is easy. Doing is ruinously expensive.

And so the city continues. Wires hum. Pumps churn. Signals blink. Systems designed for a gentler era hold back a tide of threats through stubbornness, hope and the heroic refusal to take anything offline for even a minute.

One day something might break loudly enough that budgets will materialise and upgrades will happen. Some. Again. Until then the entire edifice runs on inertia and the optimistic assumption that attackers are too busy bothering someone else.