Carbonatix Pre-Player Loader

Audio By Carbonatix

Cyber conflict increasingly reaches beyond stolen records and interrupted websites. In April 2026, the U.S. Cybersecurity and Infrastructure Security Agency, FBI, NSA, Department of Energy, and other federal agencies warned that Iranian-affiliated actors were exploiting internet-facing programmable logic controllers across U.S. energy, water, and government facilities.

The agencies said the attackers interacted with PLC project files, altered information displayed through human-machine interfaces and supervisory control systems, and caused operational disruption and financial loss in some cases.

This was not an isolated warning. In April 2022, Russian-linked Sandworm operators attempted to disrupt Ukrainian high-voltage electrical substations using Industroyer2 malware designed to interact with industrial control systems that manage power flows, while also deploying wiper malware against supporting systems. In late 2022, researchers reported that Sandworm caused a power disruption at a Ukrainian electrical substation by manipulating circuit breakers during a period of Russian missile attacks, then used data-wiping malware to complicate recovery. These incidents show how cyber operations can interfere with electricity generation, grid monitoring and control functions, and the industrial systems on which national resilience depends.

The architectural problem is that much of critical infrastructure was built around a trusted network perimeter. That model becomes difficult to sustain when utilities connect operational technology to remote engineers, contractors, cloud applications and distributed monitoring systems.

CISA’s guidance for secure OT connectivity recommends removing direct inbound exposure and mediating remote access through controlled gateways. Its advisory on the Iranian-affiliated campaign similarly urged operators to disconnect PLCs from the public internet, enforce multifactor authentication and control external access through gateways, firewalls or virtual private networks.

Cloud-native security can support a different model, but only when security is built into the architecture. Centralized logging can bring identity, cloud, network and selected OT telemetry into defined collection and retention paths.

Infrastructure as Code allows network boundaries, logging requirements and access controls to be versioned, reviewed and deployed consistently rather than recreated through manual configuration. The AWS Well-Architected Security Pillar, for example, recommends using Infrastructure as Code to standardize resource and security-service deployments across accounts and environments.

The greater change is Zero Trust Architecture. NIST defines Zero Trust as a shift away from static, network-based perimeters toward protecting users, assets, and resources. Access is not trusted merely because a person or system sits inside a particular network; it is evaluated according to identity, authorization, device or workload context, and the resource being requested.

For critical infrastructure, this means designing separate trust decisions for administrators, vendors, applications, and machine identities. A remote engineer should receive only the access needed for an approved task. Service accounts should use narrowly scoped permissions and temporary credentials where supported.

Critical workloads should be segmented so that compromising a business application does not automatically provide a path into control systems. Logs from identity providers, administrative actions, and network gateways should support continuous evaluation rather than a one-time decision made at login. CISA’s Zero Trust Maturity Model organizes this transition around identity, devices, networks, applications and workloads, and data, while its OT guidance stresses that Zero Trust must be adapted to operational requirements rather than copied directly from enterprise IT.

Cloud adoption raises a legitimate data sovereignty question. Some jurisdictions can support sovereign-cloud models through domestic regions, screened personnel, residency controls, and nationally supervised infrastructure, while others may depend on foreign hyperscale providers, regional data centers, cross-border connectivity, and external managed security services.

Absolute data localization may increase control in some contexts but reduce resilience, raise costs, or limit access to threat intelligence, disaster recovery, and modern security tooling in others. For critical infrastructure, the more realistic approach is risk-based sovereignty: classify grid-control data, operational telemetry, customer records and aggregated analytics by sensitivity; keep the most critical operational and national-security data under domestic or trusted regional control; require strong encryption, audit rights and exit options; and permit governed cross-border processing where it improves continuity and security.

Ghana’s Cyber Security Authority has identified sectoral CERTs as part of the country’s incident-response ecosystem and has publicly discussed advanced efforts to establish and operationalize an Energy Sector CERT. As that capability develops, its effectiveness will depend not only on the monitoring tools selected, but also on whether utilities adopt consistent identity, segmentation, logging and access-control architecture across their environments.

Critical infrastructure does not become secure simply because workloads move to the cloud. The security gain comes from deliberate architecture: removing unnecessary exposure, verifying each access request, limiting privileges, separating critical resources, preserving trustworthy telemetry and governing configurations as code. Firewalls remain necessary, but they can no longer carry the entire defensive burden.

About the author

Theodora Teikor Tetteh holds an M.Sc. in Cybersecurity and Networks from the University of New Haven, an M.Sc. in Energy Economics from the Ghana Institute of Management and Public Administration, and a Bachelor of Business Administration from the University of Professional Studies, Accra. She is an AWS Certified Solutions Architect, a Cisco Certified Network Associate, and holds CompTIA Security+ certification.

DISCLAIMER: The Views, Comments, Opinions, Contributions and Statements made by Readers and Contributors on this platform do not necessarily represent the views or policy of Multimedia Group Limited.
DISCLAIMER: The Views, Comments, Opinions, Contributions and Statements made by Readers and Contributors on this platform do not necessarily represent the views or policy of Multimedia Group Limited.