Critical Infrastructure: Stop Focusing on Preventing Breaches
For decades, we’ve focused on keeping attackers out of critical infrastructure. And for good reason. Attacks on critical infrastructure can be widespread and catastrophic.
But what happens when cybercriminals inevitably get in? Because they will.
This isn’t pessimism — it’s reality. If we’re still throwing money at preventing attacks instead of preparing for them, we’re doomed to repeat the same mistakes.
Stop chasing the probability unicorn
Cybersecurity strategies have long been focused on reducing the probability of an attack. Traditional prevention and detection tools are designed to keep attackers out.
But here’s the hard truth: It’s not working. The number and severity of critical infrastructure breaches are growing exponentially. The more we spend trying to make our systems impenetrable, the less we gain in actual protection. It's diminishing returns on security investment.
Unfortunately, the result is that systems are still vulnerable. Attackers are getting bolder, and organizations using traditional security are stuck in a losing battle.
Modern cybersecurity is about cyber resilience
One of the biggest lies we’ve told ourselves in cybersecurity is that we can prevent every attack. If the last decade has taught us anything, it’s that breaches are inevitable.
Instead of obsessing over stopping every breach, critical infrastructure organizations need to prepare for how to contain the impact of those breaches when they happen.
This shift from a prevention mindset to a resilience mindset is crucial. It’s about ensuring that even if an attacker gets in, they can’t move freely or take down what matters most. Reducing the impact of a breach requires proactive planning and a focus on containment.
Zero Trust is critical to this strategy.
Zero Trust assumes attackers are already inside your system and operates on the principle of “never trust, always verify.” By enforcing strict access controls using microsegmentation, Zero Trust limits lateral movement, confining attackers to a single area and preventing widespread damage.
Breach containment in a Zero Trust environment isn’t just about damage control — it’s about resilience. By isolating critical assets and monitoring activity continuously, organizations can reduce the impact of breaches, ensure essential systems stay operational, and buy time to respond effectively.
With Zero Trust, breaches are no longer catastrophic; they’re manageable.
Minimum Viable Operation (MVO): How to prioritize Zero Trust for critical infrastructure
A resilience mindset also means knowing what to protect and what to let go in a crisis. Not everything in your organization is critical.
During an attack, do you really need billing systems or email servers running? Probably not. What you need is the bare minimum to keep the lights on, the water flowing, and the trains running.
That’s the essence of Minimum Viable Operation (MVO). Zero Trust principles are instrumental here. By identifying and isolating your most essential systems, you can ensure they stay functional no matter what’s happening elsewhere.
Zero Trust allows you to apply strict controls that prevent attackers from moving laterally. This ensures attacks are contained so they can’t spread and wreak havoc.
With this framework, critical infrastructure organizations can contain the blast radius of an attack, safeguarding their most vital systems and giving themselves the breathing room to recover.
The reality check for critical infrastructure
We've seen the aftermath of attacks on critical infrastructure. The downtime, the finger-pointing, the scramble to recover — it’s ugly. But it’s also a wake-up call.
The labs, grids, and networks we rely on every day are prime targets. And as they integrate more smart technology, they only become bigger targets.
It’s time to stop treating Zero Trust like a nice-to-have and start treating it as the backbone of resilience.
Critical infrastructure can’t afford to cling to outdated ideas of cybersecurity. The future is resilience, and Zero Trust is how we get there. Let’s stop chasing perfection and start building systems that can withstand the inevitable.
Trevor Dearing
Director of Critical Infrastructure Solutions