Cointegrity

Critical Infrastructure

Critical infrastructure is the set of physical and digital systems and assets so vital to a society that their incapacitation or destruction would have a debilitating effect on national security, economic stability, public health, or safety. Governments formally designate critical-infrastructure sectors — in the United States the Cybersecurity and Infrastructure Security Agency (CISA) recognises sixteen, including energy, water and wastewater, communications, financial services, healthcare, transportation, and emergency services; the EU's NIS2 Directive and the Critical Entities Resilience (CER) Directive define analogous categories. These systems have become a primary theatre of state-sponsored cyber conflict precisely because compromising them offers strategic leverage: an adversary that can disrupt power, water, communications, or financial settlement during a crisis holds coercive power without firing a shot.

The threat to critical infrastructure has shifted from theoretical to demonstrated. State actors now conduct 'pre-positioning' campaigns: embedding covert, persistent access into infrastructure networks during peacetime so the access can be activated for disruption during a future confrontation. The Chinese actor Volt Typhoon is the canonical example, having burrowed into US communications, energy, water, and transportation networks using living-off-the-land techniques and Operational Relay Box (ORB) infrastructure built from compromised edge devices; the related Salt Typhoon campaign targeted the communications sector for espionage. Russian (Sandworm) operations against the Ukrainian power grid and ransomware strikes against pipelines and hospitals further illustrate that both nation-states and financially motivated criminals treat critical infrastructure as a high-value target.

Within the digital-asset domain, critical infrastructure is relevant along two axes. First, financial-market infrastructure — exchanges, custodians, stablecoin issuers, settlement and payment rails — is itself increasingly treated as critical infrastructure by regulators, bringing it within frameworks such as the EU's DORA (Digital Operational Resilience Act) that mandate operational-resilience, incident-reporting, and third-party-risk controls. Second, the blockchain sector intersects with physical critical infrastructure through Decentralised Physical Infrastructure Networks (DePIN), which use token incentives to build distributed alternatives to centralised energy, wireless, storage, and compute networks — raising the prospect of infrastructure that is more resilient because it lacks a single point of failure, while also creating novel attack surfaces.

Example

When CISA and the Five Eyes agencies disclosed in 2023–2024 that Volt Typhoon had maintained covert access to US critical-infrastructure networks — including in Guam — without deploying conventional malware, the campaign was characterised not as data theft but as positioning for potential disruption of communications and logistics during a future Indo-Pacific conflict, redefining critical-infrastructure intrusion as an instrument of geopolitical deterrence.

Why It Matters

As exchanges, custodians, and stablecoin and settlement systems are formally absorbed into critical-infrastructure and operational-resilience regimes (DORA, NIS2, and equivalent regimes worldwide), digital-asset firms inherit heightened obligations around incident reporting, third-party-risk management, business continuity, and defence against the same state-actor tradecraft — ORB relays, edge-device compromise, living-off-the-land — used against traditional infrastructure. Understanding the critical-infrastructure threat model is therefore directly load-bearing for how serious digital-asset operators architect resilience and satisfy emerging regulatory expectations.

Category: compliance, regulatory frameworks, infrastructure applications

Definition maintained by Cointegrity. See our editorial policy for review standards on regulatory and compliance terms.
