ASSESSING THE VULNERABILITIES OF CRITICAL INFRASTRUCTURE IN THE AGE OF HYBRID THREATS

Апстракт

The protection of critical infrastructure is vital to the stability and security of modern societies and is a cornerstone of national and international security. As the threat landscape evolves, traditional security measures are increasingly insufficient to address the emerging complexity of hybrid threats. These threats, which combine elements of conventional, irregular, and cyber warfare, pose significant challenges to the resilience of critical infrastructure systems. This paper explores the vulnerabilities of critical infrastructure in the context of hybrid threats, examining the physical, cyber, and organizational risks that compromise the integrity of essential systems such as energy, transportation, communications, water and health. Through case studies, including cyberattacks on critical infrastructure systems and terrorist extremism on oil fields, the paper highlights the multifaceted nature of these threats and their potential cascading effects globally across interconnected infrastructure sectors. The paper concludes by exploring strategies for assessing these vulnerabilities, highlighting the importance of integrated cybersecurity measures and physical security improvements, with an emphasis on unified action by countries and proactive strategies to safeguard critical infrastructure in an increasingly complex hybrid threat environment. 

References

•     Ahmed, S. I. (2019). Oil soars after attack on Saudi facilities, stocks dip. Reuters. Retrieved June 2025, from: https://www.reuters.com/article/business/oil-soarsafter-attack-on-saudi-facilities-stocks-dip-idUSKBN1W00WA/
•     Army Recognition. (2024). Saudi Arabia reveals integration of six advanced air defense systems to counter modern threats. Retrieved June 2025, from: https://armyrecognition.com/news/army-news/army-news-2024/saudi-arabia-revealsintegration-of-six-advanced-air-defense-systems-to counter-modern-threats
•     BBC News. (2019). Saudi oil attacks: Drones and missiles launched from Iran –US. Retrieved June 2025, from: https://www.bbc.com/news/world-middleeast-49733558
•     BBC News. (2021). Hacker tried to poison Florida city’s water supply. Retrieved July 2025, from: https://www.bbc.com/news/world-us-canada-55989843
•     BBC News. (2024, April 8). Mozambique ferry disaster kills more than 90 – officials. Retrieved July 2025, from: https://www.bbc.com/news/world-africa-68758345
•     Brucato, A. (2022). KillNet cyber attacks against Italy and NATO countries. Sysdig. Retrieved July 2025, from: https://www.sysdig.com/blog/killnet-italy-and-nato
•     Council of the European Union. (n.d.). Hybrid threats. Retrieved May 30, 2025, from: https://www.consilium.europa.eu/en/policies/hybrid-threats/
•     Council of the North Atlantic Treaty Organization. (2024). Countering hybrid threats. Retrieved May 30, 2025, from: https://www.nato.int/cps/en/natohq/topics_156338.htm
•     Council of the European Union. (2008). Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. Retrieved May 2025, from: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32008L0114
•     Council of the European Union, & European Parliament. (2022A). Directive (EU) 2022/2557 of the European Parliament and of the Council on the resilience of critical entities and repealing Council Directive 2008/114/EC. Official Journal of the European Union, L 333, 164–198. Retrieved July 2025, from: https://eur-lex.europa.eu/legalcontent/EN/TXT/HTML/?uri=CELEX:32022L2557
•     Council of the European Union, & European Parliament. (2022B). Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive). Official Journal of the European Union, L 333, 80–152. Retrieved July 2025, from:
https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng
•     Cybersecurity and Infrastructure Security Agency. (2023A). Infrastructure Survey Tool (IST) Fact Sheet. Retrieved July 2025, from: https://www.cisa.gov/sites/default/files/2023-06/infrastructure_survey_tool_ist_fact_sheet-2023.pdf
•     Cybersecurity and Infrastructure Security Agency. (2023B). Cyber Infrastructure Survey (CIS) Fact Sheet. Retrieved July 2025, from: https://www.cisa.gov/sites/default/files/2023-12/cybersecurity-resources-for-9-1-1-centers_112023_508.pdf
•     Dameff, C., Tully, J., Chan, T. C., Castillo, E. M., Savage, S., Maysent, P., Hemmen, T. M., Clay, B. J., & Longhurst, C. A. (2023). Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US. JAMA network open, 6(5),
e2312270. https://doi.org/10.1001/jamanetworkopen.2023.12270
•     Dickson, J., & Harding, E. (2025). How a cyber alliance took down Russian cybercrime. Center for Strategic and International Studies. Retrieved July 2025, from: https://www.csis.org/analysis/how-cyber-alliance-took-down-russian-cybercrime
•     Eich, A. (2022). KillNet: Russian hacktivists DDoS US airports, government websites. University of Hawaiʻi–West Oʻahu. Retrieved July 2025, from: https://westoahu.hawaii.edu/cyber/uncategorized/killnet-russian-hacktivists-ddos-us-airportsgovernment-websites
•     European Commission. (2025). Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Protect EU: A European Internal Security Strategy (COM(2025) 148 final). Retrieved July 2025, from: https://eur-lex.europa.eu/legalcontent/EN/TXT/HTML/?uri=CELEX:52025DC0148&
•     European Parliament. (2025). Report on the security of energy supply in the EU (2025/2055(INI)). Committee on Industry, Research and Energy. Retrieved July 2025, from: https://www.europarl.europa.eu/doceo/document/A-10-2025-0121_EN.html
•     European Union Agency for Cybersecurity (ENISA). (2023). ENISA Threat Landscape 2023. Retrieved June 2025, from: https://www.enisa.europa.eu/sites/default/files/publications/ENISA%20Threat%20Landscape%202023.pdf
•     Goodin, D. (2022). Pro-Russia threat group KillNet is pummeling Lithuania with DDoS attacks. Ars Technica. Retrieved July 2025, from: https://arstechnica.com/information-technology/2022/06/pro-russia-threat-group-killnet-is-pummelinglithuania-with-ddos-attacks/
•     Hodge, A. T. (2002). Roman aqueducts & water supply (2nd ed.). London: Duckworth. Retrieved May 2025, from: https://archive.org/details/t.-hodge-roman-aqueductsand-water-supply-2002-compressed
•     Lee, Assante and Conway, E-ISAC. (2016). Analysis of the Cyber Attack on the Ukrainian Power Grid. Retrieved June 2025, from: https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdfv
•     NATO Cooperative Cyber Defence Centre of Excellence. (n.d.). Locked Shields. Retrieved July 2025, from: https://ccdcoe.org/locked-shields/
•     NATO Cooperative Cyber Defence Centre of Excellence. (2023). World’s largest cyber defense exercise Locked Shields brings together over 3,000 participants. Retrieved July2025, from: https://ccdcoe.org/news/2023/6016/
•     NATO Secretary General Stoltenberg. (2019). NATO concerned by attacks on Saudi oil facilities [Press statement]. NATO Watch. Retrieved June 2025, from: https://natowatch.org/newsbriefs/2019/nato-concerned-attacks-saudi-oil-facilities
•     North Atlantic Treaty Organization. (n.d.). Hybrid Warfare: Reports. NATO Library Guides. Retrieved July 2025, from: https://natolibguides.info/hybridwarfare/reports
•     North Atlantic Treaty Organization. (2023). Resilience and civil preparedness in NATO.
NATO. Retrieved July 2025, from: https://www.act.nato.int/article/resilience-andcivil-preparedness-in-nato/
•     Nye, J. S. Jr. (2016). Deterrence and dissuasion in cyberspace. International Security, 41(3), 44–71. https://doi.org/10.1162/ISEC_a_00266. Retrieved May 15, 2025, from: https://www.belfercenter.org/sites/default/files/pantheon_files/files/
publication/isec_a_00266.pdf
•     Organization for Security and Co-operation in Europe. (2013). OSCE guidebook on critical infrastructure protection. Retrieved May 2025, from: https://www.osce.org/files/f/documents/9/5/107155.pdf

•     Shah, S. M., & Khan, R. A. (2020). Secondary use of electronic health record: Opportunities and challenges. https://doi.org/10.48550/arXiv.2001.09479
•     Subramanian, S. (2017). Inside the Macedonian Fake-News Complex. Wired. Retrieved September 2025, from: https://www.wired.com/2017/02/veles-macedonia-fakenews/
•     U.S. Army War College Strategic Studies Institute. (2023). Understanding critical infrastructure: From enabling NATO’s collective defense [Article]. Strategic Studies Institute, U.S. Army War College. Retrieved July 2025, from: https://ssi.armywarcollege.edu/SSI-Media/Recent-Publications/Article/3946047/understanding-critical-infrastructure-from-enabling-natos-collective-defense-ci/
•     Waldron, A. N. (1990). The Great Wall of China: From History to Myth. Cambridge University Press. Retrieved May 2025, from: https://www.cambridge.org/core/journals/china-quarterly/article/abs/great-wall-of-china-from-history-to-mythby-arthur-waldron-cambridge-cambridge-university-press-1990-296-pp-3950-isbn-0-521-36518-x/97A7315FC7DEB956C35BBD07F68B8649
•     Yu, Z., Kaplan, Z., Yan, Q., & Zhang, N. (2021). Security and privacy in the emerging cyber-physical world: A survey. IEEE Communications Surveys & Tutorials. https://doi.org/10.1109/COMST.2021.3081450