The Cyber Risk Not Planned For: Degraded Operations
Critical infrastructure faces a different kind of cyber risk – not total failure, but degradation – systems might still function, but not well enough to support the total mission objective.
Most cyber incidents don’t look like a complete catastrophe at first. Things might slow down, interdependencies might start acting strangely, and lead to using workarounds. Operating in a degraded state compounds over time (ie. Death by a thousand paper cuts), eventually affecting your capabilities to deliver on your organizational mission. The challenge being able to recognize something is happening early and preparing for it intentionally.
The first step is shifting how you frame the risk. Cybersecurity teams often focus on vulnerabilities in IT systems, which is important — but the real impact shows up when something stops working at the mission level. A school without access to student records, a loading dock resorting to manual operations, or a power utility unable to coordinate with their crews may still be “online,” but none of them are as effective as they need to be. Risk assessments should start with thinking about critical functions, not tools. Everyone need to understand what matters most and prepare to protect it, when conditions are far from ideal.
“Everyone has a plan until they get punched in the mouth” - Mike Tyson
We also need to challenge our assumptions. Many organizations are relying on untested beliefs about what can’t happen, which systems might recover first, or which failures are acceptable. These kind of assumptions need to be evaluated. Thinking about real world scenarios that consider cascading effects across power, communications, operations, and people. The 2025 Iberian Peninsula blackout where around 55 million to 60 million people across Spain, Portugal, and parts of France lost power demonstrated the interconnected cascading effects power loss can create for society.
We need to connect likelihood and consequence to real operational impact. Enabling informed decisions about where to invest time, attention, and resources.
Preparation matters more than prediction.