We are sitting on a list of predictable failures. Critical infrastructure operators, regulators, and their vendors are still treating yesterday’s problems like curiosities, not front-line threats. That complacency is the blind spot. It will be exploited, and it will cost lives or livelihoods unless organizations change how they prioritize risk.

Blind spot 1: Known exploited vulnerabilities left unpatched. CISA’s KEV catalog remains a blunt signal that attackers are actively weaponizing old and newly discovered flaws. When agencies and operators treat patching as optional, they invite fast, inexpensive compromise. Federal guidance now compels remediation for the highest risk CVEs, but private and local operators lag. Prioritize the KEV list and make remediation routine, not negotiable.

Blind spot 2: The managed service and third-party dependency. Attacks against or through service providers cascade. Recent KEV entries tied to widely used remote management products underscore how a single vendor weakness can expose dozens or hundreds of customers. Contracts and operational oversight still fail to reflect that reality. Tighten vendor controls, demand transparency on patching and detection, and stop assuming your MSSP or MSP will absorb your risk.

Blind spot 3: Small operators, essential services. Water and wastewater systems are textbook weak links. The Oldsmar incident exposed how accessible remote interfaces and minimal monitoring can turn a small town into a national story. Regulators are pushing tools and guidance, but many systems lack staff, budgets, and the fundamentals of cyber hygiene. Treat water utilities as critical, not marginal. Fund basic defenses, mandate inventories, and enforce minimum cybersecurity standards.

Blind spot 4: Physical shock to cyber-dependent systems. The battlefield in Ukraine proved that kinetic and low-cost aerial threats can cripple power and distribution networks at scale. Waves of missiles, loitering munitions, and drones have knocked out generation and transmission capacity, causing cascading outages. Domestic infrastructure must plan for similar asymmetric physical attacks, because the tools and tactics are proliferating. Hardening controls and adding graceful-fail modes matter as much as firewalls.

Blind spot 5: OT-IT convergence without proper segregation. Operators keep bolting business systems onto industrial networks and wonder why attackers move laterally so quickly. In many places, supervisory control and data acquisition systems remain reachable through remote access tools and weakly defended human-machine interfaces (HMIs). Assume every IT compromise will be tested against OT controls. Segment, limit privileges, enforce multi-factor authentication, and assume detection will be imperfect.

What to do, in plain terms:

  • Make KEV remediation a quarterly, audited priority. If a CVE is in active exploitation, assume it will be used against you.
  • Treat third parties as extensions of your network. Require proof of patch cadence, logging, and incident response playbooks. Consider contract clauses that allow independent security validation.
  • Fund and enforce baseline cybersecurity for small utilities. Inventory assets, remove unnecessary remote access, and install manual overrides where chemical and public health risks exist.
  • Prepare for physical attack. Map interdependencies between energy, water, telecom, and healthcare. Build graceful degradation into operations so a single point of failure does not become a sector collapse. Use tabletop exercises that simulate drone and missile strikes on key nodes.
  • Segment OT from IT and require multi-factor authentication on every remote control path. Train operators to recognize adversary behavior and respond without waiting for centralized IT permission.
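As an added example of turning "prioritize the KEV list" into a checkable routine (this is illustrative code, not part of the original piece), the Python below cross-references open scanner findings with a snapshot of CISA's KEV catalog and orders them by known ransomware use, by whether CISA's due date has passed, and by whether the asset sits in the OT zone. The catalog snapshot, asset names, zone labels and CVE IDs are constructed placeholders; the live feed is CISA's known_exploited_vulnerabilities.json, whose field names the snapshot mirrors.

```python
import json
from datetime import date

# Constructed KEV snapshot using the live catalog's field names
# (cveID, dueDate, knownRansomwareCampaignUse); CVE IDs are placeholders.
KEV_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleRMM", "product": "Agent",
     "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleHMI", "product": "Panel",
     "dueDate": "2024-03-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dueDate": "2024-05-22", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner export: one open finding per (asset, CVE).
FINDINGS = [
    {"asset": "hmi-plant-1", "zone": "OT", "cve": "CVE-0000-0002"},
    {"asset": "rmm-server", "zone": "IT", "cve": "CVE-0000-0001"},
    {"asset": "vpn-gw", "zone": "IT", "cve": "CVE-0000-0003"},
    {"asset": "file-srv", "zone": "IT", "cve": "CVE-0000-9999"},  # not in KEV
]


def load_kev(raw_json):
    """Index a KEV catalog document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritize(findings, kev, today_iso):
    """Return KEV-listed findings, most urgent first: known ransomware use,
    then past CISA's due date, then OT assets, then earliest due date.
    Findings absent from KEV stay in the normal patch cycle."""
    today = date.fromisoformat(today_iso)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue
        overdue = (today - date.fromisoformat(entry["dueDate"])).days
        rows.append({"asset": f["asset"], "cve": f["cve"], "due": entry["dueDate"],
                     "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                     "overdue_days": max(0, overdue), "ot": f["zone"] == "OT"})
    # False sorts before True, so ransomware, overdue and OT rows come first.
    rows.sort(key=lambda r: (not r["ransomware"], r["overdue_days"] == 0,
                             not r["ot"], r["due"]))
    return rows
```

Running `prioritize(FINDINGS, load_kev(KEV_SNAPSHOT), "2024-04-01")` puts the ransomware-linked, 61-days-overdue RMM server first, the overdue OT panel second, and the not-yet-due gateway last; the audit record for the quarter is the list of rows with a non-zero overdue count.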

Stop outsourcing judgment. The threat picture is noisy but not unknowable. The real risk is organizational: budgets misaligned, threats underestimated, and practices stuck in the status quo. Fix the basics first, then build resilience into systems that cannot be patched away. Do that and you reduce your blind spots. Fail to do it and you will be surprised by an attack someone else already rehearsed.