The power grid is getting old, and so is the cybersecurity protecting it

Critical infrastructure is getting older, and the cost of that decay is starting to show. The Arthur D. Little Built to Last? report says that the systems powering energy, water, and transport are reaching the end of their design life.

Old systems, new risks

Much of the world’s infrastructure was built between the 1950s and 1970s. In the United States, nearly 70% of the power grid is over 25 years old, and about one third of bridges need repair. Similar conditions exist across Europe.

Power grids, water systems, and transportation networks rely on hardware and software never meant for a hyperconnected world. Mechanical components corrode or fatigue, while digital systems degrade through outdated software, legacy interfaces, and missed updates.

As operators connect these systems to digital controls, gaps appear between what can be monitored and what can be attacked. A single sensor vulnerability or unsupported protocol can link decades-old control systems to threat vectors.

Interconnected and exposed

The report describes infrastructure as a set of complex systems where one failure can trigger another. Cyber incidents spread in the same way. An infected maintenance laptop or a misconfigured firewall at a substation can ripple across connected networks.

Water systems, transport hubs, and power networks now depend on cloud monitoring and shared data feeds. A problem in one area can quickly affect another. Managing these links has become as important as maintaining the assets themselves.

Predicting failure before it happens

Many operators now use digital twins that combine real-world data with models showing how materials or systems wear over time. These tools help teams act before a failure occurs.

Software and firmware also age. Watching for early warning signs such as unpatched systems, unsupported hardware, and expired certificates can prevent larger issues. Shared data platforms where engineers and security teams view the same information enable faster, more coordinated responses.

Cybersecurity by design

The report urges infrastructure owners to integrate cybersecurity into every stage of system design and renewal. Protecting edge devices, control data, and system interfaces should be part of safety management. Adding defenses later rarely works.

Avoiding vendor lock-in and defining data ownership are equally important. When a provider controls asset data and analytics, operators lose visibility. The report advises organizations to select technology based on their own operational needs and to maintain flexibility as systems evolve.

“Just as for humans, aging is unavoidable for the critical infrastructure that supports our lives. Innovation in aging is about designing systems to work with it, harnessing solutions from predictive maintenance to regenerative materials. Without this, we will face further major disruptions as infrastructure failure impact interconnected systems,” said Dr. Albert Meige, Global Director of Blue Shift at Arthur D. Little.