Structural Vulnerability in US Critical Infrastructure

Three compounding layers—physical cascade topology, monitoring blind spots, and software template monoculture—create a detection gap that existing federal programs do not address.

The conventional framing of infrastructure security asks whether an adversary can breach the perimeter of a defended system. INFORMN asks a different question: what if the topology of the infrastructure itself—the physical dependencies between systems, the gaps in how those systems are monitored, and the shared architectural patterns through which they were built—constitutes the vulnerability?

The three layers described on this page are not independent problems. They interact multiplicatively. Understanding each in isolation understates the risk by a large margin. The contribution of this analysis is the compound picture: the specific way the three converge.

All findings below are drawn from public federal sources: GAO reports, CISA advisories, congressional testimony, DOE program documentation, USACE engineering circulars, and open-source incident records.

Layer One

Physical Cascade Topology

The United States built its water, energy, and industrial infrastructure across the twentieth century as an integrated physical system. Rivers are managed by chains of dams in series. Hydroelectric generation feeds regional power grids. Nuclear plants draw river water for cooling. Refineries depend on consistent water supply and uninterrupted power. Each dependency was engineered for normal operations. None was designed for the failure propagation dynamics that cascade dependencies create under adversarial conditions.

River System | Dams in Series | Downstream Dependencies | Key Vulnerability
--- | --- | --- | ---
Tennessee (TVA) | 49, single operator | Oak Ridge NL, Watts Bar Nuclear, 7-state grid | Single-operator OT, cloud migration underway
Ohio (USACE) | 20 lock-and-dam | Pittsburgh, Cincinnati, Louisville industrial corridor | Sole-source vendor for control systems
Columbia | Multi-operator | Hanford nuclear site, 15,000-mile transmission grid | Nuclear site dependency, cross-border cascade
Colorado | Multi-state | Las Vegas water, Southwest agricultural irrigation | Drought amplification, penstock vulnerability
Missouri (USACE) | 6 main-stem | Midwest agriculture, municipal water, navigation | Extended linear chain, remote staffing

Physics Faster Than Bureaucracy

The fundamental problem with cascade topology as a threat surface is temporal. Physical consequences propagate at the speed of hydraulics and electrical grid frequency deviation. Defensive responses propagate at the speed of bureaucratic coordination: Emergency Action Plan activation, inter-agency notification, regulatory waiver processing, incident command establishment.

The 2003 Northeast Blackout demonstrated the velocity differential. A software bug in a utility control-room alarm system left operators blind while the cascade developed over more than an hour; once it tipped, automatic protective disconnections propagated across eight states and two Canadian provinces within eight seconds, affecting 55 million people. No human could have intervened at the speed the physics required.

Winter Storm Uri in 2021 demonstrated the fuel supply cascade. Frozen natural gas wellheads reduced pipeline pressure, shutting down gas-fired power plants. Loss of electrical power then froze more wellheads, further reducing supply. The cascade amplified itself: the event that caused the power failure also destroyed the infrastructure needed to restore it. Texas lost more than a third of its generating capacity in hours. Restoration took weeks.

The 2017 Oroville Dam crisis demonstrated that a credible threat to a dam, even without failure, produces cascade effects. Spillway erosion forced the evacuation of approximately 188,000 people and cost over a billion dollars. An adversary does not need to destroy infrastructure. An adversary needs only to create sufficient uncertainty about integrity to trigger the cascade.

The Regulatory Seam

The electrical generation side of a hydroelectric dam falls under NERC CIP standards: continuous monitoring, access controls, incident reporting, regular auditing. The water-retention side of the same dam—spillway gates, reservoir level sensors, water release controls—falls under FERC Part 12, which requires periodic inspections but does not mandate cybersecurity controls, continuous monitoring, or incident reporting for unauthorized control system access.

At an April 2024 Senate hearing, FERC acknowledged that well over half of the 2,500 nonfederal dams it licenses had not received a cybersecurity audit. FERC has four employees dedicated to cybersecurity oversight of those facilities. The agency stated it lacks the funding and staffing to audit the remaining dams within the next decade.

Layer Two

Monitoring Blind Spots

The National Inventory of Dams

The National Inventory of Dams, maintained by USACE and FEMA, catalogs over 92,000 dams with more than 70 data fields per record covering physical characteristics, operational data, inspection history, and Emergency Action Plan status. The data dictionary contains zero fields for cybersecurity telemetry. No field for control system vendor. No field for remote access capability. No field for network connectivity. No field for cybersecurity assessment date or result.

CISA's Dams Sector Landscape 2024 confirms that unauthorized control system access could allow adversaries to remotely direct physical processes with cascade consequences across flooding, water supply, power, and transportation. The monitoring void and the acknowledged consequence are documented by the same federal apparatus. They have not been connected.

Approximately 16,500 dams are classified high-hazard potential—facilities where failure is expected to cause loss of life. That number has increased nearly 20 percent over the past decade. Sixty-five percent of all US dams are privately owned: approximately 60,000 facilities with no mandatory cybersecurity posture, no CISA relationship, and no federal oversight of their operational technology.

Silence Misread as Security

The sectors with the lowest cyber incident reporting rates include water infrastructure, energy operational technology, and dam management. The conventional interpretation is reassuring: few reported incidents suggests the sector is secure. That interpretation is wrong.

Financial services and healthcare report thousands of incidents annually not because they are uniquely insecure, but because they can see what is happening to them. The water sector's near-zero reporting indicates an absence of monitoring capability, not an absence of adversary activity.

CISA advisory AA24-038A documented that the PRC state-sponsored group Volt Typhoon maintained persistent access in water, energy, and communications operational technology environments using living-off-the-land techniques, with dwell times in some cases of at least five years. An adversary operating in an environment with no monitoring, using techniques designed to evade what monitoring does exist, generates no incidents to report.
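The distinction this section draws, between a source that has gone quiet and a source that was never instrumented, can be encoded directly in a detector that treats missing telemetry as a finding rather than as good news. The following is an added example, not code from the original page or from INFORMN: the asset inventory, hazard classes, heartbeat intervals and log lines are constructed, and the key=value heartbeat format and the three-interval grace period are assumptions.

```python
"""Treat the absence of expected telemetry as a detection signal.

Added example, not from the original page or from INFORMN. The asset
inventory, expected heartbeat intervals and the heartbeat log below are
constructed for illustration. The point: a quiet source is only
reassuring once you know it was expected to speak.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Hypothetical inventory: hazard class and expected heartbeat interval in
# seconds. interval_s=None means no telemetry feed exists for the asset at
# all, which is the state the page describes for most dams.
INVENTORY = {
    "spillway-gate-plc-1":  {"hazard": "high",        "interval_s": 300},
    "reservoir-level-rtu":  {"hazard": "high",        "interval_s": 300},
    "penstock-hmi":         {"hazard": "high",        "interval_s": 60},
    "chlorine-dosing-plc":  {"hazard": "significant", "interval_s": 120},
    "tailrace-flow-sensor": {"hazard": "significant", "interval_s": 600},
    "nav-lock-remote-ops":  {"hazard": "high",        "interval_s": None},
}

# Constructed heartbeat log (deliberately out of order). penstock-hmi goes
# quiet after 10:20; tailrace-flow-sensor never reports at all.
EVENT_LOG = """\
2025-03-01T10:00:00Z host=spillway-gate-plc-1 msg=heartbeat
2025-03-01T10:00:00Z host=reservoir-level-rtu msg=heartbeat
2025-03-01T10:00:00Z host=penstock-hmi msg=heartbeat
2025-03-01T10:00:30Z host=chlorine-dosing-plc msg=heartbeat
2025-03-01T10:05:00Z host=spillway-gate-plc-1 msg=heartbeat
2025-03-01T10:20:00Z host=penstock-hmi msg=heartbeat
2025-03-01T10:21:00Z host=penstock-hmi msg=setpoint_change
2025-03-01T10:58:00Z host=chlorine-dosing-plc msg=heartbeat
2025-03-01T10:55:00Z host=spillway-gate-plc-1 msg=heartbeat
2025-03-01T10:56:00Z host=reservoir-level-rtu msg=heartbeat
"""

# Evaluation instant for the constructed log (assumed).
NOW = datetime(2025, 3, 1, 11, 0, tzinfo=timezone.utc)


def parse_log(text: str) -> dict[str, datetime]:
    """Most recent heartbeat per host; tolerates out-of-order lines."""
    last_seen: dict[str, datetime] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("msg") != "heartbeat":
            continue  # other message types are not liveness evidence
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        host = kv["host"]
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return last_seen


def classify(inventory: dict, last_seen: dict, now: datetime, grace: int = 3) -> dict:
    """Status per asset. Only "reporting" is evidence of absence of trouble."""
    status = {}
    for asset, meta in inventory.items():
        interval = meta["interval_s"]
        if interval is None:
            status[asset] = "unmonitored"      # nothing exists that could go quiet
        elif asset not in last_seen:
            status[asset] = "never_reported"   # feed expected, nothing ever arrived
        elif now - last_seen[asset] > timedelta(seconds=grace * interval):
            status[asset] = "silent"           # feed existed and then stopped
        else:
            status[asset] = "reporting"
    return status


def findings(inventory: dict, status: dict) -> list[tuple[str, str, str]]:
    """Every non-reporting asset, highest hazard first. Silence is the alert."""
    order = {"high": 0, "significant": 1, "low": 2}
    rows = [(a, s, inventory[a]["hazard"]) for a, s in status.items() if s != "reporting"]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


if __name__ == "__main__":
    current = classify(INVENTORY, parse_log(EVENT_LOG), NOW)
    for asset, state, hazard in findings(INVENTORY, current):
        print(f"{hazard:12} {state:15} {asset}")
```

The three non-reporting states are deliberately kept separate: "silent" is the case Volt Typhoon-style tradecraft produces (a feed that existed and stopped, or was never tripped), "never_reported" points at a collection or integration failure, and "unmonitored" is the inventory gap the National Inventory of Dams discussion below describes. Collapsing them into a single "no events" bucket is exactly the misreading the section warns against.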

Confirmed Incidents

Year | Incident | Significance
--- | --- | ---
2013 | Bowman Avenue Dam, New York | IRGC-affiliated actors accessed the SCADA system via a cellular modem. DOJ indictment confirmed in 2016.
2021 | Oldsmar, Florida water treatment | Remote SCADA access; the sodium hydroxide dosing setpoint was raised to 111x the normal level. An operator noticed the cursor moving.
2023 | Aliquippa, Pennsylvania water authority | Iranian-affiliated CyberAv3ngers compromised Internet-exposed Unitronics PLCs still using default credentials. CISA advisory AA23-335A.
2023–2025 | Volt Typhoon pre-positioning | Confirmed presence across water sector OT. Multi-year dwell times. Living-off-the-land techniques.
2024 | Muleshoe, Texas water system | Storage tank overflow attributed to adversarial ICS access by actors linked to Russia's GRU.
2025 | Lake Risevatnet Dam, Norway | Russian-attributed actors opened a water valve to full capacity for four hours. Formally classified as hybrid warfare.
2025 | Tczew Hydropower Plant, Poland | Russian hacktivists modified generator parameters and forced a turbine stoppage. Second attack on the same facility in three months.

CIRCIA and the Reporting Delay

Congress passed the Cyber Incident Reporting for Critical Infrastructure Act in 2022, mandating that operators report significant cyber incidents to CISA within 72 hours. As of early 2026, CIRCIA mandatory reporting has been delayed past May 2026 due to DHS appropriations constraints. The reporting mechanism does not yet exist for the sector that most needs it.

Layer Three

Software Template Monoculture

The construction of digital infrastructure for critical facilities has been increasingly executed by a small number of major global systems integrators. These firms design and deploy the software architecture that manages physical infrastructure at national scale. The economics of operating at that scale require standardization: reference architectures tested, refined, and reused across engagements.

The consequence is that the software architectures of utilities, water authorities, military facility management systems, and financial institutions built through the same integrator, using the same reference architecture generation, are not independent. They share a common template family. A vulnerability in that template—a misconfigured access control pattern, a default credential set, a logging configuration that omits a particular class of events—is present in every deployment that used it.

This is categorically different from the conventional supply chain risk model, which asks whether a specific software component has been compromised. The template reuse problem asks whether the structural pattern through which the infrastructure was built has been compromised. That requires looking for shared characteristics across deployments that share no obvious surface-level relationship.

Scale of Reuse

A single integrator's reference architecture does not stay within one sector. The same firm holds contracts in water management, military installations, financial services, healthcare, and government agencies. When procurement standardizes on a single vendor or integrator at the scale of a federal facilities portfolio, it does not simplify the attack surface. It unifies it.

Managed services create persistent, privileged network relationships between the integrator's support infrastructure and deployed operational technology. If the integrator's own environment is compromised, those relationships extend the intrusion to every client under active management. The structural conditions for an OT equivalent of the SolarWinds compromise are present across critical infrastructure.

AI Amplification

AI-assisted code generation tools are now deployed within integrator delivery teams, generating infrastructure-as-code, configuration templates, and deployment scripts at speeds that human architecture review cannot match. These tools are trained on existing code—including the same weak template patterns that have characterized deployments for a decade. A model trained on legacy reference architecture output reproduces structural weaknesses at generation speed. The attack surface that any single template vulnerability represents grows with each AI-accelerated engagement.

How the Three Layers Interact

Each layer makes the others worse. The monitoring void makes the cascade topology more dangerous because an adversary can pre-position within a cascade-connected asset without detection. The template monoculture makes the monitoring void harder to close because the gap is a property of the template, not an independent administrative failure. The cascade topology makes the template problem more consequential in direct proportion to the connectivity of the infrastructure.

No existing federal program reads across all three layers at once. NERC CIP audits individual utilities. CESER applies detection to energy sector environments. CISA coordinates across sectors using indicators—known bad IPs, confirmed adversary TTPs. None reads the structural characteristics of the infrastructure that would predict which assets are co-vulnerable because they share a template family.

The detection capability that does not exist has five requirements: it must read across regulatory boundaries, treat the absence of expected telemetry as a detection signal, detect adversary capability-testing trajectories, identify when multiple adversary groups converge on the same target class, and read the procurement and deployment geometry of the supply chain as a signal.
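One way to make these requirements concrete is to hold the three layers in a single data model and query them together, so that a weakness found in one template family immediately yields the co-vulnerable deployments, the cascade reach of the unmonitored ones, and the regulatory seams a responder would have to cross. The following is an added example, not code from the original page or from INFORMN: every asset, regime label, monitoring flag, template family id and dependency edge is constructed, with only the shape of the dependencies (dams in series feeding generation, cooling water and a regional grid) following the page's description. It covers the first, second and fifth requirements; the trajectory and convergence requirements need adversary activity data that this inventory does not carry.

```python
"""Read cascade topology, monitoring status and template family together.

Added example, not from the original page or from INFORMN. Every asset,
regime label, monitoring flag, template family id and dependency edge is
constructed for illustration.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    regime: str            # cybersecurity regime that governs the asset's OT
    monitored: bool        # whether any continuous OT telemetry exists
    template: str | None   # integrator reference-architecture family, if known


# Constructed inventory. "TPL-A" stands for one integrator's reused template.
ASSETS = {a.name: a for a in [
    Asset("dam-upstream",     "FERC Part 12", False, "TPL-A"),
    Asset("dam-midstream",    "FERC Part 12", False, "TPL-A"),
    Asset("dam-downstream",   "FERC Part 12", False, "TPL-B"),
    Asset("hydro-generation", "NERC CIP",     True,  "TPL-A"),
    Asset("nuclear-cooling",  "NRC",          True,  None),
    Asset("regional-grid",    "NERC CIP",     True,  None),
    Asset("municipal-water",  "none",         False, "TPL-A"),
    Asset("refinery",         "none",         True,  "TPL-C"),
]}

# Constructed physical dependencies: upstream asset -> assets it can disrupt.
DEPENDS = {
    "dam-upstream":     ["dam-midstream"],
    "dam-midstream":    ["dam-downstream", "hydro-generation"],
    "dam-downstream":   ["nuclear-cooling", "municipal-water"],
    "hydro-generation": ["regional-grid"],
    "nuclear-cooling":  ["regional-grid"],
    "regional-grid":    ["refinery", "municipal-water"],
    "municipal-water":  [],
    "refinery":         [],
}


def downstream(start: str) -> set[str]:
    """Layer one: every asset a disruption at `start` can propagate to (BFS)."""
    seen: set[str] = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in DEPENDS.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def co_vulnerable(template: str) -> set[str]:
    """Layer three: deployments that inherit a weakness in one template family."""
    return {n for n, a in ASSETS.items() if a.template == template}


def regime_seams(start: str) -> set[tuple[str, str]]:
    """Regime boundaries crossed by edges on the cascade from `start`."""
    seams: set[tuple[str, str]] = set()
    for node in {start} | downstream(start):
        for nxt in DEPENDS.get(node, []):
            if ASSETS[node].regime != ASSETS[nxt].regime:
                seams.add((ASSETS[node].regime, ASSETS[nxt].regime))
    return seams


def compound_exposure(template: str) -> dict:
    """Entry points: co-vulnerable and unmonitored (layers two and three).
    Reach: union of their cascades (layer one). Seams: regimes to coordinate."""
    entry = {n for n in co_vulnerable(template) if not ASSETS[n].monitored}
    reach = set().union(*(downstream(n) for n in entry))
    seams = set().union(*(regime_seams(n) for n in entry))
    return {
        "entry_points": sorted(entry),
        "reach": sorted(reach),
        "unmonitored_in_reach": sorted(n for n in reach if not ASSETS[n].monitored),
        "seams": sorted(seams),
    }


def rank_templates() -> list[tuple[str, int, int]]:
    """Template families ordered by cascade reach: audit the top one first."""
    rows = []
    for fam in sorted({a.template for a in ASSETS.values() if a.template}):
        r = compound_exposure(fam)
        rows.append((fam, len(r["entry_points"]), len(r["reach"])))
    return sorted(rows, key=lambda x: (-x[2], -x[1], x[0]))


if __name__ == "__main__":
    for fam, entries, reach in rank_templates():
        print(f"{fam}: {entries} unmonitored entry points, cascade reach {reach}")
```

The ranking is the output none of the programs named above produces: a NERC CIP audit of hydro-generation would find that single asset monitored and compliant, while the same query shows that two unmonitored upstream dams built from the same template can reach the grid, a nuclear cooling intake and a municipal water system through it. Replacing the constructed inventory with real procurement records and dependency data is the hard part; the query itself is small.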

Implications

What Existing Programs Miss

Existing federal programs are asset-specific and sector-bounded. They are optimized for hardening individual facilities, improving detection within individual systems, and building operate-through-compromise capability within individual organizations. Those are valuable objectives. They do not address the compound vulnerability.

DOE's CESER program was funded at $200 million in FY2024 and FY2025. The FY2026 request is $150 million—a 25 percent reduction in a single budget cycle, against an expanded mission scope. CIRCIA mandatory reporting, which would create visibility into the OT attack surface, has been delayed past May 2026. The gap between the written federal commitment and the funded federal capacity is structural.

USACE has a quantitative model (CRM-D CSM, developed with the Institute for Defense Analyses) that explicitly scores remote-connected control systems at their highest vulnerability rating. The same agency's Remote Lock and Dam Operations program is deploying exactly that configuration. Congress responded with WRDA 2024 Section 136, requiring USACE to certify cybersecurity and physical-security risks before spending funds on remote transitions. The congressional response was nearly unanimous.

The temporal asymmetry continues to grow. As more critical infrastructure is modernized, with legacy OT brought onto networked platforms, building management integrated with enterprise IT, and AI-assisted infrastructure management deployed, the attack surface expands faster than the monitoring architecture that would be needed to see it.

INFORMN was built to operate in this gap.

About INFORMN

Built by a team with a decade of edge intelligence deployment across two infrastructure exits.
