How to prevent your greatest asset from becoming your biggest risk

At 12:33 pm on 28 April 2025, a cascading failure plunged the entire Iberian Peninsula into darkness, affecting Spain and Portugal’s 60 million residents in what became the worst blackout in their history.

After Spain’s power grid lost 60 percent of its power generation, trains stopped, traffic lights failed, ATMs shut down, phones and internet connections fell completely offline. Investment bank RBC projected the incident to have cost €4.5 billion.

Our critical infrastructure systems rely on seamless communication and smooth integration to function effectively. But the same connectivity that drives unprecedented efficiency and innovation also creates systemic vulnerabilities that can bring entire industries and countries to their knees.

Interoperability — the ability of different systems to communicate and work together seamlessly — has become the invisible backbone of modern business. From supply chains that span continents to financial networks that process trillions of dollars in daily transactions, our interconnected systems are solving complex problems at unprecedented speed and scale. Beyond connecting systems, interoperability ensures the mutual understanding of data and processes.  

In critical infrastructure such as energy grids, transportation systems, telecommunication networks and financial services, interoperability underpins system collaboration, resource sharing and adaptable responses to various challenges. But what keeps business leaders up at night is the inescapable fact that every connection is a potential point of failure. 

Think of interoperability as a set of Lego blocks: despite their variety, all pieces fit together, allowing creativity and innovation without compatibility issues. In the telecoms sector, internet protocols enable global communication networks, while telephones from different companies connect users worldwide through standardised interfaces. 

Beyond achieving technical compatibility, interoperability extends to organisational and procedural dimensions, which means it requires comprehensive strategies and frameworks to evaluate and manage inherent risks. 

In transportation, where intermodal systems seamlessly transfer goods from ships to trains to trucks, each link in the logistics chain must fulfil a precise role and exacting data requirements. Working together, these systems enhance efficiency and minimise delays, exemplifying the tangible benefits of interoperability. 

Interoperability is a continuously evolving process rather than a one-time event. It encompasses stages such as planning, design, implementation, operation and eventual decommissioning or creative destruction. Throughout all phases, robust data governance practices are crucial to ensure data accuracy, security and effective management. 

This life cycle involves establishing policies and standards to manage and protect data, which mitigates risks of breaches and other security issues while supporting informed decision-making.  

The secure exchange of sensitive data between entities such as contractors and operators requires strict protocols that minimise vulnerabilities. As critical infrastructure systems become more integrated, robust security becomes imperative to sustain operational integrity across interconnected systems. 

Security measures including encryption, multi-factor authentication and regular penetration testing, as well as security audits, are necessary to reduce risks, protect sensitive data and enhance operational stability. Strengthening each link in the interoperable chain is vital for organisations to prevent unauthorised access and mitigate potential threats. 

Regulatory requirements are fundamental in de-risking critical infrastructure, often setting specific standards and frameworks designed to ensure systems are both interoperable and secure.

Globally, there are diverse perspectives and expectations in connection with these requirements, influenced by regional expectations and regulatory standards. Regional differences also influence how these standards are applied and adapted. Recognising this variability is key to fostering globally resilient systems.

According to the World Bank, it is essential that governments, through coordinating authorities, “allocate sufficient resources to implement and monitor critical information infrastructure protection (CIIP) policy and regulatory frameworks with clear legal mandates, roles and responsibilities, security requirements, and legal obligations”.

As the digital landscape evolves, so do regulations, requiring organisations to remain agile and flexible to maintain compliance.

A key strategy in de-risking and securing critical infrastructure is to go beyond the mere implementation of legal requirements. While compliance is necessary, it is rarely sufficient to guarantee necessary and appropriate security and resilience.

Policy intervention is a necessary driver to promote the adoption of standards and promote critical infrastructure resilience. But implementing standards often involves overcoming corporate reluctance, particularly where proprietary considerations are at stake.

Sectors such as water, energy and utilities — each a part of critical infrastructure — should seek to improve critical infrastructure resilience amid changing technological landscapes and increasing interdependencies. Consider the following recommendations:

• Learn from the success of telecommunications, where interoperability has been instrumental in addressing existing gaps by adopting standardised systems, processes, technology and approaches.
• Avoid a rigid approach that risks tying your organisation to proprietary technology that may no longer be fit for purpose as situations evolve. Prioritising interoperability over proprietary systems is foundational to overall system robustness and adaptability.
• Adopt a holistic risk assessment approach that considers industry-specific and application-specific variables within a wider context, rather than viewing risks in isolation. A comprehensive perspective is essential for accurately identifying vulnerabilities and implementing successful mitigation strategies.
• Aim for effective interoperability via a multi-faceted approach encompassing robust security measures, compliance with emerging and evolving regulations, and proactive policy interventions.

By focusing on these areas, organisations can protect their critical infrastructure against emerging threats and ensure their systems are equipped to face the challenges of an interconnected world.