Cybersecurity Risks in Critical Infrastructures: Insights from CISA and ENISA Data
DOI:
https://doi.org/10.17700/jai.2025.16.2.759
Keywords:
cybersecurity, critical infrastructure, ENISA, CISA, regulatory frameworks
Abstract
Cyberattacks on critical infrastructures have escalated in frequency and complexity over the past decade, posing systemic risks to national security, public safety, and economic stability. This study analyzes cybersecurity risks across key infrastructure sectors including energy, healthcare, finance, transportation, and others, drawing on threat intelligence from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the EU Agency for Cybersecurity (ENISA), and industry sources such as IBM X-Force and Verizon DBIR. We compare U.S. and EU regulatory approaches, identifying strengths and limitations in frameworks like the Network and Information Systems 2 Directive (NIS2 Directive) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our findings show that while the EU favors centralized and mandatory compliance, the U.S. has leaned toward voluntary and sector-specific standards, although this is gradually changing. We also examine the most frequently targeted sectors, highlight trends in attack types such as ransomware, and discuss how smaller organizations, particularly SMEs and minority-owned businesses, often serve as vulnerable entry points for attackers. The results emphasize the urgent need for integrated and forward-looking cybersecurity strategies that combine regulation, collaboration, and continuous adaptation to an evolving threat landscape.