Lorem ipsum dolor sit amet, consectetur adipiscing elit. Curabitur eleifend tortor nec augue pretium
Cybersecurity is no longer solely a digital or operational issue – it is an environmental one. Cyber threats on environmental systems are becoming more sophisticated and damaging. Without swift action to clarify liabilities, stronger insurance markets and effective regulation, we risk sleepwalking into a future where the digital compromise of green systems results in ecological and societal collapse.
Green infrastructure is no longer just about solar panels and wetlands. Today, it includes digitally enabled systems designed to deliver environmental outcomes – such as carbon neutrality, climate adaptation, water conservation and biodiversity enhancement – by blending natural processes with engineered, tech-driven solutions.
These systems increasingly rely on automation, telemetry, cloud platforms and data-processing tools. They optimise performance but also introduce vulnerabilities. Cybersecurity, in this context, is no longer just a matter of protecting data, but is fundamental to protecting environmental performance, public safety and ecological stability.
As global infrastructure becomes increasingly digitised, environmental systems – once seen as niche targets – are now squarely in the sights of malicious cyber actors. Growing geopolitical conflict, including the ongoing Middle East war, have heightened these risks.
In June 2025, US intelligence agencies and industry-specific security groups, including IT-ISAC and Food and Ag-ISAC, warned that Iranian-affiliated actors are preparing targeted cyber attacks on US critical infrastructure. The (UK) National Cyber Security Centre (NCSC) – which is a part of GCHQ – has repeatedly warned that the UK must accelerate work to keep pace with the changing threat, and enhance cyber resilience in the nation’s most critical sectors.
Since 2022, the NCSC has observed the emergence of a new class of cyber adversary in the form of state-aligned actors sympathetic to Russia’s further invasion of Ukraine, or highly sophisticated Chinese operators seeking to project their influence beyond the country’s borders, who are ideologically, rather than financially, motivated.
While traditional sectors such as energy and transportation remain primary concerns, there’s a rising awareness that environmental infrastructure and ecological service providers are equally at risk – and far less prepared (see boxout).
Governments are beginning to respond, though approaches vary globally. The US Environmental Protection Agency now mandates cybersecurity audits for public water systems, though enforcement authority is contested.
In the UK, the forthcoming Cyber Security and Resilience Bill expands regulation of critical infrastructure but does not mandate insurance coverage for environmental harm. National cyber strategies across the US, UK and EU emphasise shared responsibility and risk pooling, but none yet mandate integrated protection for green systems. There is currently no international framework – such as a Green Infrastructure Resilience Liability Framework – to guide resilience for this hybrid risk.
To close the growing insurance protection gap, insurers and policymakers should consider integrated coverage that combines cyber and environmental liability into unified policies. Government-backed reinsurance pools are also needed for cyber-environmental disasters, while operators of green infrastructure should be required to carry comprehensive, blended insurance.
We need sector-specific guidance to provide clear underwriting standards for energy, utilities, environmental consultants and data providers, and to enable consistent data collection to guide underwriting, pricing and risk assessment.
For organisations, proactive incident response is essential to reduce risk and protect critical infrastructure, including:
- Continuous monitoring and early threat detection: real-time surveillance of digital and operational networks to spot anomalies before they escalate into full-blown attacks.
- Rapid containment and mitigation: immediate isolation of compromised systems to prevent malware spread or disruption of critical controls.
- Forensic investigation: detailed analysis of attack vectors and system breaches to assess the scope and impact, supporting recovery efforts and insurance claims.
- Recovery and remediation: restoring affected systems, with enhanced security measures to prevent recurrence, ensuring operational continuity.
- Intelligence sharing: collaboration with industry peers and regulators to track threats and adapt defences accordingly.
Organisations should prioritise these measures now to build resilience, support regulatory compliance, and safeguard ecological and public health outcomes. Organisations should also look to integrate some aspects of cybersecurity into their environmental management and compliance systems – checking the regular maintenance of, for example, chemical containment, infrastructure integrity, and fuel distribution systems. It also needs to include building in checks and stress-testing of automated control and monitoring systems. Taking early, informed action can make the difference between a manageable incident and a catastrophic failure.
The environmental impact of cyber attacks is often underreported, but several incidents illustrate the risks.
Oldsmar, Florida (2021):
A hacker gained access to a water treatment plant and tried to spike sodium hydroxide levels (the hacker accessed the treatment software and increased the sodium hydroxide content from 100 parts per million to 11,100ppm). Disaster was narrowly averted.
Wind farms in Germany (2022):
A cyber attack on KA-SAT satellite systems disrupted control over 5,800 turbines. Power held, but the control systems failed. An official noted that while “the exact cause of the disruption (was) not yet known, the communication services failed almost simultaneously with the start of the Russian invasion of Ukraine”.
US sewage systems (multiple events):
Intrusions into wastewater treatment plants have triggered unmonitored discharges, putting nearby ecosystems at risk.
These attacks show that digital breaches can have physical, ecological consequences and that our green tech is often under-defended.
The risks to environmental infrastructure and ecological services from cyber attacks
1. Pollution and ecological damage
Cyber attacks on wastewater treatment plants, landfills or industrial effluent facilities could trigger sewage spills, toxic releases or unmonitored contamination. Many rely on remote access and ageing infrastructure, making exploitation a low-barrier, high-impact proposition.
2. Infrastructure disruptions
If water treatment or renewable energy systems are taken offline – especially during an emergency such as a flood – the results can be devastating. Systems meant to adapt to environmental pressures may instead amplify them, turning natural events into man-made disasters.
3. Data integrity risks
Environmental consultancies, carbon accounting firms and biodiversity labs rely on secure data to meet regulatory compliance and climate commitments. An attack that corrupts emissions reports, deletes habitat data, or hijacks monitoring platforms could derail sustainability strategies, exposing clients to legal and reputational risk.
4. Vulnerability goes beyond infrastructure operators
Beyond infrastructure, environmental service providers are also at significant risk. This includes environmental regulators, ecological consultancies, laboratories and sustainability data firms. For example, a ransomware attack on a biodiversity consultancy could lock away sensitive species data or delay planning applications. Manipulation of carbon emissions accounting software might undermine net-zero reporting or lead to client fines. An attack on remote monitoring hardware used in contaminated land remediation could compromise environmental health and safety.
Despite the severe economic, ecological and reputational consequences of such events, the sector remains under-regulated and underinsured.
5. Climate change and systemic risk
As climate change intensifies, and adaptive infrastructure becomes more digitally complex, the attack surface will grow. Extreme weather will place additional stress on systems already vulnerable to digital interference. Malicious actors could exploit these weaknesses to cause maximum disruption, and systemic failures could have cross-border environmental consequences.
6. Cross-border cyber spillover
Cyber attacks linked to regional tensions – such as the Middle East conflict – means that spillover is a real and immediate concern. Shared cloud platforms, IoT-based sensors and international software supply chains connect European and US systems to a wider cyber threat radius.
7. Uninsurable exposure
The convergence of environmental dependency and cyber threat creates dangerous blind spots for the insurance sector. Many policies do not cover:
- Environmental damage, pollution or bodily injury caused by cyber events
- Cyber attacks attributed to nation-states (often excluded under “acts of war”)
- Business interruption, unless physical damage occurs.
The result? Organisations could face severe financial, ecological and reputational fallout – with no safety net.
Alistair Donohew CEnv FISEP is principal environmental director at Crawford & Company
Illustration by Pieluigi Longo
