Operators of critical infrastructure are entering a new era of cybersecurity risk, with artificial intelligence (AI) disruption and quantum computing emerging as the most pressing threats. This is according to the 2025 Data Threat Report: Critical Infrastructure Edition by Thales, which found that breach rates have fallen significantly in recent years, but new technologies are reshaping the threat landscape in profound ways.
The global report, based on a survey of 513 professionals across energy, utilities, telecommunications, and transportation, revealed that nearly three-quarters (73%) of respondents view the rapidly evolving AI ecosystem as their top security challenge. At the same time, almost two-thirds (63%) are concerned about the potential for quantum computing to compromise encryption in the future.
The findings reflect a sector that has made notable strides in traditional security practices but now faces emerging risks that demand new approaches and urgent preparation.
AI security challenges grow more complex
Like many other sectors, critical infrastructure providers are integrating advanced AI technologies to improve efficiency, reliability, and resilience. However, this adoption is creating new attack surfaces and introducing unique security concerns. According to the report, 74% of organisations are already investing in generative AI-specific security tools. Despite this, confidence remains low around key issues such as model integrity (64%) and the reliability of third-party data sources (53%).
The pace of AI development is itself a major source of anxiety. Nearly three-quarters of respondents cited the rapid evolution of the AI ecosystem as their leading concern, a higher level of worry than the global average across all industries. This reflects growing recognition that traditional security frameworks may struggle to keep up with the scale and speed of AI advancements.
Quantum computing threats loom large
Beyond AI, quantum computing is emerging as another significant challenge for the sector. The report found that 58% of respondents are already exploring or prototyping post-quantum cryptography algorithms designed to protect against so-called “harvest now, decrypt later” attacks. These involve adversaries collecting sensitive encrypted data today with the expectation that future quantum capabilities could decrypt it.
Confidence in existing encryption strategies remains uneven, with many organisations seeking clearer regulatory guidance and stronger safeguards to protect long-lived sensitive data. The potential convergence of AI and quantum computing adds another layer of complexity, raising the stakes for organisations seeking to secure essential services.
Breach rates fall, but vulnerabilities persist
Despite these emerging challenges, the sector has achieved notable improvements in reducing data breaches. Only 15% of organisations reported a breach in the past year, a significant decline from 37% in 2021. This progress is partly attributed to the widespread adoption of multi-factor authentication (MFA), which has grown considerably over the past four years. Three-quarters of critical infrastructure organisations now deploy MFA for more than 40% of their employees, though adoption remains 9% below the global average.
However, the report notes that misconfigurations, exploited vulnerabilities, and compromised identities remain the most common causes of incidents. This indicates that while security measures are improving, operational discipline and continuous vigilance are still essential.
Data sovereignty and security maturity uneven
Data sovereignty continues to be a defining challenge for the sector. Over half (52%) of respondents said compliance with customer, regional, or global regulations is the main driver behind their data sovereignty strategies. Yet only 2% of organisations have encrypted 80% or more of their sensitive cloud-stored data, compared to a global average of 8%.
Additionally, although nearly nine in ten organisations said they can classify at least half of their data, the widespread use of multiple data discovery tools is leading to inconsistencies and conflicting policies. This lack of alignment risks undermining broader efforts to protect sensitive information and maintain regulatory compliance.
Todd Moore, Vice President of Data Security Products at Thales, said the findings highlight a dual reality for critical infrastructure operators. “Critical infrastructure providers have made strong progress in reducing breaches, but the next wave of disruption is already here,” he said. “AI and quantum risks are advancing faster than traditional defences. AI-powered attacks are becoming easier to deploy and are more effective. Quantum computing, meanwhile, threatens to completely upturn existing encryption protocols – and that’s before we even consider the possibilities of the two combined for the cyber threats of the future.
“CI providers simply cannot afford to be caught off guard. To safeguard long-lived, sensitive data and keep essential services running, operators must act now: adopt stronger encryption, invest in AI-specific protections, and prepare urgently for the post-quantum era.”
The report underscores the need for critical infrastructure operators to rethink their security strategies as technological change accelerates. While breach rates are falling, the sector faces growing risks driven by AI, quantum computing, and increasing regulatory and geopolitical pressures. Balancing innovation with resilience has become an essential priority for safeguarding the systems that underpin modern society.
