For years, cybersecurity was treated as something adjacent to infrastructure. Power systems, emergency communications, public agencies, manufacturing sites, transportation networks, and cloud collaboration platforms were built, upgraded, funded, and connected. Security was often added afterward as a control layer, a compliance function, or a remediation project.

That approach is becoming harder to defend.

Recent developments this week across industrial security, federal policy, emergency communications, quantum computing, law enforcement, and cloud access management point to the same conclusion: cybersecurity is no longer a supporting function. It is becoming part of the infrastructure itself.

The shift is visible in the operational technology sector, where connected industrial systems are under rising pressure from attackers. It is visible in federal grant discussions, where policymakers are being urged to make cyber controls a condition of infrastructure funding. It is visible in public safety, where cloud communications and NG911 modernization require security, resilience, and interoperability from the start. It is visible in law enforcement, where INTERPOL and Europol are deepening coordination against borderless cybercrime. It is visible in quantum policy, where government leaders are trying to prepare for both commercial opportunity and cryptographic risk. And it is visible in everyday enterprise collaboration tools, where even Google Groups is moving toward stricter access boundaries.

These are not separate stories. They are signs of a larger operating reality. Modern infrastructure is connected infrastructure. Connected infrastructure has an attack surface. And attack surfaces now influence public safety, business continuity, national security, and investment decisions.

The industrial cybersecurity market offers one of the clearest signals. Accenture’s agreement to acquire a majority stake in Dragos and full ownership of runZero and NetRise for about $4.175 billion, covered in Industrial Cybersecurity: Billions Invested to Meet Rising Needs, reflects how operational technology security has moved from a specialized engineering concern into a broader enterprise and national security priority.

The logic is straightforward. Industrial organizations have many assets that were not originally designed for continuous internet-era exposure. Manufacturing systems, water facilities, utility networks, logistics operations, building controls, and field equipment often include a mix of legacy devices, embedded software, remote management tools, and newer cloud-connected platforms. Security teams need to know what assets exist, what software and firmware they run, how they communicate, and which exposures matter most.

That is difficult in conventional IT environments. It is more difficult in OT environments, where uptime, safety, and physical process constraints can limit patching and scanning. A vulnerable device may not be a standard server that can be updated during a routine weekend maintenance window. It may be part of a production line, utility process, or remote field system where downtime carries operational consequences.

That challenge is highlighted by the reported active exploitation of a Lantronix EDS5000 flaw. The article Exploited Lantronix Flaw Imperils Industrial OT Devices describes a critical vulnerability involving unsafe input handling in the device’s HTTP RPC module. The issue can allow arbitrary operating system command execution with root privileges. In practical terms, a small device used to bridge older serial equipment with IP networks can become a powerful entry point.

This is the kind of risk that makes OT security different. The device itself may be low cost and easy to overlook, yet its position inside an industrial environment can make it strategically important. Serial-to-Ethernet gateways, edge devices, remote access appliances, and networked management interfaces often sit at the boundary between legacy operations and modern connectivity. Attackers understand that boundary. They look for systems that are exposed, difficult to monitor, and slow to patch.

The broader implication is that infrastructure operators can no longer rely on assumptions about isolation. Many industrial environments were once designed around the idea that operational systems were separated from enterprise networks. Over time, remote support, analytics, cloud dashboards, vendor access, and supply chain integrations changed that model. The question is no longer whether operational systems are connected. The question is whether organizations have enough visibility, segmentation, monitoring, and governance to manage that connectivity safely.

This is where market investment and threat activity converge. The multibillion-dollar push into OT cybersecurity is not just a vendor consolidation story. It reflects demand for platforms that can identify assets, assess exposures, detect suspicious activity, and help operators prioritize remediation without creating unnecessary operational disruption. As industrial networks become more software-defined and more data-driven, this type of visibility may become a baseline requirement.

Federal infrastructure funding is moving in a similar direction. The article Institute for Security and Technology Calls for Stronger Cyber Rules in Federal Infrastructure Awards focuses on a policy memo calling for stronger cybersecurity requirements in federal infrastructure grants and awards. The underlying concern is that public money can fund systems that become digitally dependent without requiring recipients to prove they can protect them.

That is a major governance gap. Infrastructure spending increasingly supports projects with digital components, including smart transportation systems, water utilities, energy infrastructure, broadband projects, public safety networks, and connected municipal services. If cybersecurity is not built into the funding process, the result can be a modernized asset with an underdeveloped defense model.

The policy argument is not simply that every grant recipient should fill out another compliance checklist. The issue is whether cybersecurity planning should be treated as a funding condition, similar to engineering, environmental, operational, or financial requirements. If a project relies on networked controls, cloud software, sensors, remote administration, or third-party data exchange, then cyber risk is part of the project risk.

This will matter for state and local governments, smaller utilities, agencies, and private contractors that depend on federal infrastructure programs. Many of these organizations have limited internal cyber expertise. Some may have aging systems, thin staffing, and budget pressure. A stricter funding model could create near-term administrative burden, but it could also help prevent the more expensive outcome: critical infrastructure built or upgraded without the controls needed to defend it.

The same theme appears in public safety communications. In Cloud Communication Strategies That Help First Responders Modernize Incident Response, the focus is on how emergency response agencies evaluate cloud communications, NG911 alignment, mobile call handling, LTE and 5G backhaul, CAD integration, logging, and multi-channel incident workflows.

Public safety modernization is not just about replacing phone systems. It is about changing how voice, text, video, location data, and incident metadata move between callers, dispatchers, first responders, agencies, and mutual aid partners. Legacy systems were built for a voice-centric world. Modern emergency communications must support a more complex flow of information, often across IP networks and cloud platforms.

That brings significant benefits. A dispatcher may be able to receive richer location data, transfer structured information into a CAD system, coordinate with mobile responders, and manage voice, messaging, and video in a more unified environment. During a complex incident, better information flow can improve coordination and reduce manual re-entry of critical data.

But the same modernization also expands the dependency chain. Emergency communications now rely on broadband, cloud services, APIs, identity controls, device management, logging, failover paths, and interoperability standards. Resilience and cybersecurity cannot be separated from functionality. If a dispatch platform is more capable but also more dependent on external networks and cloud integrations, agencies must test continuity, access controls, logging, incident response, and fallback processes with the same seriousness they apply to call routing.

This is why cybersecurity is becoming an infrastructure requirement rather than an IT preference. The systems being modernized are not optional business tools. They support emergency response, industrial operations, government services, and public trust.

The international law enforcement response reinforces the same point. Global cybercrime response intensifies with INTERPOL, Europol describes renewed operational priorities between INTERPOL and Europol across cybercrime, organized crime, financial crime, and counter-terrorism. That coordination reflects the structure of modern cybercrime itself.

Cybercriminal groups do not operate neatly within national boundaries. Infrastructure used in an attack may span multiple jurisdictions. Stolen credentials may be sold through global marketplaces. Phishing infrastructure may be hosted in one country, victims may be in another, money may move through a third, and the operators may sit somewhere else entirely. Organized crime, financial crime, and cybercrime increasingly overlap.

This creates two pressures for enterprises and public agencies. The first is defensive: organizations need stronger controls because the threat environment is more professional, automated, and distributed. The second is procedural: organizations may need better logging, evidence preservation, and cooperation processes as law enforcement agencies pursue cross-border investigations. Cybersecurity is becoming part of corporate governance, legal readiness, and international cooperation.

Quantum policy adds another layer. The article Executive Order 14411 advances US quantum capabilities discusses a federal effort to accelerate quantum computing, sensing, networking, supply chains, and workforce development. Quantum technology carries major scientific and commercial potential, but it also raises security planning questions, especially around cryptography.

For business and government leaders, the key takeaway is not that today’s encryption is suddenly obsolete. The more practical issue is planning horizon. Some data needs to remain confidential for many years. Some infrastructure has long procurement cycles. Some embedded systems and industrial assets remain in service for a decade or longer. If future quantum capabilities create risks for certain cryptographic systems, organizations need migration strategies that start before the risk becomes immediate.

This is especially relevant for critical infrastructure and regulated sectors. Long-lived assets, complex supply chains, and fragmented vendor ecosystems make rapid cryptographic migration difficult. Asset inventory, software bill of materials practices, certificate management, vendor risk management, and architecture planning all become more important. Quantum readiness is therefore not only a research topic. It is part of long-term cyber resilience planning.

Even the Google Groups access-control update fits the larger story, though at a different layer. The article Google Groups to Rein In External Sharing with Stricter Access describes stricter internal and external classifications intended to reduce unintended exposure through group memberships. This may seem far removed from OT security or emergency communications, but it reflects the same movement toward enforced security boundaries.

Collaboration platforms are now infrastructure for daily work. Groups, shared drives, messaging channels, mailing lists, and identity directories can determine who has access to sensitive files, workflows, systems, and alerts. A stale external member in a group may not look like a dramatic cyber incident. Yet permission sprawl is one of the ways data exposure happens quietly. A contractor is added for a project, a nested group expands access, a legacy distribution list becomes an authorization mechanism, and nobody revisits the structure until an audit or incident reveals the issue.

Stricter defaults in SaaS platforms suggest that vendors are recognizing a difficult truth: organizations often struggle to maintain access hygiene manually. Security settings that depend entirely on perfect human administration tend to erode over time. Automated classification, clearer external-user indicators, API-aware controls, and least-privilege defaults can reduce some of that drift.

This connects back to the infrastructure discussion. Whether the asset is a cloud group, an emergency communications API, a serial-to-Ethernet gateway, or an industrial monitoring platform, the same questions keep surfacing. Who has access? What is exposed? What is connected? What can be patched? What must be segmented? What logs exist? What happens during failure? Who is accountable?

The answer cannot be one product or one regulation. Infrastructure resilience requires a layered model. Asset discovery matters because organizations cannot defend what they cannot see. Access governance matters because identity has become a primary control plane. Segmentation matters because failures and intrusions should not spread easily. Monitoring matters because prevention will not catch everything. Procurement matters because insecure systems become long-term liabilities. Funding rules matter because underfunded cybersecurity becomes deferred risk. Law enforcement cooperation matters because attackers exploit jurisdictional gaps. Quantum planning matters because security architecture has to account for future threats as well as current ones.

For executives, the practical message is that cybersecurity should be included earlier in infrastructure decisions. It should be part of board discussions, capital planning, grant applications, vendor evaluations, emergency communications upgrades, M&A diligence, cloud administration, and operational modernization. Treating it as a late-stage review increases cost and leaves gaps.

For public agencies, the message is similar. Digital modernization can improve service delivery, emergency response, and operational efficiency, but public trust depends on resilience. Citizens rarely separate the digital layer from the public service. If a city system fails, a dispatch platform is disrupted, or a utility is compromised, the impact is felt as an infrastructure failure, not an IT issue.

For industrial operators, the priority is visibility and risk-based action. Not every legacy device can be replaced quickly. Not every system can be patched immediately. But every organization can improve its inventory, isolate high-risk assets, review remote access, monitor management interfaces, validate vendor support, and plan upgrades around operational realities.

For enterprise IT and security teams, the lesson is that SaaS, identity, and collaboration controls deserve the same discipline as firewalls and endpoint protection. External sharing, group membership, administrative APIs, and nested permissions are now part of the attack surface.

The common thread across all these developments is accountability. Attackers are taking advantage of weak links between old systems and new connectivity. Policymakers are asking whether public funding should require stronger security. Vendors are tightening defaults. Law enforcement is coordinating across borders. Large consultancies are investing heavily in OT cybersecurity. The federal government is planning for quantum-era opportunities and risks.

None of this means cyber risk can be eliminated. It does mean organizations have fewer excuses for treating cybersecurity as optional. The infrastructure being built today will shape operational resilience for years. The organizations that plan security into that infrastructure from the start are likely to be better positioned than those that wait for regulators, insurers, customers, or attackers to force the issue.

Cybersecurity has become part of how infrastructure is designed, funded, operated, and trusted. That is the larger story linking these developments together. The future of infrastructure is connected. Its resilience will depend on whether security becomes equally embedded.

If you liked this post, you’ll love one of the the leading global business communications and technology events since 1999, the ITEXPO #TECHSUPERSHOW, Feb 9-11, 2027 Fort Lauderdale, Florida.

Don’t forget the collocated MSP Expo – just for managed service providers!

Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 9-11, 2027, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.

The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.

The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.

Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing