Thales has released the findings of its 2025 Data Threat Report: Critical Infrastructure Edition, which reveals that operators in energy, utilities, telecommunications and transportation are entering a new era of cybersecurity risk.
According to the report, nearly three-quarters (73%) of respondents said the fast-changing AI ecosystem is their leading AI-related security challenge, while almost two-thirds (63%) expressed concern about future quantum-driven encryption compromise.
The research, based on a global survey of 513 CI professionals conducted by S&P Global Market Intelligence’s 451 Research, reveals that while reported breach rates have fallen sharply in recent years, new technologies are reshaping the threat landscape.
AI disruption moves to the top of the agenda
Like many industries, critical infrastructure providers are embracing advanced artificial intelligence (AI) systems to boost efficiency and resilience. Yet this shift comes with new challenges. The report found that 74% of organisations are already investing in generative AI-specific security tools, but concerns remain high around model integrity (64%) and the trustworthiness of third-party data sources (53%).
The pace of change in the AI ecosystem is itself a source of risk. Nearly three-quarters (73%) of respondents cited rapid AI evolution as their top concern — a higher level of anxiety than the global average across all sectors.
Quantum threats rise on the horizon
Quantum computing is increasingly seen as a looming challenge. More than half (58%) of CI respondents said they are already prototyping or evaluating post-quantum cryptography algorithms to guard against the risk of “harvest now, decrypt later” attacks, where sensitive data captured today could be broken by quantum capabilities in the future.
Confidence in current encryption strategies is also mixed, with many organisations looking for regulatory clarity and stronger safeguards as they assess how best to protect long-lived data.
Breach rates improve, but risks persist
One area of progress is breach reduction. Only 15% of CI organisations reported a breach in the past year, down significantly from 37% in 2021. This improvement is partly attributed to greater adoption of multi-factor authentication (MFA), which has risen sharply since 2021. Three-quarters of CI organisations now deploy MFA to more than 40% of employees – although adoption still lags the global average by 9%.
Despite the improvement, misconfigurations, exploited vulnerabilities and identity compromise remain the most common causes of incidents, showing that while defences are improving, operational discipline is still critical.
Data sovereignty and security maturity still uneven
Digital sovereignty remains a defining issue. Over half (52%) of CI organisations said compliance with customer, regional or global mandates drove their data sovereignty efforts. However, only 2% have encrypted 80% or more of their sensitive cloud-stored data, far below the global average of 8%.
While nearly nine in 10 respondents reported they can classify at least half their data, widespread use of multiple discovery tools is causing inconsistencies and conflicting policies. This misalignment risks undermining progress on protecting sensitive datasets.
“Critical infrastructure providers have made strong progress in reducing breaches, but the next wave of disruption is already here,” said Todd Moore, Vice President Data Security Products at Thales. “AI and quantum risks are advancing faster than traditional defences. AI-powered attacks are becoming easier to deploy and are more effective. Quantum computing, meanwhile, threatens to completely upturn existing encryption protocols – and that’s before we even consider the possibilities of the two combined for the cyber threats of the future.
“CI providers simply cannot afford to be caught off guard. To safeguard long-lived, sensitive data and keep essential services running, operators must act now: adopt stronger encryption, invest in AI-specific protections, and prepare urgently for the post-quantum era.”
The findings highlight both progress and vulnerability: CI organisations have reduced breach rates but remain exposed to risks driven by fast-moving technological disruption. With rising regulatory scrutiny and heightened geopolitical tensions, balancing innovation with resilience is now mission critical.
+++
About the Report
The 2025 Thales Data Threat Report: Critical Infrastructure Edition draws on insights from 513 CI professionals worldwide, including respondents from energy, utilities, telecommunications and transportation sectors. The research was conducted by S&P Global Market Intelligence’s 451 Research between 2021–2025.
