Straife
Nation-State Actors Are Pre-Positioning Inside OT Networks. Here's What That Means.

Michael Clarke

February 24, 2026

There is a distinction in cybersecurity that does not receive enough attention in the boardroom: the difference between a breach and pre-positioning. A breach is an intrusion with an immediate objective — data theft, ransomware deployment, operational disruption. Pre-positioning is something more patient and more dangerous. It is the establishment of persistent, low-visibility access inside a network with no immediate exploitation, designed to be activated at a moment of maximum strategic impact.

This is what is happening inside U.S. critical infrastructure right now.

What We Know

Microsoft Threat Intelligence and the Cybersecurity and Infrastructure Security Agency have documented campaigns attributed to Volt Typhoon, a PRC state-sponsored threat actor, in which intruders used legitimate credentials and built-in administrative tools — a technique known as living off the land — to embed within operational technology environments across multiple sectors. Rather than deploying custom malware that might trigger detection, these actors relied on the same tools that administrators use daily, making their presence nearly indistinguishable from routine operations.

CISA's advisory warned explicitly: PRC state-sponsored actors are maintaining persistent access that could be activated during a future crisis. This is not espionage in the traditional sense. It is operational preparation for contingent disruption.

Why This Matters for the C-Suite

For board members and senior executives, the implications are profound. Traditional cybersecurity metrics — time to detect, time to respond, number of incidents resolved — do not capture a threat that is designed to remain undetected indefinitely. Pre-positioning does not look like an attack. It looks like normal operations. This means that conventional security assessments may provide false assurance.

The shift in adversary intent also matters. The goal is not data compromise. It is operational disruption — the ability to degrade, disable, or destroy systems that control physical processes. In the energy sector, this means generation and distribution infrastructure. In water treatment, chemical dosing systems. In transportation, signaling and traffic management. The potential consequences are measured in physical terms, not data terms.

The Five Structural Realities

Analysis from Microsoft identifies five realities that define the critical infrastructure threat landscape. Identity is the primary entry point — compromised credentials and insufficient identity governance are the most common vectors. Hybrid IT-OT architecture has expanded the attack surface, connecting systems that were never designed to be network-accessible. Nation-state pre-positioning is an ongoing, active concern. Preventable exposures — known vulnerabilities, misconfigured systems, inadequate segmentation — continue to drive a disproportionate share of intrusions. And the adversary objective has shifted from data to operations.

What Security Leaders Should Do

First, conduct an honest assessment of IT-OT convergence risks. Many organizations have connected operational technology to their IT infrastructure for monitoring and efficiency gains without corresponding security investment. The result is expanded attack surface with diminished visibility.

Second, implement identity governance across both IT and OT environments. If a compromised credential can traverse from a corporate email system into an industrial control environment, the segmentation is inadequate regardless of what the network diagram shows.

Third, invest in detection capabilities specifically designed for living-off-the-land techniques. Traditional signature-based detection will not find adversaries using legitimate administrative tools. Behavioral analytics and anomaly detection in OT environments are essential.

Fourth, participate in government and industry information-sharing programs. CISA's advisories and sector-specific ISACs provide actionable intelligence that most individual organizations cannot generate on their own.

Fifth, update incident response plans to account for pre-positioning scenarios. This means planning not for a ransomware event but for the discovery of persistent access that may have been in place for months or years. The response playbook for these two situations is fundamentally different.
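The second and third recommendations above (credentials crossing from IT into OT, and legitimate administrative tools used in ways that differ from routine operations) can both be checked with a simple baseline-versus-recent comparison. The following is an added example, not code from the article or from Microsoft or CISA; the event format, host names, account names and tool names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not from the article): "ts account src_host dst_host zone process".
# BASELINE is a window of routine activity; RECENT is the window being reviewed.
BASELINE = [
    "2026-02-01T08:00 ot-eng01 eng-ws01 plc-hmi01 OT hmi_admin.exe",
    "2026-02-01T09:00 ot-eng02 eng-ws02 plc-hmi02 OT hmi_admin.exe",
    "2026-02-02T08:05 ot-eng01 eng-ws01 plc-hmi01 OT hmi_admin.exe",
    "2026-02-02T10:00 corp-jsmith lt-jsmith mail01 IT outlook.exe",
]
RECENT = [
    "2026-02-24T02:13 corp-jsmith lt-jsmith plc-hmi01 OT remote_shell.exe",  # corporate account reaches OT
    "2026-02-24T02:14 ot-eng01 eng-ws01 plc-hmi01 OT hmi_admin.exe",         # routine
    "2026-02-24T03:40 ot-eng02 vpn-gw01 plc-hmi02 OT hmi_admin.exe",         # valid account, unusual source host
]

def parse(line):
    ts, account, src, dst, zone, proc = line.split()
    return {"ts": ts, "account": account, "src": src, "dst": dst, "zone": zone, "proc": proc}

def learn_baseline(lines):
    """Record which zones each account normally touches and which (host, tool) pairs are routine per zone."""
    acct_zones = defaultdict(set)
    zone_tools = defaultdict(set)
    for ev in map(parse, lines):
        acct_zones[ev["account"]].add(ev["zone"])
        zone_tools[ev["zone"]].add((ev["src"], ev["proc"]))
    return acct_zones, zone_tools

def detect(lines, baseline):
    """Flag OT events where the identity has never reached OT before, or the host/tool pair is new to OT.
    Signature-based detection would miss both: every tool involved is a legitimate administrative one."""
    acct_zones, zone_tools = baseline
    alerts = []
    for ev in map(parse, lines):
        if ev["zone"] != "OT":
            continue
        if "OT" not in acct_zones.get(ev["account"], set()):
            alerts.append(("IDENTITY_CROSSED_INTO_OT", ev["ts"], ev["account"], ev["dst"]))
        if (ev["src"], ev["proc"]) not in zone_tools["OT"]:
            alerts.append(("UNSEEN_ADMIN_TOOL_IN_OT", ev["ts"], ev["src"], ev["proc"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(RECENT, learn_baseline(BASELINE)):
        print(alert)
```

A production baseline would span weeks rather than days and add time-of-day and session-duration features, but the principle is the same: alert on deviation from routine, not on a malware signature.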

The regulatory trajectory is clear. Governments worldwide are advancing policies that require critical infrastructure organizations to prioritize continuous readiness. The organizations that build this capability proactively will be better positioned — not only to withstand a crisis, but to demonstrate to regulators, insurers, and stakeholders that they have taken reasonable steps to protect the systems that society depends on.