Modernizing Critical Infrastructure While Strengthening Cybersecurity

Modernizing critical infrastructure requires organizations to balance decades-old operational technology with today's cybersecurity demands, according to Kynan Carver, Vice President of Cybersecurity at Maximus.

Carver says the energy sector illustrates this challenge particularly well because many organizations operate environments where legacy operational technology and modern digital systems coexist.

"The energy infrastructure is both dated and somewhat modern," Carver says. "That's really the crux of the problem."

Many operational technology systems predate current cybersecurity standards, creating challenges that differ from traditional information technology environments.

While common IT vulnerabilities are often documented and publicly tracked, older operational technology frequently lacks the same level of standardized security information. As a result, Carver explains, threat actors increasingly investigate these environments themselves.

Once attackers identify the type of operational technology being used, they can leverage artificial intelligence and other tools to conduct extensive research into potential weaknesses.

"They use AI and other technology to really dig into what that looks like," Carver says.

Because some legacy technologies were never designed with today's cyber threats in mind, organizations must decide whether to protect those systems through additional security controls or replace them with modern hardware and software that better supports current security practices.

Unlike many federal systems, however, much of the nation's critical infrastructure is privately owned.

That reality changes how government agencies encourage stronger cybersecurity.

Rather than imposing direct requirements, Carver says agencies promote recognized security frameworks and industry standards, including guidance developed through organizations such as NIST and ISO.

Those best practices help organizations strengthen cybersecurity while working toward a more consistent security posture across sectors.

One framework receiving increased attention is zero trust.

Carver contrasts zero trust with the traditional "castle and moat" approach that has shaped cybersecurity for decades.

Historically, organizations focused on building strong perimeter defenses around networks.

Today's environment, however, requires a different mindset.

With artificial intelligence expanding the speed and sophistication of cyber threats, Carver says organizations should assume attackers may eventually gain access to some portion of their environment.

"Zero trust is really changing the way that that works," he says.

Instead of relying primarily on perimeter defenses, zero trust focuses on limiting access, verifying users and systems continuously, and reducing the impact of any successful intrusion.

For critical infrastructure, that approach helps prevent attackers from moving laterally between systems.

"If you can confine that threat actor... then that prevents that from doing a lateral movement into a grander system," Carver explains.

Although zero trust is not a one-size-fits-all solution, he believes it provides an important framework for organizations modernizing operational technology.

Carver also emphasizes that artificial intelligence should not be viewed only as a tool for attackers.

While much public discussion focuses on AI-enabled threats, he says the technology offers significant opportunities for cybersecurity professionals.

AI can improve efficiency inside security operations centers by helping analysts filter large volumes of data, identify vulnerabilities more quickly, and accelerate remediation efforts.

That combination allows cybersecurity teams to spend more time addressing meaningful threats instead of manually processing information.

"You'll have more remediation, faster remediation," Carver says.

He also expects AI to improve the collection and analysis of threat intelligence, allowing organizations to identify vulnerabilities before attackers exploit them.

"It's important to look for those vulnerabilities before they're exploited," he says.

For organizations responsible for protecting critical infrastructure, combining AI with experienced cybersecurity professionals creates opportunities to strengthen resilience while supporting ongoing modernization.

Throughout the discussion, Carver presents modernization and cybersecurity as complementary efforts.

As infrastructure evolves, organizations must modernize technology, adopt updated security frameworks, and leverage emerging capabilities like artificial intelligence to better protect systems that millions of people depend on every day.