The FBI has launched an initiative to help critical infrastructure operators and other entities strengthen the cybersecurity of their operational technology and information technology assets.
In a YouTube video posted Jan. 28, Brett Leatherman, assistant director of the FBI’s cyber division, described Operation Winter SHIELD (Securing Homeland Infrastructure by Enhancing Layered Defense) as a cyber counterpart to the winter preparations that infrastructure owners implement each year. Leatherman told listeners that even though winter storms “test our infrastructure … to their limits … the most critical threats to infrastructure don’t come from the weather, they come through our networks.”
The program’s launch came the same week that cybersecurity firm Dragos published a report blaming a group linked to Russia’s intelligence service for a cyberattack against Poland’s electric grid in December 2025 that targeted a system for managing renewable energy sources. (See Dragos Blames Electrum Group for Poland Grid Cyberattack.) In its report, Dragos wrote that attacking a power grid “in the depths of winter is potentially lethal to the civilian population dependent on it.”
The goal of the program is to position “industry not as passive victims or recipients of intelligence but as critical allies … in detecting, confronting and dismantling cyber threats,” the bureau wrote.
“In far too many cyber investigations, we see the same pattern,” Leatherman said. “Adversaries exploit known vulnerabilities [such as] stolen credentials, end-of-life systems [and] third-party access, and they take advantage of incident response plans that look great on paper but break down in practice.”
The Winter SHIELD campaign is built around 10 recommended actions developed by the FBI with input from domestic and international partners, based on adversary behavior and defensive gaps seen in recent cyber events. Each week during the campaign, the bureau will highlight a different action and its security benefits.
Among the FBI’s recommendations are adopting phishing-resistant authentication measures, such as device-bound passkeys and security keys that comply with the FIDO2 standard developed by Microsoft and other partners, and phasing out riskier methods like text-based authentication and authenticator apps with push-only approvals. The bureau also suggested adopting a risk-based vulnerability management program, including a complete asset inventory and aggressive timelines for remediating known risks.
More recommendations include tracking and retiring end-of-life technology, which no longer receives security updates and is a likely target for attackers, on a defined schedule; exercising tight control over third-party access to data; protecting security logs so they remain available for detection, response and attribution; and maintaining offline backups and regularly testing restoration from them.
Finally, the FBI urged organizations to improve the speed and effectiveness of their incident response plans with regular testing.
“The goal is not to check boxes or push for perfection; we want to drive momentum,” Leatherman said. “Nation-state cyber operations are invisible until they aren’t. … Meanwhile, cybercriminals continue to steal our money and hold our data for ransom. But together, we can deny adversaries the digital real estate they need to operate and raise the cost of every attack.”