Reporting around the US operation to capture Venezuelan president Nicolás Maduro in early January, and the near-simultaneous power loss in parts of Caracas, has prompted many uncomfortable questions about national security. In particular, it has pushed one question back onto the critical national infrastructure security agenda: how much of a modern operation happens before anyone sees visible force deployed.
Public comments from US officials have hinted at technical enablement, while stopping well short of detailing methods, leaving analysts to piece together fragments from open reporting, timing, and infrastructure effects.
That uncertainty matters less for attribution than it does for defence. Power systems fail for many reasons, particularly in stressed or ageing grids, and external observers have limited visibility into Venezuelan infrastructure. For CNI operators elsewhere, however, ambiguity is the default condition, and the task is to understand how complex operations are increasingly shaped well in advance of execution, often in ways that look mundane until it is too late.
Rob Demain, CEO at e2e-assure, has been analysing the incident as a case study in what he describes as multi-domain preparation. “When the US attacked Venezuela it was the final stage of a much longer campaign carried out in the cyber realm,” Demain said, arguing that “SPACECOM and CYBERCOM and other interdepartmental agencies were all used to lay the groundwork, including cutting the power to Caracas to allow the attack to proceed under cover of darkness.”
Demain’s account is a hypothesis rather than a verified timeline, but it reflects a pattern CNI operators will recognise: patient access, detailed reconnaissance, and the manipulation of dependencies that turn a local issue into a wider operational problem. “Turning out the lights would have required months of preparation,” he said, describing a scenario in which an attacker could “shut down specific substations in the region where the helicopters were flying,” which in turn “would have required access to the computer systems controlling the power grid.”
In his reading of the timing, “The power went out at 2:00am with the helicopters landing at 2:01am meaning cyber, space command and military forces coordinated efforts to execute the attack in just a one minute window.”
Whether or not Caracas was an example of cyber-enabled disruption, Demain argues the defensive lesson is consistent: focus less on the dramatic moment, and more on the administrative drift that makes it possible.
“Threat actors will prepare such attacks well in advance,” he said. “Phase one sees infiltration of the supply chain and human access seeding. The low level noise created by the compromise of initial access points, credential harvesting and use of persistence mechanisms will to all intents and purposes make it appear as business as usual.”
For CNI organisations where IT and OT are already intertwined through remote access, vendor support paths, and temporary network links that never go away, that business-as-usual camouflage is often enough to survive routine monitoring.
Once inside, Demain says, the objective is not to smash systems, but to understand them in uncomfortable detail. He describes “deep reconnaissance of the infrastructure, mapping OT/IT convergence and business processes as well as carrying out control dependency analysis to identify which systems need to be shut off or used to create a cascade effect that achieves the end goal i.e. a regional blackout.”
That is the point at which traditional SOC comfort blankets start to look threadbare; a well-positioned attacker does not need novel malware if they can abuse existing tools, legitimate access, and brittle operational dependencies.
In Demain’s model, the second phase is where defenders should be sweating, because it is where the environment is quietly reshaped. “Phase two will see the attacker subtly reshape the environment by introducing new firewall rules, backup routing paths and shadow admins while weakening detection mechanisms,” he said.
In parallel, he argues, “internet controls are also subverted through BGP/DNS surveillance, traffic redirection rehearsals, and intelligence collection that monitors the response times of SOCs and ISPs to see who notices.” It is not glamorous work, and that is why it persists; most organisations still treat external routing and DNS behaviour as someone else’s concern until it becomes an incident.
Demain also points to the risk of mistaking “imminent attack” for “pre-attack positioning”. “There were indicators that the attack was imminent, however,” he said, citing “suspicious activity 14 hours before the raid,” and adding, “I suspect the Venezuelans, in common with critical national infrastructure (CNI) organisations the world over, were looking for indicators of an attack, not the steps leading up to it.” That’s particularly important as a sophisticated adversary’s most detectable behaviour may sit in the weeks-long lead-in: privilege changes, abnormal persistence, configuration edits, and rehearsals conducted below the threshold that triggers crisis response.
“There are some clear lessons here for defenders,” Demain said. “Firstly, they need to watch for the steps that indicate an adversary may be preparing to attack. The real detection window is weeks if not months before a sophisticated attack rather than the day it is executed.” He adds that CNI organisations “need to consider the threat posed by geopolitical events and not just hackers intent on disruption or financial gain,” and warns that “air gapped systems aren’t nearly as isolated as people think.”
For security teams, the practical shift is away from alert-chasing and towards continuous validation of trust assumptions across identity, configuration, and OT telemetry. “These cyber kinetic attacks are very different from traditional attacks. They’re quiet, focus on configuration abuse, IT/OT and identity systems and are environment driven,” Demain said, arguing that defenders must look for “long-lived dormant access, identity privilege drift, OT telemetry inconsistencies, internet routing anomalies and config changes.”
That is an awkward proposition for organisations that measure maturity by the number of tools deployed, rather than by the discipline of baselining, auditing, and hunting across systems that were never designed to be monitored in the first place.
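The continuous validation of trust assumptions described above, as an added example that is not the article's or e2e-assure's code: it diffs an operator-approved baseline of admin membership, firewall rules and logging settings against the current state and reports the phase-two signals Demain lists (shadow admins, new permissive rules, weakened detection). All usernames, addresses and rules are constructed sample data.

```python
"""Baseline-drift checker for quiet environment reshaping.
Added example; baseline and current snapshots are constructed sample data."""
from dataclasses import dataclass

# Constructed baseline: the state an operator signed off at the last audit.
BASELINE = {
    "admins": {"alice", "bob"},
    # (src, dst, port, action): HMI subnet -> PLC on Modbus/TCP
    "firewall": {("10.0.5.0/24", "10.0.9.10", 502, "allow")},
    "logging": {"syslog_forward": True, "auth_audit": True},
}

# Constructed current state: small changes that look like business as usual.
CURRENT = {
    "admins": {"alice", "bob", "svc_backup2"},                  # shadow admin
    "firewall": {("10.0.5.0/24", "10.0.9.10", 502, "allow"),
                 ("0.0.0.0/0", "10.0.9.10", 22, "allow")},      # new backup path
    "logging": {"syslog_forward": False, "auth_audit": True},   # detection weakened
}


@dataclass(frozen=True)
class Finding:
    category: str   # shadow_admin | firewall_rule | detection_weakened
    detail: str


def find_drift(baseline: dict, current: dict) -> list[Finding]:
    """Return every deviation from the approved baseline as a Finding."""
    findings: list[Finding] = []
    # Identity privilege drift: any admin not in the approved set.
    for user in sorted(current["admins"] - baseline["admins"]):
        findings.append(Finding("shadow_admin", f"unapproved admin: {user}"))
    # Configuration drift: rules added since the baseline was taken.
    for src, dst, port, action in sorted(current["firewall"] - baseline["firewall"]):
        kind = "permissive" if src == "0.0.0.0/0" else "new"
        findings.append(Finding("firewall_rule",
                                f"{kind} rule {src} -> {dst}:{port} {action}"))
    # Detection weakening: any logging control flipped away from baseline.
    for key, expected in baseline["logging"].items():
        actual = current["logging"].get(key)
        if actual != expected:
            findings.append(Finding("detection_weakened",
                                    f"{key} changed from {expected} to {actual}"))
    return findings


if __name__ == "__main__":
    for finding in find_drift(BASELINE, CURRENT):
        print(f"[{finding.category}] {finding.detail}")
```

Run on a schedule against exported group membership, firewall policy and logging state, the empty-findings case is the signal that the baseline still holds.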
Caracas may remain debated in its specifics, but the ramifications are not. If the next serious CNI disruption is preceded by months of low-level access and environment shaping, the organisations that cope best will be those funding continuous threat hunting, identity governance, and configuration control as core operational functions, rather than treating them as aspirational projects that can wait until after the next outage.