Report: Texas Must Secure ‘Critical Infrastructure’

It was a mild, wintry morning in Muleshoe, Texas, on January 18, 2024, when Russian operatives launched a cyber-attack on the city’s systems, draining its water supplies and causing a “massive water loss.”

The citizens of Muleshoe found their small town caught in a global battlespace. This turned out to be just one of several incidents of hostile forces targeting Texas’ critical infrastructure as part of a larger campaign against America.

A report issued by the Texas House Select Committee on Securing Texas from Hostile Foreign Organizations documented this and other incidents, and suggests that lawmakers protect critical infrastructure by enacting stronger cybersecurity measures and preparation for physical sabotage.

Hostile Threats

America faces multiple threats. The U.S. Office of the Director of National Intelligence identified them in its annual threat assessment. They include the operatives of the Chinese Communist Party, the Islamist state of Iran, North Korean government actors, and Russian cyber warriors.

The leaders of the Chinese Communist Party (CCP), in particular, have become increasingly hostile. Michael Lucci of State Armor, an Austin-based security firm, warned state lawmakers that the CCP is “pre-positioning assets in the US to disrupt every normal function of civilian life if a conflict arose.” Their “strategy of disruption is an ‘everything everywhere all at once’ strategy.”

These are no longer far-away threats. Thanks to technology, these actors can reach right into your front yard. Texas’ critical infrastructure—the electrical grid, traffic systems, ports, supply chains, school districts, and hospitals—is targeted.

Cybersecurity

Two specialists laid out the stark situation to state lawmakers. Through technology, they said hands from anywhere in the world can reach out and touch your traffic signal or school district.

“Cyber-crime specifically focuses on ransomware attacks that can disrupt schools, hospitals, and critical infrastructure,” Adam Klein of the University of Texas at Austin’s Strauss Center for International Security & Law warned.

Cyberattacks on America’s critical infrastructure have “risen sharply,” according to David Dunmoyer of the Texas Public Policy Foundation. As critical systems are plugged in with advanced digital technologies, they become vulnerable to cyberattacks. That includes attacks from “state-sponsored actors.”

He cited the work of the U.S. Cybersecurity and Infrastructure Security Agency (CISA). It identified 16 critical sectors for American national, economic, and health security. These include water, emergency services, transportation, and energy. CISA reported that “recent trends” present these sectors with more risks from cybercriminals and rogue nations.

Recent data from the FBI finds that more than 40 percent of the 2,825 ransomware attacks in 2023 attacked these areas. That is up 33 percent from 2022. “Notably, foreign adversaries, particularly from Communist China, Russia, North Korea, and Iran, have been responsible for around 60% of these attacks,” Dunmoyer testified, citing a 2023 report in Security Magazine.

Muleshoe became this type of target. It wasn’t alone.

Targeting Local Governments

Hale Center is a small city with a population of almost 2,000 nestled between Lubbock and Amarillo in West Texas. Agriculture is its primary business, and the city’s median income was $47,000 in 2022.

Hale Center citizens have found their small city under siege, caught in this global battlespace, battered by tens of thousands of cyber attacks.

Dunmoyer said these attacks suggest “a deliberate effort by state actors to evaluate weaknesses and refine offensive techniques against U.S. critical infrastructure.”

Nation-states are seeking not just to disrupt but also to gather intelligence.

“With data on vulnerabilities, attackers could coordinate with other cyber or physical tactics to disrupt water supplies or power grids, threatening public safety and economic stability,” Dunmoyer testified.

He said that Muleshoe reacted by updating passwords and putting in place multi-factor authentication. Also known as MFA or Two-Step Verification, this is a process where a user needs to pass an additional verification step after the username and password.

“[This] incident underscores a broader need for security protocols across all levels of critical infrastructure,” Dunmoyer said. “Additionally, CISA and the Department of Homeland Security (DHS) urge enhanced public-private sector collaboration and adherence to cybersecurity best practices to combat state-sponsored cyber threats.”

Targeting Hospitals

Not just their cities but Texans’ hospitals are also within the battlespace.

They “are a major target” for “foreign adversaries.”

That’s what Dr. Tom Roberts of the University of Texas at Tyler’s Center for Cybersecurity and Data Analytics told committee members.

There’s already a case of such an attack on the books. In November 2023, the University of Texas Health East Texas suffered a ransomware attack.

“This attack happened due to an employee downloading a file onto their computer, which was the ransomware file,” Roberts testified. “UT Health East Texas was forced to redirect patients to different hospitals because the cyber attack led to them not having access to patient records, including patients not being able to have their prescription filled.”

Dr. Roberts said the hospital is “still working to recover from the attack.”

Targeting the Power Grid

Concern over Texas’ power grid has grown since the February 2021 winter blackouts.

Experts have repeatedly noted that Texas’ grid is under threat of sabotage or infiltration from America’s enemies—chiefly the Chinese Communist Party (CCP).

That was highlighted by the revelation that CCP-connected billionaire Sun Guangxin proposed building a wind farm after purchasing land in Val Verde, Texas. The land where he proposed to build that farm was near a U.S. military installation. In 2021, state lawmakers banned Guangxin’s wind farm from connecting to the state’s power grid.

Along those lines are concerns about how much of the state’s power grid is foreign-owned.

According to testimony provided to the committee by Mark Stover, executive director of the Texas Solar Power Association, 40 percent of the state’s solar farms are foreign-owned. “The majority of the foreign ownership are countries such as the United Kingdom, France, and Germany,” he testified.

Furthermore, he said that many solar panels are made in Asia but noted “a growing trend toward establishing manufacturing capacity in the United States, including a new facility in Houston, Texas.” Regarding other solar components, Stover stated “that many transmission-related elements are foreign-made.” Specific locations weren’t available at the time.

Regardless, Stover praised the processes of the Electric Reliability Council of Texas (ERCOT), which manages the state’s power grid. He said ERCOT “requires detailed ownership and asset disclosures to ensure that entities with potential security risks cannot connect to the grid without scrutiny.”

ERCOT informed committee members of actions it is taking to identify the ownership of upcoming new power sources, or ”market participants.”

“ERCOT has issued requests for information, RFIs, regarding foreign ownership of proposed resource projects and modified rules governing the connection of new projects to the grid, including registration of ownership,” Senior Vice President Chad Seely testified. “Additionally, by the end of this year, ERCOT expects to receive reports from their market participants detailing the countries of origin for grid and software-related purchases.”

Texas Scorecard asked ERCOT if it would make these reports publicly available. “ERCOT received hundreds of submissions from our Market Participants. ERCOT is still completing an assessment of these and will provide additional details when available,” the organization replied.

We also asked how much of the state’s power grid is foreign-owned. “ERCOT does not comment on specific facilities’ operations and/or locations,” the agency wrote in its reply.

“All ERCOT-registered entities that own generation, transmission or distribution facilities on the ERCOT power grid are required to attest that they do not meet the prohibited foreign ownership criteria in the Lone Star Infrastructure Protection Act (LSIPA),” the agency wrote. “If an entity cannot properly attest to their compliance with the LSIPA criteria, its registration with ERCOT is terminated.”

Seely laid out more ERCOT actions.

According to Seely’s testimony, ERCOT bought software that shows a market participant’s corporate family tree. The organization is also implementing steps to regularly and randomly pull samples of current and new market participants to analyze their corporate family tree reports. Finally, when questions arise regarding a market participant’s attestation on these points, ERCOT will request information.

When asked if it would make such family tree reports public, ERCOT replied, “This software is for ERCOT internal purposes only to help in our risk assessment, consistent with Lone Star Infrastructure Protection Act (LSIPA) requirements.”

Committee members made several recommendations to secure the power grid.

First is creating “a financial penalty” of up to $1 million or another “appropriate amount” for market participants “who provide false or incomplete information to ERCOT” regarding “critical electric grid equipment or services” and the participants’ headquarters, ownership, or citizenship.

The second would be giving ERCOT the authority to “request additional information
from Market Participants” regarding the above topics. Lawmakers argue that granting ERCOT this power “will streamline any potential disputes with Market Participants that may argue additional information is not necessary or confidential in nature.”

The third would be to pair ERCOT with the Texas Attorney General’s Office.

Lawmakers recommended giving the state energy regulator the power to “proactively” provide the AG’s office with information on “suspicious” attestations by market participants on their critical purchases, headquarters, ownership, or citizenship. The AG’s office, which has the power to investigate such attestations, could provide both ERCOT and the Public Utility Commission with discoveries made during its investigations.

Targeting Ports and Supply Chains

Four years ago, the Port of Houston suffered a cyber attack.

Chris Wolski of Applied Security Convergence was there. He testified before committee members.

“Mr. Wolski recounted that the attack occurred rapidly, with the aggressor taking control of the server within seconds of hitting it,” committee members wrote. “Mr. Wolski emphasized that maritime and energy small and medium enterprises are vulnerable to such attacks, as staff may not immediately notice the breach.”

Thankfully, the Port of Houston pulled off “an unusually quick response.” It detected and stopped the attack within 10 minutes, limiting the damage.

More attacks are expected.

“The trends indicate we are on track to see the highest number of cyber attempts since we began tracking these metrics in 2020,” Brooks Lobingier, the Port of Corpus Christi’s director of information technology, told lawmakers. He pointed to a 28 percent increase in year-to-year cyber attacks.

The Port of Corpus Christi is a tempting target. The interim report notes it’s the third largest crude oil exporter worldwide. It is also America’s number one gateway for crude exports and number two for liquid natural gas exports.

The port has created more than 95,000 jobs in Texas. For the past ten years, capital investment in the region has reached $65 billion.

Lobinger said the port is being proactive about self-defense. He pointed to its two security certifications. He also said it abides by the National Institute of Standard Technology and the International Organization for Standardization 2701 framework—“the highest industry standards in cyber risk management.”

“The port has implemented strategies to protect its assets from cyber threats, including advanced persistent threats from countries like China, Russia, North Korea, and Iran,” he testified. “These threats target not only the port’s information systems, but also vulnerabilities within customers and third-party suppliers to gain access to secured data.”

However, Wolski noted that small and medium enterprises struggle to implement essential cyber security due to a lack of resources.

In response, he said the University of Houston is partnering with other organizations to establish a Maritime Cyber Security Center of Excellence. “This initiative aims to provide mutual support among regional entities for cyber security efforts,” Wolski testified.

An important aspect of port security is its value in international trade.

As tensions with communist China rise, committee members recommend conducting a “Statewide Pacific Conflict Stress Test.” The purpose would be to provide a “detailed assessment” of Texas’ preparedness if China invaded Taiwan or another conflict in the Pacific arose.

Either scenario, lawmakers warn, could potentially disrupt Texas’ critical infrastructure and supply chains. “During this stress test, prioritized attention should be paid to our supply chain and critical infrastructure cybersecurity, as Communist China has been already executing probing attacks on these systems,” they wrote.

Texas Scorecard asked State Rep. Cole Hefner (R–Mount Pleasant), the committee chairman, if the results of the stress test would be made public. He didn’t respond before publication.

To prepare for potential disruptions, committee members recommended diversifying the state’s supply chains. “Texas should work to recruit companies to Texas that manufacture critical infrastructure components, pharmaceuticals including active pharmaceutical ingredients (API) and antibiotics, and other products that are critical to the health, safety, and welfare of Americans,” they wrote.

But as Texas prepares, the battlespace is changing rapidly.

AI

Artificial intelligence (AI) is being deployed in this fight.

In his testimony to committee members, Dunmoyer mentioned “AI-driven spearphishing campaigns” and “AI-enabled vulnerability scanning” that can locate and leverage vulnerabilities faster than traditional methods.

“The rise of AI thus raises the stakes, necessitating rapid adaptation within cybersecurity frameworks to prevent malicious AI applications,” he testified.

Flaws in AI technology being deployed within critical infrastructure are also a problem.

Referencing a report from the U.S. Dept. of Homeland Security on AI, Dunmoyer testified that “DHS has identified several risk factors in the AI application across critical infrastructure, citing potential for malfunctions or unintended operational disruptions stemming from design flaws in AI systems.

He added: “Given the rapid pace of digitalization without proportional investment in cybersecurity, the vulnerabilities of AI-integrated systems could be exploited by adversarial actors. These include deficiencies in AI planning, system design, and implementation, which expose infrastructure to malfunctions that impact essential services.”

AI can also be deployed as a shield in the battlespace of cyber warfare. Typically, a data breach takes a maximum of 322 days to detect. Dunmoyer testified that AI could be used to reduce that time.

It also has the potential to counteract hackers and help speed up recovery from ransomware attacks, according to Dunmoyer.

“By analyzing network traffic for anomalies and implementing machine learning-driven pattern recognition, these systems can detect and address cyber threats faster than traditional methods,” Dunmoyer wrote in his testimony. “An example of this utility is seen in recent Chinese hacking campaigns against U.S. transportation hubs, where AI detection tools could significantly reduce the duration of unauthorized access and mitigate potential damage.”

The Need for Preparation

Klein of UT-Austin’s Strauss Center warned that Texas’ public servants should concern themselves with preparing for the possibility of war, especially with communist China.

“Texas facilities would be a crucial part of the United States response in a potential conflict with China, including energy facilities, ports, military bases, and intelligence facilities,” he wrote. “China could target these facilities through cyber attacks, hacking traffic systems, disrupting ports, and using online cognitive warfare tactics to sow fear and undermine national unity.”

He noted that there are “massive amounts of user data” gathered by applications like CCP-connected TikTok, which “poses significant risks.”

Klein stressed the need for local cybersecurity in Texas.

“While international targets like NSA and Microsoft have their own defenses, the focus should be on protecting local systems. Hostile actors could disrupt traffic systems or school districts, impacting workforce indirectly,” he testified. “In order to counter such threats, Texas should identify vulnerable areas within its responsibility, such as school districts, electrical grids, and traffic systems.”

Klein also warned of possible “physical sabotage.” “While the government is becoming increasingly aware of these threats, more action needs to be taken to address them effectively,” he testified.

State lawmakers on the committee wrote that they and their companions in the legislature can harden these targets against the hostile forces targeting them. Gov. Greg Abbott has challenged them to do so. In his 2025 State of the State address, he called for $1 billion annually for a decade to improve the state’s water infrastructure and to create a Texas Cyber Command to protect the state from foreign threats.

State lawmakers have until June 2 to act before the regular legislative session ends.

The threats hostile forces pose to Texas were covered in the interim report from the Texas House Select Committee on Securing Texas from Hostile Foreign Organizations, published in December 2024. Citizens wishing to conduct a deep dive are encouraged to read the report.