When chaos is the goal, resilience is the answer
Forget prevention, containment is key to protecting OT systems

From halting fuel pipelines to crippling hospital IT systems, cyber attackers are seeing continued success in targeting the infrastructure that underpins society.
Some of these attacks are the work of high-level, state-backed operatives seeking to weaken rival powers. Other incidents stem from opportunistic criminal gangs aiming for digital extortion, such as the recent spate of attacks using the Medusa ransomware-as-a-service.
Director of Critical Infrastructure at Illumio.
Whatever the motivation, the objective is the same: cause maximum chaos and disruption. In sectors like energy, manufacturing, and healthcare, even a brief outage can be economically devastating or, worse, life-threatening. And that’s exactly what threat actors are counting on.
These attacks are especially effective at the intersection of digital and physical systems, which means they are increasingly targeting operational technology (OT) systems interconnected with IT networks.
To protect vulnerable OT systems and keep operations running, organizations must shift their focus from prevention to containment, limiting the reach and impact of inevitable breaches.
How attackers are exploiting OT’s unique weaknesses
OT environments weren’t built for today’s threat landscape. Most systems were engineered decades ago for reliability and continuity, often with local-only access in mind. Any security measures were concerned purely with physical access to control panels.
Today, those same systems are increasingly connected to broader corporate networks to facilitate remote access and automation. It's common to find protocols like Modbus, PROFINET and DNP3 still running exactly as they were designed for isolated plant networks, with no encryption and no authentication: any host that can reach the port can issue commands.
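To make that last point concrete, here is an added example (not from the original article, and not code from the author or Illumio) that parses Modbus/TCP frames and runs a simple detection check over them: writes that change process state are flagged when they come from a host that is not on the list of authorized writers. The frames, IP addresses and the authorized-writer list are constructed for the example. The parser shows what the MBAP header actually contains, which is the security point: there is no field for a credential or signature anywhere in the frame.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state. Reads are deliberately left
# out: the check below is about who is allowed to *write* to a controller.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Split a Modbus/TCP frame into its MBAP header and PDU.

    MBAP is 7 bytes, big-endian: transaction id (2), protocol id (2, always 0),
    length of everything that follows including the unit id (2), unit id (1).
    The PDU starts with the function code. Note what is absent: no credential,
    nonce, MAC or signature. Reachability to TCP/502 is the only "authentication".
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame) - 6}")
    return ModbusRequest(transaction_id, unit_id, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> str:
    """Human-readable summary of a write request's target."""
    name = WRITE_FUNCTIONS[req.function_code]
    if req.function_code in (0x05, 0x06):          # single coil/register: address, value
        address, value = struct.unpack(">HH", req.data[:4])
        return f"{name} addr={address} value=0x{value:04X}"
    start, quantity = struct.unpack(">HH", req.data[:4])   # multiple: start, count
    return f"{name} start={start} count={quantity}"


def audit(events, authorized_writers):
    """Classify each (src_ip, frame) as read, allowed write or unauthorized write."""
    findings = []
    for src_ip, frame in events:
        req = parse_modbus_tcp(frame)
        if req.function_code not in WRITE_FUNCTIONS:
            findings.append((src_ip, "read", f"function 0x{req.function_code:02X}"))
        elif src_ip in authorized_writers:
            findings.append((src_ip, "write-allowed", describe_write(req)))
        else:
            findings.append((src_ip, "write-UNAUTHORIZED", describe_write(req)))
    return findings


# Constructed traffic to unit 1 on TCP/502 (hypothetical hosts and addresses).
SAMPLE_EVENTS = [
    ("10.20.0.11", bytes.fromhex("000100000006010300000002")),           # HMI reads 2 holding regs
    ("10.20.0.21", bytes.fromhex("0002000000060105000AFF00")),           # eng workstation sets coil 10 ON
    ("10.1.5.77", bytes.fromhex("0003000000060106000B0000")),            # unknown host writes register 11
    ("10.1.5.77", bytes.fromhex("00040000000B0110000100020400010002")),  # unknown host writes 2 registers
]
AUTHORIZED_WRITERS = {"10.20.0.21"}

if __name__ == "__main__":
    for src, verdict, detail in audit(SAMPLE_EVENTS, AUTHORIZED_WRITERS):
        print(f"{src:12s} {verdict:20s} {detail}")
```

The allow-list here is keyed on source IP only because that is all the protocol gives you to work with. Modbus/TCP Security (Modbus over TLS, on port 802) exists, but most fielded controllers do not support it, which is why this kind of passive, source-based check sits in front of the device rather than on it.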
Industrial controllers and field devices rarely support modern defences like endpoint agents or patch management. In some cases, even identifying which assets exist on the network is a challenge.
Add in remote-access VPNs, retrofitted TCP/IP, and shadow IoT devices, and the once-isolated OT domain becomes an open playing field for attackers. They don’t need sophisticated exploits; gaining a foothold in a flat network is often enough to start causing chaos.
Many of these OT systems aren't just vulnerable, they're predictably exploitable, and adversaries know it. According to recent research, 77% of companies suffered an attack that compromised confidential data or disrupted their OT in the last 12 months.
Why OT needs more than prevention
One reason so many attacks succeed is that many organizations still pin their hopes on traditional perimeter defense, tools like firewalls, antivirus, and access controls, which are geared to keep threat actors out.
But it’s been clear for some time that this approach has reached its limit against modern attack strategies, and nowhere is this more evident than in OT environments.
Industrial systems often rely on hardcoded passwords, unpatched firmware, or decades-old hardware that can't support modern security tools.
In many cases, installing endpoint protection or making configuration changes isn’t possible without risking system instability.
In OT environments, breaches are increasingly inevitable. And when a threat actor gains network access, the real danger begins. Lateral movement allows them to hop between systems, turning a single breach into a full-blown incident that can grind an entire operation to a halt.
Relying solely on prevention creates a false sense of security. The smarter strategy is to assume the perimeter will fail, and build in controls that limit the damage. In critical environments, containment must be the foundation of a resilient defense.
How containment builds true resilience
Containment isn’t about locking everything down. It’s about understanding your environment and how systems are connected, and putting guardrails in place so a breach can’t spiral out of control.
OT environments often consist of a piecemeal collection of legacy tech added over time, with no unified inventory. That makes getting started on security feel overwhelming.
Visibility is the first step to making it manageable, using discovery tools to build a complete inventory of the OT environment. From there, the priority is identifying the minimal set of systems critical to operations, such as PLC shutdown functions and SCADA historian databases.
Next, it’s time to apply microsegmentation, one of the most critical capabilities in containing intrusions and preventing lateral movement. Apply microsegmentation to one surface at a time, starting with high-priority assets that are likely to be targeted by attackers seeking to cause maximum chaos.
One effective OT approach is to group assets by function, such as emergency shutdown systems, historian databases, or engineering workstations, and place them in separate security zones.
Once assets and connections have been identified, policies can be set up to govern system access using exception-based allow-listing and behavioral baselining. Disabling all unused ports and protocols, permitting only the operational flows each zone actually needs, and requiring multi-factor authentication for interactive and remote access will drastically reduce the attack surface.
Applying Zero Trust principles to microsegmentation ensures that access is never granted without the right level of authorization. Allowing only verified traffic between authorized systems prevents attackers from using tools like RDP or SMB to skirt around defenses and achieve lateral movement.
Finally, AI-driven security graphs can learn normal communication patterns, enabling security teams to isolate anomalous commands before they escalate into full-blown attacks. In OT that isolation should be staged, alerting first and enforcing only once the baseline is trusted, because a false positive that blocks a legitimate control message is itself an outage.
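The steps above (inventory, functional zones, default-deny allow-listing) and the "blast radius" metric discussed later in the piece fit together in a small model. The following is an added example, not code from the original article or from Illumio's products: it encodes a zone policy as data, evaluates each flow default-deny, and then measures how far an attacker can spread from a given foothold by chaining allowed flows. Every asset name, zone, service and address is hypothetical.

```python
from collections import deque

# Constructed inventory: asset -> functional zone. All names are hypothetical.
ASSETS = {
    "corp-fs-01": "it",
    "vpn-jump-01": "it",
    "eng-ws-01": "engineering",
    "hmi-01": "hmi",
    "plc-01": "control",
    "plc-02": "control",
    "esd-01": "safety",
    "hist-01": "historian",
}

SERVICES = ("modbus/502", "opcua/4840", "rdp/3389", "smb/445")

# Rules are (source, destination, service); a source or destination may name a
# zone or a single asset. Anything not matched is denied, so this is an
# exception-based allow-list, not a block-list. Direction matters: PLCs push to
# the historian, the historian initiates nothing.
SEGMENTED_POLICY = [
    ("vpn-jump-01", "engineering", "rdp/3389"),  # only the MFA jump host, not the whole IT zone
    ("engineering", "control", "modbus/502"),
    ("engineering", "safety", "modbus/502"),
    ("hmi", "control", "modbus/502"),
    ("control", "historian", "opcua/4840"),
]

# A flat network for comparison: every zone reaches every zone on every service.
ZONES = sorted(set(ASSETS.values()))
FLAT_POLICY = [(a, b, svc) for a in ZONES for b in ZONES for svc in SERVICES]


def _matches(selector, asset):
    return selector == asset or selector == ASSETS[asset]


def is_allowed(policy, src, dst, service):
    """Default-deny evaluation of one flow against the rule list."""
    if src == dst:
        return False
    return any(
        _matches(s, src) and _matches(d, dst) and svc == service
        for s, d, svc in policy
    )


def blast_radius(policy, foothold):
    """Assets reachable from `foothold` by chaining allowed flows (BFS).

    This is the blast-radius metric: how far one compromised host can move
    laterally under a given policy, regardless of which service it abuses.
    """
    reached = {foothold}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        for candidate in ASSETS:
            if candidate in reached:
                continue
            if any(is_allowed(policy, current, candidate, svc) for svc in SERVICES):
                reached.add(candidate)
                queue.append(candidate)
    reached.discard(foothold)
    return reached


def compare(foothold):
    """Return (flat, segmented) blast-radius sizes for the same foothold."""
    return (len(blast_radius(FLAT_POLICY, foothold)),
            len(blast_radius(SEGMENTED_POLICY, foothold)))


if __name__ == "__main__":
    for host in ("corp-fs-01", "vpn-jump-01", "hmi-01", "hist-01"):
        flat, seg = compare(host)
        print(f"{host:12s} flat={flat} segmented={seg} -> {sorted(blast_radius(SEGMENTED_POLICY, host))}")
    # Classic IT-to-OT lateral movement over SMB is denied outright:
    print("corp-fs-01 -> plc-01 smb/445:",
          is_allowed(SEGMENTED_POLICY, "corp-fs-01", "plc-01", "smb/445"))
```

On the flat network every foothold reaches all seven other assets. Under the segmented policy a compromised file server reaches nothing, an HMI reaches only the two PLCs and the historian they feed, and the historian reaches nothing at all. The jump host still reaches five assets, and that is the honest result: a remote-access path is a deliberate hole, which is why it should be the first place to put MFA, session recording and protocol inspection. The model also shows the limit of flow-level segmentation on its own: a compromised engineering workstation keeps its allowed Modbus path to the PLCs, so what it sends over that path still needs to be checked.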
With the right strategy, this containment approach will protect what matters most, without disrupting what keeps the lights on.
Organizations should regularly test their defenses against real-world threats, including quarterly “network unplug” exercises that manually validate SCADA and PLC operations under simulated attacks.
Why shifting to containment demands a cultural change
Alongside the technical challenges of securing complex OT environments, cultural blockers can be a major obstacle. In many industrial settings, change is seen as risk. Some systems may have operated for decades without incident, and any initiative that threatens uptime, even temporarily, can face strong resistance.
This resistance often extends to risk and security management. Some organizations still rely on outdated frameworks like the Purdue model, which no longer aligns with the open, interconnected nature of today’s digital environments.
There’s a persistent ‘if it ain’t broke…’ mindset around OT systems, but in today’s threat landscape, that attitude is increasingly dangerous.
Securing the OT systems that power our most critical infrastructure demands a shift in mindset, from prevention to resilience. Embedding this approach starts with tracking what matters. Metrics like mean time to containment, blast radius size, and operational impact offer far more meaningful insights than the number of alerts closed.
OT environments can’t afford to wait for new regulations, major incidents, or board-level directives to act. Containment is achievable now, and it doesn’t require a complete overhaul.
Start with the basics: visibility, segmentation, and access control. Identify what matters most and make it harder to reach. Resilience, not perfection, is the new security benchmark. For OT environments facing adversaries bent on chaos, that shift in mindset might be the most important upgrade of all.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro