Recent Lesson from Warfare: Process Integrity Part of the Battleground

New reporting confirms that cyberattacks on Industrial Control Systems (ICS) were part of an offensive military campaign. Although there were numerous warnings of state-aligned threats, we are seeing first-hand evidence of this within the scope of an active battlefield. Much of today’s critical infrastructure was never designed for adversarial cyber environments. At the same time, traditional Incident Response processes cannot keep pace with the speed of digital-kinetic conflict. There is growing recognition that attacks on ICS are inevitable and that physical processes – the core of operations – are the target. For Cyber Resilience to be achieved, operators will need to update their approach to Incident Response and prioritize Process Level OT Cyber.

Joint U.S. Advisory: Cyberattacks Are Now Targeting the Industrial Process Itself

The April 2026 Joint ...

Gartner Explains the Shift from Prevention to Resilience

For many years, prevention has been the focus within OT cybersecurity. This approach is best compared to a fortress: building higher walls and deeper moats with a single, binary goal of keeping the bad actors out. But the landscape of 2026 has made a zero-breach scenario an unrealistic goal. As nation-state actors grow more sophisticated and AI-driven attacks lower the barrier to entry for complex exploits, a different approach is needed. We are moving from a mindset of “if we are breached” to a reality of “when a disruption occurs.” This is in turn changing the CISO’s role from prevention to a champion of cyber resilience.

The Myth of Total Prevention

Gartner’s recent research, Predicts 2026: Cybersecurity Program Rebrands to Cyber Resilience, provides context to this shift. According to the report, cybersecurity leaders must immediately ...

OT Cyber Incident Report and the Iceberg Syndrome

Waterfall’s recent release of the ICS Strive 2026 OT Cyber Threat Report shows a relatively small (and declining) number of cyberattacks with “physical consequences.” This data is seemingly at odds with other research, which points to threats especially from nation-states and the increasingly concerning Agentic AI-generated attacks. If anything, there are indications that the industrial sector is increasingly under attack. The easiest explanation is that Waterfall uses a narrow definition of incidents with physical consequences that skews towards the catastrophic end of the spectrum: incidents where the physical impact was undeniable and publicly admitted. In fact, the report itself states that the “incident database and numbers in this report regarding breaches and outages are certain to be an underestimate.” Putting aside their disclaimer, it is worth ...

The Blind Operator Scenario During an OT Breach

In OT cybersecurity, a breach (or a suspected breach) creates a state of uncertainty regarding process integrity. This is the Blind Operator scenario: a situation where the control system indicates no unexpected change in asset behavior, but there is no independent method to confirm that this reported state reflects the physical reality of the asset. For the CISO, this is a “source of truth” problem. When the integrity of the control layer is in question, the digital data used to manage the process or asset becomes an “unknown unknown.”

The Post-Breach Verification Gap

Once a breach is suspected, the organization faces a critical visibility deficit. Because network-based monitoring relies on the data packets sent by the devices themselves, doubt about those devices’ integrity results in a total loss of visibility. For critical infrastructure providers facing sophisticated cyber threats, this ...

Bridging the Recovery Gap: Why OT Cyber Incidents Paralyze Operations for Months

For a CISO, the most paralyzing aspect of an OT incident isn’t just the technical restoration - it is the high-stakes dilemma of when to trigger the recovery path. While a confirmed cyber event requires an immediate and clear response, the reality for most operators is a grey zone: a state of unconfirmed suspicion where anomalous behavior is detected but its origin is unknown. According to the 2025 SANS Survey (State of ICS/OT Security), 20% of organizations hit by a cyberattack require over a month to recover. This delay occurs because, unlike IT (where system re-imaging and backup restoration are routine), OT recovery is governed by the rigid requirements of functional integrity and physical safety. When a CISO faces suspicion rather than certainty, they must ask: Is a recovery path even feasible? Can we afford to trigger this process multiple times without total ...

Process Over People: Scalable Visibility for an AI-Driven Threat Landscape

In operational technology, cybersecurity has always relied on people: operators verifying data, engineers interpreting behavior, and technicians confirming what systems report. In the age of AI-driven cyberattacks, that assumption no longer holds. Autonomous attack agents can analyze control logic, falsify sensor readings, and coordinate consistent data streams across entire networks in real time. To an operator, everything appears normal - yet the process may already be drifting. The belief that humans can reliably “see” what’s real inside the control system has become a costly illusion. Meanwhile, the workforce capable of interpreting process behavior is shrinking. Remote centers now supervise dozens of unmanned sites, while automation replaces routine oversight with algorithms. Efficiency improves, but the last line of physical verification disappears. The result is ...

The Process-Oriented View: CISO Visibility During an OT Attack

It’s 3 AM. The CISO’s phone rings. A critical OT cyberattack is underway. Within minutes, the most critical assets - turbines, pumps, valves, and compressors - could be compromised. Every second matters. If attackers gain command of the industrial process, the consequences can be catastrophic. The CISO’s default move is to check the ICS. But what if the displays are wrong? What if the controls themselves have been compromised and the data displayed to operators has been manipulated to hide the attack? Nearly every cybersecurity tool looks at data flowing through the same channels the attacker controls. Once that data is falsified inside a PLC or HMI, the control room will insist that everything is fine - right up until it isn’t. At that point, the CISO faces a high-stakes decision: shutting down operations could be enormously costly (and ultimately ...

Why Process-Oriented OT Cyber Is Now Essential for Regulatory Compliance

The increased risk from OT cyberattacks by state-sponsored actors and sophisticated criminal networks has driven regulators to tighten requirements. In the U.S., EU, and Singapore, authorities are moving from voluntary guidelines to binding rules that mandate incident reporting within defined timeframes and require documented incident response and recovery plans. In some cases there are significant penalties for non-compliance. Operators will need to adjust to these new mandates and upgrade their incident response planning and processes.

Why it matters

Expanded Mandates. In addition to voluntary frameworks such as NIST guidance, regulators are introducing enforceable rules: TSA directives for pipelines, NERC CIP standards for the grid, NIS2 across the EU, and Singapore’s amended Cybersecurity Act. These measures impose defined reporting timelines and require ...

OT cyber regulation in 2025: expectations vs. reality

With a new Administration that issued a government-wide regulatory freeze on Jan. 20 and launched a deregulatory executive order eleven days later, many in industry expected rollbacks or lighter enforcement this year. In OT, that did not materialize. TSA renewed and updated its pipeline cybersecurity directive effective May 3, 2025, and CISA’s CIRCIA rulemaking continues on a path toward a late-2025 final rule and 2026 effective date.

Why it matters

Critical infrastructure cybersecurity is being treated as a national resilience priority, not a partisan debate. Despite broader deregulatory signals in 2025, mandatory OT cybersecurity requirements remain in place and CIRCIA reporting is still expected once the final rule takes effect. That keeps pressure on operators to deliver timely, defensible incident evidence.

State of play

• Pipelines: TSA’s SD ...

Revisiting Stuxnet, 15 years later

This week marks the 15th anniversary of Stuxnet’s discovery on 17 June 2010: the most well-known (and notorious) OT cyber-attack to disrupt physical equipment. With the target of the attack – Iran’s contentious uranium enrichment program – now the most important world event happening today, this is an opportune time to revisit Stuxnet and what lessons can be learned by Industrial Control System operators today.

A Quick Refresher

Stuxnet penetrated control systems at the Natanz enrichment site through compromised USB drives plugged into engineering workstations. Using four zero-day Windows vulnerabilities, the worm crossed the plant’s air gap and installed itself on Siemens S7 PLCs that controlled the centrifuges. It injected malicious ladder logic that forced rotor speeds beyond safe limits while feeding the control system (and, in turn, plant operators) falsified ...

Why So Many OT Cyber Attacks Go Unreported. And Why That’s a Problem for Critical Infrastructure.

Most OT cyber threats that target critical infrastructure (power, water, manufacturing) never make the news. They don’t get disclosed. Sometimes, they aren’t even recognized. This persistent underreporting isn’t just a data gap. It’s a risk amplifier - a force multiplier that leaves CISOs blind to real threats, makes security planning reactive instead of proactive, and ultimately puts physical systems at risk. Why? Because underreporting causes:

Blind spots across the industry: Without shared incident data, threat intel remains incomplete. That means attack methods get recycled while defenders stay in the dark.

Missed warning signals: Trends that should trigger preventive action (like repeat targeting of certain PLCs or entry via IT) go unnoticed across sectors.

Distorted risk models: If breach numbers appear low, executives and regulators assume ...

The Evolving Challenge of Industrial Cybersecurity

Cybersecurity for industrial systems isn’t a new problem. But too often, it’s still treated like one. Most organizations have well-developed strategies for securing digital assets. But when it comes to Cyber-Physical Systems (CPS) - the power grids, water systems, manufacturing lines, and national infrastructure that depend on both digital and physical processes - cybersecurity strategies often fall short. The reason is simple: many defenses still focus almost entirely on the network layer, which leaves the physical processes themselves vulnerable to attack. The consequences are real and measurable. These aren’t just data breaches. A successful attack on CPS can result in physical shutdowns, equipment failure, and even risks to human safety. To address this, CPS protection requires a different mindset, one that acknowledges the complexity of ...