New reporting confirms that cyberattacks on Industrial Control Systems (ICS) were part of an offensive military campaign. Although there were numerous warnings of state-aligned threats, we are seeing first-hand evidence of this within the scope of an active battlefield.
Much of today’s critical infrastructure was never designed for adversarial cyber environments. At the same time, traditional Incident Response processes cannot keep pace with the speed of digital-kinetic conflict. There is growing recognition that attacks on ICS are inevitable and that physical processes – the core of operations – are the target. For Cyber Resilience to be achieved, operators will need to update their approach to Incident Response and prioritize Process Level OT Cyber.
The April 2026 Joint Cybersecurity Advisory (AA26-097A), issued by the FBI, CISA, NSA, EPA, and DOE, states that attackers manipulated “data displayed on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays,” resulting in “operational disruption and financial loss.”
The objective goes beyond gaining access: it is the ability to alter how industrial processes behave and how operators perceive them.
Key observations from the advisory include:
Targeting of industrial controllers: Adversaries exploited internet-facing PLCs across multiple sectors, gaining direct access to operational environments.
Interaction with control logic: Attackers used legitimate engineering tools to manipulate project files containing ladder logic – the core instructions governing physical processes.
Operator deception: By altering HMI and SCADA displays, attackers created a mismatch between what operators saw and what was occurring in the process.
Confirmed real-world impact: These activities led to disruptions across critical infrastructure sectors, including energy and water systems.
Why Traditional IR Tools Fail in OT Environments
While the NIST Incident Response (IR) framework is the standard for structured response and recovery, many tools supporting it were designed primarily for IT-centric threats such as data theft, not digital-kinetic warfare. The gap between a NIST-compliant plan and operational reality can become a liability.
It starts with the Preparation and Training phase, where most organizations rely on annual tabletop exercises using static, manual scripts. These scenarios do not reflect today’s reality, which includes Agentic AI, zero-day exploits and nation states integrating cyber and kinetic warfare. High-velocity, multi-vector attacks can overwhelm human-scale responses.
In the Detection and Analysis phase, standard IR tools pull telemetry from HMIs, SCADA systems, and network logs, all of which exist at the digital layer. However, Advisory AA26-097A confirms that adversaries are now maliciously interacting with PLC project files to manipulate HMI and SCADA displays. If detection tools are ingesting potentially manipulated or unreliable data directly from a compromised controller, the analysis phase is compromised from the outset.
Without real-time decision support, IR teams are forced to wade through overwhelming noise, delaying the identification of the primary threat until physical damage may already be underway.
During Containment, Eradication, and Recovery, playbooks are typically manual and lack real-time visibility into the actual physical process. In a battleground scenario, the decision to “shut down” carries massive strategic and financial weight. Without direct verification of the physical process (Level 0), CISOs are forced to make high-stakes decisions based on incomplete or spoofed data, often leading either to catastrophic physical damage or to significant unnecessary downtime.
The Process-Level OT Cyber Alternative: Anchoring Trust in Physics
The SigaML² suite addresses the discrepancy between potentially manipulated digital reporting and actual physical behavior by providing a “Physical Truth” that is independent of the compromised control layer.
Physics-Based Detection (Level 0): Utilizing SigaGuard hardware sensors, the system monitors raw electrical signals directly from the “Unprogrammable Layer” of sensors and actuators. Because these signals represent the actual physics of the process and are captured out-of-band, they are significantly more difficult to manipulate remotely by attackers who have compromised higher-level systems like PLCs or HMIs. This helps ensure the Detection and Analysis phase of the NIST framework is grounded in unfiltered physical reality rather than digital fabrication.
Real-Time Decision Support: Through Parallel Reference Monitoring, SigaML² continuously correlates raw Level 0 data with reporting data from Levels 1-4. This cross-layer analysis allows the system to detect discrepancies consistent with False Data Injection (FDI) attacks – where an attacker manipulates the process while sending false “normal” values to operators. This high-certainty insight filters out the “noise” of digital alerts and provides Incident Response (IR) teams with the data-backed guidance needed to identify sophisticated threats more quickly.
Precise Incident Response: SigaML² serves as an OT Decision Support System (OT-DSS), enabling more precise containment decisions instead of binary ‘shut down or continue’ choices. By verifying the physical state at Level 0, decisions on whether to shut down, disconnect, or continue operations can be made with greater confidence. This allows facilities to maintain verified Operational Continuity, safely isolating the compromised digital network while confirming that the underlying physical process remains stable and under control.
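The cross-layer correlation described above (and the operator-deception scenario in the advisory, where the display says “normal” while the process moves) can be illustrated with a small consistency check. The following is an added example written for this article, not SIGA’s code and not the SigaML² implementation; it assumes a generic loop where an out-of-band measurement of the physical quantity (Level 0) is sampled alongside the value the control layer reports (Levels 1-2), and it flags sustained mismatches between the two while ignoring single-sample glitches caused by transport lag. The tank-level trace is constructed for the example.

```python
"""Cross-layer consistency check: out-of-band Level 0 signal vs. reported value.

Added example, not vendor code. Assumes two time-aligned series for the same
physical quantity: an independent Level 0 measurement and the value shown on
the HMI/SCADA layer. A sustained mismatch is the signature of False Data
Injection (FDI): the process is driven while operators are shown "normal".
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Sample:
    t: float          # seconds since start of the window
    level0: float     # out-of-band physical measurement, engineering units
    reported: float   # same quantity as reported by the control layer


@dataclass(frozen=True)
class Discrepancy:
    start: float
    end: float
    max_delta: float
    reported_frozen: bool   # reported value held still while Level 0 moved


def _summarise(run: List[Sample], tolerance: float, freeze_eps: float) -> Discrepancy:
    deltas = [abs(s.level0 - s.reported) for s in run]
    reported_span = max(s.reported for s in run) - min(s.reported for s in run)
    level0_span = max(s.level0 for s in run) - min(s.level0 for s in run)
    # "Frozen" = display did not move although the physical signal clearly did;
    # this pattern is what a hold-at-normal FDI attack looks like to the operator.
    frozen = reported_span < freeze_eps and level0_span > tolerance
    return Discrepancy(run[0].t, run[-1].t, max(deltas), frozen)


def find_discrepancies(samples: List[Sample], tolerance: float,
                       min_duration: float, freeze_eps: float = 0.05) -> List[Discrepancy]:
    """Return runs where |level0 - reported| > tolerance for >= min_duration seconds.

    Runs shorter than min_duration (first to last sample) are dropped: a single
    sample of disagreement is typically latency between layers, not an attack.
    """
    results: List[Discrepancy] = []
    run: List[Sample] = []
    for s in sorted(samples, key=lambda x: x.t):
        if abs(s.level0 - s.reported) > tolerance:
            run.append(s)
            continue
        if run and run[-1].t - run[0].t >= min_duration:
            results.append(_summarise(run, tolerance, freeze_eps))
        run = []
    if run and run[-1].t - run[0].t >= min_duration:   # close a run at end of window
        results.append(_summarise(run, tolerance, freeze_eps))
    return results


def constructed_tank_level_trace() -> List[Sample]:
    """Constructed 60 s, 1 Hz trace of a tank level in percent (not real data).

    0-29 s : process steady at 50 %, both layers agree (one-sample glitch at 10 s).
    30-59 s: the actual level climbs 1 %/s while the reported value is held at 50 %.
    """
    trace: List[Sample] = []
    for t in range(60):
        actual = 50.0 if t < 30 else 50.0 + (t - 30)
        reported = 47.0 if t == 10 else 50.0   # glitch: 3 % off for one sample only
        trace.append(Sample(float(t), actual, reported))
    return trace


if __name__ == "__main__":
    for d in find_discrepancies(constructed_tank_level_trace(), tolerance=2.0, min_duration=5.0):
        print(f"discrepancy {d.start:.0f}-{d.end:.0f}s, max delta {d.max_delta:.1f}, "
              f"reported frozen: {d.reported_frozen}")
```

With a 2 % tolerance and a 5 s minimum duration, the glitch at 10 s is ignored, and the held-at-50 % display is flagged from 33 s (the first sample more than 2 % away from the physical signal) to the end of the window, with the reported series marked as frozen. The thresholds are the tuning points in practice: too tight and normal sensor noise alerts, too loose and a slow drift hides under the tolerance.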
Summary and Conclusion
As documented in Advisory AA26-097A, kinetic warfare now extends to critical infrastructure. When adversaries can manipulate the very data operators use to make decisions, traditional, network-based Incident Response alone is no longer sufficient.
To achieve effective Cyber Resilience, organizations must ground their defense in the physical reality of their operations. By prioritizing Process-Level OT Cyber, infrastructure operators can ensure that even when the network is under attack, the truth remains visible, and the process remains under control.