
Trevor Dearing at Illumio describes how organisations can better secure their operational technology environments
Industrial control systems have become a prime target for adversaries whose goal is no longer just direct data theft, but outright disruption. Whether it’s state-backed actors seeking to weaken rival nations or independent criminal gangs seeking big ransomware paydays, critical infrastructure is increasingly under attack.
With so many sectors relying on operational technology (OT) to manage cyber-physical systems, these assets are a key point of vulnerability. In sectors such as energy and healthcare, where uptime isn’t just a KPI but a matter of public safety, this “chaos factor” is a deliberate weapon in OT attacks.
While many organisations pour budget into prevention, modern IT–OT convergence has opened new pivot points for attackers, making perfect defence unattainable. Instead, teams must adopt an “assume breach” mindset, focus relentlessly on containment at every IT–OT junction, and limit the blast radius to protect critical operations.
Attacks targeting OT are growing both more numerous and more likely to succeed. Recent research commissioned by Siemens and carried out by Ponemon found that 77% of companies had suffered an attack compromising confidential data or disrupting their OT over the last 12 months.
Most believed they were likely to suffer an OT-related breach within the coming year, and most felt their networks were not adequately protected against the risk, especially in terms of vulnerability management and segmentation.
OT systems are hardly alone in facing great cyber risk – we’re seeing a more hostile cyber threat landscape in practically every field. But OT is especially vulnerable because it was never designed for today’s digital threats.
Legacy protocols like Modbus, DNP3 and PROFINET carry no native encryption or authentication, allowing attackers to intercept or inject commands directly into programmable logic controllers (PLCs). What were once “air‐gapped” networks are now bridged by TCP/IP retrofits, remote‐access VPNs and unmanaged IoT sensors, creating blind spots for security teams.
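The frame-level reason is easy to see in code. The block below is an added example, not code from the article or from Illumio: it parses a Modbus TCP request (the 7-byte MBAP header plus the start of the PDU), makes the point that nothing in the frame identifies or authenticates the sender, and therefore enforces a per-source allow-list of function codes the way an overlay control at the network layer would. The host addresses, unit id, policy table and the two frames are all constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (writes) versus reads.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int
    count_or_value: int


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the first four PDU bytes of a request.

    Note what is absent: no sender identity, no credential and no integrity
    check. The frame alone cannot tell a legitimate HMI from anything else."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header + PDU")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    function_code = frame[7]
    address, count_or_value = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(transaction_id, unit_id, function_code, address, count_or_value)


# Constructed allow-list (hypothetical addresses): which source host may send
# which function codes to which unit. The source host comes from the network
# layer, not from the frame, which is why enforcement has to sit around the PLC.
POLICY = {
    ("10.0.20.5", 1): set(READ_CODES),                      # HMI: read-only
    ("10.0.20.7", 1): set(READ_CODES) | set(WRITE_CODES),   # engineering workstation
}


def decide(src_host: str, frame: bytes) -> tuple:
    """Return ('allow' | 'deny', reason) for a request seen from src_host."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return ("deny", f"malformed frame: {err}")
    allowed = POLICY.get((src_host, req.unit_id))
    if allowed is None:
        return ("deny", f"{src_host} is not permitted to talk to unit {req.unit_id}")
    name = (WRITE_CODES.get(req.function_code)
            or READ_CODES.get(req.function_code)
            or f"function code {req.function_code}")
    if req.function_code not in allowed:
        return ("deny", f"{name} from {src_host} is outside the allow-list")
    return ("allow", f"{name} at address {req.address}")


# Constructed frames: read 10 holding registers from address 0, and write the
# value 1 to holding register 16, both addressed to unit 1.
READ_FRAME = bytes.fromhex("00010000000601030000000a")
WRITE_FRAME = bytes.fromhex("000200000006010600100001")

if __name__ == "__main__":
    for host in ("10.0.20.5", "10.0.20.7", "10.0.10.5"):
        print(host, decide(host, READ_FRAME), decide(host, WRITE_FRAME))
```

The same write frame is accepted from the engineering workstation and rejected from the HMI and from an unknown host, even though the bytes are identical; that asymmetry can only come from the overlay, never from the protocol.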
Without a single, accurate inventory of controllers, HMIs and edge gateways, organisations struggle to know which assets are exposed.
Over the past decade, enterprises have woven operational technology into corporate IP fabrics, connecting controllers, HMIs and field sensors to networks hosting Active Directory, EDR tools and VPN concentrators.
While this convergence usually drives efficiency, IT and OT are very different worlds, and their collision has opened multiple new attack vectors. IT systems have evolved around strong identity and policy frameworks. Users and machines alike are expected to authenticate, exchange credentials, and be governed by granular, centrally managed rules.
On the other hand, OT assets such as PLCs and SCADA were largely designed before the internet. Devices were meant to be accessed locally, with no built-in notion of IT sensibilities such as authentication or segmentation. When OT environments are plugged into IT networks without the right precautions, they’re wide open by design.
Early OT integrations often simply “wrapped” serial links in TCP/IP to enable remote control, frequently without adding any authentication or firewalling. Many operations still rely on OT devices running decades-old firmware or even BIOS-only stacks that cannot be retrofitted with conventional agents or encryption. They demand an overlay of segmentation and policy enforcement around them, rather than within them.
Remote‐access pathways such as VPN appliances and edge gateways now straddle IT and OT boundaries: a single compromised domain‐administrator token or misconfigured firewall rule can expose safety‐critical controllers to remote command injection.
While this technical exposure has been present for many years, it has become an urgent risk today as we observe a shift in attacker motivation and strategy. Today’s state-sponsored groups and “chaos-as-a-service” operators deliberately target OT to spark wide-scale societal disruption, such as power blackouts and healthcare service denial.
With sophisticated and well-resourced threat groups looking for weaknesses, no organisation can afford to continue putting off OT security.
In OT environments, 100 percent prevention is a pipe dream. Legacy controllers, hard-coded credentials and unpatched firmware mean adversaries will inevitably breach perimeter defences. Rather than chase the illusion of impenetrable walls, security teams must adopt an “assume breach” posture and make containment their guiding principle. The goal isn’t just to detect threats, it’s to stop them from spreading.
It can be daunting to secure years, sometimes decades, of overlapping legacy technology. A proven roadmap begins with identifying the minimal set of critical assets needed for operations, whether that’s PLC shutdown functions, SCADA historian databases or HMI consoles, and then building micro-perimeters around each. By segmenting one surface at a time, teams can incrementally reduce risk without disrupting operations and, more importantly, limit how far an attacker can move if they get in.
The focus must shift to containment, minimising the blast radius of any breach to reduce its impact. Achieving this requires more than just technical solutions; it demands a cultural transformation. Senior leaders must move away from post-incident narratives rooted in blame and instead emphasise recovery and resilience.
By accepting that attacks are inevitable and not every breach can be prevented, organisations can redirect their efforts towards maintaining the functionality of their critical systems. This mindset empowers teams to prioritise uptime and operational continuity, which is essential in industries where even brief disruptions can have significant consequences.
Embedding containment metrics such as blast-radius size and mean time to containment into executive dashboards cements the mindset that while breaches can’t be stopped, their impact can be minimised.
Effective containment begins with comprehensive mapping. Organisations should use specialised OT-discovery tools to inventory every controller, gateway and sensor, and visualise IT–OT and OT–OT traffic, including legacy protocols and unauthorised tunnels.
With this visibility, teams can group assets by function (e.g., emergency-shutdown PLCs vs engineering workstations) and implement microsegmentation at the OT edge. Enforcing Zero Trust principles ensures segmentation without disrupting the legacy devices.
Next, security teams should adopt exception-based allow-listing and behavioural baselining. By disabling all unused ports and protocols and permitting only multi-factor-authenticated operational flows, organisations can reduce their attack surface to the bare minimum.
AI-driven security graphs then learn normal communications patterns and automatically isolate anomalous process-level commands, stopping threats before they can propagate laterally.
Regular validation through fail-safe drills and governance ensures containment remains reliable. Quarterly “network unplug” exercises in each critical OT zone, which test manual SCADA and PLC operations under realistic attack scenarios, will uncover hidden dependencies.
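The steps above (inventory, grouping assets by function, microsegmentation, allow-listing from a learned baseline) and the blast-radius metric mentioned earlier can be worked through in a few dozen lines. The following is an added example, not code from the article or from Illumio: it takes a constructed asset inventory with hypothetical addresses, collapses flows observed during a learning window into zone-level allow rules, evaluates new flows against them, and computes the blast radius of a compromised host as the set of assets reachable over permitted zone pairs. The inventory, zone names, flows and ports are all constructed for the example (502 is the standard Modbus TCP port).

```python
from collections import deque

# Constructed asset inventory (hypothetical addresses): host -> functional zone.
INVENTORY = {
    "10.0.10.5": "corporate-it",
    "10.0.10.9": "corporate-it",
    "10.0.20.5": "hmi",
    "10.0.20.7": "engineering",
    "10.0.30.1": "plc-process",
    "10.0.30.2": "plc-process",
    "10.0.31.1": "plc-esd",        # emergency-shutdown PLC gets its own zone
    "10.0.40.1": "historian",
}

# Constructed flows seen during a learning window: (src, dst, dst_port).
BASELINE_FLOWS = [
    ("10.0.20.5", "10.0.30.1", 502),    # HMI polls process PLCs (Modbus TCP)
    ("10.0.20.5", "10.0.30.2", 502),
    ("10.0.20.5", "10.0.31.1", 502),    # HMI reads ESD PLC status
    ("10.0.20.7", "10.0.30.1", 502),    # engineering workstation to process PLC
    ("10.0.40.1", "10.0.30.1", 502),    # historian polls process PLC
    ("10.0.10.5", "10.0.40.1", 1433),   # corporate reporting reads the historian DB
]


def zone_of(host: str) -> str:
    return INVENTORY.get(host, "unknown")


def learn_policy(flows) -> set:
    """Collapse observed host-level flows into zone-level allow rules.

    Grouping by function means a rule learned from one PLC applies to every
    PLC in the same zone, and a flow into a zone never observed is denied."""
    return {(zone_of(src), zone_of(dst), port) for src, dst, port in flows}


def evaluate(flow, policy) -> tuple:
    """Return ('allow' | 'deny', rule) for a single observed flow."""
    src, dst, port = flow
    rule = (zone_of(src), zone_of(dst), port)
    return ("allow" if rule in policy else "deny", rule)


def blast_radius(start_host: str, policy) -> set:
    """Assets an attacker on start_host could reach, moving only over zone
    pairs the policy permits (a breadth-first walk over the inventory)."""
    allowed_pairs = {(src_zone, dst_zone) for src_zone, dst_zone, _ in policy}
    seen, queue = {start_host}, deque([start_host])
    while queue:
        current = queue.popleft()
        for host, zone in INVENTORY.items():
            if host not in seen and (zone_of(current), zone) in allowed_pairs:
                seen.add(host)
                queue.append(host)
    seen.discard(start_host)
    return seen


POLICY = learn_policy(BASELINE_FLOWS)

if __name__ == "__main__":
    for flow in [("10.0.10.9", "10.0.30.1", 502),    # IT host straight to a PLC
                 ("10.0.20.7", "10.0.30.2", 502),    # engineering to a second PLC
                 ("10.0.20.7", "10.0.31.1", 502)]:   # engineering to the ESD PLC
        print(flow, evaluate(flow, POLICY))
    print("blast radius of 10.0.10.5:", sorted(blast_radius("10.0.10.5", POLICY)))
    tightened = POLICY - {("historian", "plc-process", 502)}
    print("after removing historian->PLC:", sorted(blast_radius("10.0.10.5", tightened)))
```

Two things the walk makes visible: the historian is a pivot from the corporate zone into the process PLCs, so one learned rule sets the blast radius of any IT host at three OT assets, and the ESD PLC stays unreachable from every zone except the HMI because it was never grouped with the other controllers. Re-running the metric after each rule change is the dashboard number the article suggests tracking.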
By following these steps, organisations can ensure that, even if perimeter defences are breached, critical OT systems remain insulated from cascading failure, keeping essential services running and mitigating the chaos attackers seek.
When chaos is the objective, resilience—not perfection—is the true measure of security. By understanding the risks of IT–OT convergence and embedding breach containment strategies at the heart of OT security, organisations can ensure that inevitable intrusion does not escalate into full-blown crises.
Trevor Dearing is Director of Critical Infrastructure at Illumio
Main image courtesy of iStockPhoto.com and gorodenkoff
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543