The false sense of security surrounding modern infrastructure is shattered not by sophisticated algorithms but by mundane negligence, which in the hands of state actors is acquiring the status of a strategic weapon. Incidents targeting US operational technology systems show that the weakest link in a state's digital power can be a lack of elementary network hygiene, turning a routine configuration setting into a critical point for state stability.
While the public debate revolves around mythical zero-day tools and sophisticated cyber-espionage, the reality turned out to be painfully trivial. The key to physical process control systems was not a new generation of digital lockpicks, but an open door that no one saw fit to close.
Fundamental to this problem is the methodological regression of the aggressors. Traditionally, we view state-sponsored hacking groups as digital laboratories producing bespoke code of enormous market value. Meanwhile, actions targeting the water or energy sectors reveal a shift towards an operational model based on cost efficiency.
Instead of investing millions of dollars in finding unknown software vulnerabilities, the attackers used widely available network scanning tools. In this new doctrine of ‘cyber-pragmatism’, it is not the hacker that adapts to the target, but the target that is chosen because of its public visibility and its lack of elementary barriers such as unique passwords or multi-factor authentication.
This situation exposes a profound crisis in the concept of air-gapping, the physical isolation of operational technology (OT) systems from external networks. For decades, the belief in the security of programmable logic controllers (PLCs) or SCADA systems rested on their supposed inaccessibility. However, the Industry 4.0 paradigm, which demands a constant flow of analytical data and the ability to service devices remotely, has quietly and effectively crushed this wall.
In many cases, systems that were listed as isolated in the documentation actually had active connections to the internet, configured on an ad hoc basis for the convenience of administrators or external providers. This ‘digital convenience’ has become the most effective ally of foreign intelligence.
Operational technology has specific characteristics that make it extremely vulnerable to simple attacks. Unlike the dynamic world of IT, where hardware is replaced within a few years, industrial infrastructure is designed to run for decades. Many of the controllers currently in operation date back to a time when communication protocols such as Modbus were built with performance in mind and without any security considerations. In that world, trust was the default.
Today, these same devices, lacking encryption or identity verification mechanisms, are rendered defenceless against anyone who can establish a communication session with them. This is not a bug in the code; it is a bug in the very design philosophy of systems that have suddenly gained global connectivity.
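To make the "trust was the default" point concrete, here is an added example (not code from the article) that parses Modbus/TCP request frames and flags write commands from hosts that are not on an allowlist of engineering workstations. The MBAP header carries a transaction id, a protocol id, a length and a unit id; there is no field for an identity, a credential or an integrity check, so the only thing a defender can key on is where the frame came from. The IP addresses, allowlist and captured frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes as defined by the protocol; names are for reporting only.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
# Function codes that change process state on the controller.
WRITE_FUNCTIONS = {5, 6, 15, 16}

# MBAP header: transaction id, protocol id (always 0), length, unit id.
# Note what is absent: no authentication, no session key, no MAC.
MBAP = struct.Struct(">HHHB")


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]   # first two data bytes of most requests
    data: bytes


def encode_request(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request frame (used here to construct sample traffic)."""
    pdu = bytes([function_code]) + data
    # The length field counts the unit id plus the PDU.
    return MBAP.pack(transaction_id, 0, 1 + len(pdu), unit_id) + pdu


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request; rejects frames that are not well-formed."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code = frame[7]
    data = frame[8:]
    address = struct.unpack_from(">H", data)[0] if len(data) >= 2 else None
    return ModbusRequest(tid, unit, function_code, address, data)


# Constructed capture: (source IP, frame). The external address is an assumption
# made for the example, not an indicator from any real incident.
CAPTURE = [
    ("10.10.1.7", encode_request(1, 1, 3, struct.pack(">HH", 0, 10))),       # HMI polling 10 holding registers
    ("10.10.1.5", encode_request(2, 1, 5, struct.pack(">HH", 16, 0xFF00))),  # engineering workstation sets coil 16 ON
    ("203.0.113.7", encode_request(3, 1, 6, struct.pack(">HH", 42, 500))),   # unknown host writes register 42
]

# Constructed allowlist: the only host permitted to issue writes.
ALLOWED_WRITERS = {"10.10.1.5"}


def audit_writes(capture, allowed_writers=ALLOWED_WRITERS):
    """Return (source, unit id, function name, address) for every write from a non-allowlisted host."""
    findings = []
    for src, frame in capture:
        req = parse_request(frame)
        if req.function_code in WRITE_FUNCTIONS and src not in allowed_writers:
            name = FUNCTION_NAMES.get(req.function_code, f"function {req.function_code}")
            findings.append((src, req.unit_id, name, req.address))
    return findings


if __name__ == "__main__":
    for finding in audit_writes(CAPTURE):
        print("write from non-allowlisted host:", finding)
```

The controller itself would execute all three requests identically; the distinction between the legitimate write and the unauthorised one exists only in the monitoring layer, which is exactly why an exposed Modbus endpoint has no defence of its own.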
An analytical look at the timing of these attacks allows us to see them as a form of digital signal diplomacy. These incidents occurred at a sensitive moment of international tensions, suggesting that their main objective was not total physical destruction but a demonstration of capability. Hitting the municipal sector, often seen as less protected than military systems, allows the aggressor to apply pressure in measured doses. It is a kind of proof of access: evidence of holding the critical switches of the state, usable as a bargaining chip at the negotiating table. Such a strategy allows the aggressor to operate below the threshold of open armed conflict while creating real social and political unrest.
It should be noted that attribution in cyberspace always remains subject to a degree of uncertainty, which favours a strategy of so-called plausible deniability. The use of simple tools and known vulnerabilities means that traces left by attackers can mimic the actions of amateur hacking groups or common cyber criminals. For the targeted state, this creates a doctrinal dilemma: how to respond to an incident that is technically primitive but strategically strikes at the heart of citizen security.
The lessons learned are harsh for existing risk management models. Focusing resources on combating the most advanced threats while ignoring digital hygiene in the OT sphere is akin to fitting an armoured door to a house with open windows. The challenge is no longer simply to purchase more expensive AI-based defence systems, but to return to rigorous network segmentation and to auditing the most basic access settings.
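The gap between documented isolation and observed connectivity, and the segmentation audit the article calls for, can both be checked with a small comparison of an asset inventory against a flow log. The following is an added example, not code from the article: the zone boundaries, inventory entries and flow records are all constructed, and the two rules (an asset documented as isolated must not exchange traffic with an external address; a Modbus/TCP session must only be initiated from inside the OT zone) are assumptions standing in for a site's real segmentation policy.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Constructed zone boundaries: the OT network and the corporate network.
OT_ZONE = ipaddress.ip_network("10.10.0.0/16")
CORP_ZONE = ipaddress.ip_network("10.20.0.0/16")
MODBUS_PORT = 502

# Constructed inventory: what the documentation claims about each asset.
INVENTORY = {
    "10.10.1.20": {"name": "PLC-pump-1", "documented_isolated": True},
    "10.10.1.21": {"name": "PLC-chlorine-1", "documented_isolated": True},
    "10.10.1.5": {"name": "ENG-WS-1", "documented_isolated": False},
}

# Constructed flow log: what the network actually carried.
FLOWS = [
    Flow("10.10.1.5", "10.10.1.20", 502),     # engineering workstation polling a PLC: expected
    Flow("10.20.3.14", "10.10.1.21", 502),    # corporate host opening Modbus to a PLC: zone crossing
    Flow("10.10.1.21", "198.51.100.9", 443),  # "isolated" PLC calling out to an external address
    Flow("192.0.2.77", "10.10.1.20", 502),    # external host talking Modbus to a PLC
]


def zone_of(ip: str) -> str:
    """Classify an address as 'ot', 'corp' or 'external' using the constructed zones."""
    addr = ipaddress.ip_address(ip)
    if addr in OT_ZONE:
        return "ot"
    if addr in CORP_ZONE:
        return "corp"
    return "external"


def audit_segmentation(flows, inventory):
    """Compare documented isolation with observed flows; return (asset, peer, reason) findings."""
    findings = []
    for flow in flows:
        # Examine the flow from the point of view of each inventoried endpoint.
        for asset_ip, peer in ((flow.src, flow.dst), (flow.dst, flow.src)):
            asset = inventory.get(asset_ip)
            if asset is None:
                continue
            peer_zone = zone_of(peer)
            if asset["documented_isolated"] and peer_zone == "external":
                findings.append((asset["name"], peer,
                                 "documented as isolated but exchanges traffic with an external address"))
            if flow.dst == asset_ip and flow.dport == MODBUS_PORT and peer_zone != "ot":
                findings.append((asset["name"], peer,
                                 f"Modbus session initiated from the {peer_zone} zone"))
    return findings


if __name__ == "__main__":
    for asset_name, peer, reason in audit_segmentation(FLOWS, INVENTORY):
        print(f"{asset_name} <-> {peer}: {reason}")
```

Run against real data, the inventory comes from the asset register and the flows from a firewall, NetFlow or span-port collector; the value of the check is precisely that it trusts neither document and reports where they disagree.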
