Recently, government agencies in the United States issued a joint advisory warning that Iran-affiliated hackers had disrupted critical infrastructure by targeting the programmable logic controllers that run energy, water and wastewater processes. Strip away the geopolitics and the most revealing part is the recommended response: remove public-facing access, enable multi-factor authentication and monitor for unusual activity.

Not exotic countermeasures, but fundamentals. Months earlier, a destructive attack attributed to a Russia-linked group damaged industrial control devices across Polish renewable energy substations and attempted to wipe systems at a heat and power plant supplying almost half a million customers. Together, they expose a gap that most security strategies fail to confront: the attackers are advanced but the outcomes are decided by something far more ordinary.

Defined by behaviour, not by who is behind it

Advanced persistent threats (APTs) are defined by how they operate rather than who conducts them. Initial compromise often arrives through low-friction routes such as social engineering, credential misuse or exploitation of externally exposed services. However, the defining characteristic is what follows. Attackers persist, escalate privileges and move laterally in ways that mirror legitimate behaviour to remain undetected. In operational technology (OT) environments this is acute, because malicious activity blends into normal system processes for extended periods, allowing attackers to position themselves against critical assets before being identified, if they are identified at all.

The real problem is detection, not frequency

The core challenge facing critical infrastructure is not the frequency of sophisticated attacks, which remain rare, but whether operators would know if one were under way.

Most successful intrusions still trace back to basic weaknesses in remote access, segmentation and credential management rather than advanced tooling. Meanwhile, the adversaries who do bring genuine tradecraft are precisely the ones conventional intrusion detection struggles to see. The industry’s instinct is to answer an advanced threat with ever more advanced countermeasures. The evidence says the reliable gains lie elsewhere.

Why this matters more now

Capabilities once confined to a handful of states are spreading through a mature marketplace, putting once state-grade tooling in the hands of financially motivated criminals. At the same time, legacy OT estates, built for isolation and decades-long lifecycles, are losing their separation from enterprise and cloud networks. The pool of capable attackers is growing just as the pathways into industrial environments multiply.

For operators of physical infrastructure, the boundary between physical and cyber security is dissolving with it: the attacker's route is digital, but the target, and often the consequence, is physical.

See more, detect earlier, fix the basics

  • Build visibility across the OT estate. Detection starts with visibility, yet most OT environments still lack it. Analysts continue to describe a visibility crisis across industrial environments. A clear, current understanding of assets, processes and normal network behaviour is the foundation everything else rests on. Organisations with comprehensive OT visibility consistently contain threats faster than those without it.
  • Treat early detection as damage limitation. The earlier you find an intruder, the less time they have to escalate privileges, reach critical assets and entrench. Behavioural monitoring, enriched with vulnerability data and likely target pathways, focuses attention where attackers are most likely to go. The Polish incident proves the point: CERT Polska's analysis shows the attacker had long-term, privileged access to the heat and power plant's network, yet when they triggered their wiper the operator's detection software blocked it. Detection didn't prevent the intrusion; it decided the outcome.
  • Get the fundamentals right. Segmentation, hardened remote access and disciplined credential management still defeat more intrusions than any bespoke countermeasure, as this year’s incidents keep demonstrating.

Looking ahead

Expect the boundary between state and criminal activity to blur further and the cost of mounting an advanced campaign to keep falling. Leaders should be asking three questions now. Do we know what normal looks like in our OT environment? How quickly would we know if we had been compromised? And have we rehearsed our response under realistic conditions? Operators who can answer all three confidently will turn an intrusion into an incident report rather than an outage.

Looking to close the detection gaps in your critical infrastructure? Speak to our Built Environment and Infrastructure experts.

Article written by: Lee Staff

Get in touch

Can our experts help you?