
OT overload: Understanding the 4 phases of operational technology security evolution, with Dragos’ boss, Robert M. Lee

“... People don’t necessarily even understand all the different ways their operations are running these days,” Robert M. Lee says.

Mon, 19 Jan 2026

Keeping businesses cyber secure in 2026 is, and will continue to be, a challenge, and that challenge extends to operators of critical infrastructure, particularly those in charge of large installations made up of disparate OT elements.

From attacks on the Asahi breweries in Japan that compromised business processes to Jaguar Land Rover’s production lines crawling to a stop in the wake of a cyber attack, disruptions to vital operational technology can affect not only companies but also entire economies.

However, to understand where we are now, it’s important to understand where we’ve come from and how each phase of evolution in the sector drives a new stage of security threat.


“There’s been sort of … major phases of OT security happening relatively quickly, and each one of them requires companies to step up quite a bit; we’re seeing some companies dialled into it and moving, but the vast majority are in a place where they realise that things are changing,” OT security firm Dragos’ founder, Robert M. Lee, recently told Cyber Daily.

“They want to do something about it, but we’re still operating in one planning cycle to get to the next year’s budget, to do a two-year project later.”

The issue, Lee said, is that the industry is changing at a pace where traditional capital expenditure projects, which get planned with multi-year lead times, just aren’t going to cut it.

In the beginning…

“For a long, long time, we lived in a world of low-frequency, high-consequence attacks,” Lee said.

“We would not have a lot of cyber attacks happening on OT, but when they happened, it was a pretty big deal. And a major reason for that low frequency was it was very costly to develop capabilities to do disruption and destruction.

“You could do espionage, but to really attack something … These systems are so different, like a carbon cracker in an oil and gas facility has almost nothing in common with an electric substation, which has almost nothing in common with a self-driving Caterpillar truck at a mine.”

Essentially, in the early days, attacks needed to be highly customised and tuned for a particular operational environment. This was not only expensive but also, possibly, dangerous for a nation-state to attempt.

“States didn’t really know if attacking this infrastructure was going to get some sort of blowback geopolitically,” Lee said.

“That was true up until 2021, and then through what we saw in Ukraine and everywhere else … There really was no blowback on these different attacks, which answered that question.”

And things were about to get worse.

(Just a) Pipedream

“In 2021, the Pipedream capability came out. Pipedream was the first time we saw something that can be cross-industry, reusable and repeatable, to cause disruption or destruction if the physics allowed it,” Lee said.

First publicly disclosed in 2022, Pipedream has been described as a “Swiss Army knife” for hacking and is thought to have been developed by a nation-state actor.

At the same time, the nature of operational technology was also evolving to a common point.

“What sort of happened was we went to a very homogenous world, where now there is a lot in common between a carbon cracker and a water pump and so forth, in terms of the digital components, and so, for all of industrial security, we were kind of in the same spot until 2021 hit,” Lee said.

“Then we went to this next phase of … Well, you can actually scale attacks now, so we should start seeing higher frequency, and then the next phase happened.” Only three years later, in 2024, Dragos found evidence that state actors were sharing infrastructure and knowledge with non-state actors regarding OT.

“So we got into this place where non-state actors were never really relevant in OT security, and all of a sudden we’re seeing hacktivists and ransomware groups that have much more sophisticated capabilities and knowledge now, because state actors … That phase is here.”

Machine (learning) age

The next stage, of course, is one powered by artificial intelligence, though not necessarily AI in the hands of threat actors; that is a concern held by many cyber security experts, but not by Lee.

“We’re about to enter the next one, which is all these companies rolling out AI and various complex automation platforms,” Lee said.

“It’s not the AI cyber threats – I think there’s a lot of hype there – but it’s the massive change to our infrastructure, and it’s all of the complexity that we’re adding into it, and the connectivity where people don’t necessarily even understand all the different ways their operations are running these days.”

The evolution, from the days prior to 2021 to where we are now, has been rapid, and the threat landscape has evolved along with it.

“So you went from status quo until 2021, then big, big change when state actors became scalable,” Lee said.

“Then, within three years, you’ve got non-state actors entering the field, and then all of a sudden, we’re like, ‘Hey, let’s add a bunch of extra software complexity and connectivity to it’. We’re in a really rapidly changing environment, and not just the threats.

“And I don’t think … Actually, I know most companies are significantly underprepared for that.”

The perfect example

In the wake of its catastrophic cyber attack, Jaguar Land Rover was forced to look for a £1.5 billion safety loan to keep it afloat, while the loss of productivity caused the entire UK economy to be affected, with gross domestic product (GDP) dipping in the wake of the attack.

For Lee, it’s a perfect example of why securing OT is so vitally important.

“I think we’re going to need to see more of the details of where exactly they got hit. However, I don’t see how it could have not been on the operations side and had this much downtime,” Lee said.

“And again, I think that’s a great case in point, where everyone’s talking about, ‘Oh, is it a cyber attack?’ And I’m like, ‘What are you talking about?’ Their manufacturing lines are down. It’s obviously OT, and the reason it’s having the GDP impact is not that the website or the ERP server went down, it’s that the manufacturing is down.”

According to Lee, while nations and companies alike are investing in cyber security, OT security is being left behind – with predictably dangerous consequences.

“OT security has national, local, and revenue impacts for a company,” Lee said.

“I think we run the risk of focusing on the wrong problem by mislabelling and not understanding what’s really happening on the OT side.”

David Hollingworth


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
