The OT risks communicated in the media stand in stark contrast to the number of documented cyberattacks on industrial networks. So is this much ado about nothing? Or are we falling prey to a misunderstanding that has been projected from IT security onto OT?
We never tire of pointing out that OT networks urgently need visibility and intrusion detection because:
- networks, components, protocols, and systems were never developed with cybersecurity in mind, but always with a focus on availability and keeping the machine running.
- there are many more people (internal, external) with a wide variety of roles (technology, production, machine operation, OEM, maintenance, service providers) who often have extensive privileges in OT.
- basic security mechanisms such as multi-factor authentication, access management, encryption, strong password management, consistent patch management, and segmentation often do not exist.
- we find proof for this in absolutely every Rhebo Industrial Security Assessment.
At the same time, statistics on OT cyberattacks are negligible compared to the number of attacks on IT networks—at least if one relies on reported incidents.
Evidence vs expertise
The discussion between two big names in the OT security community, Dale Peterson and Robert M. Lee, in October 2025 highlights this tension between statistics and warnings.
Dale Peterson has long been calling for evidence of cyberattacks on OT. Despite his authority, he himself is an outsider in this regard. He admits that he has no insight into the area of OT incident response and is simply surprised that so little data is available on the subject.
In the other corner sits Robert M. Lee, who comes from the field, from the front lines, so to speak. He assures us that there are more and more attacks on OT networks. However, he claims he can't share details – and thus evidence – because NDAs, national security, and other confidentiality interests prohibit this. He asks us to trust his word based on his expertise.
Of course, it's a dead-end discussion.
IT is where the money is
But perhaps we are also falling prey to false expectations based on our familiar perspective of IT security—and in particular, the omnipresent ransomware attacks.
IT security is always about data protection. This is hardly surprising, as cybercriminals and state-sponsored intelligence activities are primarily looking for one thing: valuable information that:
- can be resold,
- can be used for other purposes,
- is worth paying a hefty ransom for, and
- is almost always found in IT.
In most cases, IT attacks are therefore either about money or usable information (which can often be converted into money).
OT is where de-stabilization looms
OT, on the other hand, is about protecting availability, continuity, people, and the environment. Attackers targeting OT are less interested in quick, profitable campaigns that sweep through the infrastructure like classic ransomware incidents. OT is about disruption as a strategic tool in the context of geopolitical conflicts and hybrid warfare.
Disruption as a means of destabilizing supply chains, basic services, and society.
This objective means that these attacks follow different timelines and processes. IT attacks are about identifying assets and striking as quickly as possible. It can take just a few weeks from the initial attack to data extortion and IT system encryption.
In contrast, in OT there is not necessarily a fixed schedule for detonating the digital bomb. The timing depends on whether the affected infrastructure will be of interest in a future geopolitical conflict. Active disruption after a successful network compromise remains hypothetical for the time being. However, the attacks that lay the groundwork for this future disruption are taking place today.
Why so few OT attacks make it to the public
Accordingly, OT attacks are very slow, cautious, and long-term. The primary goal is to position oneself in critical areas of OT networks and ensure persistence. This strategy of prepositioning has been observed repeatedly in recent years by state-sponsored APTs such as Volt Typhoon and Salt Typhoon.
These different motivations for attacks between IT and OT also explain the difference in statistics. IT incidents are fast-paced, money-driven, and aimed at achieving an efficient, loud impact. OT incidents are slow, strategic, and aimed at quiet positioning. (Of course, those prepositioning attacks also target IT as a means of access, reconnaissance, and privilege escalation.)
Attacks on IT mainly originate from the field of classic cybercrime. Attacks on OT take place in the context of hybrid warfare, mainly from the field of strategically oriented state-sponsored APTs (even though these are increasingly utilizing the market for cybercriminal services).
What can companies do about it?
Companies, and especially operators of critical infrastructure, should therefore not assume that their OT is secure and free from compromise simply because there has been no bad news. Instead, they should integrate it into their cybersecurity strategy just as meticulously as their IT.
The following three sets of measures reduce the risk of becoming a victim of an OT disruption in the future.
1. Make access to OT more difficult
- Ensure that no OT or building automation systems are accessible via the internet. Platforms such as Shodan and Censys provide targeted search capabilities.
- Monitor and control remote and direct access to OT systems by OEMs and service providers without exception. Prevent unregulated and unmonitored privileges for system manufacturers and service providers.
- Prevent direct connections between IT and OT. Both networks should be clearly segmented from each other using firewalls, DMZs, and, if applicable, data diodes.
- ALWAYS change standard and manufacturer passwords before integrating OT components.
- Update authentication to state-of-the-art methods. NTLM v1 and v2 are NOT among them.
2. Make lateral movement more difficult
- Segment the OT network according to criticality, vulnerability, and level of trust. Depending on the data flow model, data diodes can also be used to control communication between different levels of trust.
- Disable unnecessary services, ports, and protocols. This applies in particular to broadcast services that are enabled by default by manufacturers.
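To make the access and segmentation advice in sets 1 and 2 concrete, here is an added example that is not Rhebo's code or a real firewall: it models the OT zones as an allow-list of conduits between trust levels and checks constructed flow records against it. The zone names, subnets, permitted ports, the flow-record format, and the sample flows are all assumptions made up for the illustration; in a real review you would feed it the conduits from your own data flow model and flows exported from a firewall or span port.

```python
"""Zone-and-conduit policy check over observed flows.

Added example, not Rhebo's code or a real firewall. It models the
segmentation advice as a small allow-list of conduits between trust
zones and evaluates constructed flow records against it. Zone names,
subnets, ports and the sample flows are assumptions for the illustration.
"""
import ipaddress

# Assumed zone model (hypothetical subnets), ordered from least to most trusted.
ZONES = {
    "it": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "ot_scada": ipaddress.ip_network("10.10.0.0/24"),
    "ot_cell": ipaddress.ip_network("10.10.1.0/24"),
}

# Allowed conduits as (initiating zone, destination zone) -> destination ports.
# Anything not listed is denied. There is deliberately no "it" -> "ot_*" entry
# and no entry that lets an OT zone initiate toward a less trusted zone.
CONDUITS = {
    ("it", "dmz"): {443},                 # IT users reach the DMZ historian/jump host over TLS
    ("dmz", "ot_scada"): {502},           # the DMZ historian polls SCADA over Modbus/TCP
    ("ot_scada", "ot_cell"): {502, 102},  # SCADA polls PLCs over Modbus/TCP or S7comm
}

# Discovery/broadcast services the advice says to disable; flagged wherever seen.
NOISY_SERVICES = {137: "NetBIOS-NS", 138: "NetBIOS-DGM", 1900: "SSDP", 5355: "LLMNR"}


def zone_of(ip):
    """Map an address to its zone; anything outside the model counts as 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(src, dst, dport):
    """Return ("allow" | "deny" | "disable", reason) for one flow."""
    if dport in NOISY_SERVICES:
        return "disable", f"{NOISY_SERVICES[dport]} discovery service in use by {src}"
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        # Traffic inside one zone is left to host hardening and monitoring.
        return "allow", f"intra-zone {sz}"
    allowed = CONDUITS.get((sz, dz))
    if allowed is None:
        return "deny", f"no conduit {sz} -> {dz}"
    if dport not in allowed:
        return "deny", f"port {dport} not permitted on conduit {sz} -> {dz}"
    return "allow", f"conduit {sz} -> {dz}"


def audit(flow_lines):
    """Evaluate records of the form 'SRC DST DPORT'; return (verdict, reason) per line."""
    results = []
    for line in flow_lines:
        src, dst, dport = line.split()
        results.append(evaluate(src, dst, int(dport)))
    return results


# Constructed flow records, as a firewall or span-port export might yield them.
SAMPLE_FLOWS = [
    "10.1.5.20 10.2.0.10 443",      # IT workstation -> DMZ jump host: allowed conduit
    "10.1.5.20 10.10.1.5 502",      # IT workstation straight to a PLC: no conduit
    "10.2.0.10 10.10.0.3 502",      # DMZ historian polling SCADA: allowed
    "10.10.0.3 10.10.1.5 102",      # SCADA -> PLC over S7comm: allowed
    "10.10.1.5 10.2.0.10 443",      # PLC initiating toward the DMZ: wrong direction
    "10.10.0.3 10.10.0.4 5355",     # LLMNR inside the SCADA zone: should be disabled
    "198.51.100.7 10.10.0.3 502",   # external address reaching SCADA: internet exposure
]

if __name__ == "__main__":
    for line, (verdict, reason) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{verdict:8} {line:30} {reason}")
```

The allow-list is intentionally one-directional: a PLC opening a connection toward the DMZ is denied even though the reverse direction is a permitted conduit, which is the same property a data diode enforces in hardware.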
3. Detect suspicious activities in OT early on
- Install and operate an intrusion detection system (IDS) to detect suspicious, non-signature-typical processes and communication patterns at an early stage. A network-based intrusion detection system (NIDS) uses passive security monitoring and anomaly detection for this purpose. We explain the requirements in detail in “What are the main characteristics of an IDS in OT?”
- Find out more about the requirements for such systems from official guidelines provided by the German Federal Office for Information Security (on general IDS) and NERC (on NIDS).
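The following added example shows what the passive anomaly detection described in set 3 looks like in its simplest form. It is not Rhebo's product code or any real NIDS: it learns a baseline of which devices talk to which, over which protocol and with which function, from a learning window of flow records, and then reports every deviation in a later monitoring window. The deviations it ranks highest are exactly the quiet signs of prepositioning discussed above: an OT host reaching an outside address, a device nobody has inventoried, and a write where only reads were ever seen. All records, addresses, the OT address range, and the function names are constructed for the illustration; the record format is an assumption standing in for whatever a protocol parser would extract.

```python
"""Baseline-and-deviation detection over passively captured OT flows.

Added example, not Rhebo's product or any real NIDS. It learns an
allow-list baseline during a learning window and reports each deviation
seen in a later monitoring window. All records, addresses and function
names are constructed for the illustration.
"""
import ipaddress

OT_NETS = [ipaddress.ip_network("10.10.0.0/23")]  # assumed OT address space

# Record format (assumption): (time, src, dst, protocol, function).
LEARNING_WINDOW = [
    ("08:00", "10.10.0.3", "10.10.1.5", "modbus", "read_holding_regs"),
    ("08:00", "10.10.0.3", "10.10.1.6", "modbus", "read_holding_regs"),
    ("08:01", "10.10.0.3", "10.10.1.7", "s7comm", "read_var"),
    ("08:02", "10.2.0.10", "10.10.0.3", "modbus", "read_holding_regs"),
    ("08:05", "10.10.0.3", "10.10.1.5", "modbus", "read_holding_regs"),
]

MONITORING_WINDOW = [
    ("14:00", "10.10.0.3", "10.10.1.5", "modbus", "read_holding_regs"),  # normal polling
    ("14:10", "10.10.0.9", "10.10.1.5", "modbus", "read_holding_regs"),  # device never seen before
    ("14:11", "10.10.0.3", "10.10.1.5", "modbus", "write_single_reg"),   # known pair, first write
    ("14:12", "10.10.1.5", "203.0.113.25", "tcp", "connect"),            # PLC reaching outside OT
    ("14:13", "10.10.1.5", "10.10.1.6", "modbus", "read_holding_regs"),  # PLC talking to another PLC
    ("14:20", "10.10.0.9", "10.10.1.6", "modbus", "read_holding_regs"),  # same unknown device again
]


def in_ot(ip):
    """True if the address belongs to the assumed OT range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETS)


def learn(records):
    """Build the baseline: known devices, conversations and functions per conversation."""
    baseline = {"devices": set(), "conversations": set(), "functions": set()}
    for _, src, dst, proto, func in records:
        baseline["devices"].update((src, dst))
        baseline["conversations"].add((src, dst, proto))
        baseline["functions"].add((src, dst, proto, func))
    return baseline


def detect(baseline, records):
    """Return one alert per distinct deviation, in order of first occurrence."""
    alerts, seen = [], set()
    for ts, src, dst, proto, func in records:
        if in_ot(src) and not in_ot(dst):
            key = ("external_destination", src, dst)
            sev, msg = "critical", f"OT host {src} talks to external {dst}"
        elif src not in baseline["devices"] or dst not in baseline["devices"]:
            new = src if src not in baseline["devices"] else dst
            key = ("unknown_device", new)
            sev, msg = "high", f"unknown device {new} in OT traffic"
        elif (src, dst, proto) not in baseline["conversations"]:
            key = ("new_conversation", src, dst, proto)
            sev, msg = "medium", f"new conversation {src} -> {dst} ({proto})"
        elif (src, dst, proto, func) not in baseline["functions"]:
            key = ("new_function", src, dst, proto, func)
            sev, msg = "high", f"new function '{func}' on {src} -> {dst} ({proto})"
        else:
            continue  # matches the baseline, nothing to report
        if key not in seen:  # report each deviation once, not once per packet
            seen.add(key)
            alerts.append({"time": ts, "severity": sev, "kind": key[0], "detail": msg})
    return alerts


if __name__ == "__main__":
    baseline = learn(LEARNING_WINDOW)
    for alert in detect(baseline, MONITORING_WINDOW):
        print(f"{alert['time']} {alert['severity']:8} {alert['detail']}")
```

Two design points carry over to a real deployment: the baseline has to be learned from a window that is known to be clean (a learning window that already contains the compromise silently whitelists it), and every deviation is reported once per key rather than per packet, otherwise a single unknown device polling a few PLCs produces an alert storm that buries the one write that matters.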
