Securing critical infrastructure from APT Groups during geopolitical events

Prayukth K V

⚠  ELEVATED THREAT ADVISORY

Geopolitical tensions are directly correlated with a measurable spike in reconnaissance and pre-positioning activity against energy, water, transport, and telecommunications sectors. Treat this as a non-drill scenario.

The threat landscape

Let's be direct. When geopolitical tensions escalate, whether a regional conflict ignites, sanctions are imposed, or diplomatic channels collapse, the first thing nation-state cyber units usually do is not launch missiles. They silently activate pre-positioned implants inside the operational technology (OT) networks of adversary critical infrastructure. This is the new doctrine of coercive statecraft.

The adversaries we are concerned with are not opportunistic criminals by any stretch of the imagination. They are persistent, patient, and mission-driven. Three threat clusters dominate the OT attack landscape:

APT44, a.k.a. Sandworm (Russia, GRU Unit 74455)

Responsible for the 2015 and 2016 Ukraine power grid attacks and the attack on Poland's grid in 2025, this group was behind the only publicly confirmed cyberattacks that caused widespread blackouts in civilian populations. They deployed Industroyer/CRASHOVERRIDE, a modular malware platform that natively speaks industrial protocols: IEC 104, IEC 61850, GOOSE, and Modbus. In 2022, Industroyer2 targeted Ukraine's high-voltage substations, demonstrating continued investment in OT-native payloads as well as ongoing interest in active disruption of Ukrainian critical infrastructure. Their TTP chain is consistent: spearphish the IT network, pivot to the OT DMZ, enumerate the process environment, and pre-position for disruption. The disruption itself is usually triggered only when politically authorized, during specific windows associated with geopolitical events.

Volt Typhoon (China-MSS Affiliated)

First reported in 2023, Volt Typhoon is confirmed to have pre-positioned inside U.S. critical infrastructure across water utilities, power, and communications. It is known to persist for years without triggering detection. Its approach is deliberately 'living off the land' (LotL): using native OT and IT tools, avoiding custom malware, and blending in with legitimate maintenance traffic. The goal in most cases is not immediate disruption. It is strategic access. This group patiently waits to activate payloads if China-Taiwan tensions escalate into kinetic conflict. CISA confirmed in 2024 that Volt Typhoon had maintained persistent access for up to five years in some targets.

IRGC-Affiliated Groups (Iran)

CyberAv3ngers targeted Unitronics PLCs in U.S. water systems in late 2023. This group is opportunistic and noisy, and its operations are intended for psychological effect rather than physical disruption. However, IRGC-linked groups have demonstrated more sophisticated OT capabilities in the Middle East (attacks on Saudi Aramco and Israeli water infrastructure). More details on these groups are available here.


REALITY CHECK

APT groups targeting OT don't need to crash your systems as soon as they enter. Their primary objective during peacetime geopolitical tension is access, persistence, and reconnaissance. The damage capability is banked for later. This means you likely won't see dramatic alerts or flashing screens. You won't even know they are there until you actively hunt for them.

The inherent uniqueness of OT environments

This is not a rhetorical preamble. If you are coming from an IT security background and have been asked to 'extend security coverage' to the plant floor, you need to absorb this before you do anything else.

The CIA triad is inverted

In IT security, Confidentiality comes first. In OT, Availability is the supreme priority. A safety instrumented system (SIS) that fails-safe due to an overzealous security patch can cause a physical emergency. Integrity matters deeply — corrupted process values or ladder logic can cause equipment destruction or worse. Confidentiality, while important, is third.

Patch cycles are measured in years, not days

Your Siemens S7 PLC controlling a turbine may be running firmware from 2009. The vendor may have EOL'd the product. Downtime for patching may require a maintenance window planned six months in advance. This is not negligence — it is operational reality. Security controls must be designed around this constraint, not in defiance of it.

Proprietary protocols are everywhere

Modbus, DNP3, IEC 61850, PROFINET, EtherNet/IP, BACnet, OPC-UA. These protocols were designed for reliability and determinism, not security. Many lack authentication entirely. Passive monitoring without understanding these protocols is blind. Your security tooling must decode industrial protocol payloads, not just see TCP handshakes.

The Purdue Model has real world implications

The Purdue Enterprise Reference Architecture (PERA) covering Level 0 (field devices), Level 1 (PLCs/RTUs), Level 2 (SCADA/DCS), Level 3 (site operations), and the IT/OT DMZ defines your segmentation strategy, your data flows, and your attack paths. Every APT that has successfully compromised OT has done so by traversing from Level 4/5 (enterprise IT) downward through inadequately enforced zone boundaries.

CRITICAL DISTINCTION

Security tools that work perfectly in IT environments, such as EDR agents, aggressive network scanners, and automated patch deployment, can cause process upsets or system crashes in OT environments. Actively scanning an industrial Ethernet network has been documented to crash PLCs. Everything here requires an OT-specific approach.

OT defense measures

Network segmentation and zone enforcement

The single highest-impact control you can implement is strict, enforced segmentation between IT and OT. Not logical segmentation. Physical or cryptographic enforcement (ideally both).

→    Deploy a hardened OT DMZ between Level 3 and Level 4. All data flows must pass through this DMZ. No direct IT-to-OT routable paths.

→    Enforce strict firewall rule sets in the DMZ. Default-deny. Whitelist only required process-specific communications. Protocol-aware firewalls should enforce that Modbus traffic only carries expected function codes — block and alert on unauthorized function code 5 (Write Single Coil).

→    Eliminate remote access paths that bypass the DMZ. Every VPN, remote desktop, or jump server into OT must be accounted for, hardened with MFA, and logged. Remove any that are not operationally justified.

→    Micro-segment within OT zones where operationally feasible. A breach in the wastewater control network should not be reachable from the chemical dosing controller.

→    Define segments (zones and conduits) as per IEC 62443.
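As an added illustration of the protocol-aware firewall rule above (example code written for this page, not code from the original article or from Shieldworkz), the following parses Modbus/TCP request frames and checks each request's function code against a per-client policy, so a read-only historian is blocked and alerted on if it ever issues a Write Single Coil. The IP addresses, the policy table and the sample frames are constructed assumptions.

```python
"""Protocol-aware Modbus/TCP policy check: parse each request's MBAP header and
PDU, then enforce an allowlist of function codes per (client, PLC) pair.
Added example for this page; policy, addresses and frames are constructed."""
import struct
from dataclasses import dataclass

# Public Modbus function codes used by the policy below (from the Modbus spec).
FC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {proto})")
    # The length field counts unit id + PDU, so a valid frame is 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

# Constructed policy: function codes each approved client may send to the PLC.
# Only the SCADA server may write; the historian is read-only.
POLICY = {
    ("10.2.1.10", "10.2.5.20"): {1, 3, 5, 6, 16},  # SCADA server -> turbine PLC
    ("10.2.1.11", "10.2.5.20"): {3, 4},            # historian -> turbine PLC, reads only
}

def check_request(src: str, dst: str, frame: bytes) -> tuple:
    """Return ('allow' | 'block', reason); malformed frames are blocked, not guessed at."""
    try:
        req = parse_mbap(frame)
    except ValueError as exc:
        return "block", f"malformed frame: {exc}"
    allowed = POLICY.get((src, dst))
    if allowed is None:
        return "block", f"{src} is not an approved Modbus client of {dst}"
    if req.function_code not in allowed:
        name = FC_NAMES.get(req.function_code, "unknown")
        return "block", f"function code {req.function_code} ({name}) not permitted for {src}"
    return "allow", f"fc {req.function_code} ok (tid {req.transaction_id}, unit {req.unit_id})"

def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a sample Modbus/TCP request frame (only used to construct test traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: read 10 holding registers from address 0, and
# Write Single Coil at address 7 with value ON (0xFF00).
READ_HR = build_request(1, 1, 3, struct.pack(">HH", 0, 10))
WRITE_COIL = build_request(2, 1, 5, struct.pack(">HH", 7, 0xFF00))

if __name__ == "__main__":
    for src, frame in [("10.2.1.11", READ_HR), ("10.2.1.11", WRITE_COIL), ("10.2.1.10", WRITE_COIL)]:
        print(src, "-> 10.2.5.20:", check_request(src, "10.2.5.20", frame))
```

A block verdict on a malformed frame is deliberate: a DMZ enforcement point should never forward a Modbus request it cannot fully parse.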

Asset inventory and visibility

You cannot protect OT assets you do not know about. In most OT environments, the real gap is an accurate, current asset inventory, not the tools that are layered on top of it.

→    Deploy passive OT asset discovery using tools like Shieldworkz. Passive monitoring reads existing network traffic — it does not generate probe traffic that could destabilize PLCs.

→    Build a living OT asset register including: asset type, vendor, firmware version, communication protocols, connected systems, physical location, and criticality classification. Review quarterly at minimum.

→    Track end-of-life (EOL) assets explicitly. These cannot be patched and require compensating controls: physical isolation, additional monitoring, or replacement prioritization.

→    Map process-to-asset dependencies. Understanding which Level 1 PLCs your Level 2 historian communicates with lets you baseline 'normal' — the prerequisite for detecting anomalies.

Remote access hardening

Remote access to OT — whether for vendor maintenance, engineering, or operations — is the single most commonly exploited initial access vector.

→    Require MFA on all remote access without exception. Hardware tokens or certificate-based auth preferred. SMS OTP is insufficient against nation-state actors with SIM-swapping capabilities.

→    Implement privileged access workstations (PAWs) for OT remote access — dedicated machines, locked-down, no internet browsing, used exclusively for OT connections.

→    Use jump servers / bastion hosts inside the OT DMZ. All remote sessions should terminate at the bastion, not at the target device directly. Record all sessions for forensic purposes.

→    Implement just-in-time (JIT) access provisioning for vendor remote access. Credentials should be time-limited, scoped to the specific device, and revoked automatically at session end.

→    Review and revoke all dormant remote access credentials. APT groups frequently find and reactivate forgotten vendor VPN accounts established during commissioning years earlier.

Endpoint hardening for OT workstations

→    Application whitelisting is the most effective endpoint control in OT environments.

→    Disable USB ports physically or via policy on all OT workstations. Stuxnet's initial infection vector was a USB drive. This attack surface remains underestimated.

→    Remove internet connectivity from OT engineering workstations. The OT workstation is not for general use.

Secure engineering and change management

→    Implement hash verification on all PLC/RTU firmware and logic downloads. Before any workstation pushes a logic update to a PLC, verify the binary against a known-good hash stored in your change management system.

→    Enforce a signed change management process for all OT configuration changes. No unauthorized changes to setpoints, ladder logic, or network configurations outside of an approved change window.

→    Maintain offline, air-gapped backups of all PLC programs, HMI configurations, historian databases, and network topology documentation. Store on write-once media in a physically secured location.

→    Secure the engineering laptop supply chain. Vendor engineers arriving on-site should not connect directly to the OT network — provide them a network-monitored jump host inside your environment.

Geopolitical surge response: Hardening actions during active tension

When geopolitical indicators escalate, execute a pre-defined hardening posture. Don't wait for a specific technical indicator.

Immediate (0–48 hours):  Brief OT security team and leadership. Verify all IT/OT segmentation controls. Suspend non-essential remote access. Rotate all remote access credentials. Alert OT monitoring team to increase watch frequency.

Short-term (48–168 hours):  Initiate a threat hunt across the OT network baseline. Review all firewall rules in the DMZ. Audit all active remote sessions and user accounts. Brief site operations teams on relevant IoCs.

Sustained (1–4 weeks):  Run a tabletop exercise. Verify offline backups. Coordinate with sector ISAC for threat intelligence sharing. Brief plant operations management on safe manual operating procedures in the event of a compromise.

Detection and response

Passive network monitoring is your primary detection tool

Deploy sensors on SPAN ports at critical network points: the IT/OT DMZ, Level 2-to-Level 1 boundaries, and within critical process cell networks. Platforms such as Shieldworkz ingest industrial protocol traffic and provide behavioral baselining, protocol anomaly detection, and known threat actor TTP matching.

What APT behavior looks like in OT networks

→    Reconnaissance traffic: ARP scans, unusual ICMP, or protocol enumeration packets from a workstation that normally only communicates with one SCADA server.

→    Unusual engineering protocol activity: A Modbus read request to a PLC from an IP that has never communicated with it before. A PROFINET DCP identify-all broadcast issued from an unexpected source.

→    Out-of-baseline timing: A device that communicates every 10 seconds suddenly communicating every 2 seconds — possible indication of polling by an implant.

→    Unauthorized logic downloads: A PLC receiving a configuration write outside of a scheduled maintenance window. Treat this as an incident until proven otherwise.

→    Lateral movement indicators: Successful authentication attempts from a workstation to other hosts it doesn't normally reach. Look especially for SMB lateral movement through the OT network.
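Two of the indicators above, a new talker to a PLC (including SMB lateral movement) and an out-of-baseline polling interval, can be checked with simple behavioral baselining over flow records. This example was added for this page and is not Shieldworkz detection logic; the flow records, addresses and thresholds are constructed assumptions.

```python
"""Behavioral baselining over OT flow records: learn which (src, dst, port)
conversations exist and how often they poll, then flag new talkers and
conversations polling far faster than their baseline. Added example for this
page; all flow records, addresses and thresholds are constructed."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (timestamp in seconds, src, dst, dst_port).
# Baseline window: SCADA 10.2.1.10 polls PLC 10.2.5.20 over Modbus/502 every 10 s,
# historian 10.2.1.11 every 60 s.
BASELINE = [(t, "10.2.1.10", "10.2.5.20", 502) for t in range(0, 600, 10)]
BASELINE += [(t, "10.2.1.11", "10.2.5.20", 502) for t in range(5, 600, 60)]

# Detection window: SCADA polling drops to every 2 s, and an engineering
# workstation that never spoke to the PLC opens Modbus and SMB (445) to it.
DETECT = [(t, "10.2.1.10", "10.2.5.20", 502) for t in range(600, 700, 2)]
DETECT += [(t, "10.2.1.11", "10.2.5.20", 502) for t in range(605, 700, 60)]
DETECT += [(650, "10.2.3.50", "10.2.5.20", 502), (651, "10.2.3.50", "10.2.5.20", 445)]

def learn_baseline(flows):
    """Map each (src, dst, port) conversation to its median inter-arrival gap in seconds."""
    times = defaultdict(list)
    for t, src, dst, port in flows:
        times[(src, dst, port)].append(t)
    baseline = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        baseline[key] = median(gaps) if gaps else None  # None: seen once, no timing
    return baseline

def detect_anomalies(baseline, flows, rate_factor=3.0, min_samples=3):
    """Return (kind, conversation, detail) findings for new peers and rate changes."""
    findings = []
    times = defaultdict(list)
    for t, src, dst, port in flows:
        times[(src, dst, port)].append(t)
    for key, ts in sorted(times.items()):
        src, dst, port = key
        if key not in baseline:
            findings.append(("new_peer", key, f"{src} never reached {dst}:{port} during baseline"))
            continue
        expected = baseline[key]
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if expected is None or len(gaps) < min_samples:
            continue  # too little history to judge timing
        observed = median(gaps)
        # Polling at least rate_factor times faster than baseline is worth an analyst's look.
        if observed * rate_factor <= expected:
            findings.append(("rate_change", key, f"interval {expected:.0f}s -> {observed:.0f}s"))
    return findings

if __name__ == "__main__":
    for kind, (src, dst, port), detail in detect_anomalies(learn_baseline(BASELINE), DETECT):
        print(f"[{kind}] {src} -> {dst}:{port}: {detail}")
```

In a real deployment the baseline window should span at least one full maintenance cycle, otherwise legitimate but infrequent engineering traffic shows up as a new peer.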

OT-specific Incident Response

→    Pre-define 'isolation boundaries' with operations leadership before an incident occurs. Which systems can be taken offline? What is the manual fallback? Document this and rehearse it.

→    Do not automatically quarantine OT devices. Evaluate operational impact first. In some cases, maintaining a compromised but operational system while deploying additional monitoring is the correct call.

→    Preserve forensic evidence without disrupting operations. Capture memory images, network packet captures, and event logs before taking remediation action if operationally possible.

→    Engage CISA CIRT immediately. For nation-state level incidents against critical infrastructure, federal resources are available — and timely notification is often a regulatory requirement.

Supply chain risk

A large number of OT security incidents involve a third-party vector including vendors, integrators, or remote support providers. APT groups know this. Rather than directly attacking a hardened utility, they compromise the SCADA software vendor, the engineering firm, or the remote support platform used by their target.

→    Maintain a current, audited list of all vendors with remote access to OT systems. This list should be owned by the OT security team, not procurement. Review quarterly.

→    Require vendors to disclose their software supply chain. Open-source components in industrial software must be tracked via software bill of materials (SBOM).

→    Conduct security questionnaires and periodic audits of critical OT vendors — especially those with persistent remote access.

→    Monitor for compromise of your vendors. Subscribe to threat intelligence feeds that track vendor-specific compromises. If your HMI software vendor's update infrastructure is compromised, you need to know before you push that update to a plant.

CASE REFERENCE — SOLARWINDS

The 2020 SolarWinds supply chain attack compromised 18,000 organizations including critical infrastructure entities via a trojanized software update. The vector — trusted software update mechanism — remains a high-priority attack surface for nation-state actors.

Regulatory compliance

Compliance is not security — but regulatory frameworks provide a useful baseline and audit structure. Know which frameworks apply to your sector and build your security program on them — not instead of real security, but alongside it.

Key frameworks

NERC CIP (Energy): CIP-002 (asset categorization), CIP-005 (Electronic Security Perimeter), CIP-007 (System Security Management), CIP-010 (Configuration Management), CIP-013 (Supply Chain Risk Management).

NIST SP 800-82 Rev 3 (ICS): ICS-specific security guidance for all sectors. Aligns with the NIST Cybersecurity Framework and provides ICS-adapted control mappings.

IEC 62443 (Industrial Cybersecurity): Defines security levels (SL0–SL4) per zone. 62443-3-3 covers system security requirements. Internationally recognized with a vendor certification path.

CISA CPGs (Cross-Sector): Cybersecurity Performance Goals (2022). Sector-specific Shields Up guidance during elevated threat conditions. Free operational threat intelligence via the Automated Indicator Sharing (AIS) program.

Compliance actions during a geopolitical crisis

→    Review your current NERC CIP or sector-equivalent compliance posture. Identify any open findings or exceptions that could be exploited. Close or compensate them before a crisis — not during.

→    Subscribe to and actively consume CISA Emergency Directives and Shields Up advisories. During an escalation, treat these as mandatory.

→    Document your control deviations with compensating controls. Regulators understand that some OT systems cannot be patched. Document the risk and implemented compensating controls proactively.

→    Coordinate with your sector ISAC. The E-ISAC (energy), WaterISAC, and sector equivalents provide timely threat intelligence. If you're not a member, fix that today.
KPIs for security posture management during geopolitical crisis

The following KPIs are specifically designed for OT environments under elevated threat conditions. Each is measurable, operationally meaningful, and maps to the controls described above. Review Critical-rated KPIs weekly during a geopolitical crisis, all KPIs monthly in steady state.

| KPI | What it measures | Measurement method | Severity | Target |
|---|---|---|---|---|
| OT asset inventory coverage | Percentage of OT assets with a documented profile | Discovered vs. documented asset count in OT asset management system | Critical | ≥ 95% |
| Unmonitored OT network segments | Segments with no passive monitoring coverage | Count of Level 1/2 network segments with no NDR sensor | Critical | 0 |
| IT-OT segmentation violations | Unauthorized routable paths between IT and OT | Firewall rule audit findings; unplanned DMZ traffic flows | Critical | 0 |
| DMZ firewall rule review age | Days since last DMZ ruleset review | Date of last formal ruleset review vs. approved traffic matrix | High | ≤ 30 days |
| Remote access MFA coverage | Percent of remote access accounts with MFA enforced | IAM audit: accounts with valid MFA vs. total remote accounts | Critical | 100% |
| Active vendor remote sessions | Count of authorized vendor sessions currently active | Jump server session logs vs. approved maintenance schedule | High | Matches schedule |
| Orphaned remote credentials | Unused accounts (30+ days) still active | IAM report: accounts with no login in 30 days, still enabled | Critical | 0 |
| MTTD — OT anomaly | Avg. time from anomaly to SOC alert | NDR platform such as Shieldworkz: time-to-alert on simulated/real anomaly events | High | ≤ 1 hour |
| Unauthorized PLC/RTU config changes | Config changes outside authorized windows | NDR/integrity monitoring alerts for unapproved writes | Critical | 0 unreviewed |
| OT threat hunt frequency | Completed threat hunts per month (crisis period) | Hunt operations log: completed hypotheses in OT network | High | ≥ 1/month |
| Critical vulnerability exposure | OT assets with CVSS 9.0+ unmitigated | Vulnerability management: critical findings vs. control status | Critical | 0 unmitigated |
| EOL asset count (uncompensated) | EOL assets without compensating controls | Asset register EOL flag vs. compensating control documentation | High | 0 |
| OT config backup currency | PLC/HMI/SCADA configs backed up within 30 days | Backup log vs. asset register: % with current verified backup | Critical | 100% |
| Recovery time objective test result | Last tested recovery time for critical OT systems | Tabletop or live exercise: time from incident to restoration | High | Within RTO target |
| OT security training completion | % of OT staff trained on current threat scenarios | LMS training completion: OT-specific security modules | Medium | ≥ 90% |
| IR plan last test date | Days since last OT-specific IR tabletop/exercise | Exercise log: date of last OT incident response simulation | High | ≤ 90 days |
| ISAC intelligence consumption | Percent of ISAC advisories reviewed and assessed within 24h | ISAC advisory log vs. internal review tracking system | High | 100% within 24h |
| CISA advisory response time | Time from CISA publication to internal action/close | Advisory tracking: time-to-action from CISA publication date | Critical | ≤ 72 hours |

REPORTING CADENCE

During a geopolitical crisis, report Critical-rated KPIs to leadership weekly. Build a single-page Red/Amber/Green dashboard. Leadership needs to see four things: visibility coverage, access control status, detection capability, and recovery readiness.
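To show how the "Measurement method" column turns into numbers for that dashboard, the following computes five of the KPIs above from an asset register and an IAM export and applies the table's targets as a Red/Green status. This is an added example, not part of the original article or of any product; the record schema, the reporting date and the sample rows are constructed assumptions.

```python
"""Five KPIs from the table above computed from an asset register and an IAM
export, with the table's targets applied as Red/Green status. Added example for
this page; the record schema, reporting date and rows are constructed."""
from datetime import date, timedelta

AS_OF = date(2025, 3, 1)  # constructed reporting date

# Constructed asset register rows as discovered by passive monitoring; 'documented'
# means the full profile (vendor, firmware, protocols, criticality) exists.
ASSETS = [
    {"id": "PLC-01", "documented": True, "eol": False, "compensated": False, "last_backup": date(2025, 2, 20)},
    {"id": "PLC-02", "documented": True, "eol": True, "compensated": True, "last_backup": date(2025, 2, 25)},
    {"id": "RTU-07", "documented": True, "eol": True, "compensated": False, "last_backup": None},
    {"id": "HMI-03", "documented": True, "eol": False, "compensated": False, "last_backup": date(2024, 12, 1)},
]

# Constructed IAM export of remote-access accounts.
ACCOUNTS = [
    {"user": "vendor-acme", "enabled": True, "mfa": True, "last_login": date(2025, 2, 28)},
    {"user": "vendor-old", "enabled": True, "mfa": False, "last_login": date(2024, 6, 1)},
    {"user": "eng-jsmith", "enabled": True, "mfa": True, "last_login": date(2025, 2, 27)},
    {"user": "vendor-gone", "enabled": False, "mfa": False, "last_login": date(2023, 1, 1)},
]

def inventory_coverage(assets):
    """OT asset inventory coverage: documented / discovered, in percent."""
    return 100.0 * sum(a["documented"] for a in assets) / len(assets)

def mfa_coverage(accounts):
    """Remote access MFA coverage over enabled remote accounts, in percent."""
    enabled = [a for a in accounts if a["enabled"]]
    return 100.0 * sum(a["mfa"] for a in enabled) / len(enabled)

def orphaned_credentials(accounts, as_of=AS_OF, days=30):
    """Enabled remote accounts with no login in the last `days` days."""
    cutoff = as_of - timedelta(days=days)
    return [a["user"] for a in accounts if a["enabled"] and a["last_login"] < cutoff]

def uncompensated_eol(assets):
    """EOL assets with no documented compensating control."""
    return [a["id"] for a in assets if a["eol"] and not a["compensated"]]

def backup_currency(assets, as_of=AS_OF, days=30):
    """Percent of assets with a verified backup within the last `days` days."""
    cutoff = as_of - timedelta(days=days)
    current = [a for a in assets if a["last_backup"] and a["last_backup"] >= cutoff]
    return 100.0 * len(current) / len(assets)

def scorecard(assets, accounts):
    """Apply the table's targets; Red means the KPI misses its target."""
    checks = {
        "OT asset inventory coverage": (inventory_coverage(assets), lambda v: v >= 95),
        "Remote access MFA coverage": (mfa_coverage(accounts), lambda v: v == 100),
        "Orphaned remote credentials": (len(orphaned_credentials(accounts)), lambda v: v == 0),
        "EOL asset count (uncompensated)": (len(uncompensated_eol(assets)), lambda v: v == 0),
        "OT config backup currency": (backup_currency(assets), lambda v: v == 100),
    }
    return {name: ("Green" if ok(value) else "Red", value) for name, (value, ok) in checks.items()}

if __name__ == "__main__":
    for name, (status, value) in scorecard(ASSETS, ACCOUNTS).items():
        print(f"{status:5} {name}: {value}")
```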

Here is the operational truth that often gets lost in the glossy pages of threat reports and framework documents: the gap between documented controls and implemented controls is where APT groups reside and thrive. Nation-state actors with years of pre-positioned access don't break in dramatically. They walk through doors that were never properly closed: a forgotten vendor account, an unmonitored historian connection, a DMZ firewall rule added during an emergency three years ago and never reviewed.

Geopolitical events compress your response time and eliminate ambiguity about the threat, and you can use that clarity. When tensions are elevated, you have organizational permission to ask hard questions, close access paths that were 'always meant to be temporary,' and prioritize the hunts and audits that never quite made it to the top of the backlog.

The OT networks you are protecting underpin the physical world: the power in homes, water in pipes, fuel in distribution networks, planes in the air, trains on tracks. That is not an abstraction. Protect it like it matters. Because it does.

Further reading: OT security checklists and KPI trackers

NERC CIP-015-1 compliance checklist and KPI tracker
Insider threat protection checklist
Defensive Posture guidance for Middle Eastern enterprises