
What a mysterious New York sewer intrusion reveals about hybrid warfare

Prayukth K V

As critical infrastructure defenders accelerate the adoption of artificial intelligence, machine learning, and automated Security Operations Centers (SOCs) to counter new and sophisticated digital threats, an asymmetric vulnerability is expanding at the foundational layer of operational environments: physical infrastructure.

A recent and highly coordinated intrusion into New York City’s subterranean sewer network highlights a persistent reality that has come to characterize modern hybrid warfare. While the digital perimeter grows increasingly fortified by algorithmic defenses, the physical conduits housing the literal backbone of our digital and civil existence including fiber-optic trunks, power routing, control signaling, and water management systems remain dangerously exposed.

Today’s post examines how sophisticated adversaries, including state-sponsored Advanced Persistent Threats (APTs) and hacktivists, leverage low-tech physical intrusions to bypass high-tech cyber defenses. By analyzing the strategic value of underground systems, the convergence of physical and digital attack surfaces, and the methodologies of subterranean reconnaissance, this article offers Operational Technology (OT) leaders, Chief Information Security Officers (CISOs), and national security stakeholders a comprehensive framework for defending against converged, cross-domain campaigns.

Before we move forward, don’t forget to check out our previous blog post on Top 5 removable media protection strategies for critical infrastructure here.

You can also download our latest Global OT Cyber Threat Intelligence Advisory H1 2026 here. This report, launched two days ago, gives you more detailed context and data for the analysis that follows.

Incident analysis: The subterranean breach

The unauthorized, nocturnal intrusion into New York City’s sewer system by unknown actors represents far more than a civil trespass or a localized criminal enterprise. To a seasoned OT security strategist, the characteristics of these intrusions signal tactical reconnaissance.

Understanding the strategic value of the subterranean topology

Underground utility networks are essentially the literal connective tissue of metropolitan centers and industrial complexes. Attackers target these environments because they offer three distinct strategic advantages:

  • Concealment and cover: Subterranean systems allow adversaries to move beneath heavily monitored urban areas undetected by surface-level surveillance, public law enforcement, or standard corporate physical security perimeters.

  • Co-Location of critical assets: Modern civil engineering utilizes utility rights-of-way efficiently. A single municipal sewer or transit tunnel frequently co-locates high-voltage electrical transmission lines, municipal water controls, and high-density fiber-optic bundles serving financial districts or telecom hotels.

  • Asymmetry of information: Complete, accurate maps of these legacy systems are rarely centralized or digitized with modern security controls, creating an environment where a local physical scout can gain informational asymmetry over an organization's centralized security team.

Analytical extrapolation of attacker motives

While local law enforcement may treat such breaches as isolated criminal acts or urban exploration, a high-consequence risk assessment points to several sophisticated vectors:

  • Reconnaissance and dependency mapping: The primary phase of any nation-state campaign is structural mapping. By entering the system at night, actors can trace physical conduits back to their entry points into critical bank vaults, government buildings, or power substations, mapping interdependencies that cannot be discovered via remote digital scanning.

  • Battlefield preparation: Historically practiced by Soviet-era Spetsnaz and modernized by contemporary hybrid doctrine, this involves identifying optimal locations for kinetic sabotage or the placement of long-term technical surveillance counter-measures. All of these measures can be triggered during periods of adverse geopolitical interaction between states.

  • Testing security latency: Intruders deliberately trip low-level environmental alarms or access hatches to measure the response times, tactics, and communication protocols of municipal authorities and corporate asset owners.

  • State-sponsored vs. extremist drivers: While a state-sponsored actor seeks long-term persistence and precise access for strategic leverage, extremist or asymmetric actors view these vectors as single-use pathways to achieve high-consequence civil disruption, such as flooding a financial hub or severing regional communications.

The attack surface that everyone forgot

Organizations routinely invest millions in AI-driven network anomaly detection, next-generation Endpoint Detection and Response (EDR), and cloud-managed SOC infrastructure. Yet, this digital shield is often undermined by an undefended physical underbelly.

| Well-funded digital defense layer | Underfunded/neglected physical attack surface |
| --- | --- |
| AI-powered behavioral network analytics | Unlocked, non-alarmed utility access hatches |
| 24/7/365 managed cloud SOC | Unmonitored remote valve houses & pump stations |
| Zero-Trust Network Architecture (ZTNA) | Shared, unencrypted physical conduit runs |
| Automated patch management software | Legacy serial connections (RS-232/485) in field cabinets |

The gravitation to the weakest link

The principle of water finding the path of least resistance applies well to offensive operations. When an enterprise hardens its external network perimeter to the point where remote exploitation requires zero-day chains costing millions of dollars, the economic and tactical calculation shifts. It becomes significantly cheaper, safer, and faster for an adversary to deploy a physical operative disguised as a utility contractor to open an unsecured manhole, trace a conduit, and gain direct physical proximity to the target infrastructure.

The convergence of physical and cyber operations

The contemporary threat landscape no longer recognizes a clean bifurcation between physical security and cybersecurity. Modern hybrid campaigns use physical access as the ultimate enabler for cyber compromise.


Rogue hardware implants

Once inside a subterranean vault or utility tunnel, a motivated attacker can identify the network conduits feeding an OT environment or an industrial control system (ICS). By splicing into a line or leveraging an unmonitored field switch, they can install cheap, low-power hardware implants (such as cellular-enabled single-board computers or rogue RF bridges). These devices bypass firewalls, intrusion detection systems, and air-gaps entirely, establishing a permanent, out-of-band remote access pathway directly into the internal trusted network.

Fiber-optic tapping and interception

It is a dangerous misconception that fiber-optic communications are inherently secure against eavesdropping. By accessing underground cable trays, actors can employ non-destructive macro-bending clips. By slightly bending the glass fiber, a fraction of the light signal leaks out through the cladding. This leaked light is captured by a photosensitive receiver, allowing the adversary to clone and intercept raw network traffic without interrupting the physical link or triggering carrier-loss alarms.

Supply chain and insider integration

Subterranean access points are frequently maintained by third-party municipal contractors, diving teams, or sanitation workers whose background vetting standards pale in comparison to those of internal IT or nuclear security personnel. Adversaries exploit this vulnerability by recruiting insiders or compromising the supply chain of maintenance vendors, gaining access to keys, access schedules, and structural blueprints.

Lessons for OT and critical infrastructure defenders

The behavior of the physical intruders in the NYC sewer network mirrors the exact lifecycle of an Advanced Persistent Threat (APT) operating in the digital domain.

Behavioral parallel: The Cyber-Physical APT lifecycle

  • Patience and low-significance signatures: Just as a digital APT moves slowly, utilizing native administrative tools ("living off the land") to avoid triggering behavioral alerts, the subterranean intruder moves during periods of peak urban noise or late-night shifts, utilizing standard maintenance attire to blend seamlessly into the urban background.

  • Establishing footholds: In both domains, the initial breach is rarely the ultimate objective. The primary entry is used to place a foothold—be it a web shell on a DMZ server or a bypassed lock on an underground drainage junction—ensuring reliable access for future operations.

  • The defender's blind spot: Security teams remain fundamentally preoccupied with high-visibility indicators of compromise (IoCs), such as active malware payloads, ransomware signatures, or sudden spikes in outbound network traffic. Consequently, they miss the low-frequency pre-attack preparation activities: the physical exploration of an access point, the probing of an external gate, or the baseline mapping of an industrial facility's peripheral dependencies.

Nation-state and hybrid warfare implications

The integration of physical infrastructure reconnaissance into broader military and intelligence frameworks is a documented core competency of several nation-state actors.

China (Volt Typhoon)

Western intelligence agencies have repeatedly warned of state-sponsored campaigns, such as Volt Typhoon, whose primary goal is not espionage or intellectual property theft, but long-term pre-positioning within critical infrastructure. The operational profile of these groups matches the strategic utility of physical subterranean access: establishing deep, quiet persistence within water, power, and transport systems to execute highly disruptive kinetic or cyber-kinetic actions during a geopolitical crisis or kinetic conflict.

Russia (Sandworm and maritime/subterranean reconnaissance)

Russian military intelligence (the GRU), via specialized units like Sandworm, has pioneering experience in executing successful cyber-physical attacks against electrical grids. Concurrently, specialized Russian naval and intelligence assets have routinely mapped undersea and underground communication cables. This dual capability allows them to execute grey-zone operations—highly disruptive acts that fall just below the threshold of open warfare—by combining a localized physical disruption with a coordinated digital denial-of-service or wipe attack.

Strategic objectives: Deterrence and coercion

By mapping and proving the vulnerability of hidden infrastructure assets in major metropolitan areas like New York, nation-states achieve a level of structural deterrence. The implicit message is clear: the adversary possesses the capability to paralyze the economic engines of the target nation from the inside out, leveraging physical access points to amplify the psychological and functional impact of an escalation.

The underappreciated dimensions of subterranean defense

Defending what cannot be seen is one of the most significant challenges in modern infrastructure security. The space below ground operates under a unique set of physical laws and structural realities that favor the attacker.

The Subterranean visibility deficit

Standard security tools are optimized for open air or the digital cloud. Radio signals attenuate rapidly through thick concrete, wet soil, and subterranean brickwork, rendering standard wireless security cameras, GPS tracking, and cellular-based physical security sensors ineffective without specialized, hardened repeating infrastructure. Consequently, once an intruder drops below street level, they enter a total security blind spot where the defender has zero real-time situational awareness.

Terrain-to-digital attack mapping

There is a direct correlation between the physical topology of an urban landscape and the digital logical topology of an industrial network. A river crossing, an underground subway tunnel, or a utility trench dictates exactly where the fiber-optic cables must bunch together to pass through a geographical bottleneck.

The critical vulnerability: A single physical intercept point in an underground bottleneck can grant an adversary simultaneous access to redundant network links that are logically separated on a network diagram but physically adjacent in a single concrete trench.

The intelligence value of utility blueprints

For an intelligence agency, a single legacy civil engineering blueprint detailing sewer routing, water mains, and electrical conduits is worth more than a dozen software vulnerabilities. These documents reveal the precise locations of structural vulnerabilities where a combined attack can cause a cascading failure. For instance, breaching a water main directly above a subterranean telecom vault can use gravity to disable critical digital infrastructure without deploying a single line of malicious code.

Defensive strategy and framework

To mitigate the risks exposed by converged physical-cyber threats, critical infrastructure operators must move away from siloed security paradigms. The following framework provides a model for converged defense:


Governance and risk ownership

  • Unified risk ownership: Abolish the operational division between the Chief Security Officer (CSO) responsible for physical gates and guards, and the CISO responsible for firewalls and software. Establish a dedicated Converged security office that owns the risk profile of the physical-cyber boundary without ambiguity.

  • Cross-functional responsibilities: Require physical security personnel to undergo basic OT awareness training, and mandate that OT network engineers perform routine physical walkthroughs of the paths carrying their network media.

Enhanced physical security controls

  • Underground access hardening: Transition all utility access hatches, manholes, and inspection ports inside or adjacent to critical facilities to monitored, high-security electronic locking mechanisms that require multi-factor authentication (e.g., a physical key paired with a one-time mobile authorization code).

  • Tamper detection infrastructure: Deploy passive fiber-optic interferometry systems along critical conduit runs. These systems detect the minute acoustic vibrations or structural shifts caused by someone opening a cable tray, walking near a conduit, or attempting to bend a fiber cable, providing real-time perimeter monitoring below ground.

  • Sealed conduit architecture: Encase critical OT and communications cabling within pressurized or epoxy-filled conduits equipped with pressure-drop sensors to instantly alert the SOC if a pipe is cut, drilled, or structurally compromised.

Operational Technology (OT) security enhancements

  • Zero-Trust Network segmentation: Implement strict network segmentation (e.g., ISA/IEC 62443 zones and conduits) on the assumption that the physical layer will be breached. All data flowing from field devices located in remote or underground vaults must be encrypted in transit using IPsec or MACsec.

  • Continuous asset inventory and device fingerprinting: Deploy network monitoring solutions that continuously baseline the hardware signatures of the network. If an attacker attaches a rogue hardware implant to a subterranean switch, the system must immediately identify the unauthorized MAC address, device profile, or cryptographic mismatch and isolate the port.

  • Hardware root of trust: Utilize field devices and RTUs (Remote Terminal Units) that enforce secure boot configurations and cryptographic device identities, ensuring that physically accessing a device does not allow an attacker to upload modified firmware without valid cryptographic keys.

Integrated monitoring and Incident Response

  • The converged SOC: Integrate physical security logs (hatch open alerts, vault temperature spikes, acoustic tamper detections) directly into the centralized Security Information and Event Management (SIEM) system of the cyber SOC. Teach analytics engines to correlate a physical security alarm with a concurrent network anomaly or a temporary loss of signal.

  • Hybrid attack playbooks: Develop and test incident response playbooks that assume a dual-domain attack. For example, if a critical OT network link goes offline unexpectedly, the playbook must mandate an immediate physical inspection of the routing conduits alongside standard digital troubleshooting.

  • Cross-functional exercises: Conduct live, red-team simulation exercises where physical intruders attempt to compromise an OT network by targeting remote utility access points, forcing coordination between corporate security, engineering, facilities, and local emergency services.
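One way to implement the converged SOC correlation described above, which also exercises the rogue-device check from the asset inventory item in the previous section: an added Python example, not Shieldworkz code. The event format, the site and port names, the baseline MACs and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed baseline: the device expected on each port of an underground
# field switch (site, port and MAC values are assumptions, not real topology).
PORT_BASELINE = {
    ("vault-07", "ge-0/0/3"): {"mac": "00:1b:1b:aa:bb:01", "profile": "rtu"},
    ("vault-07", "ge-0/0/4"): {"mac": "00:1b:1b:aa:bb:02", "profile": "rtu"},
    ("vault-12", "ge-0/0/1"): {"mac": "00:1b:1b:cc:dd:01", "profile": "rtu"},
}

# Constructed event stream as it might arrive in the SIEM: physical alarms
# from the vault and events from the field switch, ISO timestamp first.
EVENTS = [
    "2025-03-02T02:14:05 physical site=vault-07 type=hatch_open",
    "2025-03-02T02:14:40 physical site=vault-07 type=acoustic_tamper",
    "2025-03-02T02:16:10 network site=vault-07 port=ge-0/0/3 type=link_down",
    "2025-03-02T02:16:52 network site=vault-07 port=ge-0/0/3 type=link_up mac=00:1b:1b:aa:bb:01",
    "2025-03-02T02:17:03 network site=vault-07 port=ge-0/0/4 type=new_mac mac=3c:71:bf:12:34:56 profile=linux-sbc",
    "2025-03-02T09:30:00 network site=vault-12 port=ge-0/0/1 type=new_mac mac=00:1b:1b:cc:dd:01 profile=rtu",
]


def parse_event(line):
    """Split 'TIMESTAMP DOMAIN key=value ...' into a dict (constructed format)."""
    ts, domain, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "domain": domain}
    event.update(pair.split("=", 1) for pair in pairs)
    return event


def network_anomaly(event):
    """Return the anomaly class for a switch event, or None if it matches baseline."""
    if event["type"] == "link_down":
        return "link_down"
    expected = PORT_BASELINE.get((event["site"], event["port"]))
    if expected is None:
        return "unbaselined_port"
    # A device whose MAC or fingerprinted profile differs from the baseline is
    # treated as a rogue implant even though the link itself looks healthy.
    if event.get("mac") != expected["mac"] or event.get("profile", expected["profile"]) != expected["profile"]:
        return "rogue_device"
    return None


def correlate(lines, window=timedelta(minutes=5)):
    """Join each network anomaly with physical alarms at the same site inside the window."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    physical = [e for e in events if e["domain"] == "physical"]
    incidents = []
    for event in events:
        if event["domain"] != "network":
            continue
        reason = network_anomaly(event)
        if reason is None:
            continue
        context = [p["type"] for p in physical
                   if p["site"] == event["site"] and event["ts"] - window <= p["ts"] <= event["ts"]]
        incidents.append({
            "site": event["site"], "port": event["port"], "reason": reason,
            "physical_context": context,
            # A preceding hatch or tamper alarm escalates the network anomaly; an
            # unexpected link loss always triggers a conduit inspection per the playbook.
            "severity": "critical" if context else "medium",
            "action": "inspect_conduit_and_troubleshoot" if reason == "link_down" else "isolate_port",
        })
    return incidents
```

Running `correlate(EVENTS)` yields two critical incidents at vault-07 (the link loss and the unknown single-board computer on ge-0/0/4), while the RTU reappearing on its baselined port at vault-12 raises nothing.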

Metrics and Key Performance Indicators (KPIs)

To ensure the efficacy of this converged defensive strategy, critical infrastructure operators must track quantifiable metrics across four primary categories:

Physical Security KPIs

  • Unauthorized Access Detection Rate ($R_{UAD}$): Target: >98% for all critical and subterranean assets.

  • Time-to-Detect Physical Intrusion ($T_{DPI}$): The elapsed time between the physical breach of a hatch, vault, or conduit and the generation of an actionable alert in the SOC. Target: <60 seconds.

  • Physical Asset Inspection Coverage: The percentage of underground conduit miles and remote vaults physically or electronically inspected for structural integrity and rogue implants within a rolling 90-day window. Target: 100%.

OT Security KPIs

  • OT Asset Visibility Percentage: The proportion of active devices in the OT environment that are fully profiled and tracked by automated asset management tools. Target: 100%.

  • Mean Time to Detect (MTTD) Unmanaged Assets: The time it takes to detect and alert on an unauthorized hardware device plugged into any network port. Target: <5 minutes.

  • Network Encryption Coverage: The percentage of cross-site and subterranean network links utilizing active cryptographic encapsulation (e.g., MACsec). Target: 100%.

Hybrid Security KPIs

  • Physical-Cyber Incident Correlation Rate: The percentage of physical security alerts that are automatically cross-referenced against digital network logs by the SIEM/SOAR platform. Target: >90%.

  • Cross-Domain Joint Exercise Frequency: The number of full-scale incident response simulations conducted annually involving physical security, IT/OT cybersecurity, and operational facilities teams. Target: Minimum of 4 per year.

Executive and Resilience KPIs

  • Critical Asset Risk Reduction Score: A composite index measuring the elimination of single points of failure across both physical routing and logical network paths.

  • Recovery Time Objective (RTO) for Converged Failures: The targeted duration of time required to restore full operational capability following a coordinated physical destruction and digital wipe event. Target: Environment-dependent, typically <4 hours for critical safety functions.


The security of modern critical infrastructure cannot rely only on digital defenses. As New York City’s subterranean network intrusion demonstrates, an elite adversary does not need to crack a 256-bit cryptographic key or discover a zero-day exploit to compromise an asset. They can simply walk beneath our feet, open an unmonitored hatch, and plug directly into the physical heart of our infrastructure.

In an era increasingly governed by artificial intelligence and automated network defense, the physical world remains the ultimate arbiter of operational resilience. Defenders must look down as often as they look up, recognizing that if the physical pathways connecting our societies remain exposed, the most advanced SOC in the world is merely an expensive spectator to its own undoing. Operational continuity demands a unified, zero-trust approach to defense—one that guards the concrete and copper just as vigilantly as the code.

Recommended technical resources

Incident Response Plan for OT/ICS: A Practical Template to Build Resilience

Link: Shieldworkz OT/ICS Incident Response Playbook

Incident Response Template for Facility Security Events

Link: Shieldworkz Facility Incident Response Template

NIST SP 800-61 Compliance and Implementation Checklist for OT/ICS Environments

Link: Shieldworkz NIST SP 800-61 OT/ICS Checklist

IEC 62443-Based Zoning Implementation and Validation Checklist

Link: Shieldworkz IEC 62443 Zoning Checklist

Comprehensive OT Risk Assessment Checklist

Link: Shieldworkz Comprehensive OT Risk Assessment Checklist

Guide to OT Asset Inventory and Device Management for Improved Security

Link: Shieldworkz OT Asset Inventory Guide

OT / ICS Cybersecurity Operational Security Checklist

Link: Shieldworkz Operational Security Checklist 
