A perfect storm

Analysts said the shift in attacker behavior is troubling but unsurprising, given the confluence of geopolitical tensions, widely available technical documentation, the democratization of attack toolkits and a decreasing price point for experimentation.

The good news: Organized cybercrime groups typically have little interest in accessing OT and industrial control systems (ICSes) to cause physical harm, said Forrester analyst Paddy Harrington. Rather, they want to make money, and hurting innocent people is inherently bad for business.

"Blowing up a pipeline or an oil rig or taking down an operating room in healthcare -- because you can actually do that if you compromise the systems enough -- leaves a bad taste in everyone's mouth," Harrington said. "You're no longer this Robin Hood figure for taking down Jaguar Land Rover. You hurt people."

In other words, there is a vast difference between run-of-the-mill cybercriminals and Netflix-style cyberterrorists. Even nation-state threat actors are likely constrained by the principle of mutually assured destruction, knowing that a targeted nation could respond in kind.

The bad news: Generative AI could empower a host of attackers with diverse personal or political motives and an appetite for destruction. Capabilities that were once largely limited to well-funded nation-state groups are now broadly accessible, said Gartner analyst Katell Thielemann.

"My concern is that in the age of AI, where technical drawings and process manuals can be ingested at will from public sources, we may not just be dealing with attackers 'being told to prepare to act,'" per the Dragos report, Thielemann said. "Hacktivists or anyone determined enough, with any kind of motive, can learn about these control loops."

Harrington noted that larger attack groups are already using open source models to build their own LLMs focused specifically on cyberattacks. "They can map out -- based on previous OT attacks, vulnerabilities and exploits -- exactly what they need to do," he said. "That, plus the whole geopolitical situation, is driving things faster than I think we've ever seen before."

What OT threats mean for enterprise CISOs

Most organizations have cyber-physical systems, whether they recognize it or not.

"This is not just about OT/ICS in water utilities or process manufacturing," Thielemann warned. Rather, any environment where digital assets interact with the physical world, such as a typical office building, data center or warehouse, could become a target.

Yet, even as threat actors seek to gain physical control of OT environments, enterprises remain largely ill-equipped to defend against them.

"If attackers are learning about control loops, so should CISOs," Thielemann said. "If they are still defending with an IT-centric mindset and have not yet realized that their remit includes cyber-physical systems that need completely different security governance and tooling, they need to catch up -- fast."

If attackers are learning about control loops, so should CISOs.

Harrington agreed, suggesting CISOs start by identifying entry points into their OT environments -- edge devices, cloud connections, internet connections and internal IT/OT cross-connections -- and eliminating any that aren't operationally necessary. Then, he said, drop a firewall across each remaining connection to block threats that might enter the environment from third-party service providers, OEMs or IT.

"Start doing something," Harrington urged. "So many OT environments don't have much of anything. All they're doing is asset discovery and relying on what they think is an air gap, which hasn't existed in the vast majority of environments for a long time."

Harrington admitted he worries about worst-case-scenario cyberattacks on critical infrastructure, the stuff of nightmares and Netflix films. But he also finds the growing push to improve OT security encouraging.

"I'm just hoping it's fast enough."

Alissa Irei is senior site editor of Informa TechTarget Security.