As digital threats continue to advance and become increasingly complex, safeguarding Operational Technology (OT) in critical infrastructure has shifted from a specialized focus to a critical responsibility. Sten Skov Lehnert, Senior Security Advisor at the Institute for Cyber Risk, an interdisciplinary knowledge powerhouse in Denmark, says: “We have been very fortunate in the last 20 years to enjoy a stable geopolitical environment. But we need to face reality: disruptions are coming, and we must be ready.”
The invisible crisis: OT security neglected for too long
Critical infrastructure, such as water management systems, power plants, and industrial control networks, is at the heart of our modern society. Yet it remains dangerously under-protected. The issue, Lehnert points out, is not just outdated technology but a fundamental misalignment in how we approach security.
“For many years, senior management has focused on IT security—the systems they know. But OT? That’s a different beast altogether,” he explains. Unlike IT systems, OT is not designed for frequent patching. Systems in power plants and water management facilities can run for decades with minimal updates. This creates an Achilles’ heel that cybercriminals are beginning to exploit.
The real-world impact: when hackers target waterworks
Denmark learned this lesson the hard way in December 2024, when Russian threat actors successfully hacked a small municipal water facility. “They wanted to work from home, just like everyone else. So, they connected IT and OT, allowing remote control of valves. The result? The hackers increased water pressure to a dangerous level, bursting pipes and leaving 50 households without water,” Lehnert recounts.
This incident underscores a critical point: IT and OT cannot be treated as a single entity. Blurring the lines between them, whether for convenience or cost-saving, invites disaster. The solution? Proper segmentation and layered security measures.
Segmentation: the first line of defense
One of the key strategies for protecting OT environments is segmentation. Lehnert is unequivocal: “I would like to see OT, especially legacy systems that cannot be patched, fully segregated from the internet. If you can’t update it, you must isolate it.” He urges organizations to conduct thorough risk assessments and apply standards such as IEC 62443 to secure their infrastructure.
Fox Crypto specializes in these security measures, ensuring that critical systems remain protected even as threats evolve. By scanning for unknown vulnerabilities and implementing robust segregation strategies, organizations can significantly reduce their risk exposure.
Learning from the past: Stuxnet and human weakness
The infamous Stuxnet attack on Iran’s nuclear facility serves as a stark reminder that even air-gapped systems can be compromised through human error. “The facility was segregated, but a simple USB transfer bypassed all the security barriers. That’s why we need to analyze not just technical vulnerabilities, but also human behavior,” Lehnert warns. Training personnel, enforcing strict policies on data transfers, and continuously testing for weaknesses are all essential steps.
Building resilience: preparing for the inevitable
The future of OT security is not just about preventing attacks, but about ensuring continuity when disruptions occur. Lehnert believes that organizations should embrace a mindset of resilience: “We should prepare for manual failover procedures, just like in the old days. If Ukraine can do it under war conditions, we can do it too.”
By conducting scenario planning—whether for cyberattacks, natural disasters, or even accidental system failures—organizations can ensure they remain operational under any circumstances. “The key question isn’t ‘How do I stop an attack?’ but ‘How do I keep my business running even when something goes wrong?’” Lehnert emphasizes.
A call to action for CISOs and boards
Ultimately, the responsibility for OT security does not rest solely with IT departments—it starts at the top. “Your board of directors sets the risk appetite. As a CISO, your job is to translate that into actionable security measures,” Lehnert points out.
Instead of reinventing the wheel, companies should leverage existing frameworks like ISO 27001, CIS 18, and IEC 62443. “We already have the tools. The challenge is implementing them effectively,” he notes.
The time to act is now
The threats to OT security are not hypothetical—they are here, and they are growing. Whether it’s a cyberattack on a water plant, a power outage caused by an overlooked vulnerability, or a human error that disrupts essential services, the consequences of inaction are severe. As Lehnert aptly puts it: “Resilience is not just a buzzword. It’s the difference between recovery and catastrophe.”