
Industrialising Cyber Defence in an Asymmetric World

Black Hat · 41:02

This talk discusses the strategic challenges of defending industrial control systems and critical infrastructure against sophisticated, well-resourced adversaries. It highlights the asymmetry between defenders and attackers, emphasizing the need for better telemetry, visibility, and evidence-based resilience in operational technology environments. The speaker advocates for a shift from reactive, piecemeal security to a more proactive, coordinated approach involving standards bodies and shared responsibility models. The presentation serves as a high-level policy and strategy discussion rather than a technical deep-dive into specific exploits.

Industrial Control Systems Are Still Running on Trust and Prayer

TLDR: Industrial control systems and critical infrastructure remain dangerously exposed due to a lack of visibility and reliance on outdated, unpatched technology. Attackers are increasingly targeting these environments with sophisticated techniques, yet defenders often lack the telemetry required to detect them. Security professionals must move beyond perimeter-based defenses and prioritize evidence-based resilience to survive in an increasingly asymmetric threat landscape.

Operational technology environments are currently facing a reality that most enterprise IT teams would find terrifying. While we spend our time obsessing over the latest browser zero-days or cloud misconfigurations, industrial control systems are often operating on decades-old hardware that lacks basic security primitives. The asymmetry here is stark. An attacker only needs to find one unpatched controller or a single misconfigured gateway to cause kinetic damage, while the defender is tasked with securing a sprawling, heterogeneous network that was never designed to be connected to the internet in the first place.

The Reality of Asymmetric Warfare

Defending critical infrastructure is not about building a higher wall. It is about understanding that the wall has already been breached. When we look at the current state of industrial security, we see a massive gap between the tools we use to defend these systems and the reality of how they are being attacked. Many organizations are still relying on OWASP Top 10 style web security controls to protect systems that are fundamentally different from standard web applications.

Injection attacks, such as SQL injection, are still a primary vector for compromising the management interfaces of these systems. However, the impact of a successful exploit here is not just data exfiltration. It is the potential for physical disruption. We are seeing adversaries who are not just interested in stealing credentials. They are interested in manipulating the logic of the controllers themselves. When an attacker can modify the input to a PLC or a SCADA gateway, they are effectively controlling the physical process.

The Visibility Gap

One of the most significant challenges for any researcher or pentester working in this space is the lack of telemetry. You cannot defend what you cannot see. In many industrial environments, the network traffic is opaque. We lack the granular visibility into the proprietary protocols that these devices use to communicate. Without this visibility, we are essentially flying blind.

If you are performing an assessment on an industrial network, your first priority should be identifying the communication flows between the HMI and the field devices. Use tools like Wireshark to capture traffic and look for anomalies. If you see an HMI sending commands to a controller that it has no business talking to, you have found your pivot point. The goal is to move from a state of blind trust to a state of verified communication.
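To make "verified communication" concrete, here is an added example (not code from the talk) that checks HMI-to-controller flows against a baseline of which station may send which Modbus/TCP function codes to which controller; the addresses, baseline and sample flows are constructed, as if summarised from a Wireshark capture:

```python
"""Baseline check for HMI-to-controller command flows (added example, not
code from the talk). Addresses, baseline and sample flows are constructed."""
from dataclasses import dataclass

# Modbus/TCP function codes from the public protocol specification.
READ_HOLDING_REGISTERS = 3
WRITE_SINGLE_REGISTER = 6
WRITE_MULTIPLE_REGISTERS = 16
WRITE_CODES = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}

@dataclass(frozen=True)
class Flow:
    src: str       # HMI / engineering station address
    dst: str       # controller (PLC) address
    function: int  # Modbus function code carried in the request

# Constructed baseline: (hmi, plc) -> function codes that pair is expected to use.
BASELINE = {
    ("10.0.1.10", "10.0.2.20"): {READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER},
    ("10.0.1.10", "10.0.2.21"): {READ_HOLDING_REGISTERS},  # read-only view of line 2
    ("10.0.1.11", "10.0.2.21"): {READ_HOLDING_REGISTERS, WRITE_MULTIPLE_REGISTERS},
}

def classify(flow: Flow) -> str:
    """'ok', 'unexpected-peer' (pair not in baseline), 'unexpected-write'
    (known pair, write never permitted) or 'unexpected-function'."""
    allowed = BASELINE.get((flow.src, flow.dst))
    if allowed is None:
        return "unexpected-peer"
    if flow.function in allowed:
        return "ok"
    return "unexpected-write" if flow.function in WRITE_CODES else "unexpected-function"

def review(flows):
    """Only the flows that need a human look, each with its label."""
    return [(f, classify(f)) for f in flows if classify(f) != "ok"]

# Constructed sample: three expected flows and three that should be flagged.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", READ_HOLDING_REGISTERS),
    Flow("10.0.1.10", "10.0.2.20", WRITE_SINGLE_REGISTER),
    Flow("10.0.1.11", "10.0.2.21", WRITE_MULTIPLE_REGISTERS),
    Flow("10.0.1.10", "10.0.2.21", WRITE_SINGLE_REGISTER),   # write to a read-only peer
    Flow("10.0.1.12", "10.0.2.20", READ_HOLDING_REGISTERS),  # station not in baseline
    Flow("10.0.1.11", "10.0.2.21", 8),                       # diagnostics, not baselined
]

if __name__ == "__main__":
    for flow, label in review(SAMPLE_FLOWS):
        print(f"{label:20} {flow.src} -> {flow.dst} fc={flow.function}")
```

A write from a pair the baseline only ever saw reading is the case the talk calls a pivot point, and it surfaces here as `unexpected-write` rather than being lost among expected traffic.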

Moving Toward Evidence-Based Resilience

We need to stop pretending that we can patch our way out of this problem. Many of these systems cannot be patched without significant downtime, which is often not an option for critical infrastructure. Instead, we need to focus on building resilience into the architecture itself. This means implementing strict network segmentation and ensuring that every device is running only the services it absolutely requires.

If you are a developer or a security engineer working on these systems, look into Terraform for infrastructure as code. By automating the deployment of your security controls, you can ensure that your environment remains in a known good state. This is the only way to scale security across a large, distributed environment. You cannot manually configure hundreds of firewalls and expect them to remain secure over time.

The Role of Standards and Coordination

Collaboration is the only way we are going to get ahead of this. We need to be more active in standards bodies. If you look at RFC 9424, you can see the kind of work that is being done to address these challenges at a fundamental level. We need more of this. We need to be sharing our findings, not just with our internal teams, but with the broader community.

When we find a vulnerability in a piece of industrial equipment, we need to be responsible about how we disclose it. We need to work with the vendors to ensure that the fix is not just a band-aid, but a fundamental improvement to the security of the device. This is a long-term game. We are not going to solve these problems overnight.

What Comes Next

The future of industrial security is going to be defined by our ability to adapt to new technologies while securing the legacy systems that form the backbone of our society. We are going to see more integration of AI and machine learning into these environments, which will bring both new opportunities and new risks. We need to be prepared for both.

Start by auditing your own environment. Look for the low-hanging fruit. Are your management interfaces exposed? Are you using default credentials? Are your controllers communicating over unencrypted channels? These are the questions that we need to be asking ourselves every single day. The adversaries are not waiting for us to catch up. They are already inside, and they are already looking for the next way to cause disruption. It is time we started acting like it.
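The "known good state" from the segmentation section and the audit questions above (exposed management interfaces, unencrypted channels) come down to the same check: compare what is actually listening with what the baseline says should be. This added example (not code from the talk, and not a Terraform module) does that diff in Python; device names, zones and the observed snapshot are constructed:

```python
"""Drift check of observed devices against a known-good baseline (added
example, not code from the talk or any Terraform module; all values constructed)."""

# Desired state per device: network zone and the only services it should expose.
DESIRED = {
    "plc-line1": {"zone": "cell-1", "services": {502}},         # Modbus/TCP only
    "hmi-line1": {"zone": "supervisory", "services": {502, 443}},
    "gw-ot-it":  {"zone": "dmz", "services": {443}},
}

# Constructed snapshot of what is actually listening (e.g. from an authorised scan).
OBSERVED = {
    "plc-line1": {"zone": "cell-1", "services": {502, 80}},     # web UI left enabled
    "hmi-line1": {"zone": "supervisory", "services": {502, 443}},
    "gw-ot-it":  {"zone": "cell-1", "services": {443, 23}},     # moved zone, telnet on
    "hist-new":  {"zone": "cell-1", "services": {1433}},        # not in the baseline at all
}

# Management protocols that carry credentials and commands in cleartext.
CLEARTEXT_MANAGEMENT = {21, 23, 80}

def drift(desired, observed):
    """Return (device, kind, detail) tuples; an empty list means no drift."""
    findings = []
    for name, obs in observed.items():
        want = desired.get(name)
        if want is None:
            findings.append((name, "unmanaged-device", sorted(obs["services"])))
            continue
        if obs["zone"] != want["zone"]:
            findings.append((name, "zone-mismatch", obs["zone"]))
        for port in sorted(obs["services"] - want["services"]):
            kind = "cleartext-management" if port in CLEARTEXT_MANAGEMENT else "unexpected-service"
            findings.append((name, kind, port))
        for port in sorted(want["services"] - obs["services"]):
            findings.append((name, "missing-service", port))
    for name in sorted(desired.keys() - observed.keys()):
        findings.append((name, "missing-device", None))
    return findings

if __name__ == "__main__":
    for device, kind, detail in drift(DESIRED, OBSERVED):
        print(f"{device:10} {kind:22} {detail}")
```

Run on a schedule, a non-empty result is the signal that the environment has left its known good state, whichever tool was used to deploy it.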

Talk type: keynote · Difficulty: beginner · Category: policy


Black Hat Europe 2023