The Infrastructure Nobody Thinks About Until It Fails
On a February morning in 2021, operators at the water treatment plant in Oldsmar, Florida, observed the remote cursor on a control screen moving on its own — adjusting the concentration of sodium hydroxide (lye) in the drinking water supply from 100 parts per million to over 11,000 parts per million. An operator intervened within minutes to reverse the change. The Pinellas County Sheriff initially described the incident as a cyberattack exploiting TeamViewer — a remote desktop application used by the plant with no multi-factor authentication and shared passwords among employees. However, the FBI later stated it could not confirm the incident was initiated by a targeted cyber intrusion. A former city manager told reporters in 2023 that the incident was likely employee error, not an external attack.
Whether or not Oldsmar was a hack, the investigation exposed a disturbing reality: the plant was running Windows 7 (end-of-life since January 2020), used shared credentials, and had remote access tools with no MFA or network segmentation. These are not unusual conditions. In May 2024, the US Environmental Protection Agency issued an enforcement alert revealing that over 70% of water treatment systems inspected since September 2023 were in violation of Safe Drinking Water Act cybersecurity requirements — including failures to change default passwords and failures to revoke access for former employees.
And the threat actors are already inside. In May 2023, Microsoft and the Five Eyes intelligence alliance publicly attributed a sophisticated cyber campaign to Volt Typhoon, a Chinese state-sponsored threat group pre-positioning in US critical infrastructure networks — not stealing data, but establishing persistent footholds for potential future disruption. By early 2024, follow-up advisories revealed the group had maintained access for at least five years across communications, energy, transportation, and water systems. In the same period, a coordinated attack campaign in Denmark exploited vulnerabilities in Zyxel firewalls to breach 22 energy companies simultaneously — the largest cyberattack in Danish history.
Operational Technology (OT) and Industrial Control Systems (ICS) — the digital nervous systems of power grids, water treatment plants, oil refineries, manufacturing plants, and transportation networks — represent the most consequential attack surface in cybersecurity. When IT systems are breached, data is stolen. When OT systems are breached, physical processes are disrupted, safety systems can be disabled, and people can be harmed.
Understanding the OT/ICS Stack
The terminology can be confusing. Here is a clear breakdown:
OT (Operational Technology) is the broad category of hardware and software that monitors and controls physical processes — everything from a thermostat in a building to the turbine controllers in a power plant.
ICS (Industrial Control Systems) is a subset of OT that specifically refers to the systems controlling industrial processes:
- SCADA (Supervisory Control and Data Acquisition): Centralized systems that monitor and control geographically dispersed infrastructure — pipeline pressure sensors across thousands of miles, electrical substations across a region, water flow meters across a city.
- PLCs (Programmable Logic Controllers): Purpose-built computers that directly control physical equipment — opening a valve, adjusting a motor speed, triggering a safety shutdown. PLCs execute the actual “control” in industrial control systems.
- DCS (Distributed Control Systems): Used in process industries (oil refining, chemical manufacturing) to control continuous processes where many variables must be coordinated simultaneously.
- HMI (Human-Machine Interface): The screens and panels that operators use to monitor and interact with the process — showing real-time data, alarm status, and manual override controls.
The fundamental challenge of OT security is that these systems were designed for reliability and safety, not for cybersecurity. Many PLCs and SCADA systems were deployed 15-25 years ago, run proprietary or legacy operating systems (Windows XP, real-time OS variants), cannot be patched without shutting down the process they control, and were never intended to be connected to the internet.
But they are now connected. The convergence of IT (Information Technology) and OT — driven by the desire for remote monitoring, data analytics, predictive maintenance, and operational efficiency — has exposed systems designed for isolated networks to the full threat landscape of the internet.
Volt Typhoon: The Pre-Positioning Campaign
In May 2023, Microsoft and the Five Eyes intelligence agencies (US, UK, Canada, Australia, New Zealand) publicly attributed a sophisticated cyberespionage campaign to Volt Typhoon, a Chinese state-sponsored threat group. The campaign targeted critical infrastructure organizations in the United States and its territories, including Guam.
What made Volt Typhoon alarming was not what it did, but what it did not do. The group did not steal intellectual property, deploy ransomware, or demand payment. Instead, it pre-positioned — it gained access to critical infrastructure networks, established persistent footholds, and waited.
Techniques: Volt Typhoon specialized in “living off the land” — using legitimate system tools (PowerShell, WMI, ntdsutil) rather than malware to avoid detection. It compromised internet-facing devices (routers, firewalls, VPN appliances) as entry points, moved laterally through networks using stolen credentials, and established persistent access that could be activated on command.
Targets: Communications, energy, transportation, water systems, and wastewater infrastructure. The geographic focus included infrastructure in Guam and the US West Coast — regions strategically relevant to a potential Taiwan conflict scenario.
Implications: US intelligence officials stated publicly that Volt Typhoon’s objective was to pre-position in US critical infrastructure so that, in the event of a military conflict in the Pacific, China could disrupt American power grids, communications networks, and water systems to slow US military deployment and create domestic chaos. In January 2024, the FBI disrupted Volt Typhoon operations by removing the group’s malware from hundreds of compromised small office and home office routers. A February 2024 joint advisory from CISA, NSA, and the FBI revealed the group had maintained access to some networks for at least five years.
This is not espionage. This is preparation for cyber warfare targeting civilian infrastructure. And it represents a paradigm shift in how nations think about critical infrastructure security.
The Ransomware Threat to OT
While nation-state pre-positioning is the most strategically dangerous threat, ransomware is the most frequent threat to OT environments.
Colonial Pipeline (2021) remains the paradigm case. On May 7, 2021, the DarkSide ransomware group gained access to Colonial Pipeline’s IT network using a compromised password for an inactive VPN account that lacked multi-factor authentication — the password had been found in a batch of leaked credentials on the dark web. The company shut down its OT pipeline operations as a precaution, unable to determine whether attackers had also reached operational systems. The six-day shutdown caused fuel shortages across 17 US states, panic buying, and gas prices hitting their highest levels in over six years. Colonial paid a $4.4 million ransom (75 bitcoin), though the DOJ later recovered approximately 84% of the payment. The attack did not directly compromise OT systems, but it demonstrated that IT/OT convergence means that IT compromises can force OT shutdowns.
Since then, ransomware attacks on industrial organizations have accelerated:
- JBS Foods (2021): REvil ransomware shut down meat processing plants across the US, Canada, and Australia.
- Dole (2023): Ransomware forced the shutdown of production plants across North America.
- Change Healthcare (2024): The BlackCat (ALPHV) ransomware attack on UnitedHealth’s Change Healthcare platform disrupted medical claims processing for months — one of the most consequential healthcare cyberattacks in US history.
- Water utilities (2023-2024): Iranian IRGC-affiliated threat group CyberAv3ngers targeted water utilities using Unitronics Vision Series PLCs, exploiting the default manufacturer password (“1111”) to gain access to operational systems. Between November 2023 and April 2024, at least 29 confirmed intrusions were linked to the group, including a high-profile incident at a water authority in Aliquippa, Pennsylvania.
The pattern is clear: ransomware groups increasingly target organizations that operate critical infrastructure because these organizations are under extreme pressure to pay — every hour of downtime has physical, safety, and economic consequences.
The Security Gap: IT vs. OT
Securing OT environments is fundamentally different from securing IT environments, and IT security practices often cannot be directly applied:
Patching: In IT, security patches are applied regularly (monthly Patch Tuesday, automated updates). In OT, patching a PLC or SCADA system often requires shutting down the physical process it controls — stopping a turbine, pausing a production line, taking a substation offline. Many OT systems run legacy software that is no longer supported by vendors. Patching may require complete system replacement.
Scanning: Vulnerability scanners that work safely on IT networks can crash OT devices. Active network scanning (sending packets to discover devices and their vulnerabilities) can overwhelm PLCs with limited processing capacity, causing them to fail — potentially with dangerous physical consequences.
Authentication: Many OT systems use shared credentials, default passwords, or no authentication at all. Implementing modern authentication (MFA, certificate-based) requires firmware updates that may not be available for legacy equipment.
Availability: In IT, the security triad is “Confidentiality, Integrity, Availability” (CIA) — with confidentiality typically prioritized. In OT, availability is paramount. A power grid that goes offline kills people (hospital equipment fails, traffic lights go dark, heating systems stop in winter). Security controls that reduce availability are unacceptable, even if they improve confidentiality.
Defensive Strategies for 2026
Despite these challenges, organizations are making progress in OT security:
Network segmentation (Purdue Model): The most fundamental defense is separating OT networks from IT networks and the internet. The Purdue Enterprise Reference Architecture defines zones (from Level 0 — physical process — to Level 5 — enterprise network) with controlled interfaces between each level. A Demilitarized Zone (DMZ) between IT and OT networks ensures that no direct communication path exists between the internet and operational systems.
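To make the segmentation rule above concrete, here is a small policy check added for this article (it is not code from the article or from any product named here). It models a firewall policy as allowed (source zone, destination zone) flows, treats the IT/OT DMZ as its own zone between Levels 3 and 4 (the "Level 3.5" placement common in practice), and reports any path from the internet or enterprise side into OT zones that bypasses the DMZ; the zone names, the adjacent-levels-only convention and both sample rule sets are constructed for the example.

```python
from collections import deque

# Purdue zones from Level 0 (physical process) to Level 5 (enterprise), plus the
# internet and the IT/OT DMZ commonly placed between Levels 3 and 4 ("Level 3.5").
LEVEL = {"L0": 0, "L1": 1, "L2": 2, "L3": 3, "DMZ": 3.5, "L4": 4, "L5": 5, "Internet": 6}
OT_ZONES = {"L0", "L1", "L2", "L3"}
IT_SIDE = ("L4", "L5", "Internet")

def reachable(rules, start, blocked=frozenset()):
    """Zones reachable from `start` over allowed flows, never entering a `blocked` zone."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in rules:
            if src == cur and dst not in seen and dst not in blocked:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def check_segmentation(rules):
    """Return policy violations for a list of allowed (src_zone, dst_zone) flows."""
    violations = []
    for src, dst in rules:
        if src == "Internet" and dst in OT_ZONES:
            violations.append(f"direct flow {src}->{dst} into OT")
        if abs(LEVEL[src] - LEVEL[dst]) > 1:  # convention adopted here: adjacent levels only
            violations.append(f"flow {src}->{dst} skips Purdue levels")
    # Any IT-side zone that can still reach OT with the DMZ removed has a bypass path.
    for src in IT_SIDE:
        for dst in sorted(reachable(rules, src, blocked={"DMZ"}) & OT_ZONES):
            violations.append(f"{src} reaches {dst} without traversing the DMZ")
    return violations

# Constructed sample policy: a correctly segmented design ...
GOOD_RULES = [("Internet", "L5"), ("L5", "L4"), ("L4", "DMZ"), ("DMZ", "L3"),
              ("L3", "L2"), ("L2", "L1"), ("L1", "L0")]
# ... and the same design after a "temporary" remote-access path is added.
BAD_RULES = GOOD_RULES + [("Internet", "L2")]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, check_segmentation(rules) or "no violations")
```

The same reachability check can be run against an exported firewall zone policy to catch the kind of unmonitored remote-access path the Oldsmar investigation found.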
Passive monitoring: Instead of active scanning (which can crash OT devices), passive monitoring tools observe network traffic without sending any packets. Solutions like Claroty, Nozomi Networks, Dragos, and Microsoft Defender for IoT passively analyze OT network traffic to discover assets, detect anomalies, and identify threats without risking operational disruption.
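As an added illustration of what a passive OT monitor does (example code written for this article, not the logic of any product named above), the following Python learns a baseline of assets and conversations from a learning window of observed flows and then flags new devices, new conversations and Modbus write commands from hosts not authorized to write, without ever sending a packet to a device. The host addresses, the Modbus function-code list used to classify writes, and all flow records are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Modbus/TCP function codes that change controller state (coil/register writes).
MODBUS_WRITE_CODES = {5, 6, 15, 16, 23}

@dataclass(frozen=True)
class Flow:
    """One observed conversation, as a passive sensor would extract it from a span port."""
    src: str
    dst: str
    proto: str
    func: Optional[int] = None  # Modbus function code when proto == "modbus"

def build_baseline(flows):
    """Learn known assets and (src, dst, proto) conversations from a learning window."""
    assets = {f.src for f in flows} | {f.dst for f in flows}
    convs = {(f.src, f.dst, f.proto) for f in flows}
    return assets, convs

def detect(flows, assets, convs, write_allowed):
    """Raise alerts for deviations from the baseline; nothing is ever sent to a device."""
    alerts, reported = [], set()
    for f in flows:
        for host in (f.src, f.dst):
            if host not in assets and host not in reported:
                reported.add(host)
                alerts.append(f"new asset {host} seen in {f.proto} traffic")
        if (f.src, f.dst, f.proto) not in convs:
            alerts.append(f"new conversation {f.src}->{f.dst} ({f.proto})")
        if f.proto == "modbus" and f.func in MODBUS_WRITE_CODES and f.src not in write_allowed:
            alerts.append(f"Modbus write (fc {f.func}) to {f.dst} from unauthorized host {f.src}")
    return alerts

# Constructed sample: HMI 10.1.2.10 polls PLC 10.1.3.20; engineering workstation
# 10.1.2.11 writes setpoints to it. These two are the only hosts allowed to write.
HMI, EWS, PLC = "10.1.2.10", "10.1.2.11", "10.1.3.20"
WRITE_ALLOWED = {HMI, EWS}
BASELINE_FLOWS = [Flow(HMI, PLC, "modbus", 3), Flow(EWS, PLC, "modbus", 16)]
# Later traffic: normal polling, then an unknown host writing a register, and an
# unexpected SSH session from the engineering workstation to the PLC.
NEW_FLOWS = [Flow(HMI, PLC, "modbus", 3), Flow("10.1.2.99", PLC, "modbus", 6),
             Flow(EWS, PLC, "ssh")]

def demo():
    assets, convs = build_baseline(BASELINE_FLOWS)
    return detect(NEW_FLOWS, assets, convs, WRITE_ALLOWED)

if __name__ == "__main__":
    for alert in demo():
        print("ALERT:", alert)
```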
Threat intelligence: Dragos publishes detailed threat intelligence on OT-specific threat groups (CHERNOVITE, BENTONITE, KAMACITE, etc.) with indicators of compromise and defensive recommendations tailored to industrial environments.
Regulatory frameworks: The US CISA has established sector-specific agencies for critical infrastructure security. The EU’s NIS2 Directive (effective 2024) imposes mandatory cybersecurity requirements on essential service operators. NERC CIP standards mandate specific cybersecurity controls for the North American electric grid.
Secure remote access: The Oldsmar water plant incident — regardless of its true cause — exposed the dangers of insecure remote access configurations. Modern OT remote access solutions (Claroty xDome Secure Access, Cyolo) provide MFA-protected, monitored, session-recorded remote access to OT systems — replacing the TeamViewer and VPN configurations that are commonly exploited.
Decision Radar (Algeria Lens)
| Dimension | Assessment |
|---|---|
| Relevance for Algeria | Critical — Algeria’s energy infrastructure (Sonatrach, Sonelgaz), water systems, and transportation networks are prime targets; the energy sector is strategically important for both revenue and national security |
| Infrastructure Ready? | Weak — Most Algerian OT environments have minimal cybersecurity controls; IT/OT convergence is ongoing with limited segmentation; legacy systems are common |
| Skills Available? | Very Limited — OT security is a niche discipline globally; Algeria has very few specialists with experience in ICS/SCADA security |
| Action Timeline | Immediate — Network segmentation and passive monitoring should be implemented now; comprehensive OT security programs require 18-24 months |
| Key Stakeholders | Sonatrach (oil/gas), Sonelgaz (electricity), Algérie Télécom, SEAAL/ADE (water utilities), ANESRIF (rail), Ministry of Energy, Ministry of Defense, CERT.dz |
| Decision Type | Strategic-National Security — OT security for energy and water infrastructure is a national security matter, not just a technical IT decision |
Quick Take: This is arguably the most critical cybersecurity domain for Algeria. Sonatrach and Sonelgaz operate SCADA systems controlling oil/gas production and the national electrical grid — infrastructure that directly generates government revenue and supports civilian life. Algeria should prioritize: (1) network segmentation between IT and OT environments at energy facilities, (2) deployment of passive OT monitoring (Claroty, Nozomi, or Dragos) to gain visibility into OT networks without disrupting operations, and (3) partnership with international OT security firms to build domestic expertise. The Volt Typhoon precedent demonstrates that nation-states are actively pre-positioning in critical infrastructure worldwide — Algeria’s energy infrastructure is a plausible target given its strategic importance in global energy markets.
Sources
- CISA — Volt Typhoon Advisory (AA24-038A)
- Microsoft — Volt Typhoon Analysis (May 2023)
- CISA — Oldsmar Water Treatment Advisory (AA21-042A)
- EPA — Enforcement Alert: Drinking Water Cybersecurity (May 2024)
- CISA — CyberAv3ngers / Unitronics PLC Advisory (AA23-335A)
- SektorCERT — Danish Energy Sector Attack Report (2023)
- Dragos — OT Cybersecurity Year in Review 2025
- NIST — Guide to ICS Security (SP 800-82)
- Claroty — State of XIoT Security Report
- Nozomi Networks — OT/IoT Security Report
- EU NIS2 Directive
- NERC CIP Standards