My first exposure to OT security was a security assessment of a water SCADA system in 2000. It was a disaster from a security perspective. Old OS and apps that hadn't been touched since install. Poor network segmentation, admin accounts used by all with default passwords, and unauthenticated, insecure-by-design control protocols, PLCs, and RTUs.
Little changed from 2000 to 2010 except for a few pioneers who started to address these issues. When people learned of the state of OT security, they asked the question: if these ICS are so vulnerable, why don't we see OT cyber attacks and cyber incidents?
OT security awareness went mainstream in the 2010 to 2020 decade. Pioneers gave way to early adopters, and even the early majority for some basic OT security controls. Still, the majority of OT systems were far from secure, far from even implementing whatever you would call the basic security controls and consequence reduction that reduce OT cyber risk. Attack and vulnerability content was widely distributed and hyped, but the number and impact of OT cyber incidents was still small. Tiny, a mere blip compared to other causes of OT outages, physical damage, and safety incidents.
The question being asked that decade was: why don't we see more OT cyber incidents?
In 2025, 25 years after my first OT security gig, the question is still being asked. I've never had a great answer, nothing more than conjecture. I haven't heard a great answer from anyone else either.
Is it because criminals have easier ways of making money through cyber attacks?
Is it because criminals, nation states, and non-state actors worry about the potential retribution if they take out critical infrastructure? We saw a bit of this fear in the Colonial Pipeline incident.
Is it because the criminals and organizations who might want to damage OT systems through cyber attacks lack the knowledge? This may have been believable up to 2020, but seems hard to believe now. It does take process and automation knowledge to cause a specific type of damage, but it is not required to take a system down. Some OT that “must never go down” is incredibly fragile.
Is it happening a lot more than is publicly disclosed because a) the affected asset owner doesn't want to disclose, or b) the affected asset owner knew there was an incident but didn't know it was caused by a cyber attack?
I don't have an evidence-based answer. We can be happy that, whatever the reason, we as a society haven't suffered the expected number and impact of OT cyber incidents, yet.
BTW, that water system from 2000 has never had an outage caused by a cyber incident. And they have an impressive OT security program after 25 years of continued improvement. There are a growing number of asset owners properly addressing OT cyber risk in every sector. Maybe we can get lucky, for whatever reasons, for another 5 or 10 years and the majority will have addressed OT cyber risk.