Operational technology security is entering a new phase. For years, concern centered on espionage. Nation-state groups sought network diagrams, engineering data, operational knowledge, credentials, and sustained visibility into critical systems. Those activities carried significant risk, yet intelligence collection remained the primary objective.
The more pressing concern today is adversary positioning. Threat actors seek persistent access within OT environments, establishing footholds that can support future operations.
For critical infrastructure operators, this shift changes the cyber risk discussion. The issue extends beyond data theft from power grids, water facilities, pipeline operators, manufacturers, and transportation systems. A more consequential concern is whether an adversary can retain access long enough to influence or disrupt operations when geopolitical conditions align with strategic objectives.
This represents a fundamental change in risk. OT security has evolved from a specialized engineering concern into a business continuity, public safety, and national resilience priority.
The Pivot From Espionage to Pre-Positioning
The industrial cyber threat landscape was once defined by rare, high-impact incidents. Stuxnet demonstrated that malware could create physical consequences. BlackEnergy and Industroyer showed how cyber operations could affect power systems. These events were treated as exceptional. They were technically sophisticated, strategically significant, and limited in frequency.
That assumption no longer holds.
IBM reported that critical infrastructure organizations accounted for 70% of all attacks that IBM X-Force responded to in 2024, with more than one quarter of those attacks caused by vulnerability exploitation. [1]
Those figures point to a larger reality. Critical infrastructure is no longer an occasional target. It is becoming a preferred pressure point for adversaries that understand how deeply modern societies depend on continuous industrial operations.
Volt Typhoon and the Logic of Dormant Access
Volt Typhoon illustrates why the OT threat model needs to change. The concern around this actor is not only intrusion. It is pre-positioning.
In February 2024, CISA, the NSA, the FBI, and international partners warned that People’s Republic of China state-sponsored actors had compromised and maintained persistent access to U.S. critical infrastructure organizations. [3]
The advisory described activity across critical infrastructure sectors, including Communications, Energy, Transportation Systems, and Water and Wastewater Systems. [3]
That is not ordinary espionage. It suggests an access strategy designed for future leverage. In practical terms, the access itself becomes the weapon. An adversary may not need to deploy destructive malware immediately. It may simply need to understand the environment, maintain persistence, and preserve options.
CISA Director Jen Easterly warned in January 2024 that the PRC cyber threat was “not theoretical” and that CISA teams had found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. [4]
For boards and executive teams, this changes the timeline of risk. A ransomware group usually wants fast monetization. A nation-state actor may operate patiently, waiting for a geopolitical trigger. That means defenders need to detect quiet persistence, not just visible disruption.
FrostyGoop Shows What Active Disruption Looks Like
If Volt Typhoon represents the danger of pre-positioned access, FrostyGoop shows what operational disruption can look like when adversaries act.
Dragos reported that a January 2024 cyberattack affected a municipal district energy company in Ukraine that supplied central heating to more than 600 apartment buildings. [5]
Dragos also identified FrostyGoop as ICS-specific malware written in Golang that directly interacts with industrial control systems using Modbus TCP over port 502. [6]
The significance is not simply that malware was used. It is that the malware communicated through an industrial protocol widely present in OT environments. Modbus was designed for reliability and simplicity, not modern adversarial conditions. In many deployments it lacks authentication and encryption, so when monitoring is weak, legitimate industrial commands are difficult to distinguish from malicious manipulation.
This is why FrostyGoop matters beyond Ukraine. It demonstrates that attackers can use familiar industrial communications to create real-world effects. The attack path does not need to look exotic. It can use the same protocols that operators rely on every day.
IT/OT Convergence Has Become a Strategic Liability
One reason the threat is accelerating is the continued convergence of information technology and operational technology. Connectivity improves efficiency. It enables remote monitoring, predictive maintenance, centralized management, vendor support, and faster decision-making. But it also creates pathways between environments that were once separated by design.
When IT and OT systems overlap, compromise in one environment can become a stepping stone into another. A vulnerable remote access appliance, exposed firewall, weak credentials, unmanaged engineering workstation, or poorly segmented network can provide adversaries with the reach they need.
Fortinet reported that 52% of organizations placed OT security under the CISO in 2025, up from 16% in 2022. [7]
That is a positive sign, but it also reveals the unfinished work. Nearly half of organizations still do not place OT security under direct CISO ownership. In a threat environment shaped by nation-state pre-positioning and industrial disruption, fragmented governance is a material risk.
The deeper concern is governance convergence. Security, engineering, operations, procurement, risk, and executive leadership need the same operating picture of OT exposure.
Why Legacy Detection Is Not Enough
Many industrial environments were built for availability first. That priority is understandable. A plant, grid, refinery, transportation network, or water facility cannot treat downtime as a minor inconvenience. Aggressive patching, intrusive endpoint agents, and frequent scanning can create operational risk if applied without an engineering context.
However, that same availability-first posture is something adversaries can exploit. Living-off-the-land techniques, use of valid credentials, misuse of remote access, and protocol manipulation are unlikely to trigger malware-focused detection. In OT, the red flag is behavior. A command is issued at an unusual time. A controller receives an unexpected instruction. A remote session touches systems it should not reach. A trusted account begins behaving outside its normal operating pattern.
That is why OT security programs need protocol-aware monitoring, asset visibility, network segmentation, secure remote access controls, and threat intelligence mapped to industrial tactics. Visibility must extend beyond whether systems are online. It must show whether the activity is operationally legitimate.
What Leaders Should Prioritize Now
Reachability should be the first question. Critical infrastructure operators need a clear view of which OT assets can be reached through IT networks, vendor connections, remote-access tools, cloud services, or undocumented pathways. Incident investigations often reveal that actual reachability is greater than anticipated.
The second priority is segmentation. Segmentation cannot simply be relegated to policy charts. It needs to be tested, tracked, and enforced. In cases where IT-OT paths are required, access needs to be tightly controlled, logged, time-limited, and role-based.
The third priority is behavioral detection. OT defenders need baselines for normal industrial communications, including Modbus, DNP3, OPC, vendor remote access tools, engineering workstation activity, and privileged account usage. Without baseline behavior, anomalous activity remains invisible.
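The behavioral-baseline approach described above, as an added illustration that is not code from the original article or from any vendor product: it decodes the MBAP header of Modbus/TCP requests (the protocol FrostyGoop used) and checks each request against a hypothetical baseline of which hosts may talk to which controller, whether they are expected to write, and during which hours. The IP addresses, baseline and sample frames are constructed.

```python
import struct
from collections import namedtuple
from datetime import datetime

# Modbus function codes that change controller state (from the public Modbus spec).
WRITE_FUNCTIONS = {5, 6, 15, 16}

# One observed Modbus/TCP request: endpoints, observation time, MBAP unit id, function code.
ModbusRequest = namedtuple("ModbusRequest", "src dst ts unit_id function")

def parse_modbus_tcp(src: str, dst: str, ts: datetime, payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the function code of a Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("truncated Modbus/TCP frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    return ModbusRequest(src, dst, ts, unit, payload[7])

# Hypothetical baseline (constructed): which host may talk to which controller,
# whether it is expected to write, and during which local hours (end-exclusive).
BASELINE = {
    ("10.0.10.5", "10.0.20.11"): {"writes": True, "hours": (6, 18)},   # HMI, day shift
    ("10.0.10.6", "10.0.20.11"): {"writes": False, "hours": (0, 24)},  # historian, read-only
}

def evaluate(req: ModbusRequest) -> list:
    """Behavioral checks against the baseline; an empty list means 'looks normal'."""
    profile = BASELINE.get((req.src, req.dst))
    if profile is None:
        return [f"no baseline for {req.src} -> {req.dst} (function {req.function})"]
    findings = []
    if req.function in WRITE_FUNCTIONS and not profile["writes"]:
        findings.append(f"write (function {req.function}) from read-only host {req.src}")
    start, end = profile["hours"]
    if not start <= req.ts.hour < end:
        findings.append(f"request at {req.ts:%H:%M} outside baseline hours {start}-{end}")
    return findings

# Constructed sample frames: FC 6 (write single register) and FC 3 (read holding registers).
WRITE_FRAME = struct.pack(">HHHB", 1, 0, 6, 1) + bytes([6, 0, 0, 0, 1])
READ_FRAME = struct.pack(">HHHB", 2, 0, 6, 1) + bytes([3, 0, 0, 0, 10])
SAMPLE_EVENTS = [
    ("10.0.10.5", "10.0.20.11", datetime(2024, 1, 15, 10, 0), WRITE_FRAME),  # expected
    ("10.0.10.6", "10.0.20.11", datetime(2024, 1, 15, 10, 0), WRITE_FRAME),  # historian writes
    ("10.0.10.5", "10.0.20.11", datetime(2024, 1, 15, 3, 0), WRITE_FRAME),   # HMI at 03:00
    ("10.0.10.9", "10.0.20.11", datetime(2024, 1, 15, 10, 0), READ_FRAME),   # unknown host
]

def analyze(events=SAMPLE_EVENTS) -> list:
    # Parse each event and return its findings, in order (one list per event).
    return [evaluate(parse_modbus_tcp(*event)) for event in events]
```

Only the first sample event passes cleanly; the other three are exactly the quiet, protocol-legitimate deviations that signature-based tooling would miss.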
The fourth priority is geopolitical threat intelligence. Nation-state OT threats cannot be characterized by indicators of compromise alone. Leaders require intelligence that links technical operations to geopolitical goals, doctrines, sector targeting, and timing.
Finally, boards need a different risk narrative. OT security is not only about preventing cyber incidents. It is about sustaining essential operations under adversarial pressure.
Strategic Takeaway
The OT threat has moved from occasional disruption to strategic pre-positioning. That is a fundamental change.
Knowledge about how infrastructure operates is not enough for adversaries. What they now seek is the ability to interrupt that process. The distinction is important since it affects what is to be monitored, what needs to be funded, and what constitutes material risk. Critical infrastructure entities need to plan for the future based on this premise:
Future attacks will be stealthy and informed. The most dangerous activity may not be the loudest. It may be the access that persists silently until the moment of disruption becomes useful.
The real issue here is not whether OT systems will increasingly come under attack; that has already happened. The real issue is whether defensive solutions have developed fast enough to keep pace with the resolve, endurance, and strategic mindset of today’s attackers.
How Cyber Tech Intelligence Can Help
Cyber Tech Intelligence provides research-led cybersecurity insights for security leaders, technology decision-makers, and enterprise teams. Our work covers emerging threats, operational technology security, cloud risk, identity protection, Zero Trust, artificial intelligence security, third-party exposure, compliance, and cyber resilience.
We help organizations turn complex cyber developments into clear, practical guidance for better decision-making. For enterprises facing OT risk, nation-state threats, or critical infrastructure exposure, CyberTech Intelligence helps connect technical realities with business impact, operational continuity, and executive-level risk priorities.
References
1. IBM X-Force, X-Force Threat Intelligence Index 2025, 2025
2. KnowBe4, Critical Infrastructure Under Siege with Cyber Attacks Increasing 30 Percent in One Year, 2024
3. Cybersecurity and Infrastructure Security Agency, PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure, Advisory AA24-038A, 2024
4. Cybersecurity and Infrastructure Security Agency, Opening Statement by CISA Director Jen Easterly, January 31, 2024
5. Dragos, Impact of FrostyGoop ICS Malware on Connected OT Systems, 2024
6. Dragos, Protect Against FrostyGoop ICS Malware Targeting Operational Technology, 2024
7. Fortinet, 2025 State of Operational Technology and Cybersecurity Report, 2025