Cybersecurity Breakdown in Critical Infrastructures: A Strategic Security Risk to US Operational Networks


Executive Summary

This report provides an assessment of confirmed cyber activity targeting US critical infrastructure operational technology (OT) environments. It outlines current threat actor behaviour, key vulnerabilities, and specific defensive actions recommended by both government agencies and private sector specialists.

The US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and Department of Energy (DOE) have jointly warned that malicious actors are exploiting publicly exposed OT systems.

The report examines how attackers gain access, what they target, and why the industry remains vulnerable despite repeated alerts.

Key Takeaways

  1. Threat actors are exploiting exposed OT systems in US critical infrastructure using basic, low-cost methods.
  2. Poor segmentation, default credentials, and unsecured remote access remain the primary enablers of compromise.
  3. These intrusions present immediate operational and geopolitical security risks with potential for physical disruption.

Background and Context

On May 6, 2025, CISA, the FBI, the EPA, and the DOE issued a joint cybersecurity advisory urging immediate action across critical infrastructure sectors. The advisory described numerous cyberattacks targeting operational technology (OT) and industrial control systems (ICS), which exploited weaknesses in internet-connected devices lacking adequate authentication, segmentation, and monitoring. These systems include HMIs, PLCs, and other devices that control critical physical processes.

Many of these environments remain vulnerable because of poor cyber hygiene, exposure through public IP ranges, unchanged default passwords, and unvetted third-party integrations. Agencies recommended organisations disconnect operational technology (OT) assets from the internet, strictly control access, and maintain the option of manual system operation in the event of a security breach.

In April 2024, a joint exercise at CISA’s Control Environment Laboratory Resource (CELR), involving Louisiana State University and key energy stakeholders, demonstrated simulated cyberattacks on OT systems, further highlighting the gap between adversary capabilities and defender readiness.

Intelligence Assessment

Threat actors do not need sophisticated tools. They rely on simple, scalable methods to exploit OT systems that remain exposed and poorly secured. Standard search engines can reveal publicly accessible control interfaces, and default or weak credentials then grant access to control logic and system configurations. These methods are repeatable, low-cost, and effective because defenders have left the attack surface wide open.

We spoke with Nic Adams, Co-Founder and CEO of 0rcus, to examine in depth the current geopolitical and security risk arising from this cyber threat. He stressed that:

“Security teams should treat every alert as confirmation of active exploitation, not a hypothetical risk… If your control layer can be accessed without physical proximity, isolated network design, and verified authentication, it is functionally compromised.”

His position reflects current threat activity, where attackers bypass traditional detection by avoiding malware and instead operate through open interfaces and misconfiguration. Adams also warns:

“Hacktivist-branded activity is often a proxy layer because if you’ve successfully done it, you already know. Initial access is achieved through search engine indexing of exposed control devices, vendor software abuse, or credential spraying. Attribution is obfuscated by using unsophisticated methods as camouflage, while the actual objective may involve reconnaissance, repositioning, control mapping for future escalation. Claims made on public channels are frequently exaggerated, but the access itself is real. In some cases, state-aligned actors mimic low-tier intrusion patterns to operate under the radar. These operations use free tools, default passwords, open-source PLC IDEs, because the exposed infrastructure requires nothing more.”

Observed behaviour suggests a mix of opportunistic actors and more strategic, state-linked groups. The latter often pose as low-skill attackers to avoid scrutiny while conducting mapping and persistent access operations.

Analysis and Implications

The operational impact of these intrusions is immediate and significant. Attackers could alter configurations without authorisation, access critical logic controls, and even interfere with physical operations. Weak segmentation between IT and OT layers enables lateral movement, while shared credentials and default passwords remain widespread.

Organisations must:

  • Identify and remove all public-facing OT assets.
  • Implement robust password policies and remove default credentials.
  • Use phishing-resistant multi-factor authentication (MFA) to secure remote access.
  • Establish strict segmentation and unidirectional data flows.
  • Keep offline backups operational and verify manual control capabilities.
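As an added example (not code from the report, from CISA, or from 0rcus), the following Python inventory audit applies the five measures above to a constructed asset list: it flags OT devices sitting outside the organisation's internal OT/DMZ address plan, devices still on vendor default credentials, remote access without phishing-resistant MFA, OT devices placed in the corporate zone, and devices whose manual fallback has never been verified. The address ranges, field names, and asset records are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed internal address plan for the OT and DMZ zones (constructed, not a real site).
INTERNAL_OT_RANGES = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("172.16.50.0/24")]

@dataclass
class OTAsset:
    name: str
    ip: str
    role: str                      # e.g. "HMI" or "PLC"
    default_creds: bool            # vendor default password still in use
    remote_access: str             # "none", "vpn_mfa", "vpn_password" or "direct"
    zone: str                      # "ot", "dmz" or "corporate"
    manual_control_verified: bool  # manual operation tested and documented

def audit_asset(asset: OTAsset) -> list[str]:
    """Return the findings for one asset, one per recommendation in the report."""
    findings = []
    addr = ipaddress.ip_address(asset.ip)
    # 1. Public-facing: the device does not sit in any internal OT/DMZ range.
    if not any(addr in net for net in INTERNAL_OT_RANGES):
        findings.append("OUTSIDE_INTERNAL_OT_RANGES")
    # 2. Default credentials never changed.
    if asset.default_creds:
        findings.append("DEFAULT_CREDENTIALS")
    # 3. Direct or password-only remote access, i.e. no phishing-resistant MFA.
    if asset.remote_access in ("direct", "vpn_password"):
        findings.append("REMOTE_ACCESS_WITHOUT_MFA")
    # 4. An OT device living in the corporate zone means no IT/OT segmentation.
    if asset.zone == "corporate":
        findings.append("NO_IT_OT_SEGMENTATION")
    # 5. Manual fallback has not been exercised.
    if not asset.manual_control_verified:
        findings.append("MANUAL_CONTROL_UNVERIFIED")
    return findings

def audit(assets: list[OTAsset]) -> dict[str, list[str]]:
    return {a.name: audit_asset(a) for a in assets}

def prioritise(assets: list[OTAsset]) -> list[str]:
    """Asset names ordered by number of findings, worst first (stable for ties)."""
    return [a.name for a in sorted(assets, key=lambda a: -len(audit_asset(a)))]

# Constructed sample inventory; 192.0.2.44 stands in for an address outside the plan.
SAMPLE_INVENTORY = [
    OTAsset("pump-hmi-01", "192.0.2.44", "HMI", True, "direct", "corporate", False),
    OTAsset("plc-intake-02", "10.20.0.15", "PLC", False, "none", "ot", True),
    OTAsset("valve-plc-03", "10.20.0.22", "PLC", True, "vpn_password", "ot", True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

In practice the inventory would be exported from the asset register or passive network monitoring rather than typed in by hand; the ordering from prioritise gives the remediation queue.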

Nic Adams advises embedding continuous adversarial simulation within OT environments and running internal red team operations as a standard practice: “If you haven’t tested under adversarial pressure, it won’t even come close to holding.” His advice underscores the difference between current defences and real-world threats.

Reliance on third-party vendors, without validating their configurations, continues to expose critical systems. Various integrators and manufacturers leave unsafe defaults in place, creating long-term vulnerabilities that attackers exploit routinely.

Conclusion

Cyber attackers are breaching US industrial control systems (ICS) by exploiting readily available tools and widespread weaknesses, rather than employing sophisticated methods. Operator mistakes and systemic weaknesses in critical infrastructure are the root causes of these security breaches. Public and private sectors alike urge immediate action to fix these vulnerabilities.

Critical infrastructure operators must address weaknesses such as exposed OT systems, weak authentication, and misconfigured remote access. In addition, penetration testing and red teaming informed by OSINT can reduce organisational risk, since open-source intelligence shows operators what attackers can already see. This intelligence-driven approach will help build a more resilient infrastructure, capable of withstanding evolving cyber threats in the future.


Contact us at info@specialeurasia.com for further tailored reports or consulting service about the impact of cyber threats on a country’s geopolitical risk.

Written by

  • Giuliano Bifolchi

    SpecialEurasia Co-Founder & Research Manager. He has vast experience in Intelligence analysis, geopolitics, security, conflict management, and ethnic minorities. He holds a PhD in Islamic history from the University of Rome Tor Vergata, a master’s degree in Peacebuilding Management and International Relations from Pontifical University San Bonaventura, and a master’s degree in History from the University of Rome Tor Vergata. As an Intelligence analyst and political risk advisor, he has organised working visits and official missions in the Middle East, North Africa, Latin America, and the post-Soviet space and has supported the decision-making process of private and public institutions writing reports and risk assessments. Previously, he founded and directed ASRIE Analytica. He has written several academic papers on geopolitics, conflicts, and jihadist propaganda. He is the author of the books Geopolitical del Caucaso russo. Gli interessi del Cremlino e degli attori stranieri nelle dinamiche locali nordcaucasiche (Sandro Teti Editore 2020) and Storia del Caucaso del Nord tra presenza russa, Islam e terrorismo (Anteo Edizioni 2022). He was also the co-author of the book Conflitto in Ucraina: rischio geopolitico, propaganda jihadista e minaccia per l’Europa (Enigma Edizioni). He speaks Italian, English, Russian, Spanish and Arabic.

