Authors: Derek Manky, Chief Security Strategist and Global VP of Threat Intelligence and Richard Springer, Senior Director of Product Marketing for OT Solutions, Fortinet

The operational technology (OT) environments that underpin critical infrastructure face an urgent, evolving risk landscape driven by increasingly targeted, persistent, and automated cyberthreats. Drawing on the 2025 Fortinet Global Threat Landscape Report, Manky outlined a sobering picture: OT systems are not just collateral damage; they’re becoming primary targets. Cybercriminals are using advanced persistent threats (APTs) to home in on industrial networks not just to steal data but to disrupt critical services, demand ransoms, or embed themselves for future exploitation.

OT is in the crosshairs

“Attackers are working smarter, not harder,” Manky explained. Rather than indiscriminate campaigns, threat actors are investing in reconnaissance, scanning networks at a rate of 36,000 attempts per second. They’re pinpointing vulnerable services, such as Modbus TCP—a largely unsecured network protocol widely used to communicate with industrial devices—and weaponizing that intelligence with AI-enabled tools to automate the path from intrusion to exploitation.

This shift has made OT networks especially attractive to ransomware groups. “We’re seeing a pivot from data ransom to service ransom,” said Manky. In manufacturing, now the most targeted vertical for the second consecutive year, attackers are calculating how much financial damage a halted production line will cause and incorporating that into their extortion playbooks.

Industrial organizations can’t afford downtime, and attackers know it.

OT threats: Fast, focused, and often low-tech

While the cybersecurity community often fixates on zero-day exploits, Manky warned that “living off the land” techniques—abusing legitimate tools and credentials already in place—are far more common in OT breaches.

In one case study involving a critical infrastructure target in the Middle East, attackers spent over a year conducting reconnaissance, using stolen credentials and standard Windows tools, such as scheduled tasks, to maintain stealthy access across four segmented network layers. Only after two years of undetected access did they deploy custom malware, demonstrating patience and precision.

Their point of entry? A credential purchased on the dark web for under $150.

This underscores a critical reality: The weakest links are often unpatched systems, poor password hygiene, and remote access paths with inadequate control.

AI is a double-edged sword

AI is reshaping the threat landscape. On offence, attackers are using custom AI tools like FraudGPT and WormGPT to generate phishing emails, map attack surfaces, and automate realistic social engineering campaigns.

On defence, organizations are embedding discriminative AI for detecting novel malware and GenAI for summarizing and prioritizing alerts. “GenAI isn’t a silver bullet,” Manky cautioned, “but it can elevate analysts, reduce burnout, and help reduce mean time to respond.”

In OT, where skilled personnel are often limited, AI-driven threat intelligence, when paired with domain-specific context, can significantly improve detection and response.

Turning intelligence into action

A central theme is that intelligence alone isn’t enough. To be effective, data about threats must also be actionable. Threat-informed defence models help organizations defend industrial systems, such as manufacturing lines, power grids, and refineries, by mapping their security operations to how attackers actually behave, using frameworks like MITRE ATT&CK for ICS, which catalogues known tactics and techniques used against industrial control systems.

This enables defenders to:

  • Detect attacker tactics like reconnaissance and lateral movement

  • Map known techniques to current telemetry

  • Prioritize response based on known risk to critical assets
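As an added illustration of the “map known techniques to current telemetry” step (example code written for this summary, not Fortinet’s or MITRE’s), the script below runs over a few constructed log lines and tags two behaviours the article describes, Modbus TCP reconnaissance and scheduled-task persistence, with their ATT&CK tactic names. The key=value log format, the scan threshold, the host names and the technique-ID placeholder are all assumptions.

```python
"""Added example (not Fortinet code): tag constructed OT telemetry with
ATT&CK tactic names. Log format, thresholds and the technique-ID
placeholder are assumptions for illustration only."""
from collections import defaultdict

MODBUS_PORT = 502      # Modbus TCP, the protocol the article names
SCAN_THRESHOLD = 5     # assumed: distinct Modbus targets from one source
ICS_ID_PLACEHOLDER = "TXXXX (placeholder: look up in ATT&CK for ICS)"

# Constructed sample telemetry (key=value lines); not real captures.
TELEMETRY = """\
flow src=10.0.5.7 dst=10.0.9.21 dport=502
flow src=10.0.5.7 dst=10.0.9.22 dport=502
flow src=10.0.5.7 dst=10.0.9.23 dport=502
flow src=10.0.5.7 dst=10.0.9.24 dport=502
flow src=10.0.5.7 dst=10.0.9.25 dport=502
flow src=10.0.8.3 dst=10.0.9.21 dport=502
winevent host=eng-ws01 event_id=4698 user=svc_ops task=Updater
winevent host=eng-ws01 event_id=4624 user=svc_ops
"""

def parse(line):
    """Split 'kind k=v k=v ...' into (kind, {k: v})."""
    kind, *fields = line.split()
    return kind, dict(f.split("=", 1) for f in fields)

def analyze(text):
    """Return findings as dicts: tactic, technique placeholder, detail."""
    modbus_targets = defaultdict(set)
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, f = parse(line)
        if kind == "flow" and f.get("dport") == str(MODBUS_PORT):
            modbus_targets[f["src"]].add(f["dst"])
        elif kind == "winevent" and f.get("event_id") == "4698":
            # Windows Security event 4698: a scheduled task was created.
            # The article's case study used scheduled tasks for stealthy access.
            findings.append({"tactic": "Persistence", "technique": ICS_ID_PLACEHOLDER,
                             "detail": f"{f['user']} created task {f['task']} on {f['host']}"})
    for src, dsts in modbus_targets.items():
        if len(dsts) >= SCAN_THRESHOLD:
            # One source touching many Modbus endpoints looks like reconnaissance.
            findings.append({"tactic": "Discovery", "technique": ICS_ID_PLACEHOLDER,
                             "detail": f"{src} reached {len(dsts)} Modbus hosts"})
    return findings

if __name__ == "__main__":
    for finding in analyze(TELEMETRY):
        print(finding)
```

The second flow source (10.0.8.3) touches a single device and is left alone, which is the kind of threshold decision a playbook aligned with ATT&CK for ICS has to make explicit per asset class.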

The expanding OT attack surface

Industrial modernization is compounding cyber risk. With the continued growth of industrial IoT, 5G, private cellular networks, and direct-to-cloud management models, more devices are online than ever—and they are increasingly exposed.

OT networks, once isolated, are now deeply integrated with IT systems, creating opportunities for attackers to pivot laterally between domains. And as operators continue connecting legacy OT equipment that was never designed with security in mind to IT networks and directly to the internet, compensating controls such as segmentation, multi-factor authentication (MFA), and virtual patching are no longer optional.

What organizations must do now: Three priorities

  1. Close basic security gaps

    • Enforce MFA

    • Change default credentials and manage identities

    • Conduct regular external attack surface assessments

  2. Invest in threat-informed SecOps

    • Build playbooks aligned with MITRE ATT&CK for ICS

    • Use deception technologies to detect lateral movement

    • Integrate threat intel with logging and analysis platforms

  3. Plan for the inevitable

    • Run tabletop exercises

    • Train teams to detect phishing and AI-generated threats

    • Establish incident response readiness across IT and OT teams

“OT security is no longer optional,” Manky concluded. “You don’t just need visibility—you need context, speed, and actionability. That’s the only way to stay ahead.”

Awareness to action

As threat actors become faster, stealthier, and more resourceful, defending critical OT infrastructures requires more than traditional security measures. It demands situational awareness, active threat hunting, and the operational maturity to turn intelligence into action.
