Electricity, water, transport, and manufacturing—these are the pillars of our society, powered by complex operational technology (OT) systems that most people never see. For decades, these networks operated in isolation, their security assured by physical separation and obscurity. But as digital transformation sweeps through the industrial world, the boundaries between IT and OT have blurred, exposing critical infrastructure to a new wave of cyber threats.
In 2025, attacks on OT environments have moved from theoretical to real, with adversaries targeting everything from power grids to food processing plants. The consequences are no longer limited to data loss or financial harm; they threaten public safety, economic stability, and national security. This article explores the anatomy of OT cyber attacks, the unique challenges of defending these environments, and the urgent steps required to safeguard the systems that keep New Zealand—and the world—running.
The OT Landscape: Old Tech, New Risks
What is Operational Technology?
OT encompasses the hardware and software that monitor and control physical processes—industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLCs), and more. These systems manage everything from water treatment to rail signalling, and are often decades old, designed for reliability rather than security.
The Convergence with IT
Driven by efficiency and the need for real-time data, OT networks are increasingly connected to corporate IT systems and even the public internet. This convergence brings benefits—remote monitoring, predictive maintenance, and integration with business systems—but also introduces new vulnerabilities and attack vectors.
Anatomy of an OT Cyber Attack
Step 1: Reconnaissance
Attackers begin by mapping the target environment, often using compromised IT networks as a stepping stone. They identify key assets, connections, and weak points—sometimes aided by information found in public documentation or supplier portals.
Step 2: Initial Access
Common entry points include:
- Phishing attacks targeting IT staff with access to OT networks.
- Exploiting vulnerabilities in remote access tools or third-party vendor connections.
- Leveraging misconfigured firewalls or exposed devices.
Step 3: Lateral Movement
Once inside, attackers pivot from IT to OT, bypassing poorly segmented networks. They may exploit legacy protocols, default credentials, or unpatched systems to move deeper into the environment.
Step 4: Impact
The final stage depends on the attacker’s motive:
- Disruption: Shutting down or sabotaging critical processes, causing outages or safety incidents.
- Ransom: Encrypting OT systems and demanding payment to restore operations.
- Espionage: Stealing intellectual property, operational data, or sensitive blueprints.
Case Study: Sabotage at a Water Treatment Plant
In mid-2025, a regional water utility in New Zealand experienced a targeted cyber attack. Adversaries gained access through a compromised contractor VPN, bypassing weak network segmentation to reach the SCADA system. The attackers attempted to alter chemical dosing levels, risking water quality and public health. Quick action by operations staff, who noticed unusual readings and manually intervened, prevented a disaster.
The incident prompted a nationwide review of OT security, highlighting the critical need for monitoring, segmentation, and incident response capabilities tailored to industrial environments.
The Unique Challenges of OT Security
Legacy Systems
Many OT devices run on outdated operating systems and cannot be easily patched or replaced. Security features common in IT—such as endpoint protection and regular updates—are often absent or impractical.
Availability Over Confidentiality
In OT, uptime and safety take precedence over data privacy. Security controls must be carefully balanced to avoid disrupting essential services or causing unintended consequences.
Limited Visibility
Traditional security tools may not work in OT environments, leaving blind spots in monitoring and detection. Many organisations lack real-time insight into what is happening on their industrial networks.
Supply Chain Risk
Vendors and contractors often have remote access to OT systems, creating additional pathways for attackers. A compromise anywhere in the supply chain can have cascading effects.
Defending Critical Infrastructure: Strategies for Resilience
Segmentation and Access Control
- Network Segmentation: Strictly separate IT and OT networks, using firewalls and demilitarised zones (DMZs).
- Least Privilege Access: Limit user and system permissions to only what is necessary for operations.
- Multi-Factor Authentication: Require strong authentication for all remote and privileged access.
Monitoring and Detection
- Industrial Intrusion Detection: Deploy OT-specific monitoring tools to detect anomalies and unauthorised activity.
- Continuous Logging: Collect and retain logs from OT systems for forensic analysis and real-time alerting.
- Threat Intelligence: Stay informed about emerging threats and vulnerabilities affecting industrial systems.
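As an added illustration of the "Industrial Intrusion Detection" and "Continuous Logging" points above (not code from the original article), the following Python runs two defender rules over constructed SCADA write-command log lines modelled on the dosing scenario in the case study: a write from outside the engineering subnet is flagged as a segmentation breach, and a setpoint outside its engineering-approved band is flagged regardless of source. The subnets, tag names, safe bands and log format are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample of SCADA write-command log lines (not from the article):
# timestamp, source IP, target PLC, tag, new value
SAMPLE_LOG = """\
2025-06-14T02:11:05Z 10.20.5.14 PLC-DOSE-01 CHLORINE_SETPOINT_MGL 1.8
2025-06-14T02:13:42Z 172.16.9.77 PLC-DOSE-01 CHLORINE_SETPOINT_MGL 6.5
2025-06-14T02:14:10Z 10.20.5.14 PLC-DOSE-01 PH_SETPOINT 7.4
2025-06-14T02:15:03Z 172.16.9.77 PLC-DOSE-01 CHLORINE_SETPOINT_MGL 1.9
"""

# Assumed defender policy: which subnets may write to PLCs, and the
# engineering-approved operating band for each setpoint tag.
OT_ENGINEERING_SUBNETS = [ip_network("10.20.5.0/24")]
SAFE_BANDS = {"CHLORINE_SETPOINT_MGL": (0.5, 4.0), "PH_SETPOINT": (6.5, 8.5)}

@dataclass
class Alert:
    timestamp: str
    reason: str
    source: str
    tag: str
    value: float

def check_write(line: str) -> list:
    """Return alerts for a single write-command log line."""
    ts, src, plc, tag, raw = line.split()
    value = float(raw)
    alerts = []
    # Rule 1: a write from outside the engineering subnets is a segmentation breach
    if not any(ip_address(src) in net for net in OT_ENGINEERING_SUBNETS):
        alerts.append(Alert(ts, "write from non-engineering source", src, tag, value))
    # Rule 2: a setpoint outside its engineering band is unsafe regardless of source
    band = SAFE_BANDS.get(tag)
    if band and not (band[0] <= value <= band[1]):
        alerts.append(Alert(ts, f"setpoint outside safe band {band}", src, tag, value))
    return alerts

def scan_log(text: str) -> list:
    """Run both rules over every non-empty line and return all alerts."""
    return [a for line in text.splitlines() if line.strip() for a in check_write(line)]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.timestamp} ALERT {a.reason}: {a.source} wrote {a.tag}={a.value}")
```

Rule 2 is the one that would have fired on the case study's dosing change even if the contractor VPN source looked legitimate, which is why range checks on physical setpoints belong alongside network-based rules.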
Incident Response and Recovery
- Tailored Response Plans: Develop incident response procedures specific to OT, including coordination with operations and safety teams.
- Regular Drills: Conduct tabletop exercises and simulations to test readiness for cyber-physical incidents.
- Backup and Restore: Ensure critical configurations and software can be quickly restored in the event of an attack.
Vendor and Supply Chain Management
- Assess Third Parties: Evaluate the security posture of all suppliers and contractors with access to OT systems.
- Remote Access Controls: Restrict and monitor remote connections, disabling them when not in use.
- Contractual Security Requirements: Include clear security expectations and incident notification clauses in supplier agreements.
The Human Factor: Training and Culture
- Cross-Disciplinary Training: Educate both IT and OT staff on the unique risks and responsibilities of securing industrial environments.
- Security Champions: Appoint OT security leads within operational teams to bridge the gap between IT and engineering.
- Reporting and Communication: Foster a culture where anomalies and potential incidents are reported promptly and investigated thoroughly.
Looking Ahead: The Path to Secure Critical Infrastructure
As the digital and physical worlds become ever more entwined, the security of operational technology is no longer a niche concern—it is a matter of national resilience. Defending critical infrastructure requires collaboration across government, industry, and the security community. Investment in modernisation, visibility, and workforce development is essential.
The threats are real, but so too are the opportunities. By embracing a proactive, risk-based approach to OT security, New Zealand can protect the foundations of modern life and set an example for others to follow.
Next in the Series: The forthcoming article will examine the intersection of quantum computing and cybersecurity, exploring both the risks posed by quantum attacks and the race to develop quantum-resistant defences.
This article is part of the ongoing “Cyber Chronicles” series, providing in-depth analysis of the vulnerabilities shaping the security landscape in 2025.