Every documented OT breach in the past five years started at the same place: an internet-facing asset that operators believed was protected. Pro-Russia hacktivists brute-forced VNC connections on port 5900. Volt Typhoon exploited an unpatched FortiGate firewall. Ransomware affiliates authenticated through VPN portals using credentials from an infostealer. In each case, the perimeter control either permitted the connection or was itself the vulnerability. In 2025, 119 ransomware groups hit 3,300 industrial organizations, a 49 percent increase year-over-year, with an industry-wide average dwell time of 42 days before detection. Adversaries are no longer probing. They are mapping control loops, extracting alarm configurations, and identifying the conditions that trigger process shutdowns. This article examines the documented attack paths, the assets they reach, and why the architecture that was supposed to stop them keeps failing to do so.
Two Categories of Adversary, One Shared Attack Surface
Opportunistic attackers: simple tools, real operational consequences
Critical infrastructure operators face two categories of adversary whose methods diverge sharply. Their entry points do not.
Pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities compared to advanced persistent threat groups, using minimally secured, internet-facing VNC connections to infiltrate or gain access to OT control devices. Groups including Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16 are exploiting the widespread availability of accessible VNC devices, resulting in varying degrees of impact including physical damage. Their methodology is not complex: scan port 5900 with Nmap, brute-force default or weak credentials, then manipulate GUIs to alter parameters, disable alarms, or rename devices. As recently as April 2025, CISA documented these TTPs being used against Water and Wastewater, Food and Agriculture, and Energy sectors.
These actors do not need zero-days. They need an open port and a weak password, both of which remain widely available across global industrial infrastructure. The operational impact is real regardless: loss of visibility into a process forces manual intervention, and manual intervention in a continuous process environment carries direct safety risk.
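The methodology described above leaves a plain footprint in perimeter logs: repeated connections to TCP/5900 on control-system addresses, often from a single external source. The following script is an added example written for this article, not code from CISA, Dragos or any vendor; it reads constructed syslog-style `key=value` lines from a hypothetical firewall (`fw01`), reports any external host that was allowed to reach a control-network VNC port at all, and flags sources that open five or more connections to the same target inside a one-minute window. The log format, address ranges and thresholds are assumptions to adapt to the real environment.

```python
"""Flag VNC exposure and brute-force bursts in perimeter connection logs.

Added example for this article, not vendor or CISA code. The log format is a
constructed syslog-style key=value line from a hypothetical firewall ("fw01");
adapt LINE_RE to the real product's format. Address ranges are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed format: <timestamp> <host> action=<allow|deny> src=<ip> dst=<ip> dport=<n> proto=tcp
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ action=(?P<action>allow|deny) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=tcp$"
)

VNC_PORT = 5900
OT_NETS = [ip_network("10.20.0.0/16")]        # constructed: control-system address space
INTERNAL_NETS = [ip_network("10.0.0.0/8")]    # constructed: anything else is treated as external
BURST_THRESHOLD = 5                            # connections per (src, dst) pair ...
BURST_WINDOW = timedelta(seconds=60)           # ... within this sliding window

# Constructed sample: one external host hammering a 10.20.x HMI on 5900, one external
# host with a single allowed connection, one internal client, and unrelated noise.
SAMPLE_LOG = """\
2025-04-02T03:10:01Z fw01 action=allow src=198.51.100.7 dst=10.20.0.15 dport=5900 proto=tcp
2025-04-02T03:10:03Z fw01 action=allow src=198.51.100.7 dst=10.20.0.15 dport=5900 proto=tcp
2025-04-02T03:10:04Z fw01 action=allow src=10.1.1.5 dst=10.20.0.15 dport=5900 proto=tcp
2025-04-02T03:10:05Z fw01 action=allow src=198.51.100.7 dst=10.20.0.15 dport=5900 proto=tcp
2025-04-02T03:10:06Z fw01 action=allow src=203.0.113.9 dst=10.20.0.15 dport=5900 proto=tcp
2025-04-02T03:10:07Z fw01 action=allow src=203.0.113.9 dst=10.1.2.3 dport=443 proto=tcp
2025-04-02T03:10:08Z fw01 action=allow src=198.51.100.7 dst=10.20.0.15 dport=5900 proto=tcp
2025-04-02T03:10:12Z fw01 action=allow src=198.51.100.7 dst=10.20.0.15 dport=5900 proto=tcp
2025-04-02T03:10:15Z fw01 action=allow src=198.51.100.7 dst=10.20.0.15 dport=5900 proto=tcp
2025-04-02T03:10:20Z fw01 action=deny src=192.0.2.4 dst=10.20.0.15 dport=5900 proto=tcp
"""


def in_any(addr, nets):
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def parse(lines):
    """Yield one event dict per well-formed log line; silently skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        }


def analyze(lines):
    """Return exposed external->OT VNC pairs and per-pair connection bursts."""
    exposed = set()
    bursts = []
    windows = defaultdict(deque)   # (src, dst) -> timestamps inside the current window
    reported = set()
    for ev in parse(lines):
        if ev["dport"] != VNC_PORT or not in_any(ev["dst"], OT_NETS):
            continue
        key = (ev["src"], ev["dst"])
        # Exposure finding: an external source was *allowed* to reach VNC on an OT host.
        if ev["action"] == "allow" and not in_any(ev["src"], INTERNAL_NETS):
            exposed.add(key)
        # Burst finding: many attempts (allowed or denied) to one target inside the window.
        q = windows[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) >= BURST_THRESHOLD and key not in reported:
            reported.add(key)
            bursts.append({"src": key[0], "dst": key[1], "count": len(q),
                           "first": q[0], "last": ev["ts"]})
    return {"exposed_pairs": sorted(exposed), "bursts": bursts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for src, dst in result["exposed_pairs"]:
        print(f"EXPOSURE: external {src} reached VNC on OT host {dst}")
    for b in result["bursts"]:
        print(f"BURST: {b['src']} -> {b['dst']}:{VNC_PORT} {b['count']} connections "
              f"between {b['first']:%H:%M:%S} and {b['last']:%H:%M:%S}")
```

The exposure finding is the one that matters most: a single allowed external connection to a control-network VNC port is a configuration problem whether or not a brute-force burst ever follows it.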
State-sponsored actors: patient, precise, and already inside
At the other end of the spectrum, Volt Typhoon represents a threat that no patch cycle can address reliably. U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable disruption of OT functions across multiple critical infrastructure sectors. Their initial access method is the perimeter control itself. In one confirmed intrusion, the attackers exploited CVE-2022-42475 in a FortiGate 300D firewall that had not been patched. The same campaign has leveraged zero-days in Ivanti Connect Secure VPN appliances and Cisco edge devices.
Volt Typhoon relies almost exclusively on living-off-the-land techniques, routing traffic through compromised SOHO routers and firewalls to blend into normal network activity. The strategic intent is explicit: pre-positioned access for disruptive effects in the event of geopolitical conflict. In other words, the infrastructure is already breached in some environments. The disruption is on hold.
The convergence: access brokers, APTs, and hacktivists as coordinated ecosystem
The Dragos 2026 Year in Review confirms that these two categories of actor no longer operate independently. SYLVANITE, a newly identified Dragos threat group, operates as an access broker: rapidly exploiting vulnerabilities in internet-facing systems including Ivanti, F5, SAP, and ConnectWise, then handing established footholds to VOLTZITE for deeper OT intrusions. A hacktivist group creates noise at the perimeter. A state-aligned actor uses the window to move further in. The analyst team responds to what appears to be an opportunistic attack. VOLTZITE has already reached Level 2.
What Happens Once They Are Inside
The entry point: remote access, valid credentials, and trusted connections
Ransomware affiliates in 2025 consistently used valid credentials, commodity infostealers, or initial access broker-provided access to authenticate into VPN portals, firewall interfaces, or vendor tunnels before pivoting into OT boundary networks. Once inside, they leveraged RDP, SMB/PsExec, WinRM, WMI, and SSH to move laterally toward VMware ESXi hypervisors and OT-support servers hosting SCADA, HMI, historian, and engineering workloads.
The firewall permitted the initial connection because the connection was, technically, legitimate. This is the structural gap that credential-based attacks exploit: the perimeter control validates the protocol, not the intent.
The targets: historians, HMIs, and engineering workstations
Once inside, adversaries move toward the systems that give them operational leverage or physical effect capability. Data historians sit at Purdue Level 3, exchanging data with enterprise IT systems, placing them at the high-risk junction between IT and OT networks. A recurring issue documented by Dragos is the systematic misclassification of ransomware events as IT-only incidents: engineering workstations and HMI systems running Windows are treated as standard endpoints, even when they support SCADA or other operational workloads. The operational disruption came through those boundary systems, and it was only after the fact that organizations understood the OT scope of what had occurred.
This misclassification has a direct consequence: systematic under-reporting of OT impact and under-investment in protecting the assets that matter most to operational continuity.
The dwell time problem: 42 days of undetected access
Industry-wide, the average dwell time for ransomware in OT environments was 42 days in 2025. Organizations with comprehensive OT visibility detected and contained incidents in an average of 5 days, against that 42-day industry average. Forty-two days is enough time for an adversary to map an entire control loop, identify the conditions that trigger shutdowns, and stage a destructive capability. KAMACITE demonstrated exactly this in 2025, manipulating engineering workstation software to extract configuration files and alarm data, specifically investigating what conditions would trigger process shutdowns.
The absence of immediate disruption is not a sign of safety. In many cases, the intrusion is complete and the disruption is deferred.
ICS malware: FrostyGoop and the physical dimension
The FrostyGoop incident in January 2024 establishes the physical stakes clearly. Attackers gained access to a municipal district heating company in Ukraine in April 2023 via an undetermined vulnerability in an externally facing router. Because of a lack of network segmentation, they moved laterally to management servers and then to the heating system controllers. Remediation took almost two days, during which 600 apartment buildings had no central heating in sub-zero temperatures. FrostyGoop is the first reported ICS malware to successfully abuse ModbusTCP for control system manipulation and achieve real-world physical impact. The attackers did not use an advanced exploit to reach those controllers. They used the absence of segmentation.
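Modbus/TCP carries no authentication, so the only place to notice a controller being written to is on the wire. The script below is an added example for this article, not Dragos or Cyberium code and not derived from the FrostyGoop sample: it parses the public Modbus/TCP framing (a 7-byte MBAP header followed by the PDU) and raises an alert when a write function code arrives from a host outside an engineering allowlist, or when a frame is malformed. The allowlist, host addresses and captured frames are constructed for the example.

```python
"""Audit Modbus/TCP requests for write operations from unexpected hosts.

Added example for this article; not Dragos or Cyberium code and not derived
from the FrostyGoop sample. Sample frames and addresses are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes; the write set is what an auditor watches most closely.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: Optional[int]   # first data field of every standard read/write request
    data: bytes


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request; raise ValueError on framing errors."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    # MBAP header: transaction id (2), protocol id (2, always 0), length (2), unit id (1)
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # 'length' counts every byte after the length field: unit id plus the PDU
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match payload {len(frame) - 6}")
    fc = frame[7]
    data = frame[8:]
    start = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    return ModbusRequest(tid, unit, fc, start, data)


def audit(observations, allowed_writers):
    """observations: iterable of (src_ip, dst_ip, frame). Returns a list of alerts."""
    alerts = []
    for src, dst, frame in observations:
        try:
            req = parse_request(frame)
        except ValueError as err:
            alerts.append({"severity": "medium", "src": src, "dst": dst,
                           "reason": f"malformed Modbus/TCP frame: {err}"})
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append({"severity": "high", "src": src, "dst": dst,
                           "reason": (f"{WRITE_FUNCTIONS[req.function]} (0x{req.function:02X}) "
                                      f"to unit {req.unit_id} address {req.start_address} "
                                      f"from host outside the engineering allowlist")})
    return alerts


ALLOWED_WRITERS = {"10.20.1.20"}   # constructed: the engineering workstation

# Constructed capture: (src, dst, frame). 10.20.9.1 plays the heating controller.
SAMPLE_OBSERVATIONS = [
    # HMI polling ten holding registers: normal
    ("10.20.1.10", "10.20.9.1", bytes.fromhex("00010000000601030000000a")),
    # Engineering workstation writing register 16: allowed
    ("10.20.1.20", "10.20.9.1", bytes.fromhex("000200000006010600100064")),
    # Management server writing register 16: not an allowed writer
    ("10.20.5.3", "10.20.9.1", bytes.fromhex("000300000006010600100000")),
    # Management server writing two registers from address 32
    ("10.20.5.3", "10.20.9.1", bytes.fromhex("00040000000b0110002000020400000000")),
    # Truncated frame: length field says 6 bytes follow, only 4 do
    ("10.20.5.3", "10.20.9.1", bytes.fromhex("00050000000601030000")),
]

if __name__ == "__main__":
    for a in audit(SAMPLE_OBSERVATIONS, ALLOWED_WRITERS):
        print(f"[{a['severity'].upper()}] {a['src']} -> {a['dst']}: {a['reason']}")
```

The constructed case mirrors the incident narrative: the writes come from a management server that a segmented design would never have placed on the same network as the controllers. Reads are deliberately not alerted here; on a real network the HMI and historian poll constantly and the signal is in who writes.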
Why Perimeter Firewalls Cannot Solve This Problem
Against opportunistic attackers: the firewall is irrelevant
Hacktivists exploit remote access channels that organizations have deliberately opened: VNC, VPN, RDP, with legitimate credentials obtained through brute force or default passwords. The firewall permits the connection because the connection is technically valid. The attack does not bypass the perimeter. It walks through it.
Against state-sponsored actors: the firewall is the target
Volt Typhoon’s documented campaign has exploited zero-day and n-day vulnerabilities in FortiGate firewalls, Ivanti VPN appliances, and Cisco routers. Their preferred entry points are unpatched VPN appliances and firewalls, software-driven systems often built and maintained by third-party vendors and deployed at the edge of critical networks. When the security control is itself the vulnerability, patching is a race that defenders are structurally positioned to lose. A new CVE is disclosed before the previous one is mitigated across the installed base. This is not a resource problem. It is an architectural one.
The pattern across both scenarios
In 2025, the most common cause of network compromise was remote-access portals and virtualization services, including VPN portals, firewall interfaces, and vendor tunnels. Attackers often used legitimate login credentials to avoid detection. The structural weakness is consistent across both threat categories: a software-enforced perimeter boundary, reachable from the internet, relying on credentials and patch currency to hold the line. Neither holds reliably against adversaries who have months to probe and the patience to wait.
The Architectural Response: Hardware-Enforced Segmentation
What hardware enforcement changes
A hardware data diode enforces physics, not policy. There is no firmware to exploit, no credentials to compromise, no bidirectional session to hijack. Data flows in one direction because that is all the hardware can physically do. An adversary with valid VPN credentials and a known firewall CVE has no equivalent attack against a one-way hardware boundary. The attack path that worked in every documented incident above does not exist.
This is not a proprietary position. IEC 62443-3-3 recognizes unidirectional security gateways as a compliant control for zone separation at the highest security levels. NIST SP 800-82 and ANSSI’s industrial security guidance both reference hardware data diodes for environments where bidirectional IT-to-OT access is operationally unjustifiable.
Matching the architecture to the operational model
For continuous process environments (oil and gas, electricity generation, water treatment, district heating, chemical and fertilizer manufacturing), operational data flows outward for monitoring and reporting. A strict one-way data diode at the OT DMZ boundary makes the OT network physically unreachable from the IT side. Historian replication, alarm forwarding, and telemetry export all cross the hardware boundary outbound. Nothing returns.
For discrete manufacturing environments where some bidirectional exchange is operationally necessary (production orders, firmware updates, configuration pushes), a 1.5-way architecture using paired unidirectional gateways, one in each direction, provides the required flexibility without creating a persistent bidirectional channel. Transfers are asynchronous and hardware-enforced. The continuous session that lateral movement requires does not exist.
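The two architectures above reduce to a small set of rules over a site's zone-and-conduit inventory, and checking a flow list against them is a useful design review step. The script below is an added example for this article, not Cyberium code: it encodes a strict one-way boundary and a 1.5-way boundary as rules and reports which flows in a constructed inventory the hardware would physically refuse to carry. Zone names, the flow list and the `interactive` attribute are assumptions for the example.

```python
"""Check a zone/conduit flow inventory against a hardware-enforced OT boundary.

Added example for this article, not Cyberium code. Zone names and the flow
inventory are constructed; the two modes follow the architectures the text
describes: a strict one-way diode and a 1.5-way pair of unidirectional gateways.
"""
from dataclasses import dataclass

# Zones from least to most protected; the hardware boundary sits in front of PROTECTED.
ZONES = ("enterprise", "ot_dmz", "ot")
PROTECTED = "ot"


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    protocol: str
    interactive: bool   # True for session-based protocols (RDP, SSH, VNC, SMB, ...)


def crosses_boundary(flow: Flow) -> bool:
    """A flow crosses the enforced boundary if exactly one end is in the protected zone."""
    for zone in (flow.src, flow.dst):
        if zone not in ZONES:
            raise ValueError(f"unknown zone {zone!r}")
    return (flow.src == PROTECTED) != (flow.dst == PROTECTED)


def violations(flows, mode):
    """Return {flow name: reason} for every flow the chosen boundary cannot carry.

    mode "one_way":         only flows originating in the protected zone (outbound).
    mode "one_and_a_half":  outbound as above; inbound only as asynchronous,
                            non-interactive transfers through the second gateway.
    """
    if mode not in ("one_way", "one_and_a_half"):
        raise ValueError(f"unknown mode {mode!r}")
    result = {}
    for flow in flows:
        if not crosses_boundary(flow):
            continue                      # intra-zone or IT-side only: not this boundary's concern
        if flow.src == PROTECTED:
            continue                      # outbound: both architectures carry it
        if mode == "one_way":
            result[flow.name] = "inbound flow: a strict one-way boundary has no inbound path"
        elif flow.interactive:
            result[flow.name] = ("inbound interactive session: paired gateways carry only "
                                 "asynchronous transfers, never a live session")
    return result


# Constructed inventory for a hypothetical site.
SAMPLE_FLOWS = [
    Flow("historian-replication", "ot", "ot_dmz", "historian replication", False),
    Flow("alarm-forwarding", "ot", "ot_dmz", "alarm/event export", False),
    Flow("telemetry-export", "ot", "enterprise", "telemetry", False),
    Flow("erp-to-mes", "enterprise", "ot_dmz", "ERP/MES messaging", True),
    Flow("production-orders", "enterprise", "ot", "order file drop", False),
    Flow("firmware-update", "ot_dmz", "ot", "signed firmware file", False),
    Flow("remote-engineering-rdp", "enterprise", "ot", "RDP", True),
]

if __name__ == "__main__":
    for mode in ("one_way", "one_and_a_half"):
        print(f"== {mode} ==")
        for name, reason in violations(SAMPLE_FLOWS, mode).items():
            print(f"  {name}: {reason}")
```

Run against the constructed inventory, the strict one-way mode rejects every inbound flow, including the order and firmware file drops, which is why the text pairs that architecture with continuous-process sites; the 1.5-way mode admits those file transfers and still rejects the one flow that every incident in this article depended on, an interactive inbound session into the control network.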
The business case in plain terms
The documented cost of a multi-week production shutdown, liability for physical damage to third-party infrastructure, and reputational exposure from a publicly attributed breach against critical systems each exceed the capital cost of hardware segmentation. The Dragos data puts the operational consequence in concrete terms: 42 days average dwell time, multi-day OT outages requiring specialized recovery, and adversaries who already understand how to trigger process shutdowns. A one-time investment in hardware-enforced segmentation against weeks of production downtime is not a difficult calculation.
Conclusion
The 2025 OT threat landscape is not a collection of isolated incidents. It is a documented pattern: adversaries succeeded because the same structural weaknesses remained widespread across industrial environments: gaps in visibility, overexposed infrastructure, weak segmentation, and implicit trust, each providing a reliable path to impact. Hardware-enforced data diodes address the structural weakness directly. They do not reduce the skill of an attacker. They eliminate the attack path. In an environment where adversaries have demonstrated the patience to maintain access for months before triggering disruption, eliminating the path is the only reliable strategy.
Learn more about Cyberium unidirectional gateways and cross-domain architectures designed for OT segmentation and secure data transfer.