Myth-busting critical infrastructure cybersecurity: 10 misconceptions holding teams back
Myths vs. realities, backed by recent evidence and practitioner experience. Focus on attack paths, detection/response, and how to harden real-world systems.
Cyberattacks on critical infrastructure surged 67% in 2024 compared to 2023, according to Dragos's annual industrial control system (ICS) threat assessment. Yet despite this escalation, the response from infrastructure operators often reflects mythology rather than evidence. A survey by the SANS Institute found that 58% of operational technology (OT) security budgets in 2024 addressed threats that represented less than 15% of actual attack volume, while high-frequency attack vectors remained under-resourced.
For policy and compliance professionals in Asia-Pacific—a region experiencing the fastest growth in both infrastructure digitalization and cyber threats—distinguishing evidence-based security from security theater is essential. The misconceptions that dominate boardroom discussions and compliance frameworks often create expensive false confidence while leaving genuine vulnerabilities unaddressed.
Why It Matters
Critical infrastructure—energy grids, water treatment, transportation networks, healthcare systems—forms the backbone of modern society. The convergence of operational technology with information technology has created attack surfaces that didn't exist a decade ago. Legacy industrial systems designed for isolated operation now connect to enterprise networks, cloud services, and supply chain management platforms.
The Asia-Pacific region faces particular exposure. Rapid infrastructure development has deployed modern, connected systems at unprecedented scale. China's smart grid investment reached $82 billion in 2024; India's digital infrastructure push connected 15,000 additional substations to centralized management; Southeast Asian nations are modernizing water and transportation systems with IoT integration. Each connection creates potential vulnerability.
Meanwhile, threat actors have industrialized. The Mandiant 2024 threat report documented 12 distinct nation-state groups actively targeting Asia-Pacific infrastructure, alongside criminal ransomware operations increasingly willing to attack hospitals, utilities, and transportation. The Colonial Pipeline attack in the US demonstrated that infrastructure attacks generate policy response; the 2024 attack on Port of Nagoya showed that critical logistics nodes remain vulnerable despite awareness.
Key Concepts
Myth 1: Air Gaps Protect Industrial Control Systems
The Myth: Operational technology networks isolated from the internet and corporate IT are safe from cyber threats.
The Reality: True air gaps are rare and becoming rarer. The Claroty 2024 survey of 500 industrial facilities found that 89% had at least one connection between IT and OT networks, and 71% had direct or indirect internet connectivity for remote monitoring, vendor support, or cloud analytics. Even facilities believing themselves air-gapped often have undocumented connections.
Moreover, air gaps don't prevent all attack vectors. Stuxnet demonstrated that removable media can bridge physical isolation. Insider threats operate regardless of network architecture. Supply chain compromises—malicious code in vendor-provided software updates—affect systems regardless of isolation.
Myth 2: Compliance Equals Security
The Myth: Meeting regulatory requirements (NIST CSF, IEC 62443, NERC CIP, AESCSF) ensures adequate protection against cyber threats.
The Reality: Compliance frameworks establish minimum baselines that sophisticated attackers study and circumvent. The CISA advisory on Volt Typhoon (2024) documented that Chinese state actors specifically targeted the gaps between compliance requirements and actual security, exploiting legitimate tools and living-off-the-land techniques that compliance audits don't detect.
Compliance is necessary but insufficient. The 2024 Verizon Data Breach Investigations Report found that 83% of breached organizations had passed their most recent compliance audit. Compliance measures what's documented; security addresses what's vulnerable. Effective programs use compliance as a floor, not a ceiling.
Myth 3: Attackers Target Obvious Vulnerabilities
The Myth: Critical infrastructure attacks exploit unpatched systems, weak passwords, and known vulnerabilities.
The Reality: While opportunistic attackers use automated scanning for known vulnerabilities, sophisticated infrastructure-focused threats increasingly exploit zero-day vulnerabilities, supply chain compromises, and legitimate access credentials. The Dragos 2024 report documented that 67% of targeted infrastructure attacks used valid credentials obtained through phishing, credential stuffing, or third-party compromise.
The practical implication: patching and password policies, while essential, address only part of the threat surface. Detection capabilities must assume that perimeter defenses will be breached and focus on identifying anomalous behavior within networks, not just blocking known-bad signatures.
Myth 4: OT Security Requires OT-Specific Solutions
The Myth: Industrial control systems need specialized security tools that understand OT protocols; IT security tools are irrelevant or dangerous.
The Reality: The boundary between IT and OT security is artificial and increasingly unhelpful. Modern OT environments run standard operating systems (Windows, Linux), use TCP/IP networking, and face threats that don't distinguish between IT and OT contexts. Endpoint detection and response (EDR), network monitoring, and identity management solutions designed for enterprise environments are often applicable to OT with appropriate configuration.
What OT environments do require is understanding of operational constraints: availability requirements that preclude aggressive active scanning, safety systems that must fail predictably, and legacy equipment that can't support modern agents. These constraints require IT security tools to be adapted, not replaced.
Myth 5: Security Is an IT Department Responsibility
The Myth: Cybersecurity belongs to the IT security team, with operations providing access when needed.
The Reality: Effective OT security requires collaboration between IT security (understanding threats, tools, and techniques), OT operations (understanding systems, processes, and criticality), and engineering (understanding safety implications and design intent). Organizations that assign security responsibility to IT alone consistently underperform.
The 2024 Gartner survey of industrial cybersecurity found that organizations with integrated IT-OT security teams achieved 43% faster incident detection and 62% faster response compared to organizations with separate teams. Integration enables threat detection tuned to operational context and response procedures that preserve safety.
Critical Infrastructure Cybersecurity KPIs
| Metric | Insufficient | Developing | Proficient | Advanced |
|---|---|---|---|---|
| Mean time to detect (MTTD) | >90 days | 30-90 days | 7-30 days | <7 days |
| Mean time to respond (MTTR) | >72 hours | 24-72 hours | 4-24 hours | <4 hours |
| OT asset visibility | <60% | 60-80% | 80-95% | >95% |
| Network segmentation maturity | Flat network | Basic zones | Defined segments | Zero trust |
| SBOM coverage | None | Partial | Comprehensive | Verified |
| Incident response testing | Never | Annual | Quarterly | Continuous |
| Third-party risk assessment | Ad hoc | On onboarding | Periodic | Continuous |
What's Working
Continuous Asset Discovery
Singapore's Cyber Security Agency (CSA) mandated continuous OT asset discovery for critical infrastructure operators in 2024, requiring automated identification of all connected devices rather than reliance on manual inventories. Early results show that operators discovered an average of 34% more connected devices than previously documented, with discovered devices including both legitimate but undocumented connections and unauthorized equipment.
Continuous discovery works because it acknowledges that OT environments change faster than documentation. Vendor technicians connect service laptops; engineering projects add monitoring equipment; shadow IT proliferates. Point-in-time assessments miss this evolution; continuous discovery catches it.
Network Detection and Response (NDR) for OT
Deployment of network-based detection in OT environments—monitoring traffic patterns, protocol anomalies, and behavioral deviations—has proven more effective than signature-based detection for sophisticated threats. Australian Water Corporation's 2024 implementation detected two targeted intrusion attempts that endpoint protection missed, both involving legitimate credentials and standard tools.
NDR works in OT because it doesn't require agents on legacy devices, operates passively without affecting operations, and focuses on behavior rather than signatures. The approach is particularly effective for detecting reconnaissance and lateral movement phases of attacks.
Supply Chain Security Through SBOMs
Taiwan's semiconductor industry adopted mandatory Software Bill of Materials (SBOM) requirements for industrial control system vendors in 2024, extending the US Executive Order 14028 approach to critical manufacturing supply chains. The SBOM requirement enables rapid vulnerability assessment when new CVEs are published—TSMC reported reducing vulnerability assessment time from 14 days to 6 hours for systems with complete SBOMs.
SBOMs work because they shift vulnerability identification from reactive (waiting for vendor notification) to proactive (organizations can assess their own exposure). The transparency also creates accountability pressure on vendors to maintain component hygiene.
What's Not Working
Perimeter-Focused Investment
Despite evidence that perimeter breaches are routine, infrastructure operators continue to allocate disproportionate resources to firewalls and access controls while under-investing in detection, response, and resilience capabilities. The 2024 ICS-CERT analysis found that 68% of successful attacks involved valid credentials or trusted connections—vectors that perimeter defenses by design allow.
Checkbox Vulnerability Management
Many infrastructure operators maintain vulnerability management programs that focus on counting patches rather than reducing risk. High-CVSS vulnerabilities receive attention regardless of exploitability or exposure; low-CVSS vulnerabilities with public exploits are deprioritized. The disconnect between vulnerability management metrics and actual security outcomes wastes resources while leaving exploitable vulnerabilities unaddressed.
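The two halves of this argument, SBOM-driven exposure assessment (from the Supply Chain Security section above) and risk-based rather than CVSS-only prioritization (this section), as one added example. It is not code from the page or from TSMC or any vendor; the SBOM fragment, the advisories (placeholder IDs, not real CVEs), and the exposure data are all constructed.

```python
"""SBOM-driven vulnerability assessment with risk-based prioritization.
Added example, not from the page or any vendor; the SBOM fragment, advisories
(placeholder IDs, not real CVEs) and exposure data are all constructed."""

def vparse(version):
    """'3.1.6' -> (3, 1, 6) so that versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))

# Constructed SBOM fragment: (asset, component, version).
SBOM = [
    ("plc-gateway-01", "libmodbus", "3.1.6"),
    ("plc-gateway-01", "openssl", "3.0.7"),
    ("hmi-station-02", "zlib", "1.2.11"),
    ("hmi-station-02", "libmodbus", "3.1.7"),   # already at the fixed version
]

# Constructed advisories: affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "component": "libmodbus", "introduced": "3.0.0",
     "fixed": "3.1.7", "cvss": 9.8, "exploited_in_wild": False},
    {"id": "EXAMPLE-ADV-2", "component": "openssl", "introduced": "3.0.0",
     "fixed": "3.0.8", "cvss": 5.3, "exploited_in_wild": True},
    {"id": "EXAMPLE-ADV-3", "component": "zlib", "introduced": "1.0.0",
     "fixed": "1.2.12", "cvss": 7.5, "exploited_in_wild": False},
]

# Constructed exposure data from the asset inventory.
EXPOSURE = {"plc-gateway-01": "it-reachable", "hmi-station-02": "ot-only"}

def match_sbom(sbom, advisories):
    """Return one finding per SBOM entry whose version falls in an affected range."""
    findings = []
    for asset, comp, ver in sbom:
        for adv in advisories:
            if adv["component"] != comp:
                continue
            if vparse(adv["introduced"]) <= vparse(ver) < vparse(adv["fixed"]):
                findings.append({"asset": asset, "version": ver, **adv})
    return findings

def by_cvss_only(findings):
    """The checkbox ordering: highest CVSS first, regardless of exploit or exposure."""
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)

def by_risk(findings, exposure):
    """Known exploitation first, then reachability from IT, then CVSS as a tiebreaker."""
    def key(f):
        reachable = exposure.get(f["asset"]) == "it-reachable"
        return (f["exploited_in_wild"], reachable, f["cvss"])
    return sorted(findings, key=key, reverse=True)

if __name__ == "__main__":
    for f in by_risk(match_sbom(SBOM, ADVISORIES), EXPOSURE):
        print(f["asset"], f["id"], f["cvss"], f["exploited_in_wild"])
```

With these inputs the CVSS-only queue puts the 9.8 finding first and the actively exploited 5.3 finding last; the risk ordering reverses that, which is exactly the disconnect the paragraph describes.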
Siloed Incident Response
Organizations frequently maintain separate incident response plans for IT and OT environments, with unclear handoffs and incompatible procedures. When attacks span both environments—the common pattern—response coordination fails. The 2024 Port of Nagoya incident review identified IT-OT coordination gaps as a primary factor in delayed recovery.
Key Players
Established Leaders
- Claroty — Industrial cybersecurity platform with deep OT protocol visibility
- Dragos — ICS threat intelligence and detection platform focused on industrial environments
- Nozomi Networks — OT and IoT security monitoring with strong Asia-Pacific presence
- Fortinet — Network security vendor with dedicated OT security product line
Emerging Startups
- Armis — Agentless device security platform for IT and OT environments
- Xage Security — Zero-trust security fabric for industrial and operational environments
- Mission Secure — OT cybersecurity focused on process industries and utilities
- SCADAfence — Industrial cybersecurity with strong detection capabilities
Key Investors & Funders
- Temasek Holdings — Singapore sovereign wealth fund with infrastructure security investments
- SoftBank Vision Fund — Backing industrial cybersecurity platforms
- Andreessen Horowitz — Growth investments in enterprise security including OT focus
Examples
1. Singapore Power Grid Cybersecurity Program: Following the 2018 SingHealth breach, Singapore's energy sector implemented a comprehensive OT security program completed in 2024. The program deployed network detection across all substations, established a dedicated OT security operations center, and created an information-sharing framework with regional peers. Reported incidents dropped 78% between 2022 and 2024, though practitioners acknowledge this may reflect improved detection rather than fewer attacks. Key success factor: treating cybersecurity as operational safety rather than IT compliance.
2. Japan Railway Companies Consortium: JR East, JR West, and JR Central formed a cybersecurity consortium in 2023, sharing threat intelligence and coordinating response capabilities for rail infrastructure. The collaboration enabled rapid assessment and mitigation of the 2024 ransomware attack on European rail systems—Japanese operators had implemented preventive controls within 48 hours of threat intelligence sharing. The consortium model works because individual companies lack visibility into threats across the broader rail ecosystem.
3. Australian Water Sector Security Uplift: The Australian Cyber Security Centre led a coordinated security improvement program for water utilities in 2023-2024, providing threat intelligence, assessment tools, and implementation support. Participating utilities improved mean detection time from 127 days to 23 days—still concerning, but dramatically improved. The government-supported approach works because small utilities lack resources for independent security programs; coordinated investment achieves economies of scale.
Action Checklist
- Implement continuous OT asset discovery to identify all connected devices
- Deploy network detection and response capabilities in OT environments
- Establish integrated IT-OT security operations with shared visibility
- Require SBOMs from all industrial control system vendors
- Test incident response procedures across IT-OT boundaries quarterly
- Assess third-party access and remote maintenance security
- Develop detection use cases for living-off-the-land techniques
- Participate in sector-specific information sharing communities
FAQ
Q: How do we secure legacy OT systems that can't support modern security controls?
A: Compensating controls are essential: network segmentation to limit exposure, network monitoring to detect anomalies, application allowlisting on engineering workstations that access legacy systems, and strict access controls for maintenance connections. Prioritize replacement for systems that are both critical and unsecurable, accepting that full replacement may require multi-year capital planning. Document residual risk formally so leadership understands accepted exposure.
Q: What's the right organizational model for OT security?
A: Avoid both extremes: pure IT ownership (lacks operational context) and pure OT ownership (lacks security expertise). Successful models include: joint IT-OT security teams with reporting to a unified CISO; dedicated OT security roles within operations with dotted-line reporting to IT security; or matrixed structures where IT security provides tools and threat intelligence while operations provides context and access. The specific structure matters less than ensuring both competencies are involved in decisions.
Q: How should we approach SBOM requirements for operational technology?
A: Start with new procurements—require SBOMs as part of vendor contracts. For existing systems, work with vendors to obtain SBOMs where available; for legacy or unsupported systems, consider commercial tools that can derive approximate inventories through traffic analysis or firmware extraction. Establish internal SBOM management capability before mandating external requirements. The goal is vulnerability visibility, not bureaucratic compliance—design processes accordingly.
Q: What role do standards like IEC 62443 play in OT security programs?
A: Standards provide useful frameworks for structuring security programs and common vocabulary for discussing requirements with vendors. However, standards describe minimum baselines that sophisticated attackers study and circumvent. Use standards as starting points for program design and as benchmarks for maturity assessment, but don't treat certification as security assurance. The most valuable standards element is often the risk assessment methodology rather than the specific controls.
Q: How do we measure OT security effectiveness when attacks are rare?
A: Process metrics (detection coverage, response time in exercises, vulnerability remediation speed) matter more than outcome metrics when attacks are infrequent. Track detection capability through red team exercises and hunting operations. Measure resilience through tabletop exercises and recovery testing. Benchmark against sector peers through information sharing communities. The absence of detected incidents is not evidence of security—it may indicate insufficient detection capability.
Sources
- Dragos, "2024 ICS/OT Cybersecurity Year in Review," January 2025
- SANS Institute, "2024 ICS Security Survey," October 2024
- Mandiant, "APT Threat Groups Targeting Critical Infrastructure," 2024
- Claroty, "State of XIoT Security Report 2024," November 2024
- CISA, "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure," February 2024
- Verizon, "2024 Data Breach Investigations Report," May 2024
- Gartner, "Critical Infrastructure Protection Survey 2024," August 2024
- Cyber Security Agency of Singapore, "OT Cybersecurity Masterplan Update," 2024