Organizations do not determine for themselves whether they are a target; that depends on external geopolitical factors. What CISOs can influence is the level of preparedness and the resilience of systems. This starts with continuous situational awareness and the use of OT-focused threat intelligence to align security measures with the organization's sector and systems.
The events in the Middle East heighten concerns: analyses show that geopolitical crises often lead to more 'hacktivist' campaigns. From the perspective of Industrial Control Systems, the situation remains controlled for now. But such matters can change.
For security leaders, this distinction is important. Cyber attacks that disrupt industrial processes require extensive preparation, access to systems, and in-depth process knowledge. Historically, such operations have taken a long time to build up.
The first phase of geopolitical cyber escalation usually consists of rapid reconnaissance, repeated intrusion attempts, and warning signs, rather than direct disruption of industrial processes. Attackers first try to gain access to corporate networks before approaching operational environments. So far, there have (fortunately) been no confirmed manipulations of industrial processes.
However, geopolitical tensions can cause indirect disruptions. For example, there is ongoing GPS and GNSS interference in the Middle East region that affects maritime traffic. This demonstrates how dependent industrial operations are on external services such as satellite navigation, telecom, and cloud systems.
For CISOs, the focus is therefore on disciplined risk management and operational readiness. The SANS Five ICS Cybersecurity Critical Controls provide clear priorities:
ICS-Specific Incident Response Plan
Incident response must take into account safe operations and process stability. Regular exercises help IT, OT, and management work together effectively.
Defensible Architecture
Segmentation between IT and OT networks, Industrial Demilitarized Zones, and controlled communication limit the maneuvering space of attackers and support monitoring.
ICS Network Visibility and Monitoring
Monitoring should focus on ICS protocols and be linked to threat intelligence to detect suspicious activities early.
Secured Remote Access
External access is a key attack point. Strict controls, strong authentication, and controlled access points are essential.
Risk-Based Vulnerability Management
Not every vulnerability can be patched immediately. The focus should be on vulnerabilities that provide access to operational systems or critical processes.
The current situation calls for vigilance, not panic. Organizations must evaluate their preventive, detection, and recovery measures. If an organization cannot answer whether systems have been compromised, that indicates insufficient OT monitoring.
Destructive cyber attacks on industrial systems require time and preparation. Organizations with good visibility, strong network boundaries, and solid recovery plans are therefore a significantly more difficult target.
In short: preparation before a crisis is essential to remain resilient during geopolitical tensions. Strong monitoring, clear network boundaries, and effective response capabilities are at the core of good ICS security.

Michael Hoffman
Certified Instructor SANS Institute