ICS/OT Cybersecurity
Educational Email Series
This educational email series explains what ICS/OT Cybersecurity is, and the importance of nine critical cybersecurity pillars.
Email 1: Your control systems are running. But are they safe?
At 03:58 AM on February 24, 2022, Russian tanks rolled across the Ukrainian border.
Within the same hour, a cyberattack hit the Viasat KA-SAT satellite network. Within minutes – not hours, minutes – 5,800 wind turbines across Germany went dark, losing all remote monitoring capability. Their operators were helpless. The turbines weren't the target. Germany was simply in the way.
That is the world your Industrial Control System (ICS) operates in today.
So, what exactly is ICS/OT Cybersecurity?
Industrial Control Systems include every hardware and software component used to monitor and control physical industrial processes – SCADA systems, PLCs, DCS platforms, HMIs, RTUs. Operational Technology (OT) refers to the broader category of computing systems that manage physical operations, as opposed to IT systems that manage data.
ICS/OT cybersecurity is the discipline of protecting those systems from unauthorised access, manipulation, disruption, and destruction.
For decades, these systems operated in isolation – air-gapped from the internet, invisible to the outside world. That era is long over.
The convergence of IT and OT networks, the rise of remote access, and the adoption of connected technologies have opened these once-closed environments to the same cyber threats that have plagued the digital world – and far worse.
The consequences are physical, not just digital.
An attack on ICS/OT is not a data breach. It is a physical event. It can shut down a power grid. Contaminate a water supply. Halt fuel distribution across an entire region. Destroy industrial equipment. Endanger lives – and trigger cascading failures with national security implications.
Four nations are actively doing this. Right now.
- Russia runs multiple state-sponsored groups with a proven track record of physically disruptive ICS/OT attacks.
  - Sandworm caused real power blackouts in Ukraine using purpose-built ICS malware, hit European satellite communications on the opening day of the invasion, and coordinated simultaneous wiper attacks on over 30 energy sites across Poland in December 2025.
  - Berserk Bear (Energetic Bear) has persistently targeted energy grid infrastructure across the US and Europe for over a decade – staging for disruption rather than data theft.
  - Gamaredon maintains long-term persistent access inside critical infrastructure networks across Ukraine and NATO-adjacent countries.
These are not opportunistic attacks. They are a deliberate, sustained campaign against the infrastructure of adversary nations.
- Iran runs an expanding ecosystem of IRGC-linked groups targeting energy, water, and industrial infrastructure globally.
  - CyberAv3ngers deployed IOCONTROL – a purpose-built ICS cyberweapon – against water treatment PLCs and fuel management systems across the US and Israel, compromising devices from 8+ vendors.
  - Handala and Nasir Security are actively targeting Gulf energy operators – including reconnaissance against LNG facilities – with drone strikes and cyberattacks increasingly coordinated.
Following military strikes on Iran in early 2026, these groups have explicitly threatened to destroy energy and water infrastructure across Western and Gulf nations.
- China operates a coordinated portfolio of state-directed groups, each targeting a different layer of critical infrastructure.
  - Volt Typhoon has been confirmed pre-positioned inside energy, water, and communications networks across the US, UK, Canada, and Australia for up to five years – silently waiting.
  - Salt Typhoon compromised telecommunications backbone infrastructure across more than 80 countries in 2024, harvesting credentials and configurations from energy, transport, and military-adjacent networks.
  - Flax Typhoon targets manufacturing and logistics supply chains.
Together, they represent a state-directed programme to hold a hand on the switch of every potential adversary's critical infrastructure – before a shot is fired.
- North Korea deploys multiple groups under its Reconnaissance General Bureau, each with distinct but overlapping missions.
  - Lazarus Group has targeted energy providers across the US, Canada, and Japan and has expanded to European industrial and defence manufacturers linked to military supply chains.
  - Andariel (APT45) specifically targets nuclear, defence, and energy sectors to steal Western technology – funding operations through ransomware attacks on critical services, with US federal charges filed against its operators.
  - Kimsuky conducts long-term credential and data harvesting from energy and grid operators across South Korea, Japan, Europe, and the US.
And in 2025, confirmed command-and-control infrastructure overlap was found between Lazarus and Russia's Gamaredon – a sign these threats are no longer entirely separate.
The numbers confirm the trend.
ICS vulnerabilities disclosed globally nearly doubled in 2025. Cyberattacks on utilities rose 70% year-over-year in 2024. Over 50% of industrial organisations have reported at least one security incident in their OT environment. This is not a distant risk. It is an active, escalating campaign.
The good news: there is a clear, structured path forward.
Over the next nine emails, we'll walk you through the essential pillars of ICS/OT cybersecurity – one critical topic at a time. Each one is a layer in the defence. Each one is a step toward genuinely resilient operations.
Next up: Asset Management – because every single attack above started with one thing: finding a target the victim didn't know was exposed.
Warm regards,
Petr Roupec
CEO, Bohemia Market
Email 2: You can't secure what you don't know exists
Here is how the IRGC-linked CyberAv3ngers compromised water treatment facilities and fuel management systems across the United States and Israel.
They didn't use a zero-day exploit. They didn't penetrate a corporate network. They opened Shodan – a publicly available internet scanner – and searched for internet-facing Unitronics PLCs running factory-default passwords.
Devices that had been forgotten. Devices nobody had inventoried. Devices no one knew were exposed.
At the Municipal Water Authority of Aliquippa, Pennsylvania, operators arrived to find their PLC displaying a message: "You have been hacked, down with Israel." The device had been reconfigured by remote attackers who had found it, identified it, and accessed it – using nothing more than a public search engine and a default password.
What is ICS/OT Asset Management?
ICS/OT Asset Management is the process of discovering, cataloguing, and continuously monitoring every hardware and software component in your industrial network – from PLCs and HMIs to switches, sensors, field devices, and the firmware version running on each of them.
A complete asset inventory tells you what you have, where it is, what it's connected to, how it's configured, and what software version it's running.
Why it matters.
You cannot protect, patch, monitor, or respond to incidents involving assets you don't know exist.
Asset visibility is the foundation on which every other security control is built. It enables risk assessment, vulnerability management, network segmentation, and incident response – none of which are possible without an accurate, current picture of your ICS/OT environment.
The CyberAv3ngers campaign ultimately compromised at least 75 devices across the United States – in water, wastewater, and energy sectors.
Not one of those incidents required sophisticated hacking capability. Every single one exploited the gap between what the organisation thought its asset inventory contained and what was actually exposed.
Organisations with comprehensive ICS/OT asset visibility are significantly more likely to detect threats early, respond effectively, and maintain operational continuity.
In industrial security programmes, asset visibility is consistently the number one foundational investment.
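The gap this email describes, between what the register says and what is actually on the wire, is something you can measure. The following is an added example (not Bohemia Market's code or tooling) that reconciles a documented asset register against devices observed by passive monitoring and reports the four gaps that matter: devices nobody inventoried, firmware that drifted from the record, devices that are internet-facing or still on default credentials, and registered devices that have vanished. Both lists are constructed for illustration; the Purdue level labels and the `Asset` fields are assumptions about what a real register would hold.

```python
"""Reconcile a documented ICS/OT asset register against devices actually observed
on the network, and flag the gaps an attacker would find first.

Added example with constructed data. In a real programme the 'observed' side
comes from passive network monitoring or a vendor discovery tool, never from
active scanning of live controllers."""
from dataclasses import dataclass


@dataclass
class Asset:
    ip: str
    vendor: str
    model: str
    firmware: str
    zone: str                        # Purdue level the device is supposed to live in (assumed field)
    internet_facing: bool = False
    default_credentials: bool = False


# Constructed "register": what the organisation believes it owns.
REGISTER = {
    "10.10.1.5":  Asset("10.10.1.5",  "VendorA", "PLC-200", "2.3.1", "Level 1"),
    "10.10.1.6":  Asset("10.10.1.6",  "VendorA", "PLC-200", "2.3.1", "Level 1"),
    "10.10.2.20": Asset("10.10.2.20", "VendorB", "HMI-X",   "5.0.0", "Level 2"),
    "10.10.3.9":  Asset("10.10.3.9",  "VendorB", "RTU-7",   "1.8.2", "Level 1"),
}

# Constructed "observed": what passive monitoring actually saw.
OBSERVED = [
    Asset("10.10.1.5",   "VendorA", "PLC-200", "2.3.1", "Level 1"),
    Asset("10.10.1.6",   "VendorA", "PLC-200", "2.1.0", "Level 1"),          # firmware drift
    Asset("10.10.2.20",  "VendorB", "HMI-X",   "5.0.0", "Level 2"),
    Asset("203.0.113.7", "VendorC", "PLC-V",   "1.0.0", "Level 1",           # never inventoried
          internet_facing=True, default_credentials=True),
]


def reconcile(register, observed):
    """Return a dict of findings keyed by category; each finding is (ip, reason)."""
    findings = {"unknown": [], "firmware_drift": [], "exposed": [], "missing": []}
    seen = set()
    for dev in observed:
        seen.add(dev.ip)
        known = register.get(dev.ip)
        if known is None:
            findings["unknown"].append((dev.ip, f"{dev.vendor} {dev.model} not in register"))
        elif known.firmware != dev.firmware:
            findings["firmware_drift"].append(
                (dev.ip, f"register says {known.firmware}, device runs {dev.firmware}"))
        why = []
        if dev.internet_facing:
            why.append("internet-facing")
        if dev.default_credentials:
            why.append("default credentials")
        if why:
            findings["exposed"].append((dev.ip, ", ".join(why)))
    for ip in register:
        if ip not in seen:
            findings["missing"].append((ip, "in register but not observed on the network"))
    return findings


def blind_spot_count(findings):
    """Devices the organisation could not have protected because it did not know they existed."""
    return len(findings["unknown"])


if __name__ == "__main__":
    for category, items in reconcile(REGISTER, OBSERVED).items():
        for ip, reason in items:
            print(f"[{category}] {ip}: {reason}")
```

Run on the constructed data, the one device that is both unknown and exposed is exactly the Aliquippa pattern: a controller outside the register, reachable from the internet, still on a default password. Every other category is a lesser version of the same blindness.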
How Bohemia Market can help.
Bohemia Market's ICS/OT Business Continuity service starts exactly here – with a structured, thorough understanding of what your ICS/OT environment contains. No subsequent security measure has any value if it's built on a blank map.
👉 Book a chat with Bohemia Market about your ICS/OT asset visibility
In our next email: Once you know what assets you have, the next question is – which ones are most at risk? We'll cover Asset Risks and Vulnerabilities, and why the number of known ICS vulnerabilities nearly doubled in a single year.
Warm regards,
Petr Roupec
CEO, Bohemia Market
Email 3: Your oldest devices may be your biggest threat
In late 2024, Claroty's research team extracted a sample of a piece of malware called IOCONTROL.
It had been developed and deployed by Iran's IRGC-linked CyberAv3ngers – and it was unlike anything the ICS/OT security community had seen before. Not because it was sophisticated in the traditional sense. But because of its breadth.
IOCONTROL was designed to run on devices from at least 8 different vendors: Baicells, D-Link, Hikvision, Red Lion, Phoenix Contact, Teltonika, Unitronics, and Orpak/Gasboy fuel management systems – across IP cameras, routers, PLCs, HMIs, firewalls, and fuel pumps.
One cyberweapon. Dozens of device types. Deployed against water treatment, energy infrastructure, and fuel distribution in both Israel and the United States.
The IOCONTROL malware gave attackers the ability to shut down fuel services and execute arbitrary commands on compromised systems – from a command-and-control server hidden behind encrypted DNS and MQTT channels, making it nearly invisible to traditional monitoring.
The US Department of the Treasury sanctioned six IRGC officials linked to CyberAv3ngers and placed a $10 million bounty on information leading to their identification.
What is ICS/OT Asset Risks and Vulnerabilities?
A vulnerability is a weakness in a system – hardware, software, or configuration – that a threat actor could exploit.
In ICS/OT environments, vulnerabilities are everywhere: outdated firmware on PLCs, unpatched SCADA software, devices with default passwords, legacy protocols with no authentication, and systems never designed to be internet-connected – but now are.
Risk is the combination of that vulnerability and the likelihood and impact of exploitation.
The scale of exposure.
In 2025 alone, 2,451 ICS vulnerabilities were disclosed – nearly double the previous year's figure. Siemens alone reported over 1,175 ICS vulnerabilities in a single year; Schneider Electric disclosed 163, with 70% rated high or critical.
The challenge is compounded by the nature of OT environments: you can't simply patch an industrial controller the way you patch a laptop. Taking a PLC offline to apply a firmware update may require a planned shutdown, regulatory approval, and weeks of coordination.
In the meantime, that device remains exposed – and Iranian, Russian, Chinese, and North Korean threat groups are actively scanning for exactly these devices.
How Bohemia Market can help.
Bohemia Market's ICS/OT Business Continuity service incorporates a risk and vulnerability awareness process – helping you understand where your exposure lies and how to prioritise your response, without disrupting operations.
👉 Talk to Bohemia Market about your ICS/OT vulnerability posture
Up next: Even with full asset visibility and risk awareness, your ICS/OT environment has doors – remote access points that, if left unsecured, invite attackers right in. Next email: Secure Remote Access.
Warm regards,
Petr Roupec
CEO, Bohemia Market
Email 4: Remote access is a necessity – but it may be your biggest vulnerability
In May 2021, a ransomware group called DarkSide gained access to Colonial Pipeline – which carries 45% of the US East Coast's fuel supply.
Their entry point wasn't a sophisticated zero-day. It was a single legacy VPN account with no multi-factor authentication – likely compromised in a previous, unrelated data breach and never deactivated.
The OT systems were never directly breached. But operators couldn't confirm whether they were safe while the IT network was on fire. So, they shut the pipeline down proactively.
Six days offline. Fuel shortages across 17 states. A $4.4 million ransom paid because keeping the fuel flowing couldn't wait.
One unused VPN account. No multi-factor authentication. That's all it took to cause a national emergency.
A year later, regulators proposed a $986,000 fine for pre-existing security violations – including failures in remote access controls – that had left the pipeline perpetually at risk.
What is Secure Remote Access?
Secure Remote Access is a structured set of controls, technologies, and policies governing how external users connect to industrial networks – ensuring every connection is authenticated, authorised, monitored, and time-limited.
Why it remains the most exploited entry point.
More than 50% of ransomware incidents are traced back to compromised remote access services – unpatched VPN appliances and misconfigured RDP servers.
Many OT environments were connected remotely using IT-focused tools never designed for industrial environments, creating direct paths into control networks with minimal authentication and no session monitoring.
North Korea's Lazarus Group exploited exactly this approach in their 2022 energy sector campaign – using compromised VMware Horizon remote access servers as their initial foothold, before deploying multiple backdoors for persistent, long-term access to energy sector OT networks in the US, Canada, and Japan.
Iran's threat groups, meanwhile, are now leveraging AI-powered spear phishing to steal remote access credentials at scale – targeting operational technology environments specifically.
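The Colonial Pipeline entry point was an account that failed every one of the four properties this email names: not authenticated with a second factor, not authorised (its owner was gone), not monitored (nobody noticed it was unused), and not time-limited. An added example, not Bohemia Market's code, that audits a list of remote-access accounts against those properties; the account records are constructed, and the thresholds (90 days of inactivity, vendor accounts must carry an expiry date) are assumptions a programme would set for itself.

```python
"""Audit remote-access accounts for the four properties a secure remote access
programme enforces: authenticated (MFA), authorised (a current owner),
monitored (not silently stale) and time-limited (an expiry that is honoured).

Added example; the records are constructed and the thresholds are assumptions."""
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=90)   # assumed policy threshold

# Constructed account export: one healthy staff account, one orphaned legacy
# VPN account, one vendor account with no expiry, one well-governed vendor account.
ACCOUNTS = [
    {"user": "ops.alice",  "type": "staff",  "mfa": True,  "last_login": date(2026, 3, 1),
     "active_person": True,  "expires": None},
    {"user": "legacy.vpn", "type": "staff",  "mfa": False, "last_login": date(2025, 4, 10),
     "active_person": False, "expires": None},
    {"user": "vendor.xyz", "type": "vendor", "mfa": True,  "last_login": date(2026, 2, 20),
     "active_person": True,  "expires": None},
    {"user": "vendor.abc", "type": "vendor", "mfa": True,  "last_login": date(2026, 3, 10),
     "active_person": True,  "expires": date(2026, 3, 31)},
]


def audit(accounts, today):
    """Return [(user, [problem, ...])] for every account that fails at least one control."""
    findings = []
    for a in accounts:
        problems = []
        if not a["mfa"]:
            problems.append("no MFA")
        if not a["active_person"]:
            problems.append("owner no longer with organisation")
        idle = today - a["last_login"]
        if idle > INACTIVITY_LIMIT:
            problems.append(f"inactive for {idle.days} days")
        if a["type"] == "vendor" and a["expires"] is None:
            problems.append("vendor account with no expiry")
        if a["expires"] is not None and a["expires"] < today:
            problems.append("expired but still enabled")
        if problems:
            findings.append((a["user"], problems))
    return findings


def accounts_to_disable(accounts, today):
    """Accounts failing a hard rule (orphaned owner or no MFA): disable first, investigate second."""
    hard = {"no MFA", "owner no longer with organisation"}
    return [user for user, problems in audit(accounts, today) if hard & set(problems)]


if __name__ == "__main__":
    today = date(2026, 3, 15)
    for user, problems in audit(ACCOUNTS, today):
        print(f"{user}: {'; '.join(problems)}")
    print("disable now:", accounts_to_disable(ACCOUNTS, today))
```

The useful design point is the split between `audit` (everything worth a ticket) and `accounts_to_disable` (the short list that should be actioned the same day). An account with no MFA and no living owner is not a finding to schedule; it is an open door, and the cost of disabling it is near zero.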
How Bohemia Market can help.
Bohemia Market's ICS/OT Business Continuity service addresses remote access as a critical control point – ensuring that connectivity is structured, monitored, and governed so that the access you need doesn't become the vulnerability you can't afford.
👉 Speak with Bohemia Market about securing your remote access
Next time: Even with controlled remote access, an attacker who gets inside can move freely through an unsegmented network. We'll cover Network Segmentation – your structural defence against lateral movement.
Warm regards,
Petr Roupec
CEO, Bohemia Market
Email 5: An attacker is already inside. Can they reach your control systems?
On December 29, 2025, someone tried to shut off the heat for nearly half a million people in Poland.
Mid-winter. Blizzard conditions.
A coordinated cyberattack – attributed to Russia's FSB-linked group, known to researchers as Static Tundra, Berserk Bear, or Sandworm – simultaneously hit over 30 facilities: wind farms, solar parks, a manufacturing company, and combined heat and power plants.
The attackers entered through internet-facing edge devices, moved laterally across the network to RTU controllers, HMIs, and protection relays, and deployed firmware-destroying wiper malware designed to prevent recovery.
CERT Polska confirmed the attacks targeted communications systems first – blinding operators before moving against control systems.
The attack was timed for maximum civilian harm. And it worked – in part – because network boundaries between the edge and the control layer weren't strong enough to stop lateral movement.
What is Network Segmentation?
Network segmentation is the practice of dividing an industrial network into distinct zones, each with controlled, monitored boundaries – so that a compromise in one zone does not automatically grant access to another.
In ICS/OT, this is typically built around the Purdue Enterprise Reference Architecture – separating the physical process layer (sensors, PLCs, actuators) from supervisory systems (SCADA, DCS), from operations networks, from the corporate IT layer – with a Demilitarised Zone (DMZ) between IT and OT.
A flat, unsegmented network is the cyber equivalent of a building with no interior doors: get through the front door, and every room is accessible.
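Zone boundaries are only meaningful if someone checks the traffic actually crossing them against the design. Here is an added example (not Bohemia Market's code) that encodes a small Purdue-style zone-and-conduit policy and evaluates observed flows against it. The rule set is a common simplification and an assumption of the example: traffic may only cross adjacent levels, nothing talks directly to or from outside the plant, and anything between the enterprise network (Level 4) and the site operations level (Level 3) must pass through the DMZ. Hosts, zone assignments and flows are constructed. The Poland pattern in this email, an edge device reaching straight to RTUs and relays, is precisely the kind of flow such a check reports.

```python
"""Evaluate observed network flows against a Purdue-style zone-and-conduit policy.

Added example with a constructed host list and flow list. The policy is a
deliberate simplification: adjacent levels only, no direct external traffic,
and enterprise <-> operations traffic must traverse the DMZ (Level 3.5)."""

# Purdue levels as ordinal ranks so adjacency can be computed; "EXT" is outside the plant.
LEVEL_RANK = {"L0": 0, "L1": 1, "L2": 2, "L3": 3, "DMZ": 3.5, "L4": 4}

# Constructed host-to-zone assignment (in practice this comes from the asset register).
ZONE_OF = {
    "10.10.1.5":   "L1",    # PLC
    "10.10.2.20":  "L2",    # HMI
    "10.10.3.40":  "L3",    # historian
    "10.10.35.2":  "DMZ",   # replication / jump server
    "10.1.0.77":   "L4",    # corporate workstation
    "203.0.113.9": "EXT",   # internet
}

# Constructed observed flows (src, dst), as a monitoring sensor might summarise them.
FLOWS = [
    ("10.10.2.20", "10.10.1.5"),    # HMI -> PLC: normal supervisory traffic
    ("10.10.3.40", "10.10.35.2"),   # historian -> DMZ replication
    ("10.10.35.2", "10.1.0.77"),    # DMZ -> corporate analytics
    ("10.1.0.77",  "10.10.3.40"),   # corporate -> historian, bypassing the DMZ
    ("10.1.0.77",  "10.10.1.5"),    # corporate workstation talking straight to a PLC
    ("203.0.113.9", "10.10.2.20"),  # internet -> HMI
]


def flow_allowed(src_zone, dst_zone):
    """Return (allowed, reason) for a flow between two zones under the example policy."""
    if "EXT" in (src_zone, dst_zone):
        return False, "direct traffic to/from outside the plant"
    a, b = LEVEL_RANK[src_zone], LEVEL_RANK[dst_zone]
    if abs(a - b) > 1:
        return False, f"{src_zone}->{dst_zone} skips a level"
    # L4 and L3 are numerically adjacent, but the DMZ is required between them.
    if {src_zone, dst_zone} == {"L4", "L3"}:
        return False, "enterprise-to-OT traffic must pass through the DMZ"
    return True, "permitted conduit"


def violations(flows, zone_of=ZONE_OF):
    """List every flow that breaches the policy as (src, dst, reason)."""
    out = []
    for src, dst in flows:
        ok, reason = flow_allowed(zone_of[src], zone_of[dst])
        if not ok:
            out.append((src, dst, reason))
    return out


if __name__ == "__main__":
    for src, dst, reason in violations(FLOWS):
        print(f"VIOLATION {src} -> {dst}: {reason}")
```

A flat network produces no violations from this check, not because it is safe but because there is no policy to violate; the value of the check is proportional to how precisely the zones have been defined in the first place.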
The historical precedent: NotPetya.
When Russia's NotPetya malware was unleashed in 2017 – beginning in Ukraine before spreading globally – it moved freely across flat OT networks at energy companies, manufacturers, and logistics firms worldwide.
Shipping giant Maersk lost its entire global IT infrastructure, including OT-connected systems, in minutes. Estimated damage: over $10 billion globally.
Poland, 2025, was a direct architectural echo of the same failure. The lesson hasn't always been learned.
How Bohemia Market can help.
Bohemia Market's ICS/OT Business Continuity service helps organisations assess and strengthen their network architecture – ensuring that zone boundaries are meaningful, enforced, and maintained over time.
👉 Talk to Bohemia Market about network architecture for your ICS/OT environment
In our next email: You've built strong technical defences. But are they compliant – and does compliance itself make you more secure? We'll explore Standards Compliance and why frameworks like IEC 62443 and NIST SP 800-82 are your global roadmap.
Warm regards,
Petr Roupec
CEO, Bohemia Market
Email 6: Compliance isn't a guarantee of security. But ignoring it is a guarantee of risk.
After the Poland attack in December 2025, CISA issued a formal advisory detailing exactly how the attackers operated – the techniques, the entry points, the lateral movement, the wiper malware.
That advisory wasn't issued to be alarming. It was issued because governments know that every operator reading it could cross-reference their own ICS/OT environment against a known attack pattern – and identify gaps before the next attack arrives.
That is what standards compliance makes possible: a common language, a shared framework, and a defensible, auditable programme that goes far beyond good intentions.
What is Standards Compliance in ICS/OT?
Standards compliance is the formal alignment of an organisation's cybersecurity programme with recognised international frameworks designed specifically for industrial and operational technology environments. The two most widely adopted globally are:
- IEC 62443 (ISA/IEC 62443): A comprehensive, internationally recognised series of standards for industrial automation and control system security. It defines security levels, zone-and-conduit architecture, security lifecycle processes, and requirements for both asset owners and system integrators – applicable to a power station in Norway, a water treatment facility in Singapore, or a refinery in the Gulf.
- NIST SP 800-82: The US National Institute of Standards and Technology's guide for securing industrial control systems – covering risk management, defence-in-depth, access control, and incident response. Referenced globally, not only in the United States.
Why compliance matters – especially now.
These are not bureaucratic documents. They are the distilled experience of governments, industrial engineers, and security practitioners who have studied real-world ICS/OT attacks and codified what works.
Every attacker technique deployed in Poland – lateral movement through uncontrolled network zones, exploitation of internet-facing devices, destruction of controller firmware – maps directly to vulnerabilities that IEC 62443 and NIST SP 800-82 specifically address.
Organisations implementing these frameworks in good faith narrow the exact attack surface that Sandworm, CyberAv3ngers, Volt Typhoon, and Lazarus rely on.
Regulatory pressure is also intensifying.
The EU's NIS2 Directive, effective from October 2024, extends mandatory cybersecurity obligations to energy, transport, water, and digital infrastructure operators – with fines reaching €10 million or 2% of global annual turnover for non-compliance.
Similar frameworks are advancing across North America, Asia-Pacific, and the Gulf states.
Compliance is becoming a legal requirement with personal liability for executives, not just a best-practice recommendation.
The organisation that had a policy – but not a programme.
A regional power distribution company had a cybersecurity policy document referencing IEC 62443.
Written three years earlier, it sat on a shared drive that most of the engineering team had never read. When a regulatory audit arrived following a sector-wide advisory, auditors found no security zones formally defined, no asset register, no documented incident response procedure.
The policy had created a false sense of assurance – while the underlying posture remained genuinely insecure.
How Bohemia Market can help.
Bohemia Market's ICS/OT Business Continuity service is grounded in internationally recognised standards, helping you move from policy to implementation – building a programme that is defensible, auditable, and genuinely effective.
👉 Talk to Bohemia Market about aligning your security with ICS/OT standards
Coming up next: You've built strong policies and frameworks. But what happens when the people who know how your systems actually work – leave? Next, we tackle one of the most underestimated risks: Retention of Knowledge.
Warm regards,
Petr Roupec
CEO, Bohemia Market
Email 7: When your most experienced engineer walks out the door – what leaves with them?
The US, UK, Canada, Australia, and New Zealand issued a joint advisory in 2024 confirming what intelligence agencies had been tracking for years: China's Volt Typhoon group had been pre-positioned inside US critical infrastructure networks for up to five years.
Five years! Undetected!
They used no custom malware. No flashy zero-days. They used living-off-the-land techniques – operating entirely through the system's own legitimate tools, blending into normal operational traffic.
Their method was designed to be invisible to anyone who didn't have deep, granular institutional knowledge of what their own ICS/OT environment looked like at baseline.
CISA Director Jen Easterly described it directly: "The PRC cyber threat is not theoretical – and what we've discovered is probably the tip of the iceberg."
Here's the uncomfortable question: if your most experienced engineer retired tomorrow, would your team know what "normal" looked like well enough to detect Volt Typhoon's approach?
What is Retention of Knowledge in the ICS/OT context?
Retention of knowledge is the systematic capture, documentation, and transfer of operational and cybersecurity knowledge relating to industrial systems – configurations, maintenance procedures, known anomalies, historical incidents, and the reasoning behind critical design decisions.
In most ICS/OT environments, this knowledge lives in people's heads, not in documentation systems.
It is what practitioners call tribal knowledge – and its loss is a serious, underappreciated security vulnerability.
Why this is a security problem.
When institutional knowledge is lost – through retirement, resignation, or organisational change – the organisation loses the ability to fully understand its own systems. An organisation that doesn't understand its systems cannot properly defend them.
The ICS/OT skills gap is already severe and worsening.
Demand for qualified ICS/OT security professionals vastly exceeds supply.
When the few experts who exist in an organisation depart without transferring their knowledge, the gap that remains is not just operational – it is a security vulnerability that nation-state actors are specifically trained to exploit.
North Korea's Lazarus Group, in their 2022 energy sector campaign, specifically harvested Active Directory credentials and conducted deep network reconnaissance – mapping the environment over months before escalating activity.
They counted on operational teams not noticing the subtle signs of reconnaissance in ICS/OT environments where no one had documented what "normal" looked like.
How Bohemia Market can help.
Bohemia Market's ICS/OT Business Continuity service recognises the human dimension of security – helping organisations structure knowledge retention as a core element of their resilience strategy, not an afterthought.
👉 Discuss the human side of ICS/OT security with Bohemia Market
Next up: Knowledge needs to be embedded in structure. In our next email, we cover Processes and Procedures – the backbone that turns good intentions into reliable, repeatable security practice.
Warm regards,
Petr Roupec
CEO, Bohemia Market
Email 8: In a crisis, your team will follow procedures. Do those procedures exist?
In April 2022, Russia's Sandworm group deployed Industroyer2 – malware purpose-built to speak the native IEC-104 protocol of industrial high-voltage substations – against a Ukrainian energy operator serving approximately two million people.
The malware was sophisticated. Designed to issue commands directly to protection relays, trigger false trips, and cause a blackout – with companion tools to destroy ICS hosts before defenders could respond.
The lights stayed on.
Not because the malware failed technically. It didn't.
The attack was stopped because Ukraine's energy operators had pre-planned, documented, tested ICS-specific incident response procedures – and coordination with CERT-UA that allowed the attack to be identified and neutralised before the scheduled 04:00 AM trigger.
Procedures saved the grid.
What are Processes and Procedures in ICS/OT Cybersecurity?
Processes and procedures are the documented, structured workflows that govern how security activities are performed – from change management and patch approval to incident detection, response, escalation, and recovery.
In ICS/OT, they also cover operational procedures: how systems are accessed, how configurations are changed, how vendors are granted access, how anomalies are investigated, and how backups are verified and restored.
Why they matter.
The absence of documented processes is consistently cited as the top cybersecurity concern among industrial operators – more frequently than insufficient funding or evolving threats.
When processes don't exist, security depends entirely on individual judgment under pressure.
That is a fragile foundation.
Industroyer2 proves the inverse: even against nation-state adversaries deploying ICS-specific cyberweapons, documented procedures and practised response capabilities can prevent the worst outcome.
Contrast that with Colonial Pipeline in 2021: the OT systems were never directly breached, but in the absence of a tested, documented procedure for assessing OT safety during an IT incident, operators had no option but to shut the pipeline down entirely – causing more economic disruption than the malware itself.
How Bohemia Market can help.
Bohemia Market's ICS/OT Business Continuity service emphasises the importance of clear, documented, ICS/OT-aware processes – helping your organisation build the procedural backbone that security and resilience depend on.
👉 Talk to Bohemia Market about building robust ICS/OT processes
Coming up: For the most sensitive data flows – from field devices to enterprise systems – there's a hardware-enforced solution that provides air-gap level security with operational connectivity. Next: Data Diode Architecture.
Warm regards,
Petr Roupec
CEO, Bohemia Market
Email 9: What if data could only flow one way? This hardware enforces it.
The Viasat KA-SAT attack in February 2022 – the one that took down 5,800 German wind turbines in the opening hours of the Ukraine invasion – was elegant in its simplicity.
The attackers didn't need to break encryption. They didn't need to compromise the satellite itself.
They accessed the satellite modem management plane – a remote administration channel designed for legitimate two-way communication – and used it to push AcidRain wiper malware to tens of thousands of modems across Europe simultaneously.
The attack was only possible because the management channel was bidirectional. Data flowed out – and commands, and malware, could flow back in.
A data diode would have made that attack physically impossible.
What is a Data Diode?
A data diode (also called a unidirectional security gateway) is a hardware device that physically enforces one-way data flow between networks.
It uses optical technology – literally, light passing through a fibre in one direction – to ensure data can be transmitted out of an ICS/OT network, but that nothing – no commands, no malware, no reverse communication – can travel back in through that same path.
This is not a software rule that can be misconfigured or bypassed.
It is a physical constraint, enforced at the hardware level.
Why data diodes are critical for ICS/OT.
For the most sensitive ICS/OT environments – nuclear facilities, power generation, water treatment, oil and gas – the data diode provides what is widely described as "air-gap level security with operational connectivity".
It allows real-time operational data (from historians, OPC servers, sensors) to flow into IT networks or enterprise systems for monitoring and analytics – without creating a bidirectional attack path back into the ICS/OT environment.
This is precisely the architecture that nation-state attackers – Sandworm, CyberAv3ngers, Volt Typhoon, and Lazarus alike – rely on not existing.
Iran's IOCONTROL malware used MQTT – an IoT communication protocol – to maintain a covert two-way channel between compromised OT devices and its command-and-control infrastructure.
A data diode eliminates that channel architecturally. There is no software patch, firewall rule, or configuration change that achieves the same guarantee.
IEC 62443 specifically recommends unidirectional gateways for securing conduits between high-security ICS/OT zones and lower-trust network segments.
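The one-way guarantee has a consequence that is easy to overlook when the diode is described only as a security device: the receiving side can never acknowledge a frame or ask for a resend, so integrity and loss detection have to be built into the outbound stream itself. The following is an added example, not vendor or Bohemia Market code, that models a unidirectional transfer of historian samples. The channel object exposes only `send`; the sender stamps each frame with a sequence number and a CRC and transmits it twice, and the receiver detects gaps and rejects corrupt frames on its own. Frame format, sample data and the simulated loss pattern are all constructed for illustration.

```python
"""Model of a unidirectional (data-diode) transfer of OT records to an IT network.

The OT side can only push. There is no return path, so the receiver cannot
acknowledge or request retransmission; sequence numbers, a per-frame CRC and
send-twice redundancy are what make loss visible and tolerable.

Added example with constructed data; not a description of any vendor's product."""
import json
import zlib

# Constructed historian samples that the OT side wants to publish outbound.
SAMPLES = [
    {"tag": "PT-101", "value": 12.4, "ts": "2026-03-01T00:00:00Z"},
    {"tag": "PT-101", "value": 12.6, "ts": "2026-03-01T00:00:10Z"},
    {"tag": "FT-203", "value": 88.0, "ts": "2026-03-01T00:00:10Z"},
    {"tag": "PT-101", "value": 12.5, "ts": "2026-03-01T00:00:20Z"},
]


class OneWayChannel:
    """Only `send` exists; there is deliberately no receiver-to-sender path."""

    def __init__(self, receiver, drop_frames=()):
        self._receiver = receiver
        self._drop = set(drop_frames)   # simulated loss: transmission indices that never arrive
        self._count = 0

    def send(self, frame: bytes):
        idx = self._count
        self._count += 1
        if idx not in self._drop:
            self._receiver.accept(frame)


def build_frame(seq: int, record: dict) -> bytes:
    """4-byte big-endian CRC32 followed by a JSON payload carrying the sequence number."""
    payload = json.dumps({"seq": seq, "data": record}, sort_keys=True).encode()
    return zlib.crc32(payload).to_bytes(4, "big") + payload


class Receiver:
    """IT-side consumer: verifies each frame, drops corrupt ones, ignores duplicates."""

    def __init__(self):
        self.records = {}
        self.corrupt = 0

    def accept(self, frame: bytes):
        crc, payload = int.from_bytes(frame[:4], "big"), frame[4:]
        if zlib.crc32(payload) != crc:
            self.corrupt += 1
            return
        msg = json.loads(payload)
        self.records.setdefault(msg["seq"], msg["data"])   # second copy of a frame is ignored

    def missing(self, expected_count):
        """Sequence numbers that never arrived; the only remedy is on the sending side."""
        return [s for s in range(expected_count) if s not in self.records]


def transfer(records, drop_frames=(), redundancy=2):
    """Push every record through the one-way channel `redundancy` times; return the receiver."""
    rx = Receiver()
    channel = OneWayChannel(rx, drop_frames)
    for seq, rec in enumerate(records):
        frame = build_frame(seq, rec)
        for _ in range(redundancy):
            channel.send(frame)
    return rx


if __name__ == "__main__":
    # Transmission indices 2 and 3 are both copies of seq 1; index 4 is the first copy of seq 2.
    rx = transfer(SAMPLES, drop_frames={2, 3, 4})
    print("received:", sorted(rx.records))
    print("missing :", rx.missing(len(SAMPLES)))
```

With the constructed loss pattern, sequence 2 survives because its second copy got through, while sequence 1 is lost and can only be reported, never requested. That asymmetry is the point: the same property that makes the AcidRain-style push of commands back into the OT side physically impossible also means the OT side must be engineered to re-emit or periodically resend on its own schedule.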
How Bohemia Market can help.
Bohemia Market's ICS/OT Business Continuity service incorporates data diode architecture as a key element of a secure data transfer strategy – helping organisations achieve the highest levels of OT/IT boundary security without sacrificing operational data visibility.
👉 Talk to Bohemia Market about data diode solutions for your ICS/OT environment
In our final email: We bring everything together under the single most important concept of all: Business Continuity. Because the goal isn't just to be secure. It's to keep running – no matter what.
Warm regards,
Petr Roupec
CEO, Bohemia Market
Email 10: The goal isn't just to survive an attack. It's to keep running.
Over the past nine emails, we've covered a lot of ground.
Asset Management. Vulnerability Awareness. Secure Remote Access. Network Segmentation. Standards Compliance. Knowledge Retention. Processes and Procedures. Data Diode Architecture.
Each one is a critical layer in a comprehensive ICS/OT security programme.
But they all serve one ultimate purpose: keeping your operations running – safely, reliably, and continuously – even when everything around you is under attack.
I'm talking about Business Continuity.
What is ICS/OT Business Continuity?
Business continuity in the ICS/OT context is the organisational capability to maintain – or rapidly restore – essential industrial operations in the face of a cyber incident, physical disruption, equipment failure, or any event that threatens operational integrity.
It encompasses resilient system architecture, backup and recovery capabilities, tested incident response procedures, continuity of operational knowledge, and the organisational structures needed to make decisions under pressure.
The threat environment in 2026.
Let's be direct about where we stand.
- Russia'sSandworm, Berserk Bear, and Gamaredon have demonstrated the ability to deploy ICS/OT-specific malware capable of causing real blackouts and have repeatedly targeted European energy infrastructure as a strategic weapon of war.
The Poland attack in December 2025 was not an outlier; it was a continuation of a documented, sustained campaign – timed for mid-winter, targeting 30+ energy sites simultaneously.
- Iran's IRGC-linked groups – CyberAv3ngers, Handala, Nasir Security – have deployed IOCONTROL, a purpose-built cyberweapon targeting PLCs, HMIs, and fuel management systems across Western and Israeli infrastructure.
In March 2026, following military strikes on Iran, these groups explicitly threatened to destroy energy and water infrastructure across Western and Gulf nations – and coordinated drone strikes against Qatar's Ras Laffan LNG facility in the same week.
- China's Typhoon groups represent a coordinated, state-directed programme spanning multiple teams.
- Volt Typhoon pre-positioned silently inside energy, water, and communications networks across the US, UK, and allied nations for up to five years – waiting.
- Salt Typhoon compromised telecommunications backbone infrastructure across more than 80 countries in 2024, harvesting credentials and network configurations from energy, transport, and military-adjacent systems.
These are not isolated incidents. They are a deliberate strategy to have a hand on the switch of every potential adversary's critical infrastructure – before any shot is fired.
- North Korea's Lazarus, Andariel, and Kimsuky are running sustained campaigns against energy providers, nuclear facilities, and industrial manufacturers – for espionage, for regime revenue via ransomware, and as strategic leverage.
In 2025, confirmed infrastructure overlap was found between Lazarus and Russia's Gamaredon – a sign these four national threat programmes are beginning to converge.
Every ICS/OT operator on the planet now sits within the potential reach of these campaigns – regardless of location, industry, or size.
The cost of not being prepared.
Colonial Pipeline didn't lose its OT systems to the attackers – it shut them down itself, because it could not be confident they were safe to run during the crisis. The absence of a tested, operational business continuity capability meant six days of shutdown, fuel shortages across 17 states, and a $4.4 million ransom payment.
Ukraine kept its lights on against Industroyer2 because it had the procedures, the coordination, and the resilience architecture to detect and neutralise the attack before it fired.
The difference, in both cases, was not technology. It was preparedness.
The question for every ICS/OT operator today is not whether a disruptive event will occur. It is: when it does – can you keep your business running?
How Bohemia Market can help.
This is precisely what Bohemia Market's ICS/OT Business Continuity service is designed to deliver.
Not just technology. Not just compliance checklists.
But a holistic, structured approach to ensuring that your organisation can continue operating – safely and with confidence – in the face of the cyber threats that define our era.
If you've found value in this email series, the natural next step is to book a conversation.
Tell us where you are. Tell us what keeps you up at night. Let us show you how Business Continuity is built in your company, one layer at a time.
👉 Book your ICS/OT cybersecurity conversation with Bohemia Market
The world's critical infrastructure is now more connected – and more exposed – than at any point in history.
Russia. Iran. China. North Korea.
The threat actors are real, their campaigns are documented, and their targets include infrastructure exactly like yours.
The organisations that invest in resilience today are the ones that will keep the lights on tomorrow.
We'd be honoured to help you be one of them.
Warm regards,
Petr Roupec
CEO, Bohemia Market
For more information, please contact us
Every company is different, and the state of Industrial Control Systems (ICS) and Operational Technology (OT) varies from company to company, making it impossible to present a generic solution that fits your specific situation.
Therefore we'd like to offer you a no-obligations chat about your specific ICS/OT Cybersecurity needs and challenges, starting from where you are today.
Click the button below, fill out the form, and send it to us, and we'll get back to you shortly.