
The cyberattack on Ukraine’s power grid by Russian nation-state cyber actors was the first publicly acknowledged incident to demonstrate that a cyberattack could cause a real-world power outage.
Until then, the possibility of an attack leading to a widespread outage had been theoretical; this was the first incident that brought those fears to life. It was a deliberate, well-planned operation carried out by a nation-state actor against operational technology systems that were previously assumed too specialized or isolated to target.
Now, 10 years later, it’s clear that the attack was an early signal of how cyber operations against critical infrastructure would evolve.
The same basic tactics that were used in the Ukraine attack now show up — again and again — in incidents that target critical infrastructure.
For example, the 2021 ransomware attack on the Colonial Pipeline, which led to a shutdown of a major fuel distribution system after attackers exploited a compromised password, demonstrated how access abuse and credential compromise remain powerful techniques.
Attackers now rely on familiar methods like misused remote access and stolen credentials. Bad actors carefully study how industrial systems operate, often with the goal of disrupting physical processes.
The fragility of access
Ten years down the road, we now know that access has become the soft underbelly of critical infrastructure security. That’s because operational environments rely heavily on remote connectivity and vendors need to get in to maintain systems.
Engineers need to troubleshoot issues as they arise and integrators need to deploy updates. In many cases, that access gets granted through broad VPN connections that offer little visibility into who’s connecting, what they are doing once they get in, or whether that access even makes sense.
The VPN approach persists because it’s familiar. VPNs feel safe, but they give remote devices direct access to internal systems. If a remote computer gets compromised, that problem can move straight into environments that were never built to handle a hostile interaction. VPNs function like long network cables that extend trust beyond the perimeter of the facility, and once that connection exists, the line between inside and outside disappears.
The very nature of OT devices presents a challenge when it comes to designing defense. Many industrial controllers were built without strong authentication or meaningful logging, and some are unstable when exposed to scanning tools designed for IT networks. In certain cases, default credentials are still used, and that’s at the very least frightening, and at the very worst, the keys to pulling off a widespread outage.
When something goes wrong in these environments, recovery is slow. Fixing the problem often means sending someone into the field to reach the equipment itself. That can involve a long drive, a locked cabinet, and hands-on work before anything comes back online. In critical infrastructure, that kind of delay affects far more than internal operations.
It would be unfair to say nothing has changed in 10 years. Many operators now recognize that the old assumptions about critical infrastructure no longer hold. There’s growing awareness that OT environments cannot remain opaque black boxes, and that visibility into systems and access has become a basic requirement.
However, progress still remains uneven in the industry as a whole, often held back by vendor relationships that make patching or upgrades difficult. Many critical systems run on hardware and software that are frozen in time because changing them would require years of reengineering, while others continue to rely on long-standing practices simply because they have not yet resulted in a visible incident.
Over time, that kind of inertia increases exposure, because security does not reward complacency. Attackers only need to succeed once.
For critical infrastructure owners and operators, defense should focus on three critical areas:
- Understand what exists: Asset inventories and access mapping are prerequisites for any meaningful security effort.
- Reduce the company’s exposure: Remote connectivity should exist only where it’s necessary and justified.
- Engage with vendors differently: Make security expectations explicit, even when technology lifecycles are long and upgrades slow.
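One way to make the first two items concrete, as an added example that is not drawn from the article: a short Python script (constructed inventory and grants, hypothetical names) that reconciles an OT asset inventory against remote-access grants and flags access that reaches unmapped assets, covers a whole subnet, lacks a documented justification, or never expires.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data, not taken from the article: an OT asset inventory
# and the remote-access grants a VPN or jump-host policy might export.
@dataclass(frozen=True)
class Asset:
    host: str   # device IP address
    name: str
    owner: str  # team responsible for the device

@dataclass(frozen=True)
class Grant:
    principal: str      # vendor or engineer account
    target: str         # host or CIDR the grant reaches
    justification: str  # ticket or maintenance contract; empty = none
    expires: str        # ISO date; empty = standing access

INVENTORY = [
    Asset("10.20.1.10", "substation-rtu-01", "grid-ops"),
    Asset("10.20.1.11", "substation-rtu-02", "grid-ops"),
    Asset("10.20.2.5", "historian-01", "it-ops"),
]
GRANTS = [
    Grant("vendor-acme", "10.20.1.10", "MAINT-2041", "2025-12-31"),
    Grant("integrator-x", "10.20.1.0/24", "", ""),
    Grant("eng-jdoe", "10.20.3.7", "CHG-118", "2025-06-30"),
]

def review_grants(inventory, grants):
    """Return (principal, target, finding) tuples for grants that fail the
    inventory, scope, justification or expiry checks."""
    known = {ipaddress.ip_address(a.host) for a in inventory}
    findings = []
    for g in grants:
        net = ipaddress.ip_network(g.target, strict=False)
        if net.num_addresses > 1:
            findings.append((g.principal, g.target, "broad grant: subnet, not a single host"))
        elif net.network_address not in known:
            findings.append((g.principal, g.target, "target not in asset inventory"))
        if not g.justification:
            findings.append((g.principal, g.target, "no documented justification"))
        if not g.expires:
            findings.append((g.principal, g.target, "standing access: no expiry"))
    return findings

if __name__ == "__main__":
    for principal, target, finding in review_grants(INVENTORY, GRANTS):
        print(f"{principal:14} {target:14} {finding}")
```

Each finding maps to one of the three areas above: an unmapped target is an inventory gap, a broad or standing grant is exposure to reduce, and a missing justification is the conversation to have with the vendor.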
Ten years of hindsight after the event in Ukraine point to a simple reality: critical infrastructure security unfolds over time, shaped by technology, policy, human behavior, and operational constraints.
The Ukraine attack, while exposing the vulnerabilities of one grid at the time, also exposed assumptions that many of us shared 10 years ago. We now know those assumptions no longer apply and that our OT security programs must change.