Why cyberattacks on OT are more dangerous than data breaches
Piracy in the 21st century looks very different from the way it does in movies. Instead of weapons and boarding, attackers now try to gain access to the control panel and substitute their own commands in the system. Cyberattacks on SCADA and OT systems shift the threat from the data to the physical control plane, making it easy to hide a cyberattack under the guise of a "malfunction".
This was reported by Louis Saillans, founder of Askalon Industries and a retired officer of the French Navy, for a Novyny.LIVE column.
Why hackers are becoming more dangerous
Modern cyberattacks are increasingly less focused on stealing information. Once an attacker gains access to Supervisory Control and Data Acquisition (SCADA) or other operational technology, the objective shifts from stealing files to controlling real processes. For example, a ship's navigation, engines, pumps, or security systems could be compromised. Technical failures caused by outside interference can easily be mistaken for an ordinary fault rather than a cyberattack.
This scenario led to an investigation in France after malware was detected on a passenger ferry in the port of Sète. The remote access program allowed the attacker to control some onboard systems.
Law enforcement officers detained two crew members. One of them remains in custody for acting in the interests of a foreign state. Authorities are not ruling out external involvement, but the motives are still being established.
As Louis Saillans explains, this case is indicative of the fact that the focus of attacks has long since shifted from information systems to operational systems, where the main concern is not confidentiality, but rather continuous and safe operation.
The human factor poses an additional danger. Intervening often requires no sophisticated hacking at all.
"For decades, the defense has thought in terms of a perimeter, with 'us' inside and 'them' outside. However, in hybrid logic, the attack vector is often already on the payroll. This could be someone in the crew, the service team, a contractor, or someone with access to the bridge or control cabinet. Even the best firewall becomes meaningless the moment a 'trusted' employee introduces infected media or plugs in a 'convenient' maintenance tool," explains Louis Saillans.
As a result, attacks on critical infrastructure can linger in the gray area for a long time because it is not always possible to immediately determine whether an incident is a cyberattack or a normal failure. This uncertainty gives attackers time to act.
Therefore, it is crucial not only to protect systems, but also to swiftly identify signs of intentional interference, preserve evidence, and promptly escalate the incident from the technical to the security realm.
"The regulator needs criteria for investigation and quick response, as well as the requirement to have cyber defense. This includes segmentation of technological networks, access and role control, reliable event logging, and predefined procedures for safe shutdown and recovery. Training is a separate topic, where the legal unit and technical teams develop scenarios for both 'data leaks' and 'suspicious accidents' with evidentiary outlines," said Louis Saillans.
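The column's point that an incident must be pulled out of the "gray area" quickly, and that event logging plus evidence preservation is what makes that possible, can be illustrated with a small triage script. The following is an added example written for this page; it is not code from the column, from Louis Saillans or from Askalon Industries. The log lines, the log format (ISO timestamp, source, message), the keyword lists and the 15-minute correlation window are all constructed assumptions. It correlates OT process changes (PLC mode changes, setpoint writes) with preceding "trusted access" events (removable media, a newly installed remote-access tool, a maintenance login) and hashes the raw lines so the evidence can be handed to the security team unmodified.

```python
"""Triage helper: flag OT process anomalies that follow 'trusted access' events,
so a fault is escalated for investigation instead of being logged as a malfunction.
Added example for this article; every log line below is constructed, and the
formats, keywords and window are assumptions, not any product's real output."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed host/IT-side events: "<ISO timestamp> <source> <message>"
ACCESS_LOG = [
    "2024-05-01T08:02:10 host-bridge01 usb: removable storage mounted /dev/sdb1",
    "2024-05-01T08:03:45 host-bridge01 service: remote-access tool installed",
    "2024-05-01T08:05:02 host-bridge01 login: maintenance session opened user=contractor",
]
# Constructed OT-side events, same line format
OT_EVENT_LOG = [
    "2024-05-01T03:15:00 plc-engine1 alarm: coolant pressure low",
    "2024-05-01T08:09:30 plc-nav1 mode: changed RUN->PROGRAM",
    "2024-05-01T08:10:05 plc-nav1 write: heading setpoint 045->215",
    "2024-05-01T14:40:00 plc-pump2 alarm: flow sensor fault",
    "2024-05-01T22:30:00 plc-pump2 write: speed setpoint 60->75",
]

# Assumed indicators: what counts as a trusted-access precursor on the host side,
# and what counts as a control-plane change (rather than a plain alarm) on the OT side.
SUSPICIOUS_ACCESS = ("removable storage mounted",
                     "remote-access tool installed",
                     "maintenance session opened")
SUSPICIOUS_OT = ("mode: changed", "write:")
WINDOW = timedelta(minutes=15)  # assumed correlation window before the OT event


@dataclass
class Finding:
    ot_event: str
    precursors: list = field(default_factory=list)
    verdict: str = "routine"  # "routine", "review" or "escalate"


def parse_line(line):
    """Split '<ISO timestamp> <source> <message>' into its three parts."""
    ts, source, message = line.split(" ", 2)
    return datetime.fromisoformat(ts), source, message


def triage(ot_log, access_log, window=WINDOW):
    """Classify each OT event.

    routine  - plain alarm, no control-plane change
    review   - control-plane change with no trusted-access precursor in the window
    escalate - control-plane change preceded by trusted-access events in the window
    """
    access = [(raw, *parse_line(raw)) for raw in access_log]
    findings = []
    for raw in ot_log:
        ts, _, msg = parse_line(raw)
        if not any(key in msg for key in SUSPICIOUS_OT):
            findings.append(Finding(raw))
            continue
        precursors = [
            a_raw for a_raw, a_ts, _, a_msg in access
            if 0 <= (ts - a_ts).total_seconds() <= window.total_seconds()
            and any(key in a_msg for key in SUSPICIOUS_ACCESS)
        ]
        findings.append(Finding(raw, precursors, "escalate" if precursors else "review"))
    return findings


def evidence_digest(lines):
    """SHA-256 over the raw lines, so the preserved evidence can be shown unaltered."""
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for f in triage(OT_EVENT_LOG, ACCESS_LOG):
        print(f"{f.verdict.upper():8} {f.ot_event}  ({len(f.precursors)} precursor(s))")
    print("evidence sha256:", evidence_digest(ACCESS_LOG + OT_EVENT_LOG))
```

The two navigation PLC events at 08:09 and 08:10 are escalated because three trusted-access events landed on the bridge host a few minutes earlier; the 22:30 setpoint write is only flagged for review, and the two alarms stay routine. Segmenting the OT network and keeping host and PLC logs in one place is what makes a correlation like this possible in the first place.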