Cybersecurity Threats Target Vulnerable Global Infrastructure

Malik Haidar has spent years navigating the high-stakes world of industrial cybersecurity, where a single misstep can mean the difference between steady operations and a national blackout. As a specialist who has defended multinational corporations against some of the most sophisticated state-sponsored actors, Haidar brings a unique perspective that blends technical rigor with a deep understanding of business risk. In an era where physical infrastructure is increasingly tethered to the digital realm, his insights into the vulnerabilities of the systems that power our lives are more critical than ever. This conversation delves into the alarming persistence of unauthenticated legacy protocols, the evolving tactics of cyber proxies in geopolitical conflict zones, and the critical visibility gaps that leave the vast majority of industrial networks operating in the dark.

The following discussion explores the current state of operational technology security, moving from the technical vulnerabilities of internet-exposed controllers to the strategic challenges of identifying and mitigating state-sponsored threats. We examine why traditional perimeter defenses are no longer sufficient and how organizations can bridge the gap between IT and OT to ensure long-term resilience.

Recent scans identified numerous industrial controllers exposing the Modbus protocol on port 502 without authentication. What specific physical risks do these exposed controllers pose to national power grids, and can you provide a step-by-step technical plan for engineers to secure these legacy ports?

When you see 179 devices exposing the Modbus protocol on port 502 without a single layer of authentication, you aren’t just looking at a digital vulnerability; you are looking at an open door to physical chaos. In a power grid environment, an attacker can use this access to send “write” commands that trip circuit breakers or alter voltage regulations, potentially causing transformers to overheat or leading to a cascading blackout. We have seen these controllers tied directly to national railways and power grids, where the physical consequences of a hijacked command can lead to derailed trains or the sudden, silent failure of a city’s lights. To secure these, engineers must first perform an exhaustive scan using tools like Masscan to identify every device that shouldn’t be public-facing, then immediately pull these assets behind a robust firewall or a VPN. From there, the plan involves implementing strict access control lists, disabling port 502 on the external perimeter, and transitioning to more secure, encrypted communication protocols that require multi-factor authentication for any administrative change.
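To make the "write command" risk concrete, here is an added example (my code, not the interviewee's) of the kind of protocol-aware check an ICS monitor would run on port 502 traffic: it decodes the Modbus/TCP MBAP header and function code and flags any request that changes controller state (coils or registers). The frames below are constructed by hand for illustration, and the register and coil addresses carry no meaning beyond the example.

```python
"""Decode Modbus/TCP request frames and flag state-changing (write) commands.

Added example, not code from the interview. Modbus/TCP has no
authentication field at all: whoever can reach TCP/502 can send these.
"""
import struct
from dataclasses import dataclass

# Function codes that change process state on the controller.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int      # 16-bit start address that follows the function code
    payload: bytes    # remaining function-specific data

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header, then the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) |
    unit id (1). The length field counts the unit id plus the PDU.
    Malformed frames raise ValueError so a monitor can alert on them
    instead of silently passing junk through.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame ({len(frame) - 6})")
    function = frame[7]
    data = frame[8:]
    # Standard read and write requests all begin with a 16-bit start address.
    address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else 0
    return ModbusRequest(tid, unit, function, address, data[2:])


def classify(frame: bytes) -> str:
    """Return 'WRITE', 'READ' or 'OTHER' for a raw request frame."""
    req = parse_modbus_tcp(frame)
    if req.is_write:
        return "WRITE"
    if req.function in READ_FUNCTIONS:
        return "READ"
    return "OTHER"


def build_request(tid: int, unit: int, function: int, address: int,
                  payload: bytes = b"") -> bytes:
    """Build a well-formed request frame (used here only to construct samples)."""
    pdu = bytes([function]) + struct.pack(">H", address) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic, not captured from any real network.
# FC 3: read 10 holding registers from address 0 (harmless polling).
READ_HOLDING = build_request(1, 1, 3, 0x0000, struct.pack(">H", 10))
# FC 5: force coil 0x0010 ON (0xFF00), e.g. an output wired to a breaker.
WRITE_COIL = build_request(2, 1, 5, 0x0010, b"\xff\x00")
# FC 16: write 2 holding registers from 0x0100 (quantity 2, 4 data bytes).
WRITE_REGS = build_request(3, 1, 16, 0x0100, b"\x00\x02\x04\x12\x34\x56\x78")

if __name__ == "__main__":
    for name, frame in [("poll", READ_HOLDING), ("coil", WRITE_COIL), ("regs", WRITE_REGS)]:
        req = parse_modbus_tcp(frame)
        print(f"{name}: fc={req.function} addr=0x{req.address:04x} -> {classify(frame)}")
```

In a real deployment the same classification would run on a span port or tap inside the control zone, and a WRITE from any source that is not the known SCADA master would be the alert; the parser deliberately rejects frames with a bad protocol id or length so that fuzzed or truncated traffic is surfaced rather than ignored.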

State-sponsored actors are increasingly bypassing traditional IT entry points to directly target programmable logic controllers in water and energy sectors. How does this shift change the threat landscape for critical infrastructure, and how should operators differentiate between state-led operations and opportunistic proxy groups?

The shift toward direct targeting of programmable logic controllers represents a move from mere espionage to “pre-operational intent,” where the goal is to establish a foothold for future physical impact. When groups linked to Iran or Russia-aligned actors target Polish wind farms or American water treatment plants, they are bypassing the messy IT layer to grab the levers of the physical world directly. For an operator, the air in the control room gets heavy when you realize an intruder isn’t looking for credit card numbers, but is instead mapping out the logic of your solar energy distribution. Differentiating between a state actor and a proxy is becoming nearly impossible because the lines are so blurred; proxies often treat political ceasefires as mere technicalities, continuing their “cyber jihad” against private firms even when kinetic fighting stops. Operators should focus less on the “who” and more on the “how,” treating any direct interaction with a PLC as a high-severity state-level threat that requires immediate isolation and forensic analysis.

With fewer than 10% of global industrial networks having adequate monitoring, many incidents start as unexplained operational issues rather than detected anomalies. How can organizations close this visibility gap, and what specific metrics should they use to measure the effectiveness of their internal segmentation?

It is a sobering reality that 90% of industrial networks are essentially operating in a blackout, with 30% of actual security incidents being initially dismissed as “unexplained operational issues” or mechanical glitches. To close this gap, organizations must move beyond the perimeter and deploy ICS-aware monitoring that can actually decode industrial protocols and flag suspicious commands in real-time. We found that 46% of architecture reviews failed specifically because of this lack of visibility, meaning engineers are flying blind while an adversary might be slowly turning a valve or changing a setpoint. Organizations should measure their segmentation effectiveness by tracking “lateral movement attempts”—basically, how many times a signal from a low-security zone is successfully blocked from reaching a high-criticality zone. Another vital metric is the time it takes to identify a non-authorized device on the network, aiming for minutes rather than the weeks or months it currently takes in most unmonitored environments.
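The two metrics named above (blocked cross-zone attempts and time to spot an unauthorized device) can be computed directly from zone-aware firewall or flow logs. The following is an added example, my code rather than anything from the interview: the zone model, the allowed-conduit list, the asset allowlist and the log lines are all assumed and constructed for illustration, so the parser would need adapting to a real firewall's export format.

```python
"""Segmentation metrics from OT firewall / flow logs.

Added example, not from the interview. Zone names, conduit list, asset
allowlist and the log line syntax below are all assumed.
"""
from datetime import datetime

# Assumed zone model, Purdue-like: higher number = higher criticality.
ZONE_LEVEL = {"enterprise": 0, "dmz": 1, "supervisory": 2, "control": 3}

# Assumed permitted upward conduits: (src_zone, dst_zone, dst_port).
# Anything else crossing upward is a lateral-movement attempt.
ALLOWED_CONDUITS = {("supervisory", "control", 502)}

# Assumed asset inventory for the control zone.
KNOWN_CONTROL_ASSETS = {"10.10.3.5", "10.10.3.6", "10.10.3.7"}

# Constructed log lines (syntax assumed):
# timestamp src_zone src_ip dst_zone dst_ip dst_port action
SAMPLE_LOG = """\
2024-05-01T08:00:01 enterprise 10.1.0.25 control 10.10.3.5 502 DENY
2024-05-01T08:00:05 supervisory 10.10.2.10 control 10.10.3.5 502 ALLOW
2024-05-01T08:01:12 enterprise 10.1.0.25 control 10.10.3.6 502 DENY
2024-05-01T08:03:40 dmz 10.10.1.4 control 10.10.3.7 44818 ALLOW
2024-05-01T08:05:00 control 10.10.3.9 supervisory 10.10.2.10 502 ALLOW
2024-05-01T08:09:30 enterprise 10.1.0.77 supervisory 10.10.2.10 3389 DENY
2024-05-01T08:30:00 control 10.10.3.9 control 10.10.3.5 502 ALLOW
"""


def parse_log(text: str) -> list[dict]:
    """Parse the assumed whitespace-separated log format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, szone, sip, dzone, dip, dport, action = line.split()
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "src_zone": szone, "src_ip": sip,
            "dst_zone": dzone, "dst_ip": dip,
            "dport": int(dport), "action": action,
        })
    return rows


def _is_lateral_attempt(r: dict) -> bool:
    """Upward flow (lower to higher criticality) not on an approved conduit."""
    upward = ZONE_LEVEL[r["src_zone"]] < ZONE_LEVEL[r["dst_zone"]]
    return upward and (r["src_zone"], r["dst_zone"], r["dport"]) not in ALLOWED_CONDUITS


def lateral_movement_stats(rows: list[dict]) -> tuple[int, int, float]:
    """Return (attempts, blocked, block_rate) for non-conduit upward flows.

    The rate to trend is block_rate; it should sit at 1.0. Any value below
    that means traffic crossed into a higher zone on a path nobody approved.
    """
    attempts = [r for r in rows if _is_lateral_attempt(r)]
    blocked = [r for r in attempts if r["action"] == "DENY"]
    rate = len(blocked) / len(attempts) if attempts else 1.0
    return len(attempts), len(blocked), rate


def segmentation_holes(rows: list[dict]) -> list[tuple[str, str, int]]:
    """Distinct (src_zone, dst_zone, port) paths that crossed upward and were allowed."""
    return sorted({(r["src_zone"], r["dst_zone"], r["dport"])
                   for r in rows if _is_lateral_attempt(r) and r["action"] == "ALLOW"})


def unknown_control_devices(rows: list[dict]) -> dict[str, datetime]:
    """First timestamp each non-inventoried IP is seen inside the control zone."""
    first_seen: dict[str, datetime] = {}
    for r in rows:
        for zone_key, ip_key in (("src_zone", "src_ip"), ("dst_zone", "dst_ip")):
            if r[zone_key] == "control" and r[ip_key] not in KNOWN_CONTROL_ASSETS:
                first_seen.setdefault(r[ip_key], r["ts"])
    return first_seen


def minutes_to_detect(first_seen: datetime, alerted_at: datetime) -> float:
    """Time-to-detect metric: minutes between first appearance and the alert."""
    return (alerted_at - first_seen).total_seconds() / 60


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("lateral attempts / blocked / rate:", lateral_movement_stats(rows))
    print("holes to review:", segmentation_holes(rows))
    for ip, ts in unknown_control_devices(rows).items():
        # Constructed alert time, standing in for the ticket or SIEM alert timestamp.
        alert = datetime.fromisoformat("2024-05-01T08:45:00")
        print(f"unknown device {ip} first seen {ts}, detected after "
              f"{minutes_to_detect(ts, alert):.0f} min")
```

On the constructed sample the block rate comes out below 1.0 because a DMZ host reached a controller on 44818 (the EtherNet/IP port) over a path that is not an approved conduit; that allowed flow, not the three denies, is the finding. The unknown device 10.10.3.9 is first seen at 08:05 and, with the constructed alert at 08:45, yields a 40-minute detection time, the number the interviewee suggests driving down toward minutes.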

External scans often fail to capture operational technology assets hidden behind cellular connections or NAT devices. What unique vulnerabilities do these “invisible” edge devices introduce, and how can a facility build a monitoring strategy that captures internal telemetry without relying solely on perimeter defenses?

The “invisible” edge is perhaps the most dangerous frontier in OT because devices behind cellular connections or NAT devices often bypass the main corporate firewall entirely, creating a “shadow OT” landscape. These devices are frequently left with default credentials and outdated firmware, sitting like ticking time bombs in remote pumping stations or wind turbines where no one is looking. Because external scans can’t see them, an attacker who finds their way into a cellular gateway can operate with total impunity, far away from the prying eyes of central security teams. A modern monitoring strategy must involve placing sensors directly at the local level of these edge sites to capture internal telemetry and send it back to a central hub via an encrypted tunnel. You cannot rely on the perimeter when there effectively isn’t one; you need to treat every remote node as its own mini-network that requires its own set of detection and response capabilities.

Cyber proxies often ignore political ceasefires, maintaining pressure on private-sector infrastructure even when kinetic conflicts subside. What long-term strategies should industrial firms implement to stay resilient during these periods of persistent targeting, and what anecdotes can you share regarding the impact of these blurred actor lines?

Industrial firms need to accept that they are now permanent participants in a theater of “perpetual grey-zone conflict,” where the traditional rules of war and peace do not apply. I’ve seen cases where, during a lull in physical hostilities, cyber proxies actually ramped up their scans and “knock-on-door” attempts against energy firms just to maintain political leverage. The most resilient firms are those that stop linking their security posture to the morning headlines and instead maintain a “cold-war” level of vigilance year-round. This means conducting regular tabletop exercises—which currently have an 88% failure rate regarding visibility—to ensure that even the most junior operator knows how to react when a PLC starts behaving strangely. Resilience isn’t just about better firewalls; it’s about creating a culture where a technician feels the hair stand up on their neck when a screen flickers, and they have the authority to pull the plug before a minor anomaly becomes a national headline.

What is your forecast for operational technology security?

I foresee a significant collision between aging, legacy infrastructure and the rapid democratization of high-level hacking tools, which will force a radical shift in how we build industrial systems. Within the next few years, the “air gap” myth will finally be retired for good as the industry moves toward a “Zero Trust” model for OT, where even a sensor inside the most secure zone must constantly prove its identity. We are going to see a surge in the use of AI-driven security platforms to manage the massive influx of telemetry from previously “dark” networks, finally pushing that 10% visibility metric much higher. However, the threat from proxies will likely intensify as they become more adept at hiding behind legitimate traffic, making the detection of “pre-operational intent” the single most important skill for the next generation of cybersecurity professionals. Ultimately, the winners will be the organizations that stop treating OT security as a technical checkbox and start treating it as a core component of their physical safety and survival.
