With Critical Infrastructure in the Crosshairs, Government Focus Turns to OT Security

From potential Iran-affiliated cyber campaigns targeting American defense bases, to a Russian military hacking unit disrupting the Polish power grid, critical infrastructure is at the center of cyber warfare.
While these incidents reflect broader geopolitical tensions and evolving hostilities, they also reveal something more consequential: a national security blind spot. As these sectors digitize and interconnect, their expanding attack surface is outpacing the defenses designed to protect them.
From energy and agriculture to transportation and communications, critical infrastructure relies on a complex framework of systems, devices and networks called operational technology (OT). Because OT carries unique vulnerabilities, when deployed in critical infrastructure these systems can become fulcrums for disrupting entire economies and populations.
Recent guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) demonstrates that government leaders are on notice about this new reality, validating what we see every day at Bastazo: in today’s climate, critical infrastructure organizations cannot afford to leave their operational technology vulnerable to malicious actors.
Operational Technology: A Salient Target
Why does OT carry particular cyber risks, particularly in critical infrastructure settings?
OT systems are extremely complex and contain low-visibility assets, making it difficult to isolate and remediate threats. Moreover, since OT monitors and manages very precise, high-stakes physical processes, these systems are generally less tolerant of downtime, which limits the ability to make necessary fortifications.
Beyond this, advancements like artificial intelligence, automation and remote monitoring are making OT more interconnected than ever. Once isolated from the internet, operational technologies now serve as key connective tissue between critical infrastructure and an entire network of cyber actors, some with distinctly malicious intent.
Compounding this, since OT generally has a longer lifespan than modern IT systems, much of this smart technology runs on outdated software or hardware that is harder to patch, update, and fortify.
As OT becomes increasingly interconnected and exposed, the consequences of compromise extend far beyond networks, with real-world impacts on public safety, economic stability, and national resilience.
CISA On Notice
A newly released CISA directive takes aim at a critical axis of OT vulnerability: end-of-support edge devices.
For many OT operators, the most significant cyber vulnerabilities lie with devices that reside on network boundaries, like firewalls, routers, VPNs and load balancers. Since these ‘edge’ devices are accessible by both internal actors and the wider connected environment, they are especially vulnerable to exploitation.
When a device’s manufacturer no longer monitors its software or firmware and no longer pushes patches and updates, the device is considered “End of Support” (EOS). When edge devices reach EOS status, their defenses against malicious cyber activity erode further. As a result, they widen the attack surface available for cyber malfeasance, acting as a key entry point for accessing and disrupting internal OT.
CISA’s Binding Operational Directive (BOD) 26-02 tasks federal agencies, major purveyors of critical infrastructure in their own right, with decommissioning all end-of-support edge devices on a phased basis within eighteen months.
Bastazo: Bridging Policy and Practice
Policy developments on OT align with what we see in real environments day-to-day at Bastazo across a number of themes.
1. OT threats are fast-moving, and response time is key. As the tight timeline for agencies to enact BOD 26-02 suggests, each minute that vulnerable devices are left in commission provides a new opening for malicious actors to access critical infrastructure and sensitive data.
The importance of quick remediation motivates our work at Bastazo. Particularly in high-stakes critical infrastructure settings, manually checking for vulnerabilities across hundreds of interconnected systems costs valuable time and resources, and doesn’t always surface the highest-priority cases. In contrast, our platform uses automated vulnerability prioritization based on Stakeholder-Specific Vulnerability Categorization (SSVC) decision trees, a framework validated by CISA guidance. This allows users to discover the vulnerabilities with the greatest potential for impact, enabling more agile response capabilities.
2. In critical contexts, threat discovery and remediation must be as unobtrusive as possible. A recommendation from CISA’s recent secure OT communication guidance is a call to deploy vendor solutions that “simplify secure workflows.” Bastazo’s intelligent, automated platform does just that, providing teams with prioritized threat assessments and clear, actionable remediation plans. This proactive, tailored defense does the hard work to keep your OT systems secure, freeing up your team to focus on strategic initiatives.
3. Network asset mapping and organizational context matter. As CISA’s guidance on end-of-support edge devices makes clear, auditing your network for undocumented or less visible assets is critical to closing security gaps. A comprehensive asset inventory enables organizations to move from reactive to proactive defense by helping anticipate potential entry points into your systems.
Bastazo’s platform supports CSV, JSON, XLS, or XML format asset imports to establish baselines for your organization and map your systems. This is paired with high-level data about your organization’s operating industry and region, which helps our machine learning program devise insights tailored to your needs.
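To make the prioritization idea in point 1 and the asset-inventory idea in point 3 concrete, here is an added example (not Bastazo’s code and not CISA’s official decision table) that walks a simplified SSVC-style decision tree over a constructed asset inventory CSV and raises the urgency of end-of-support edge devices, which can only be isolated or replaced rather than patched. The decision-point names (Exploitation, Automatable, Technical Impact, Mission and Well-being) and outcomes (Track, Track*, Attend, Act) follow the public SSVC framework; the branching rules, the EOS escalation rule, and every asset value are assumptions made for this illustration.

```python
import csv
from io import StringIO

# Decision-point names follow the public SSVC framework; the tree below is a
# constructed, simplified policy for illustration, not CISA's official table.
OUTCOMES = ("Track", "Track*", "Attend", "Act")  # least to most urgent
EDGE_ROLES = {"firewall", "router", "vpn", "load_balancer"}  # per the CISA focus

def ssvc_decision(exploitation, automatable, technical_impact, mission_wellbeing):
    """Walk the illustrative decision tree and return an SSVC outcome."""
    if exploitation == "active":
        if mission_wellbeing == "high" or technical_impact == "total":
            return "Act"
        return "Attend"
    if exploitation == "poc":
        if automatable == "yes" and mission_wellbeing != "low":
            return "Attend"
        if technical_impact == "total" or mission_wellbeing == "high":
            return "Track*"
        return "Track"
    # No known exploitation yet.
    if automatable == "yes" and technical_impact == "total" and mission_wellbeing == "high":
        return "Attend"
    return "Track*" if mission_wellbeing == "high" else "Track"

def escalate_for_eos_edge(outcome, role, end_of_support):
    """Constructed rule: an unpatchable (EOS) edge device is raised one step,
    since its only remediation is isolation or replacement."""
    if end_of_support and role in EDGE_ROLES:
        return OUTCOMES[min(OUTCOMES.index(outcome) + 1, len(OUTCOMES) - 1)]
    return outcome

def prioritize(inventory_csv):
    """Parse an asset-inventory CSV; return (asset, outcome) ordered by urgency."""
    results = []
    for r in csv.DictReader(StringIO(inventory_csv)):
        base = ssvc_decision(r["exploitation"], r["automatable"],
                             r["technical_impact"], r["mission_wellbeing"])
        eos = r["end_of_support"] == "yes"
        results.append((r["asset"], escalate_for_eos_edge(base, r["role"], eos)))
    return sorted(results, key=lambda t: -OUTCOMES.index(t[1]))

# Constructed sample inventory: fictional assets and decision-point values.
SAMPLE_INVENTORY = """asset,role,end_of_support,exploitation,automatable,technical_impact,mission_wellbeing
fw-substation-01,firewall,yes,poc,no,partial,medium
plc-line-3,plc,no,none,no,partial,high
vpn-remote-ops,vpn,yes,active,yes,total,high
historian-02,historian,no,none,yes,total,medium
"""
```

Running `prioritize(SAMPLE_INVENTORY)` puts the actively exploited EOS VPN appliance first, and the EOS firewall moves from Track to Track* on the escalation rule alone.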
4. OT cybersecurity is about more than checking a compliance box. Faced with a complex regulatory environment and a myriad of cyber threats, many organizations tend to work backwards with a compliance checklist. Many cybersecurity solutions enable this mindset, making quick and surface-level patches that enable teams to check a compliance box without generating any real operational upsides, leaving their blind spots vulnerable.
As CISA has demonstrated, defending OT systems in critical infrastructure contexts is far more complicated, and the stakes for cyber failure are much higher than noncompliance. That’s why Bastazo does things differently, generating summaries for each cyber asset and contextual step-by-step guidance for remediating critical vulnerabilities. Compliance evidence is easily exportable, giving teams their time back to focus on keeping critical processes running smoothly.