Not long ago, the defining OT cybersecurity challenge was espionage. Nation-state actors would quietly penetrate your networks, extract your design documents, and disappear.

Annoying? Certainly. But those intrusions were manageable. Today's challenges could hardly be more different, or more frightening.

Nation-state adversaries have shifted from observation to disruption. No longer content to spy on your pipelines, power grids, and wastewater treatment facilities, they are positioning themselves inside them.

Their aim is clear: to be able to switch off, or worse, manipulate your infrastructure whenever geopolitics demands it.

If you lead a cybersecurity strategy for a US critical infrastructure organization and you haven’t restructured your OT threat model around this reality, you are behind the curve.

The Pivot That Changed Everything

For the better part of two decades, the ICS/OT threat landscape was defined by a handful of landmark incidents.

Stuxnet in 2010. BlackEnergy in 2015. Industroyer in 2016.

These were surgical, state-level operations designed to demonstrate capability or cause targeted damage. They were also, crucially, exceptions.

That exception has become the rule.

The IBM X-Force 2025 Threat Intelligence Index found that nearly 70% of the attacks X-Force responded to in 2024 involved critical infrastructure organizations. That single number should stop every CISO in their tracks. This is no longer a niche problem; critical infrastructure is the dominant target of our era.

Cyberattacks threatening infrastructure increased 30% in a single year, according to KnowBe4's research, and the number of sites suffering physical impairment of operations from cyberattacks rose 146% in 2024, from 412 sites in 2023 to 1,015. 1

Read that again: sites with actual physical operational impact more than doubled in twelve months. That is not threat escalation. It is threat transformation.

Volt Typhoon: The Blueprint for Pre-Positioned Destruction

No threat actor better illustrates this transformation than Volt Typhoon. In February 2024, a joint advisory from CISA, NSA, FBI, and international partners made one of the starkest assessments in the history of US cybersecurity policy.

The advisory confirmed that Volt Typhoon had been actively infiltrating the networks of US critical infrastructure organizations, a strategic move assessed as preparation to potentially disrupt or destroy critical services in the event of escalating geopolitical tensions or military conflict involving the United States and its allies.

US agencies confirmed that Volt Typhoon had compromised IT environments across multiple critical infrastructure sectors, primarily Communications, Energy, Transportation Systems, and Water and Wastewater, in the continental and non-continental United States, including Guam. They assessed with high confidence that the actors were pre-positioning on IT networks to enable lateral movement to OT assets and disrupt functions.

Volt Typhoon conducted extensive pre-exploitation reconnaissance of each target organization and its environment, tailored its tactics to the victim's specific infrastructure, and kept dedicating resources to maintaining persistence and learning the environment long after initial compromise. 2

CISA Director Jen Easterly told Congress in January 2024: “This threat is not theoretical. CISA teams have found and eradicated Chinese intrusions into critical infrastructure across multiple sectors. And what we’ve found to date is likely the tip of the iceberg.” 3

FrostyGoop: When Pre-Positioning Becomes Active Disruption

If Volt Typhoon represents the preparation phase, FrostyGoop represents the execution phase, and it is a preview of what weaponized OT access looks like in practice.

In January 2024, novel malware dubbed FrostyGoop was used to disrupt heating services in approximately 600 apartment buildings in Lviv, Ukraine, during sub-zero temperatures, a dangerous and deliberate attack on civilian infrastructure. 4

Dragos described FrostyGoop as the first malware to use Modbus TCP communications directly to sabotage OT networks. Modbus is embedded in legacy and modern industrial systems across virtually every sector, so the technique is not specific to one victim.

Dragos’s investigation revealed over 46,000 internet-exposed ICS devices communicating over Modbus worldwide, underscoring the scale of potential exposure.

What makes FrostyGoop doctrinally relevant is its timeline. Investigators found that the attackers had gained access to the energy company's network as far back as April 2023, nine months before the disruption, by exploiting an undetermined vulnerability in an externally facing MikroTik router.

The attackers then used those nine months to establish persistence and harvest credentials, and executed the disruptive payload only when the timing was operationally appropriate. 5

Reconnaissance. Persistence. Patience. Then disruption.

Researchers found that Sandworm, in particular, has coordinated the timing of cyberattacks with conventional military activity such as kinetic strikes or other forms of sabotage, a convergence of cyber and physical warfare that fundamentally changes what “impact” means in an OT security context. 6

The IT/OT Convergence Problem Is Now a National Security Problem

One of the most consequential structural vulnerabilities enabling this shift is the accelerating convergence of IT and OT environments, a trend driven by operational efficiency that has quietly become a strategic liability.

The Fortinet 2025 State of Operational Technology and Cybersecurity Report found that attackers favor the seam where IT and OT overlap, because it allows lateral movement between systems that were once separate. There, a single breach can have far-reaching consequences for finances, productivity, trust, regulatory standing, and more.

The threat surface is also expanding well beyond the energy sector. Recent incidents include the Jaguar Land Rover manufacturing disruption in March 2025 that disabled operations and caused major production outages, US water and wastewater infrastructure exploitation in September 2024, and electrical substation attacks in California and North Carolina in 2023. 7

Iran-affiliated and pro-Russia cyber actors gained access to and in some cases manipulated critical US industrial control systems across the food and agriculture, healthcare, and water and wastewater sectors in late 2023 and 2024. The breadth of targeting here is the message: there is no sector that sits outside the threat perimeter.

The Organizational Response Gap

Against this backdrop, the industry’s progress, while real, remains insufficient.

In 2025, 52% of organizations placed OT security under the CISO, up from just 16% in 2022, a structural improvement, but one that means nearly half of critical infrastructure operators still lack unified cybersecurity governance over their most sensitive operational environments. 8

Half of all organizations reported one or more cybersecurity incidents in the past year, a slight increase from 2024, with OT visibility still a persistent challenge, as many organizations struggle to see their assets, leaving blind spots that attackers readily exploit.

Malware intrusions still affected roughly a third of OT environments, down from 46% in 2024. 8

The core issue is that most organizations are still building defenses around a threat model calibrated for opportunistic attackers or financially motivated ransomware groups. Nation-state actors operating on five-year strategic timelines with military objectives require a fundamentally different intelligence posture, one built around continuous adversary tracking.

What This Means for Your Security Posture

The implications for US critical infrastructure operators are direct. Passive monitoring is not enough when adversaries are already inside, dormant, and waiting. Threat intelligence in the OT context now needs to be operationalized: not just consumed as a report, but embedded into detection logic, network architecture decisions, and incident response playbooks.

Behavioral detection is paramount, because against living-off-the-land (LOTL) attackers who use legitimate tools and credentials, what you are looking for is unexpected change, not malware signatures. IT/OT network segmentation, zero-trust access models, and OT-specific threat hunting capabilities are no longer aspirational; they are the baseline.
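One concrete way to start on the segmentation point is to evaluate the IT-to-OT firewall policy offline rather than trusting the network diagram. The Python below is an added example, not code from the article or from any vendor. The rule set, subnet names, OT hosts and port list are constructed assumptions, written in a simplified first-match allow/deny format; a real audit would export the rules from the firewall and run the same check, splitting any IT subnet the evaluator reports as "ambiguous".

```python
"""Offline IT-to-OT reachability check against a firewall policy.

Added example, not code from the article.  The policy, subnet names and OT
hosts are constructed assumptions; the rule format (first match wins, implicit
deny at the end) is a simplification of what most firewalls export.
"""
import ipaddress
from dataclasses import dataclass

# OT and remote-access ports worth checking from every IT subnet (assumed list).
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 3389: "RDP"}

# Constructed IT subnets and OT assets (assumed addressing).
IT_SUBNETS = {
    "corp-users": ipaddress.ip_network("10.20.0.0/16"),
    "server-farm": ipaddress.ip_network("10.30.0.0/16"),
}
OT_HOSTS = {
    "PLC-1": ipaddress.ip_address("10.200.1.10"),
    "RTU-7": ipaddress.ip_address("10.200.1.20"),
}

# Constructed policy: action, source, destination, ports ('any' = all).
POLICY = """
allow 10.20.0.0/16 10.200.1.10/32 502          # engineering to PLC-1, intended
deny  10.20.0.0/16 10.200.1.0/24  any          # nothing else from corp users
allow 10.0.0.0/8   10.200.1.0/24  3389,20000   # "temporary" rule from a migration
deny  any          any            any          # explicit default deny
"""


@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset  # empty set means any port


def _net(token: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)


def parse_policy(text: str) -> list:
    """Parse the four-column rule format, dropping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, ports = line.split()
        port_set = frozenset() if ports == "any" else frozenset(int(p) for p in ports.split(","))
        rules.append(Rule(action.lower(), _net(src), _net(dst), port_set))
    return rules


def evaluate(rules: list, it_net: ipaddress.IPv4Network,
             ot_host: ipaddress.IPv4Address, port: int) -> str:
    """First-match evaluation for one (IT subnet, OT host, port) triple.

    Returns 'allow', 'deny', or 'ambiguous' when a rule covers only part of the
    IT subnet, in which case the caller should split the subnet and re-run.
    """
    for rule in rules:
        if rule.ports and port not in rule.ports:
            continue
        if ot_host not in rule.dst:
            continue
        if it_net.subnet_of(rule.src):
            return rule.action
        if it_net.overlaps(rule.src):
            return "ambiguous"
    return "deny"  # implicit default deny


def reachable_paths(policy_text: str = POLICY) -> list:
    """Every IT subnet -> OT host -> port path the policy does not block."""
    rules = parse_policy(policy_text)
    findings = []
    for it_name, it_net in IT_SUBNETS.items():
        for ot_name, ot_host in OT_HOSTS.items():
            for port in sorted(OT_PORTS):
                verdict = evaluate(rules, it_net, ot_host, port)
                if verdict != "deny":
                    findings.append((it_name, ot_name, port, OT_PORTS[port], verdict))
    return findings


if __name__ == "__main__":
    for it_name, ot_name, port, proto, verdict in reachable_paths():
        print(f"{verdict:9} {it_name:12} -> {ot_name} tcp/{port} ({proto})")
```

In this constructed policy the intended path (corp-users to PLC-1 on Modbus) is the only one the engineers would recognize; the leftover 10.0.0.0/8 rule quietly gives every server-farm host RDP and DNP3 access to both OT assets, which is exactly the kind of IT-to-OT path a pre-positioned actor looks for.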

Most critically, OT security leadership needs to frame this to the board not as a technical risk but as a business continuity and national security risk with a defined adversarial timeline.

The threat has changed. The question is whether your defenses have changed with it.

Frequently Asked Questions


  1. How is pre-positioned OT access different from a standard intrusion?

Standard intrusions have an immediate objective: data, ransom, resale. Pre-positioned access has no immediate objective; the access itself is the asset, held in reserve against a future geopolitical trigger.

  2. Why do living-off-the-land techniques hit OT environments harder than IT?

In enterprise IT, LOTL activity is increasingly detectable through EDR tooling and user behavior analytics. OT environments typically have neither. Industrial systems run on operational continuity principles that make endpoint agents and aggressive patching genuinely disruptive, and often vendor-unsupported.

  3. What does the Modbus exposure problem mean practically for operators?

Modbus was designed in 1979 for closed serial networks. It has no authentication, no encryption, and no way to distinguish a legitimate command from an adversarial one; a write request is just a function code, a register address and a value. (The Modbus Organization published a TLS-based Modbus/TCP Security specification in 2018, but it is rarely deployed on fielded devices.) With over 46,000 Modbus-speaking devices exposed to the internet, an attacker does not even need network adjacency: anyone who can reach TCP port 502 can issue commands directly to the controller.

  4. How should boards recalibrate OT risk given this threat evolution?

Stop categorizing it as a cybersecurity problem. OT threats at this level are a business continuity, supply chain, and in several sectors a public safety issue, with geopolitical dependencies your current risk models do not capture.

  5. What should a US critical infrastructure operator prioritize in the next 90 days?

First, establish which OT systems are reachable from IT environments; most organizations do not actually know. Second, deploy behavioral monitoring on OT network traffic (Modbus, DNP3, remote access protocols) to build a baseline that makes anomalous activity visible. Third, engage threat intelligence that specifically tracks OT-capable nation-state groups, with geopolitical context attached.
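The Modbus point made in the FrostyGoop section, in FAQ 3 and in the second step above comes down to what a Modbus/TCP frame does and does not contain. The Python below is an added example, not code from the article or from Dragos: it parses the 7-byte MBAP header and the function code, classifies each request as a read or a write, and compares writes against a baseline of which source hosts are allowed to write to which unit ID. The frames, IP addresses, unit IDs and baseline are constructed for illustration; a real deployment would feed frames from a SPAN port or tap and learn the baseline over a quiet period.

```python
"""Modbus/TCP write detection against a learned source/unit baseline.

Added example, not code from the article or from Dragos.  Frames, addresses
and the baseline are constructed; a real deployment would feed frames from a
SPAN port or tap and learn the baseline over a quiet period.
"""
import struct
from dataclasses import dataclass

# Function codes that change controller state.  Everything else is read-only
# or diagnostic; the point of a baseline is to know who is allowed to write.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_request(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header, then the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts the unit id and the PDU.  Note what is absent:
    no authentication, no integrity check, nothing that ties the frame to a
    legitimate operator.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(payload)}")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Encode a request ADU.  Used here only to construct sample traffic."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed baseline: (source IP, unit id) pairs seen writing during learning.
BASELINE = {("10.10.1.5", 1)}   # the HMI writes setpoints to PLC unit 1

# Constructed traffic as (source IP, ADU bytes).
SAMPLE_FRAMES = [
    ("10.10.1.5", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),     # HMI polls 10 holding registers
    ("10.10.1.5", build_request(2, 1, 6, struct.pack(">HH", 0x10, 55))),  # HMI writes setpoint register 0x10
    ("203.0.113.7", build_request(3, 1, 6, struct.pack(">HH", 0x10, 0))), # unknown host zeroes the same register
    ("10.10.1.5", build_request(4, 2, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x00")),  # HMI writes unit 2, never seen before
    ("10.10.1.5", b"\x00\x05\x00\x00\x00\x09\x01\x06"),                    # truncated frame: length field says 9, only 2 bytes follow
]


def detect_anomalies(frames, baseline):
    """Return alerts for writes from (source, unit) pairs outside the baseline."""
    alerts = []
    for src, payload in frames:
        try:
            req = parse_request(payload)
        except ValueError as exc:
            alerts.append((src, None, f"malformed frame: {exc}"))
            continue
        if req.function in WRITE_FUNCTIONS and (src, req.unit_id) not in baseline:
            alerts.append((src, req.unit_id,
                           f"unexpected {WRITE_FUNCTIONS[req.function]} (fc {req.function})"))
    return alerts


def run_example():
    return detect_anomalies(SAMPLE_FRAMES, BASELINE)


if __name__ == "__main__":
    for src, unit, reason in run_example():
        print(f"ALERT src={src} unit={unit}: {reason}")
```

Three alerts come out of the constructed capture: a write from an address the baseline has never seen, a write from a trusted host to a unit it has never written before, and a malformed frame. The controller itself would have accepted the first two without complaint, because nothing in the frame lets it tell the HMI from the intruder; the baseline is what supplies that distinction.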

References

  1. Cybersecurity and Infrastructure Security Agency (CISA) (2024) PRC state-sponsored actors compromise and maintain persistent access to U.S. critical infrastructure, Advisory AA24-038A. Available at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a (Accessed: 28 May 2026).
  2. California Department of Financial Protection and Innovation (DFPI) (2024) ‘Volt Typhoon’ cybersecurity threat warning for financial institutions. Available at: https://dfpi.ca.gov/regulated-industries/important-notices/volt-typhoon-cybersecurity-threat-warning-for-financial-institutions/ (Accessed: 28 May 2026).
  3. KnowBe4 (2024) KnowBe4 report reveals critical infrastructure under siege with cyber attacks increasing 30 percent in one year [Press release]. Available at: https://www.knowbe4.com/press/knowbe4-report-reveals-critical-infrastructure-under-siege-with-cyber-attacks-increasing-30-percent-in-one-year (Accessed: 28 May 2026).
  4. Lakshmanan, R. (2024) ‘Novel ICS malware sabotaged water-heating services in Ukraine’, Dark Reading, 23 July. Available at: https://www.darkreading.com/ics-ot-security/novel-ics-malware-sabotaged-water-heating-services-in-ukraine (Accessed: 28 May 2026).
  5. McMillan, R. (2024) ‘FrostyGoop malware used to shut down heat in Ukraine attack’, The Register, 23 July. Available at: https://www.theregister.com/2024/07/23/frostygoop_ics_malware/ (Accessed: 28 May 2026).
  6. Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) (2024) FrostyGoop leverages Modbus TCP to exploit sensitive OT systems. Available at: https://rhisac.org/threat-intelligence/frostygoop/ (Accessed: 28 May 2026).
  7. PwC (2025) Geopolitical shifts amplify OT security risks. Available at: https://www.pwc.com/gx/en/issues/cybersecurity/geopolitical-shifts-amplify-ot-risks.html (Accessed: 28 May 2026).
  8. Fortinet (2025) 2025 state of operational technology and cybersecurity report. Available at: https://www.fortinet.com/resources/reports/state-ot-cybersecurity (Accessed: 28 May 2026).
