Skip to content
BriefingsRSS · DSI
The Inverted Field
Critical InfrastructureMay 20, 202617 min read

The Inverted Field

Air gaps. No budget. Asset inventory first. One template across sectors. Information as the crown jewel. The five widely held OT security misconceptions share a common origin in the unconscious inheritance of IT security defaults by environments where the threat model is structurally inverted. In IT, information is the asset. In OT, information is the threat vector — and the operational integrity of the physical process is the crown jewel. The FrostyGoop incident of January 2024 took the heating off six hundred apartment buildings in Lviv during subzero wartime conditions because the OT environment was defended on IT defaults that the documented incident record had already invalidated. This piece walks the five misconceptions, names the inversion, and proposes the threat-driven architecture that NIS2 supervisory authorities have started to indicate produces the better enforcement outcomes — and the better operational ones.

~28 min

This briefing engages five widely held misconceptions about operational technology security — air gaps, the “no budget” framing, asset-inventory-first sequencing, one-size-fits-all sector defaults, and the treatment of information as the crown jewel. The misconceptions share a common origin in the unconscious inheritance of IT security defaults by OT environments where the threat model is structurally inverted. The piece names the inversion, walks the five misconceptions in order, and proposes the threat-driven architecture that a serious OT security investment programme actually requires.

The Apartment Block in Lviv

At approximately 02:30 local time on 22 January 2024, the heating systems in roughly six hundred apartment buildings across the Lvivteploenergo district of Lviv, Western Ukraine, began behaving in a way that should not have been possible. The Modbus TCP commands that the heating controllers were receiving were valid, well-formed, and authenticated to the operating temperature ranges the controllers had been configured to accept. The commands instructed the boilers to reduce output and the circulation pumps to slow their flow. By the time the operators understood what was happening, outdoor temperatures had fallen below minus twenty degrees Celsius and approximately six hundred residential buildings — somewhere near 100,000 people — had no heat for two days during the coldest part of a wartime winter. The malware that produced the outcome was subsequently designated FrostyGoop by Dragos. It was the first publicly documented instance of malware operating against industrial control systems by communicating in the native Modbus TCP protocol the controllers were designed to speak.

The FrostyGoop incident is the operational reference case that organises this piece. It produced no data exfiltration, no extortion demand, no ransomware encryption, no intellectual property loss. By the metrics that information technology security teams have been trained for thirty years to measure, the incident produced no significant security impact at all. By the metrics that operational technology security needs to measure, the incident took the heating off a regional population in subzero temperatures during an active war. The gap between those two assessments is the gap this piece exists to close.

The Inheritance That Was Never Audited

The operational technology security profession exists in 2026 because the population of organisations operating industrial control systems has, across the past fifteen years, recognised that those systems are exposed to cyber threats and require dedicated defensive capability. The recognition was, in most organisations, accompanied by the practical decision to staff the new function from the only adjacent talent pool the organisation already had: the information technology security team. The IT-to-OT migration produced the bulk of the practitioners now working in industrial cybersecurity, the bulk of the analytical frameworks the discipline applies, and the bulk of the architectural defaults that OT environments now operate under.

The migration was the right organisational response to an immediate capability requirement. It was not accompanied by a deliberate audit of which IT security defaults transferred to OT environments and which did not. The defaults that did not transfer were transferred anyway, because they were the defaults the new practitioners had been trained in, and because the OT environments did not have the conceptual vocabulary in place to push back on them. The result is the body of OT security architecture that now operates across critical infrastructure in Europe, North America, and the broader industrialised economy — an architecture in which the IT defaults are still load-bearing despite a documented record of operational failure when the defaults encounter the actual threat profile of the OT environment.

The five misconceptions this piece engages are the most consequential of those untransferred defaults. They share a common diagnostic feature: each operates as practitioner common sense in the OT discourse, each survives because it once worked in IT, and each is producing operational outcomes that the documented record of recent OT incidents has begun to make visible. The piece is not arguing that the misconceptions are universally wrong. It is arguing that they are universally insufficient, and that the organisations whose OT security investment programmes are built on top of them are paying for architectural debt the budget allocation does not capture.

The Five OT Security Misconceptions — a table mapping each misconception (air gaps, no budget, asset inventory first, sector-agnostic template, information as asset) to why it fails in OT, its operational consequence, and the practitioner alternative. Bottom: the four-step threat-driven architecture methodology.
The five misconceptions mapped against why each fails in OT, the operational consequence, and the practitioner move. The four-step threat-driven architecture sits underneath as the methodology that ties the alternatives together.

Misconception 1: Air Gaps Provide Security

The air gap is the foundational claim of the OT security architecture inherited from the early 2000s. The claim is that operational technology environments, by being physically and logically disconnected from the broader corporate network and the internet, are protected from the threat actors that operate across IT environments. The claim was operationally defensible in the period from approximately 1990 to 2005 when OT environments were genuinely isolated from IT, when the protocols used in OT were not exposed to internet-routable infrastructure, and when the threat actors with OT-relevant capability were limited to a small number of state intelligence services with no general operational interest in commercial industrial systems.

The claim is not operationally defensible in 2026. The documented record of OT incidents across the past fifteen years has comprehensively undermined the air gap as a load-bearing security control. The 2010 Stuxnet operation reached an air-gapped Iranian uranium enrichment facility through removable media propagation. The 2017 NotPetya outbreak crossed the air gap into Maersk’s shipping terminal control systems through compromised tax software in Ukraine. The 2019 Norsk Hydro ransomware crossed the boundary into smelter operations through engineering laptops that bridged corporate and OT networks for legitimate operational purposes. The 2022 Industroyer 2 attack on Ukrainian power infrastructure operated within OT networks that had been air-gapped by design. The 2024 FrostyGoop operation against Lvivteploenergo reached the heating controllers through a network architecture that municipal documentation had described as isolated.

The pattern across these incidents is not that the air gap is sometimes breached and sometimes holds. The pattern is that the air gap is consistently breached because the operational requirements of modern industrial systems require regular crossing of the air gap by engineers, vendors, contractors, removable media, software updates, remote access tooling, and the cumulative integration that contemporary plant operations now depend on. The air gap is, in practical terms, the architectural assumption that the operational environment will remain in a configuration that operational environments have not been in for at least a decade. The assumption has been falsified empirically. The architecture built on top of it has not been substantially reconfigured.

DSI Advisory

Assessing supply chain or infrastructure risk for a decision ahead?

DSI Advisory Services helps boards, business leaders, defence institutions, and security leaders understand threats before they reach the horizon — where cyber, geopolitics, and business risk converge.

Commission a supply chain assessmentExplore advisory