
When the Lights Go Out: What ICS Ransomware Teaches Us About Today’s Critical Infrastructure Threats

The shift from compliance to consequence is how defenders start thinking like attackers.

Authored by Tim Conway

Retired Air Force General Tim Haugh appeared on 60 Minutes a few weeks ago with an eye-opening warning: Chinese hackers are inside power grids, water systems, transportation networks, and other critical U.S. infrastructure. The goal is not to steal data, but to hide in these systems until the day they’re needed. These aren’t cybercriminals running ransomware-for-profit operations. They’re conducting sustained, persistent access operations, secretly embedded in the systems that keep our country running.

For anyone working in industrial cybersecurity, this confirmed long-held concerns and highlighted the need to accelerate defender capabilities. For state-sponsored adversaries and financially motivated criminals alike, the initial steps of an attack campaign look similar: the tactics that make these compromises possible are the same ones that have been reshaping how ransomware is used. What began as extorting files can evolve into manipulating the critical infrastructure functions that keep the lights on and the water safe to drink.

From Extortion to Disruption

Ransomware used to consist of encrypting files and demanding payment. The IT world learned and adapted. That’s when attackers began shifting from targeting data to targeting critical operations.

For years, operational technology (OT) systems were thought to be too isolated or too specialized to attack. That assumption has faded in much the same way the air gap has across many process environments. Manufacturing plants, energy utilities, and transportation systems are now connected in many of the same ways modern IT networks are, making them just as exploitable.

The Colonial Pipeline cyberattack and the resulting pipeline shutdown, the ransomware strike on JBS Foods, and the production freeze at Jaguar Land Rover, to name a few, have shown us exactly what happens when that connectivity and the trusted communication between systems is targeted. Each of these incidents began as an IT breach, but the effect escalated into OT, where every minute offline equals significant loss. In some cases, that loss wasn’t just financial; it was physical, affecting supply chains and cities.

The Cyber-Physical Pressure Point

The SANS white paper ICS Ransomware and Attacks: Extortion and Sabotage in Critical Infrastructure lays out these attacks in striking detail. The takeaway is simple: while IT ransomware threatens financial loss and reputational damage, OT ransomware threatens how society operates. And the consequences are quite different.

When a company’s HR files are stolen, executives panic. When a power grid goes down or a pipeline stops, entire nations panic. And adversaries know it. Whether it’s a criminal group looking for a financial payoff or a state-sponsored team in search of physical leverage, the playbook is increasingly the same: infiltrate the IT layer, pivot into OT, and look for the control points that will affect the physical world.

That’s why the 60 Minutes story is so startling. What’s happening within America’s infrastructure isn’t just espionage, it’s a shift from extortion to potential sabotage.

How the Shift Happens

At a technical level, attackers exploit an IT system, often through a VPN, email server, vulnerable perimeter device, or third-party vendor connection. Once inside, they explore the internal network, escalate privileges, and establish long-term persistent footholds. They then map paths to OT environments, sometimes moving through shared credentials, unsegmented networks, or neglected remote access points.

Once inside, they can perform a number of tasks; in some cases, they may simply maintain access. Ultimately, that access is used for one of two primary purposes:

  1. Disrupt operations: encrypt configuration files, corrupt firmware, or disable key applications with the objective of causing outages.
  2. Manipulate processes: the more advanced goal, where attackers understand a system well enough to misuse it, with the objective of damaging the process.

The CRASHOVERRIDE malware, detailed in the white paper, was the first public example of process manipulation within the bulk electric transmission system. It didn’t just shut down systems; it operated them, opening breakers and erasing recovery files, and it used an exploit in an attempt to cause long-term equipment damage.

That’s the bridge between criminal financially motivated attacks and the kind of infrastructure infiltration General Haugh described. One tests how to disable; the other prepares to destroy, and, in some cases, these various groups are working together and sharing information.

What Defenders Can Do Right Now

Defending against these threats takes more than good IT cyber hygiene. It takes a mindset shift from preventing data loss to preventing downtime and destruction.

The SANS Five ICS Cybersecurity Critical Controls offer a framework for doing just that:

  1. ICS Incident Response: Build and test response plans that actually involve your operators.
  2. Defensible Architecture: Segment IT and OT environments, log connections, and control where data flows.
  3. ICS/OT Network Visibility and Monitoring: Watch what’s happening at the protocol level within the process control network.
  4. Secure Remote Access: Eliminate “always-on” connections where possible, make the remaining access time-bound, and continuously monitor it.
  5. Risk-Based Vulnerability Management: Prioritize based on consequence, implement mitigations where appropriate, and patch the highest impact items in coordination with operations personnel in a manner that reduces the risk to the process.
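The three network-facing controls above (defensible architecture, network visibility, and secure remote access) reduce to questions a defender can ask of boundary logs every day: does every IT-to-OT flow match what engineering approved, and does every remote session start inside an approved window, stay time-bound, and actually close? The script below is an added illustration, not code from SANS, the white paper, or any site; the zone ranges, the allowlist, the approved windows, and the log lines are all constructed for the example.

```python
"""Boundary audit for the three network-facing controls in the list above:
flag IT->OT flows outside a documented allowlist, and flag remote-access
sessions that start outside their approved window, exceed a time bound,
or never close. Policy values and log lines are constructed for illustration."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Hypothetical zone definitions and allowlist (assumptions, not real site values).
IT_NET = ipaddress.ip_network("10.20.0.0/16")
OT_NET = ipaddress.ip_network("192.168.50.0/24")
# (source, destination, destination port): the only IT->OT flows engineering has approved.
ALLOWED_IT_TO_OT = [
    ("10.20.5.30/32", "192.168.50.20/32", 5450),  # historian replication
    ("10.20.5.40/32", "192.168.50.0/24", 3389),   # hardened jump host only
]
MAX_SESSION = timedelta(hours=4)
UTC = timezone.utc
# user -> approved maintenance window (start, end); anyone not listed has no approval.
APPROVED_WINDOWS = {
    "vendor_acme": (datetime(2024, 5, 1, 8, 0, tzinfo=UTC),
                    datetime(2024, 5, 1, 12, 0, tzinfo=UTC)),
}

# Constructed sample log from a boundary firewall and remote-access gateway.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z kind=flow src=10.20.5.30 dst=192.168.50.20 dport=5450
2024-05-01T08:05:40Z kind=flow src=10.20.1.15 dst=192.168.50.10 dport=502
2024-05-01T08:10:00Z kind=flow src=10.20.5.40 dst=192.168.50.15 dport=3389
2024-05-01T08:12:00Z kind=flow src=10.20.1.15 dst=192.168.50.15 dport=3389
2024-05-01T08:20:00Z kind=flow src=192.168.50.10 dst=192.168.50.20 dport=5450
2024-05-01T08:30:00Z kind=session user=vendor_acme action=start src=203.0.113.8 dst=192.168.50.200
2024-05-01T13:10:00Z kind=session user=vendor_acme action=end src=203.0.113.8 dst=192.168.50.200
2024-05-01T22:00:00Z kind=session user=contractor_b action=start src=198.51.100.7 dst=192.168.50.201
"""


def parse_line(line):
    """'<iso8601> k=v k=v ...' -> dict with a tz-aware 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def flow_allowed(src, dst, dport):
    """True only if (src, dst, dport) matches an approved allowlist entry."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) and dport == p
               for a, b, p in ALLOWED_IT_TO_OT)


def check_flows(records):
    """Controls 2 and 3: every IT->OT flow must match the allowlist (source matters too)."""
    findings = []
    for r in records:
        if r.get("kind") != "flow":
            continue
        s, d = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        if s in IT_NET and d in OT_NET and not flow_allowed(r["src"], r["dst"], int(r["dport"])):
            findings.append(f"{r['ts'].isoformat()} unapproved IT->OT flow "
                            f"{r['src']} -> {r['dst']}:{r['dport']}")
    return findings


def check_sessions(records, now):
    """Control 4: sessions start inside an approved window, stay under MAX_SESSION, and close."""
    open_sessions, findings = {}, []
    for r in records:
        if r.get("kind") != "session":
            continue
        key = (r["user"], r["src"], r["dst"])
        if r["action"] == "start":
            open_sessions[key] = r["ts"]
            window = APPROVED_WINDOWS.get(r["user"])
            if window is None or not (window[0] <= r["ts"] <= window[1]):
                findings.append(f"{r['ts'].isoformat()} {r['user']} session start outside approved window")
        elif r["action"] == "end":
            start = open_sessions.pop(key, None)
            if start is not None and r["ts"] - start > MAX_SESSION:
                findings.append(f"{r['ts'].isoformat()} {r['user']} session ran "
                                f"{r['ts'] - start}, limit {MAX_SESSION}")
    # A session that never closed is, in effect, an always-on connection.
    for (user, src, dst), start in open_sessions.items():
        if now - start > MAX_SESSION:
            findings.append(f"{start.isoformat()} {user} session still open after {now - start}")
    return findings


def audit(log_text, now):
    """Parse the log once and return findings per control."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"flows": check_flows(records), "sessions": check_sessions(records, now)}


def audit_sample():
    """Run the audit over the constructed log as of a fixed 'now' (2024-05-02 06:00 UTC)."""
    return audit(SAMPLE_LOG, now=datetime(2024, 5, 2, 6, 0, tzinfo=UTC))


if __name__ == "__main__":
    for category, items in audit_sample().items():
        print(category, *items, sep="\n  ")
```

On the constructed log this reports two unapproved flows (a workstation reaching a PLC on Modbus/TCP, and the same workstation using RDP into OT from a host that is not the jump host) and three session findings (a vendor session that ran longer than its four-hour limit, a contractor session started with no approved window, and that same session still open the next morning). The allowlist is deliberately keyed on source as well as destination and port, because "RDP into OT" is only acceptable from the hardened jump host the architecture designates; in practice the allowlist and the approved windows should be exported from the change-control system rather than hand-typed as here.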

These controls can’t ensure critical infrastructure is never compromised, but they can promote resilience. They make it possible to recover operations safely and quickly, turning what could be a catastrophic failure into a more predictable managed event.

From Compliance to Consequence

Cybersecurity isn’t a checklist drawn from the NIST, ISO, CIP, and IEC frameworks. As the white paper points out, the question that matters most when trying to eliminate effects-based attacks isn’t “Which framework are we following?” It’s “What can’t we afford to lose, and how do we engineer solutions to prevent it?”

That’s the foundation of Consequence-Driven Cyber-Informed Engineering (CCE). It’s a method that starts not with technology, but with outcomes.

  • Identify what cannot fail.
  • Map how it could be reached or misused.
  • Anticipate the adversary’s most likely path.
  • Mitigate those attack vectors before they’re tested.

This shift from compliance to consequence is how defenders start thinking like attackers. It’s how defenders remove the most dangerous pathways before someone else finds them.

The Human Factor

Technology helps us build structure, but people provide resilience. At the heart of every critical infrastructure facility are operators and engineers who know what “normal” looks like, who can sense when something is off before the logs say so, and who know how to operate the system through an attack. Those people are our most valuable security control. The task is to give them the visibility, authority, and training to act before an incident becomes an outage. It’s not ransomware, malware, or foreign infiltration that defines the future of critical infrastructure; it’s the operators and system defenders, and how we prepare them for it.

Read the full RSAC white paper: ICS Ransomware and Attacks: Extortion and Sabotage in Critical Infrastructure