The following is a contributed commentary by Shane Barney, Chief Information Security Officer at Keeper Security. The views expressed are those of the author.
Recent reports of nation-state activity targeting Industrial Control Systems (ICS) highlight a structural reality that security teams have been grappling with for years: the convergence of IT and operational technology has eliminated any meaningful separation between digital access and physical impact.
These attacks are not defined by novel exploitation techniques, but by the systematic identification and abuse of exposed systems, weak identity controls, and persistent access pathways. Internet-facing management tools — particularly those tied to legacy or poorly segmented environments — create a predictable attack surface. When combined with automated scanning and AI-assisted reconnaissance, threat actors can continuously probe global infrastructure at scale, identifying misconfigurations in minutes rather than months.
The more significant issue is what happens after gaining initial access. Once a foothold is established, lateral movement becomes the primary objective. Attackers harvest credentials, escalate privileges, and move toward core systems where operational disruption becomes possible. In environments where privileged access is poorly governed or insufficiently monitored, this activity can remain undetected long enough to create material impact.
This reinforces a critical shift in defensive strategy, where identity is now the primary control plane. Hardware-level protections and network segmentation remain important, but they are insufficient if identity systems allow unauthorized or persistent access. If an attacker can authenticate, they can often operate as a legitimate user, bypassing traditional security controls entirely.
Organizations must respond by eliminating standing privilege and enforcing strict access governance across both IT and OT environments. Zero standing privilege models — where access is granted just-in-time and revoked immediately after use — significantly reduce the risk of credential reuse. Privileged access must be continuously verified, fully audited, and tightly scoped to specific tasks.
Equally important is the ability to monitor and intervene in real time. Unified visibility across privileged sessions allows security teams to detect anomalous behavior and terminate sessions before changes are made to critical systems. Without this level of control, attackers can operate with persistence and precision inside trusted environments.
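As an added illustration of the two ideas above (just-in-time grants that expire and are scoped to one task, plus session monitoring that can terminate access mid-session), the following Python broker is example code written for this page; it is not Keeper Security's product, the author's code, or any real library. The role names, asset names, ticket identifiers, TTL ceiling and anomaly threshold are all constructed assumptions.

```python
import hashlib
import time
import uuid
from dataclasses import dataclass, field

# Constructed policy: a grant covers exactly one role AND one asset.
ROLE_ACTIONS = {
    "plc-maintenance": {"read-config", "write-config"},
    "hmi-readonly": {"read-screen"},
}
MAX_DENIALS_PER_GRANT = 3   # constructed threshold for "anomalous session"


@dataclass
class Grant:
    grant_id: str
    principal: str
    role: str
    target: str           # the single asset this grant is valid for
    ticket: str           # task/change ticket that justifies the access
    expires_at: float
    revoked: bool = False
    denials: int = 0
    actions: list = field(default_factory=list)


class JitBroker:
    """No standing privilege: every action must present a live, in-scope grant."""

    def __init__(self, max_ttl_s=900, clock=time.time):
        self.max_ttl_s = max_ttl_s
        self.clock = clock            # injectable so the demo is deterministic
        self.grants = {}
        self.audit = []               # append-only (entry, chain_hash) pairs
        self._prev_hash = "0" * 64

    def _log(self, event, grant_id, detail):
        # Hash-chain the audit trail so an edited or dropped entry is detectable.
        entry = f"{self.clock():.0f}|{event}|{grant_id}|{detail}"
        self._prev_hash = hashlib.sha256((self._prev_hash + entry).encode()).hexdigest()
        self.audit.append((entry, self._prev_hash))

    def request(self, principal, role, target, ticket, ttl_s):
        if not ticket:
            raise PermissionError("privileged access must reference a task ticket")
        if role not in ROLE_ACTIONS:
            raise PermissionError(f"unknown role {role!r}")
        ttl = min(ttl_s, self.max_ttl_s)    # requester cannot exceed the policy ceiling
        g = Grant(uuid.uuid4().hex, principal, role, target, ticket, self.clock() + ttl)
        self.grants[g.grant_id] = g
        self._log("grant", g.grant_id, f"{principal} {role}@{target} ticket={ticket} ttl={ttl}s")
        return g.grant_id

    def authorize(self, grant_id, target, action):
        g = self.grants.get(grant_id)
        if g is None:
            self._log("deny", grant_id, "unknown grant")
            return False
        live = not g.revoked and self.clock() < g.expires_at
        in_scope = target == g.target and action in ROLE_ACTIONS[g.role]
        if live and in_scope:
            g.actions.append(action)
            self._log("allow", grant_id, f"{action}@{target}")
            return True
        g.denials += 1
        self._log("deny", grant_id, f"{action}@{target} live={live} in_scope={in_scope}")
        # Repeated out-of-scope attempts on one live grant are treated as anomalous:
        # terminate the session instead of just answering "no" again.
        if live and g.denials >= MAX_DENIALS_PER_GRANT:
            self.revoke(grant_id, "anomalous: repeated out-of-scope actions")
        return False

    def revoke(self, grant_id, reason):
        g = self.grants.get(grant_id)
        if g and not g.revoked:
            g.revoked = True
            self._log("revoke", grant_id, reason)

    def verify_audit(self):
        """Recompute the hash chain; returns False if any entry was altered."""
        prev = "0" * 64
        for entry, h in self.audit:
            prev = hashlib.sha256((prev + entry).encode()).hexdigest()
            if prev != h:
                return False
        return True


def demo():
    """One maintenance session: in-scope use, two out-of-scope denials, then expiry."""
    now = [1_700_000_000.0]
    b = JitBroker(max_ttl_s=600, clock=lambda: now[0])
    gid = b.request("tech-alice", "plc-maintenance", "plc-07", "CHG-1234", ttl_s=3600)
    results = [
        b.authorize(gid, "plc-07", "write-config"),   # True: live and in scope
        b.authorize(gid, "plc-08", "write-config"),   # False: different asset
        b.authorize(gid, "plc-07", "shutdown"),       # False: action not in role
    ]
    now[0] += 601                                       # grant has expired by now
    results.append(b.authorize(gid, "plc-07", "read-config"))   # False: expired
    return results, b.grants[gid].expires_at - 1_700_000_000.0, b.verify_audit()


def demo_anomaly():
    """Repeated out-of-scope actions get the session killed, not merely denied."""
    now = [1_700_000_000.0]
    b = JitBroker(clock=lambda: now[0])
    gid = b.request("tech-bob", "hmi-readonly", "hmi-02", "CHG-1235", ttl_s=300)
    for _ in range(MAX_DENIALS_PER_GRANT):
        b.authorize(gid, "hmi-02", "write-config")    # outside the read-only role
    # The grant was auto-revoked, so even an in-scope action is now refused.
    return b.grants[gid].revoked, b.authorize(gid, "hmi-02", "read-screen")
```

Calling `demo()` returns `([True, False, False, False], 600.0, True)` and `demo_anomaly()` returns `(True, False)`. Two design points carry the paragraphs' argument: the requester asked for an hour but the policy ceiling clamped the grant to ten minutes, so there is nothing left to reuse after the task; and the kill switch acts on behaviour observed within the session rather than waiting for the grant to age out.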
Organizations must adopt a mindset that assumes compromise is inevitable. The focus must shift from prevention alone to containment. Enforcing least-privilege access, segmenting identity domains, rotating and vaulting credentials, and applying continuous validation across all users and devices are essential steps in limiting the blast radius of any intrusion.
Threat actors will continue to test adjacent systems, vendors, and supply chain partners to identify the most efficient path to access. Security strategies must therefore extend beyond the enterprise perimeter to include third-party identities — both machine and human — and access pathways. The organizations best positioned to withstand this evolving threat landscape will be those that treat identity as the modern perimeter, enforce disciplined access controls, and design systems that can contain and recover from compromise without cascading operational impact.
Shane Barney is the Chief Information Security Officer at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity solutions.
