Internet-exposed ICS remain a prime cyber target

In October 2025, the Canadian Centre for Cyber Security issued an Alert warning CISOs and decision-makers of increasing cyber-attacks exploiting internet-accessible industrial control systems (ICS). Reported incidents included tampering with water pressure values, triggering false alarms in an oil & gas facility, and manipulating temperature and humidity levels in a grain drying silo. These individual companies may not be direct targets of adversaries, but they have become victims of opportunity for actors seeking to gain media attention and undermine public trust.

Why are ICS being attacked?

While the advisory labels the actors as hacktivists, the underlying issue extends beyond political protest hacking. Weak OT exposure attracts a wide range of threat actors. At least 100,000 ICS devices around the world are exposed to the internet, many of which are relatively easy to hack. Unclear division of roles and responsibilities often creates gaps, leaving critical systems unprotected. Poor cyber hygiene, such as unpatched, publicly known vulnerabilities, weak security configurations, or the use of default credentials, provides easy entry points.

What are the risks of ICS cyber-attacks?

The reported incidents had limited impact, but the consequences could have been severe had they not been detected and mitigated in time. This reflects one of the key risks in OT environments: a simple configuration change, not drastic errors or leaks, can be enough to degrade system compliance or safety. In manufacturing, quality compromise may lead to loss of revenue and damage to brand image. For utilities, public services and health are at stake. With the right OT access, a malicious actor could wreak havoc through a single tweak.

Measures to secure ICS

First and foremost, the Cyber Centre advises VPNs with multi-factor authentication. A VPN protects ICS by removing direct internet exposure, enforcing authenticated access, encrypting traffic, and enabling basic segmentation. However, VPNs do not understand OT processes or prevent dangerous actions by authorized users. Mature OT security architectures pair VPNs with strong network segmentation, secure or unidirectional gateways, and continuous monitoring and logging.

Network segmentation divides a network into isolated zones with controlled connections between them. In OT environments, it limits how far an attacker or malfunction can spread, protects critical systems from less trusted networks, and enforces least-privilege communication, reducing both cyber risk and the impact of operational errors.

A unidirectional gateway is a strong tool for blocking external cyber threats, ensuring that attacks from the internet have no path to reach critical ICS. This does not mean that OT is inaccessible to those who do need to give commands. A separate, secure unidirectional gateway can manage reverse communications, not only filtering access but also recognizing which commands and values are appropriate for a given context, for example, the acceptable output range of a generator at midnight. This prevents issues where either erroneous or malicious commands become dangerous due to wrong timing or sequencing.
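The context check described above, sketched as an added example (not code from this article, the Cyber Centre, or any gateway product): a default-deny validator that accepts a setpoint only if it fits the range allowed at that time of day and does not jump too far from the last accepted value. The tag name, MW limits, time windows and step size are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Window:
    start: time   # inclusive
    end: time     # exclusive; start > end means the window wraps midnight
    low: float
    high: float

    def covers(self, t: time) -> bool:
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end

# Constructed policy: tag name, limits and step size are illustrative only.
POLICY = {
    "GEN1.output_mw": {
        "windows": [Window(time(6, 0), time(22, 0), 20.0, 80.0),   # daytime
                    Window(time(22, 0), time(6, 0), 10.0, 40.0)],  # overnight
        "max_step": 15.0,  # largest change allowed in one command
    },
}

def check_command(tag, value, when, last_value, policy=POLICY):
    """Return (allowed, reason). Anything not explicitly permitted is rejected."""
    rule = policy.get(tag)
    if rule is None:
        return False, "tag not on allowlist"
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False, "non-numeric value"
    window = next((w for w in rule["windows"] if w.covers(when.time())), None)
    if window is None:
        return False, "no window defined for this time"
    if not (window.low <= value <= window.high):  # also rejects NaN
        return False, f"value outside {window.low}-{window.high} for this time"
    if last_value is not None and abs(value - last_value) > rule["max_step"]:
        return False, "step change exceeds max_step"
    return True, "ok"

if __name__ == "__main__":
    # Constructed commands: (timestamp, requested MW, last accepted MW)
    for ts, mw, last in [(datetime(2025, 10, 30, 14, 0), 70.0, 60.0),
                         (datetime(2025, 10, 31, 0, 0), 70.0, 35.0),
                         (datetime(2025, 10, 31, 0, 5), 35.0, 12.0)]:
        print(ts.isoformat(), mw, check_command("GEN1.output_mw", mw, ts, last))
```

The same 70 MW request passes at 14:00 and is refused at midnight, and an in-range value is still refused when it arrives as too large a jump from the previous setpoint.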

Monitoring practices, including active threat detection measures, change management, and continuous oversight, are another important aspect of OT cybersecurity. Employ secure, purpose-built management tools that allow ICS security teams to maintain visibility, enforce discipline, and reduce the risk of latent errors escalating into real-world consequences.

Technical measures should be thoroughly tested for compatibility issues and to prevent service degradation, particularly in legacy environments or systems composed of products from multiple suppliers. Compliance with regulations is not merely about avoiding fines. It’s a direct route to strengthening system resilience against both accidental failures and deliberate attacks.

The Cyber Centre provides a Cyber Security Readiness Goals Toolkit, translating high-level cybersecurity principles into clear, outcome-focused goals that organizations can use to assess maturity, prioritize improvements, and align security efforts across IT and OT environments. For critical infrastructure operators, it offers a practical reference to benchmark current practices and guide incremental, risk-based enhancements.
