Waterfall Security Solutions (https://waterfall-security.com): Unbreachable OT security, unlimited OT connectivity

How Should OT Security Be Stronger Than IT?
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/webinar-how-should-ot-security-be-stronger-than-it/
Thu, 02 Jul 2026 10:31:03 +0000
In this webinar we connect first principles to modern practice: Biba, SEC-OT, CIE mitigations, UK NCSC connectivity guidance and modern "islanding" requirements all lead to OT designs whose security materially exceeds that of conventional IT networks.

The post How Should OT Security Be Stronger Than IT? appeared first on Waterfall Security Solutions.


How Should OT Security Be Stronger Than IT?

If our OT security strategy looks like our IT security strategy... we may have a problem

Join us on July 29th
10am NY | 3pm London

Should OT security be stronger than IT

Worst credible consequences mean OT security programs must be materially stronger than IT programs, but the most frequent differences between OT and IT programs – difficulty patching, encrypting, anti-virusing – make OT programs weaker, not stronger. And – a lot of people encourage Zero Trust, encryption and patch programs on OT – but this is what we do on IT isn’t it? These tools make OT networks as strong as IT networks, but not stronger. 

In this webinar we connect first principles to modern practice: Biba, SEC-OT, CIE mitigations, UK NCSC connectivity guidance and modern “islanding” requirements all lead to OT designs whose security materially exceeds that of conventional IT networks. 

Webinar Key Takeaways:

  • Why & how OT security must be materially stronger than IT security
  • Where traditional IT security approaches fall short in OT environments
  • How first principles like Biba, SEC-OT, and CIE mitigations shape stronger OT security
  • How to design OT architectures that better protect critical infrastructure

Who Should Attend?

  • OT and ICS cybersecurity professionals
  • OT, ICS, and SCADA engineers
  • IT security teams responsible for OT environments
  • Security architects designing industrial networks
  • CISOs and cybersecurity leaders responsible for critical infrastructure
  • Plant managers and operations leaders evaluating OT security investments

About the Speaker


Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 35,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

Big OT Security, Smaller Footprint – Meet DiodeCore!
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/big-ot-security-smaller-footprint-meet-diodecore/
Wed, 24 Jun 2026 07:50:40 +0000
Two decades ago, we founded Waterfall with one purpose: to defeat nation-state attacks impacting OT environments and critical infrastructure.

The post Big OT Security, Smaller Footprint – Meet DiodeCore! appeared first on Waterfall Security Solutions.


Big OT Security, Smaller Footprint – Meet DiodeCore!


Lior Frenkel

CEO and Co-Founder, Waterfall Security

DiodeCore Launch
Two decades ago, we founded Waterfall with one purpose: to defeat nation-state attacks impacting OT environments and critical infrastructure. We benchmarked our technology against so-called Advanced Persistent Threats (APTs) and other nation-state classes of attacks, then refined our technology, and then did it again. From our first Unidirectional Gateway to the WF-600 Performance, the Flip, and HERA Hardware-Enforced Remote Access™ - this is what we do.

And now, DiodeCore™

New, Advanced Cyber Threats

The fact that AI found hundreds of vulnerabilities in the Firefox open-source browser is really alarming. Firefox is a veteran, relatively highly secured open-source product that has been pen tested and code reviewed by governments, cyber companies and experts, multiple times. The Mythos AI found 250+ zero days in Firefox despite all this. 

What about products that are not open source, not as widely used, and not as seasoned? AI tools will find thousands of vulnerabilities, develop exploits, and chain those exploits together in ways that would have taken years for humans to figure out, code and test.

AI is taking nation-state grade tools and techniques and democratizing them, making nation-state grade attack capabilities available to a much wider audience, a much wider set of potential attackers. Within 12 or 24 months, I believe we are going to see fully automated and autonomous attacks on OT networks.

What is DiodeCore?

What can be done about this? The answer to these threats is not more software, but stronger hardware. Today we are officially launching the WF-600 DiodeCore, our newest addition to the WF-600 family. DiodeCore is a modern Unidirectional Gateway designed for simpler deployment scenarios: entry-level or simpler needs, smaller sites, and larger numbers of sites.

DiodeCore’s level of security, cybersecurity concepts, and unidirectionality are at the same hardware-enforced standard of protection Waterfall has always provided. And DiodeCore is a product that fits a different use case. I am very proud to introduce this to the market.

How DiodeCore Works

The hardware is a small, half-depth 1U rack-mount device. Open it up and there is a transmit circuit board, a receive circuit board, and a fiber between them. That fiber is the only physical connection between the two sides. The hardware is physically able to send information in only one direction. There is no laser in the receiving circuit board, and no photocell on the sending. It does not matter how clever the enemy is, and it does not matter if they are a human or an AI or a nation state. All cyber sabotage is based on information passing. The only way a control system can change from a normal state to a compromised state is if attack information enters the system. Interrupt the flow of attack information and you interrupt the attack.

The DiodeCore uses the same software as is used in the WF-600 Performance series, with the DiodeCore software delivered as a closed virtual machine image. This image can run on any standard customer virtualization infrastructure, from a VM server to a workstation, running Windows, Linux, ESXi and similar platforms. There is one virtual image for the OT network side, and another for the external network side. There is no longer any need for dedicated wiring or for directly connected servers or hosts. Many modern automation systems use virtualization – this is the modern method of deploying this technology.

The hardware in DiodeCore is the smallest amount of hardware you can have to still get the ultimate security value of a Unidirectional Gateway. DiodeCore has a small footprint, half the depth of a standard 1U appliance. DiodeCore is easy to deploy, easy to install and manage, and easy to purchase.

Hardware-Enforced Protection Anywhere You Need It

Today, customers can use our flagship WF-600 Performance where they need high-end performance, resilience, throughput, scale, and capability, while DiodeCore is designed to support:

  • Smaller and simpler sites
  • Distributed facilities
  • Large scale rollouts across many locations


We already have customers saying: “Okay, okay, launch it already. We want these!” And so, I am pleased to say today, DiodeCore is available now!

Talk to an OT Security Expert

If you are securing a smaller site, scaling protection across distributed facilities, or modernizing a virtualized OT environment, and you are wondering where a Unidirectional Gateway can fit in your architecture, please reach out to Waterfall.

There is no cost for a consultation – let our experts surprise you with strong unidirectional designs.

About the author

Lior Frenkel

CEO and Co-Founder, Waterfall Security

Lior Frenkel is a cybersecurity entrepreneur, author, and global expert in OT and critical infrastructure security with more than 25 years of industry experience. As the CEO and co-founder of Waterfall Security Solutions, he has led the deployment of innovative unidirectional security technologies protecting critical infrastructure worldwide. Lior is a recognized thought leader who contributes to international cybersecurity policy, regulatory initiatives, and industry strategy. He also serves in leadership roles across major Israeli technology and manufacturing organizations, helping advance the global cybersecurity industry.

Mythos, Zero Days and OT Cybersecurity
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/mythos-zero-days-and-ot-cybersecurity/
Mon, 15 Jun 2026 14:09:11 +0000
Anthropic’s Claude Mythos is the latest example of a trend many of us in industrial cybersecurity have been warning about for years.

The post Mythos, Zero Days and OT Cybersecurity appeared first on Waterfall Security Solutions.


Mythos, Zero Days and OT Cybersecurity


Lior Frenkel

CEO and Co-Founder, Waterfall Security

The advent of Anthropic’s Claude Mythos is the latest example of a trend many of us in industrial cybersecurity have been warning about for years. Sophisticated offensive cyber capabilities are no longer confined to elite nation-state teams with enormous budgets and years of specialized expertise. AI is “democratizing” cyber attacks, including attacks on operational technology (OT) systems.

Public reports describe Mythos as capable of discovering zero-day vulnerabilities, chaining together exploits of otherwise low-severity vulnerabilities into powerful attacks, reverse engineering proprietary systems, and automating large portions of advanced attack workflows.

Whether every public claim proves accurate is almost beside the point. The trajectory is unmistakable. Frontier AI models are reducing the cost, time, and expertise needed to conduct sophisticated cyber operations.


OT Targets

For OT environments, this matters enormously.

OT systems are intrinsically vulnerable. Rapid patching of OT systems is extraordinarily expensive and difficult. In safety-critical and reliability-critical environments, patches cannot simply be deployed overnight. Engineering change control processes that minimize safety and reliability risks require testing, validation, outage coordination, safety review, and operational acceptance. 

In many facilities, those processes take months or years. Worse, patching (hopefully) remediates only known defects, and again, AIs have proven adept at finding previously unknown vulnerabilities. Even with a patching “magic wand,” IT and OT systems would still be intrinsically vulnerable.

Remember Fuzzing?

That said, the discovery of large numbers of zero-day vulnerabilities is not entirely new. More than a decade ago, fuzzing technologies dramatically increased the rate of discovering vulnerabilities in both IT and OT systems. Automated fuzzing campaigns uncovered large numbers of latent defects in industrial protocols, embedded devices, operating systems, and applications.

What is different today is the scale, exploitability and sophistication of zero-day attacks. Again:

  • The volume of vulnerabilities being discovered is increasing dramatically,
  • Systems like Mythos are able to chain together low-severity vulnerabilities into much more dangerous attacks, and
  • Perhaps most important, AI systems are increasingly capable of automating sophisticated offensive workflows.


Today those workflows still involve human oversight. Tomorrow they will not!

The Perimeter Is Dead? No…

All this means OT perimeter protection becomes increasingly important – hardening the interior to zero-day attacks was and is simply not achievable – not for IT systems and not for OT systems. This problem is precisely why Waterfall’s Unidirectional Gateways were invented almost 20 years ago. Waterfall’s gateways were designed from the beginning to withstand nation-state-grade attacks against OT targets, including sophisticated attacks exploiting zero-day vulnerabilities.

In contrast, conventional firewalls depend on software correctness. Even “next generation” firewalls ultimately rely on operating systems, protocol stacks, parsing engines, authentication systems, and millions of lines of software behaving perfectly correctly under hostile conditions. Zero-day vulnerabilities undermine all of these assumptions – exploit a zero-day, or a sequence of zero-days, and completely take over the CPU / software in an ultra-sophisticated next-gen firewall, and the device does the attackers’ bidding, not the defenders’.

Waterfall’s Unidirectional Gateways – “Immune” to Zero-Days

Waterfall’s gateways are a combination of hardware and software. The hardware is physically able to send information in only one direction – usually from the OT network out to the IT network, so that the business can profit from access to OT information. The hardware, however, is not physically able to send any information nor cyber-sabotage attack information back into OT networks. There is no return path, physically.

This is why Waterfall’s Gateways are fundamentally immune to network-based zero-day exploits aimed at crossing the protection boundary. Even if the gateways’ IT-exposed software is compromised, there is physically no way for that software to send attack information back into the OT network.

As a side note, yes, comprehensive OT security programs are still important in unidirectionally-protected networks. Intrusion detection, security monitoring, asset inventory, vulnerability management, and capable incident response are all needed to address residual risks. But detection and response take time. Human investigation takes time. Escalation takes time. Remediation takes time. In a future of highly automated AI-driven attacks, we will not have that time – we urgently need to block AIs from simply reaching across networks and into critical OT systems.

Looking Forward

Over the next 2-3 years, we are entering one of the most dangerous periods OT security has faced. In that environment, deterministic protection is essential. Unidirectional gateways are not the only control we need, but they are one of the few technologies specifically engineered from the beginning to remain effective, even when sophisticated attackers possess zero-days, advanced malware, and increasingly powerful AI assistance.

Waterfall’s gateways are exactly the kind of deterministic, engineering-grade protections we need for the difficult years ahead.

About the author

Lior Frenkel

CEO and Co-Founder, Waterfall Security

Lior Frenkel is a cybersecurity entrepreneur, author, and global expert in OT and critical infrastructure security with more than 25 years of industry experience. As the CEO and co-founder of Waterfall Security Solutions, he has led the deployment of innovative unidirectional security technologies protecting critical infrastructure worldwide. Lior is a recognized thought leader who contributes to international cybersecurity policy, regulatory initiatives, and industry strategy. He also serves in leadership roles across major Israeli technology and manufacturing organizations, helping advance the global cybersecurity industry.

Webinar: AI Is Democratizing Nation-State Cyber Attacks. How Do We Defend OT?
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/webinar-ai-is-democratizing-nation-state-cyber-attacks-how-do-we-defend-ot/
Sun, 31 May 2026 09:45:09 +0000
Introducing a new, 'entry-level' unidirectional solution

The post Webinar: AI Is Democratizing Nation-State Cyber Attacks. How Do We Defend OT? appeared first on Waterfall Security Solutions.


Webinar: AI Is Democratizing Nation-State Cyber Attacks. How Do We Defend OT?

Now available to watch on demand

How is AI Impacting Operational Technology (OT) Security?

With the advent of Anthropic’s Claude Mythos, sophisticated offensive cyber capabilities are no longer confined to elite nation-state teams. AIs are bringing powerful cyber attacks into the hands of a wide array of adversaries: automatically finding zero-days, chaining low-severity vulnerabilities into high-severity exploits, and outright automating part or all of sophisticated attacks themselves. In this webinar, Lior Frenkel, CEO and Co-Founder of Waterfall Security and an expert on the global threat environment, joins us to discuss modern threats and how to address them.

Securing OT Environments Against AI and Modern Threats

In the context of these nation-state-grade threats, Lior will introduce the newest addition to Waterfall’s family of OT security offerings: an entry-level Unidirectional Gateway. The new gateway extends Waterfall’s long-standing hardware-enforced foundation to a broader range of budgets and operational environments.
 
Waterfall’s family of hardware-enforced unidirectional solutions has expanded over the years to include use cases that once seemed impossible: sending anti-virus and production order updates into OT systems, continuous remote control and even hardware-enforced remote access. The new Waterfall gateway is simpler and smaller, while supporting the family’s powerful Unidirectional Gateway operating system and software connectors.

Democratizing Nation-State-Grade Defenses, as AIs Democratize Nation-State-Grade Attacks

The threat: the next 3 years will be very challenging – AIs are democratizing nation-state-grade cyber attacks – in a real sense, every industrial operation is now the target of such attacks.
 
Waterfall’s response: Waterfall Security is democratizing nation-state-grade cyber defenses. Today, every target of nation-state-grade attacks can deploy nation-state-grade defenses.

Webinar Key Takeaways:

  • How Unidirectional Gateways prevent remote cyberattacks, including AI-automated zero-day attacks, from reaching protected OT networks
  • How Unidirectional Gateways address “surprising” use cases, such as anti-virus updates and secure remote access
  • How the gateway product family enables safe OT data sharing with enterprise, cloud, analytics, and even cloud-based AI systems
  • Waterfall’s newest and most flexible entry-level Unidirectional Gateway. 

Who Should Attend?

  • OT/ICS engineers
  • IT security teams taking on OT security
  • CISOs with critical infrastructure assets in their portfolio
  • Plant managers evaluating security and investment

 

About the Speakers


Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 35,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.


Lior Frenkel

Lior Frenkel is a cybersecurity entrepreneur, author, and global expert in OT and critical infrastructure security with more than 25 years of industry experience. As the CEO and co-founder of Waterfall Security Solutions, he has led the deployment of innovative unidirectional security technologies protecting critical infrastructure worldwide. Lior is a recognized thought leader who contributes to international cybersecurity policy, regulatory initiatives, and industry strategy. He also serves in leadership roles across major Israeli technology and manufacturing organizations, helping advance the global cybersecurity industry.

3 OT Security Myths
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/3-ot-security-myths/
Sun, 10 May 2026 06:50:46 +0000
If only we could wave a magic wand and patch everything and zero-trust everything, just like with our IT networks, then our OT networks would be “secure”

The post 3 OT Security Myths appeared first on Waterfall Security Solutions.


3 OT Security Myths

There are many misconceptions and myths in operational technology (OT) security. This is a problem, because when we start with the wrong premises, then we most often draw incorrect conclusions – this is how logic works. Let's look at some OT security myths and misconceptions and see how they lead us astray.

Andrew Ginter


1) Information is the asset we protect – protect the confidentiality, integrity and availability (CIA) of the information, in that order, or maybe in AIC order, or IAC, or something.

Information is the asset we protect in most IT networks. In OT networks, in contrast, we most often protect safe, reliable and efficient physical operations. Take a metro for example: safety is first – nobody wants to die on the way to work. Reliability next – the metro needs to get hundreds of thousands of people to work every day, and passengers want their trains to be on time. And then efficiency – it does no good to have the world’s safest, most reliable metro, if the population cannot afford to use it.

So what? Can we not stand on our heads and say there must be information somewhere in the metro’s automation system that we can protect? Well, we can stand on our heads, yes, a lot of people do, but why bother? 50-year-old cybersecurity theory (Bell / La Padula) teaches us how to prevent theft or leakage of important information. Many of us learned this theory in school. What we did not learn is that 2 years after Bell & La Padula came out with their theory, Biba came out with a complementary theory.

Bell / La Padula teach us how to prevent espionage – theft or leakage of important information (e.g. how to make a Nuclear Bomb – these researchers were funded by the US DoD in their day). Biba teaches us how to prevent sabotage (e.g. changing the targeting coordinates for the missiles delivering The Bomb).

Biba’s theory used exactly the same concepts and terminology as Bell / La Padula but applied the concepts differently. In Biba’s theory, information is not the asset we protect, but the threat. All cyber-sabotage is defined (mathematically) as information. The only way a targeting system or an OT control system can change from a normal state to a compromised state is if attack information enters the system – somehow. The goal with OT systems is not to “protect the information” – the CIA, or IAC, or AIC of the information. The goal is to protect control systems from information – to keep attack information from affecting critical functions, such as safe, reliable and efficient physical operations.

Get this wrong and we fixate on information as the asset, when attack information entering the system is in fact the threat we must defeat.

2) Asset inventory is one of the first steps towards OT security – we cannot protect what we don’t know we have.

Here is an example of how misinterpreting the asset bites us. If we are to prevent theft or leakage of that information, it is vital that we know what and where that information is. We cannot prevent theft or leakage of information if (a) we do not know it exists or (b) we do not know where it is. An asset / information inventory is therefore one of the very first steps we must carry out if we are to design mechanisms to protect our information assets.

Biba, however, teaches us that information is the threat. This means that one of the very first things we must do is not inventory where our information lives, but rather inventory all of the ways attack information can reach our vulnerable OT systems. We need an inventory of data flows, most importantly those data flows that enter our OT systems from the “outside” – from potentially compromised sources. Understanding our perimeter and data flows that cross the perimeter is much more important than enumerating all of the countless “information assets” inside that perimeter.

Technical note: these perimeter-crossing data flows can be online or offline. Offline means the attack information lives in physical media, like USB thumb drives, laptops, or new computers arriving from our suppliers. We physically carry offline information into contact with our OT systems. Online information is more ephemeral – it is communicated into our systems with the movement of electrons, photons, electric or magnetic fields, or even sound waves – vibrations and quantum “things” rather than the movement of macroscopic physical objects.

Yes, eventually we will probably also benefit from an inventory of computer & information assets, but for most of us, our first priority is to prevent or control the movement of attack information into our systems – not protect that information, for example by encrypting that attack information.
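The two models contrasted under myth 1 (Biba versus Bell / La Padula) and the data-flow inventory called for under myth 2 can be written down as one small check. The following is an added example, not code from the original post or from Waterfall: the zone names, the integrity and confidentiality levels assigned to them, and the six flows in the inventory are all constructed for illustration. Every flow is treated as information moving from a source zone to a destination zone; Bell / La Padula permits a flow only from lower to higher confidentiality (no leakage), while Biba permits a flow only from higher to lower integrity (no sabotage). The flows Biba rejects are exactly the perimeter-crossing flows that carry potentially hostile information into OT, online or offline, which the post says to inventory first.

```python
"""Biba vs. Bell-LaPadula applied to an OT data-flow inventory.

Added example, not part of the original post. Zone names, level values
and the flows in FLOWS are constructed for illustration only.
"""
from dataclasses import dataclass
from enum import Enum


class Medium(Enum):
    ONLINE = "online"    # network traffic: electrons, photons, radio, ...
    OFFLINE = "offline"  # physical media: USB sticks, laptops, new hosts


# Integrity level of each zone (constructed): higher = more trusted and
# more critical. Under Biba, information may only flow from higher
# integrity to lower integrity.
INTEGRITY = {
    "internet": 0,
    "corporate-it": 1,
    "ot-control": 2,
    "safety-system": 3,
}

# Confidentiality level of each zone (constructed) for the Bell-LaPadula
# view. Under BLP, information may only flow from lower confidentiality
# to higher. In this toy plant the OT zones hold the most sensitive data.
CONFIDENTIALITY = {
    "internet": 0,
    "corporate-it": 1,
    "ot-control": 2,
    "safety-system": 2,
}


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    medium: Medium


def biba_permits(flow):
    """Biba integrity *-property ("no write up"): a flow is allowed only
    when the source is at least as trustworthy as the destination."""
    return INTEGRITY[flow.src] >= INTEGRITY[flow.dst]


def blp_permits(flow):
    """Bell-LaPadula *-property ("no write down"): a flow is allowed only
    when the destination is at least as confidential as the source."""
    return CONFIDENTIALITY[flow.src] <= CONFIDENTIALITY[flow.dst]


def sabotage_paths(flows):
    """Biba view: flows that carry potentially hostile information into a
    higher-integrity zone. These are the perimeter-crossing flows to
    inventory first; the ones reaching the most critical zone come first."""
    rejected = [f for f in flows if not biba_permits(f)]
    return sorted(rejected, key=lambda f: (-INTEGRITY[f.dst], f.name))


def leakage_paths(flows):
    """Bell-LaPadula view: flows that move information out to a less
    confidential zone, i.e. the espionage / leakage risk."""
    return [f for f in flows if not blp_permits(f)]


# Constructed inventory of flows crossing zone boundaries in a toy plant.
FLOWS = [
    Flow("historian replication", "ot-control", "corporate-it", Medium.ONLINE),
    Flow("patch download", "corporate-it", "ot-control", Medium.ONLINE),
    Flow("vendor laptop on plant floor", "internet", "ot-control", Medium.OFFLINE),
    Flow("engineering workstation to SIS", "ot-control", "safety-system", Medium.ONLINE),
    Flow("SIS alarms to HMI", "safety-system", "ot-control", Medium.ONLINE),
    Flow("cloud analytics export", "corporate-it", "internet", Medium.ONLINE),
]


if __name__ == "__main__":
    print("Biba: attack-information entry points (inventory these first)")
    for f in sabotage_paths(FLOWS):
        print(f"  {f.medium.value:7} {f.src} -> {f.dst}: {f.name}")
    print("Bell-LaPadula: information leakage paths")
    for f in leakage_paths(FLOWS):
        print(f"  {f.medium.value:7} {f.src} -> {f.dst}: {f.name}")
```

Run as a script, the Biba list contains the patch download, the vendor laptop and the engineering-workstation-to-SIS flow, while the Bell-LaPadula list contains the historian replication and the cloud export. The same six flows produce two disjoint lists because the two models treat information oppositely: one protects it, the other protects systems from it. Note that the offline vendor laptop shows up in the Biba list alongside the online flows, which is the point of the technical note above.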

 

3) If only we could wave a magic wand and patch everything and zero-trust everything, just like we do our IT networks, then our OT networks would be “secure.”

In most OT networks, the worst credible consequences of compromise are completely unacceptable: things blow up and people die. Or long-lead-time physical equipment is destroyed, and production / infrastructure is down for months or years, not hours or days. In most IT networks, the worst credible consequences are undesirable, and sometimes material, but will not put us out of business. This is the essential difference between most IT and OT networks: we cannot “restore” human lives nor damaged equipment from backups.

This means that even if we could wave our magic wand and secure OT networks exactly as we secure our IT networks, then our OT security program would still be woefully inadequate. The worst credible consequences (credible = reasonable to expect) define the required strength of our security program. When consequences are unacceptable, we need to protect our OT networks much more thoroughly than we protect our IT networks. Our postulated “magic wand” is not nearly enough.

Summing Up

Don’t get me wrong – I’m not saying information is never an asset (robotic programs in discrete manufacturing can be very valuable), nor that asset inventory is useless, nor that IT-style security mechanisms, where we can manage to apply them in OT, are pointless. What we’re talking about here is priorities. If we apply the world’s very best “protect the information assets” IT security program to OT systems, we might, accidentally, prevent material sabotage of physical operations. And we’ll probably spend an enormous amount of money doing that.

Moreover, no security program is complete until it has all the pillars of the NIST CSF: govern, identify, protect, detect, respond and recover. I’m not saying to ignore any of those pillars. To one extent or another, we most often need to “do it all,” but in which order, and where should the funding / implementation priorities lie?

What I am saying is that if we understand our priorities and constraints more accurately, then we can do a much more effective job of all of the above, for far less money.

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 35,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
Webinar: Everything You Know About OT Security Is Wrong
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/webinar-everything-you-know-about-ot-security-is-wrong/
Tue, 05 May 2026 11:42:52 +0000
Discover why common OT security assumptions are wrong

The post Webinar: Everything You Know About OT Security Is Wrong appeared first on Waterfall Security Solutions.


Webinar: Everything You Know About OT Security Is Wrong

Misconceptions about OT security run deep and some of them sound reasonable until you test them against how industrial environments actually work.

Why Common OT Security Assumptions Are Wrong

Now available to watch on demand

Common wisdom in OT security is uncommonly mistaken. What’s really going on? Shoe factories are very different from passenger rail switching. Dramatically different worst-case consequences drive important differences between IT and OT security.

IT protection is preoccupied with espionage, while sabotage is the bigger threat in OT. Intrusion detection takes time, depends on human judgment, and by the time a human responds, the physical damage in an OT environment may already be done.

Encryption and patching add complexity, uncertainty and cost enormously more in OT than they do in IT.

In this webinar we look at widespread misconceptions about OT security, at their root causes, and at more sensible approaches for teams making architecture and investment decisions today.

Webinar Key Takeaways:

• Why common OT security assumptions break down in practice
• How to present OT security to drive better results across your teams
• How consequence changes the way OT threats should be assessed
• Where IT security approaches fall short in industrial environments
• More defensible approaches to OT security decisions and designs

Who Should Attend?

• OT/ICS engineers
• IT security teams taking on OT security
• CISOs with critical infrastructure assets in their portfolio
• Plant managers evaluating security and investment

About the Speaker


Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 35,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

8 (and a Half) Questions for Your OT “Secure” Remote Access Vendors
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/8-and-a-half-questions-for-your-ot-secure-remote-access-vendors/
Wed, 01 Apr 2026 05:26:23 +0000
Ask different questions, get different answers. What should you be asking your OT “secure” remote access (SRA) vendor?

The post 8 (and a Half) Questions for Your OT “Secure” Remote Access Vendors appeared first on Waterfall Security Solutions.


8 (and a Half) Questions for Your OT “Secure” Remote Access Vendors

Ask different questions, get different answers: What should you be asking your OT “secure” remote access (SRA) vendor?
Waterfall team

Terminology first. The word “secure” is in quotes, because cybersecurity (like safety) is a continuum, not a pair of discrete yes/no states. We can always be safer, or less safe. We can always be more secure, or less. The question “Are we secure?” is meaningless. The question “How secure are we?” has an answer. The question “How secure should we be?” is even more important. Anyone who uses “secure” as an adjective is selling something – “secure” communications (really: encrypted and/or authenticated), “secure” boot (really: cryptographically authenticated firmware), “secure” by design (really: better security by designing security in), and so on.

There is no such thing as “secure” remote access.

Want to learn more about OT remote access? Watch our webinar: “13 Ways To Break “Secure” OT Remote Access Systems”

Question 1: For SRA into OT systems, does your vendor provide IT-grade protection we HOPE can detect attacks in time, or do they provide hardware-enforced, engineering-grade protection?

What is IT-grade protection? Imagine a long suspension bridge with dangerous resonant frequencies: even people walking across it risk setting up oscillations that build until they tear the bridge apart. Wind did exactly that to the Tacoma Narrows Bridge in 1940, and pedestrian footsteps set London's Millennium Bridge swaying badly enough to close it in 2000. Now imagine that a bridge you cross every day on the way to work has this problem, and so is stabilized by hydraulic dampers: multiply redundant dampers, redundant power supplies and “secure” control systems. How happy would you be driving across that bridge every day if you knew the design engineer HOPED that a cyber attack on the control system would be detected before the bridge tore itself apart? How happy would you be knowing the design engineer HOPED that, having detected the attack in time, an incident response team could be scrambled fast enough to prevent disaster?

Hope is not what we expect of design engineers. We expect bridges to carry a specified load, in a specified operating environment, for a specified number of decades, with a large margin for error. Engineering-grade protections, like over-pressure relief valves and unidirectional gateways, behave deterministically no matter how sophisticated the cyber attack launched at them.

Question 2: If someone phishes an SRA credential, can they exploit a vulnerability in the Multi-Factor Authentication (MFA) to get into the protected OT systems?

“Secure” Remote Access vendors boast about their MFA, but MFA is software. Yes, the little dongle on our keychain looks like hardware, but the “secure” SRA system we are logging into with the dongle is software. All software has defects, and some defects are security vulnerabilities. Some of those vulnerabilities are known to the SRA product developers, who are madly trying to develop patches / security updates for the vulnerabilities. Others are known only to our enemies, who are using these zero-day vulnerabilities against us without our knowledge. Our attackers phish our “secure” password, ignore our RSA dongle or cell phone authentication app, and exploit a zero-day in the “secure” system to break in with our credentials and work their will upon our OT networks. Is this possible in the “secure” system we are using or considering using?

Question 3: Is that SRA an H2M solution, or an M2M solution?

Terminology:

  • H2M = human-to-machine = sends keystroke & mouse movements in / receives screen images back out.
  • M2M = machine-to-machine = software talking to software – for example: an HMI running on our remote laptop, talking through a VPN to PLCs or OPC servers in the OT network, or a PLC programming tool on our remote laptop, talking through a VPN to update firmware in our safety-instrumented systems (SIS).


When “secure” remote access supports M2M, any malware that might be present on our laptops can reach across the M2M connection or VPN and connect to any vulnerable, out-of-date (e.g. Windows XP) system in our OT network. Such systems are a bonanza for common malware that relies on exploiting known vulnerabilities.

Question 4: Can users override SRA encryption / certificate warnings?

Many “secure” OT solutions use industry-standard Transport Layer Security (TLS) to protect their connections across the Internet. This is the same technology used by web browsers, M2M applications and the vast majority of Internet and IT applications. TLS relies on certificates. An attacker who intercepts our communications can substitute their own certificate, and our software (e.g. our web browser) is supposed to detect the substitution. Many applications, web browsers included, merely caution the user when they see an unexpected certificate and ask whether the user really wants to proceed. Most users answer “yes, of course: override the warning, force the connection to complete, finally I'm connected through this nonsense!” They then present their MFA and other credentials to the “secure” remote access system through a connection the attacker controls, letting the attacker take over the session.
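The client-side side of Question 4, as an added example that is not code from this post or from any vendor's product: the first context is what a user-clickable override amounts to (certificate verification switched off), the second has no override path at all, and the pinning check compares the leaf certificate the gateway presented against a fingerprint provisioned out of band, so an attacker's substitute certificate fails even if it chains to a trusted CA. The certificate bytes and the fingerprint are constructed for the example; no real gateway, CA or network connection is involved.

```python
import hashlib
import hmac
import ssl
from typing import List, Optional

# Constructed sample: stands in for the DER bytes of the certificate the SRA
# gateway presents during the handshake. It is not a real certificate; only
# its SHA-256 fingerprint matters for the pinning check below.
SAMPLE_GATEWAY_CERT_DER = b"CONSTRUCTED-DER-BYTES-FOR-SRA-GATEWAY-CERT"
# Fingerprint the client ships with (assumed to be provisioned at enrolment,
# never learned from the network it is supposed to protect against).
PINNED_FINGERPRINT = hashlib.sha256(SAMPLE_GATEWAY_CERT_DER).hexdigest()


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that would let a substituted certificate through.

    An empty list means the context has no 'proceed anyway' path.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")   # any certificate is accepted
    if not ctx.check_hostname:
        findings.append("no-hostname-check")      # a valid cert for the wrong name is accepted
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")     # downgrade to TLS 1.0/1.1 possible
    return findings


def weak_client_context() -> ssl.SSLContext:
    """What a user override amounts to: verification disabled for the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Chain validation on, hostname check on, TLS 1.2 minimum, no override path."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def pin_matches(peer_cert_der: bytes, expected_fingerprint: str) -> bool:
    """Second check after chain validation: the leaf must be the one we pinned."""
    actual = hashlib.sha256(peer_cert_der).hexdigest()
    return hmac.compare_digest(actual, expected_fingerprint)


def accept_gateway(peer_cert_der: bytes) -> bool:
    """The decision the SRA client makes on its own; there is no prompt for the user to click through."""
    return pin_matches(peer_cert_der, PINNED_FINGERPRINT)
```

With the strict context, a substituted certificate raises `ssl.SSLCertVerificationError` inside the handshake and the session is never established; the pin check then catches the remaining case where the attacker holds a certificate a trusted CA actually issued for the gateway's name.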

Question 5: Can you paste or file-transfer arbitrarily complex files into OT equipment remotely?

A lot of OT equipment is sensitive: it malfunctions if anti-virus runs on it, so we do not run AV on it. It costs a lot of money to re-certify for safety if anything changes, so we have applied no security updates and never upgraded the operating system. These systems are often found still running obsolete versions of Windows, such as XP. What is the risk of downloading a PDF file to such a device? Or a software update executable? Or a clever new OT tool we just found on the Internet that claims it can “clean the hard drive” on this very old, very vulnerable, very important OT system? If people can transfer files that can contain malware, sooner or later they will. Does our “secure” remote access permit this very dangerous operation?
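One content gate an SRA file-transfer path could apply before anything lands on the XP box, as an added example that is neither this post's code nor any product's: it identifies the file type from its leading bytes rather than trusting the extension, refuses anything whose content does not match its name (the “disk cleaner” renamed to `manual.pdf`), allows only an assumed short list of types into OT, and rejects PDFs carrying active-content markers. The policy, file names and byte strings are all constructed for the example.

```python
from typing import Tuple

# Leading-byte signatures checked instead of the file extension.
SIGNATURES = [
    (b"MZ", "pe"),             # Windows executable / DLL
    (b"\x7fELF", "elf"),       # Linux executable
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),    # also .docx/.xlsx/.jar containers
]
EXT_TO_TYPE = {"exe": "pe", "dll": "pe", "pdf": "pdf", "zip": "zip", "txt": "text"}
# Assumed transfer policy for the example: only these content types may cross into OT.
ALLOWED_TYPES = {"pdf", "text"}
# PDF dictionary keys that indicate script or launch behaviour on open.
PDF_ACTIVE_CONTENT = (b"/JavaScript", b"/Launch", b"/OpenAction")


def detect_type(data: bytes) -> str:
    """Classify by content: magic bytes first, then 'text' if it decodes as UTF-8."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def transfer_decision(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for one file offered for transfer into OT."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = detect_type(data)
    if actual != claimed:
        return False, f"content is {actual} but extension claims {claimed}"
    if actual not in ALLOWED_TYPES:
        return False, f"{actual} transfers are not permitted into OT"
    if actual == "pdf":
        for marker in PDF_ACTIVE_CONTENT:
            if marker in data:
                return False, f"PDF contains active content marker {marker.decode()}"
    return True, "ok"
```

The extension mismatch rule is the one that catches the renamed executable; the type allowlist is what stops the update `.exe` even when it is honestly named. Whether OT can tolerate such a gate at all, or whether transfers should simply not be possible, is the question the post is asking the vendor.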

Question 6: Is there a session timeout?

Many users find session timeouts really annoying: they must log in again whenever they get distracted by another emergency during an OT SRA session. But what happens if there is no session timeout? We log in and finish a job in the evening on our home computer. We go to work the next day. Our kids log into the home computer to do their homework and find our session still open, still connected. What harm could that cause? Or: we put no PIN on our cell phone, because constantly entering PINs is annoying. We open a “secure” remote access session, set the phone down and forget it. A stranger picks it up. There is no PIN. The remote session is still active into our critical infrastructure operations. What harm could be done?
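A minimal implementation of the two timeouts Question 6 is really asking about, as an added example not taken from this post or from any vendor's product: an idle timeout that ends the session the kids or the stranger would otherwise find still open, and an absolute lifetime that activity cannot extend, so a session left running on a shared machine does not survive into the next day. The 15-minute and 8-hour values are assumptions, and `now` is an explicit parameter so the behaviour can be checked with a simulated clock; a real deployment would pass `time.monotonic()`.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Policy values are assumptions for this example, not figures from the post.
IDLE_TIMEOUT_S = 15 * 60            # session dies after 15 min without activity
ABSOLUTE_LIFETIME_S = 8 * 60 * 60   # and after 8 h regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """In-memory store for SRA sessions with idle and absolute timeouts."""

    def __init__(self, idle: float = IDLE_TIMEOUT_S, absolute: float = ABSOLUTE_LIFETIME_S):
        self.idle = idle
        self.absolute = absolute
        self._sessions: Dict[str, Session] = {}

    def open(self, user: str, now: Optional[float] = None) -> str:
        """Create a session and return its bearer token."""
        now = time.monotonic() if now is None else now
        s = Session(user=user, created=now, last_seen=now)
        self._sessions[s.token] = s
        return s.token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[Session]:
        """Return the live session for `token`, or None if it is unknown or expired.

        Expired sessions are deleted on the spot, so a forgotten phone or a
        still-open home PC cannot resume them later, and activity extends the
        idle window but never the absolute lifetime.
        """
        now = time.monotonic() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen >= self.idle or now - s.created >= self.absolute:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s

    def close(self, token: str) -> None:
        """Explicit logout; idempotent."""
        self._sessions.pop(token, None)

    def live_count(self) -> int:
        return len(self._sessions)
```

Every request through the SRA gateway calls `validate` before it forwards a keystroke; a `None` result means the user re-authenticates, MFA included, rather than the gateway quietly extending a session it can no longer attribute to the person who opened it.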

Question 7: Do you require deny-by-default on firewalls protecting OT networks?

Many “secure” remote access vendors claim we can install their software on the OT computer of our choice and the software will connect straight out to the Internet through the IT/OT and IT firewalls, without anyone having to reconfigure those firewalls. This design assumes that OT firewalls are configured the way most IT firewalls are: allow any outbound connection by default, and block only inbound connections and outbound connections to known-dangerous destinations.

Such a configuration means the “secure” remote access solution counts on a firewall policy that any well-meaning technician on the OT network can exploit to install a rogue remote access solution of their own, among other things. For example: open a persistent SSH connection to a home Linux computer, with reverse port forwarding so the home machine can reach back into OT systems; or download a “free” remote access / support tool, connect it out to the tool vendor's cloud, and rendezvous with it from a home computer. Well-meaning technicians imagine there is no need to “bother” IT or engineering with such matters when anyone with the most modest computer skills can download and install whatever “secure” remote access software they wish, using their XP admin credentials.
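A check that makes the deny-by-default principle of Question 7 concrete, as an added example that is neither this post's code nor any product's: it audits constructed firewall log lines for outbound connections that OT hosts were allowed to make but that an explicit egress allowlist would not permit, flags the SSH-to-outside pattern of the reverse tunnel described above, and renders the same allowlist as an nftables-style forward chain with `policy drop`, which is the configuration the SRA software in the paragraph above cannot silently pass through. The 10.50.0.0/16 OT network, the 10.0.0.0/8 enterprise range, the two allowed flows and the log lines are all assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Assumed addressing for this example (not from the post).
OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]          # the plant network
ENTERPRISE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]    # anything else is "outside"
# The only outbound flows OT hosts may initiate: (destination, protocol, port, purpose)
ALLOWED_EGRESS = [
    (ipaddress.ip_network("10.10.20.5/32"), "tcp", 443, "DMZ historian replica"),
    (ipaddress.ip_network("10.10.20.9/32"), "udp", 123, "DMZ NTP"),
]

LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)"
)


def parse_line(line: str) -> Optional[Dict]:
    """Pull the fields we need out of one firewall log line; None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
        "action": m["action"].lower(),
    }


def in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)


def egress_permitted(dst, proto: str, dport: int) -> bool:
    return any(dst in net and proto == p and dport == port for net, p, port, _ in ALLOWED_EGRESS)


def audit_egress(lines: List[str]) -> List[Dict]:
    """Return every connection an OT host was allowed to open that the allowlist would have dropped."""
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow" or not in_any(rec["src"], OT_NETWORKS):
            continue
        if egress_permitted(rec["dst"], rec["proto"], rec["dport"]):
            continue
        reason = "outbound flow not in OT egress allowlist"
        # SSH from OT straight to a host outside the enterprise is the rogue reverse-tunnel pattern.
        if rec["dport"] == 22 and not in_any(rec["dst"], ENTERPRISE_NETWORKS):
            reason += " (SSH to a host outside the enterprise: possible reverse tunnel)"
        violations.append({**rec, "reason": reason})
    return violations


def nft_ruleset() -> str:
    """Render the allowlist as an nftables forward chain: anything not listed is logged and dropped."""
    lines = [
        "table inet ot_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for net in OT_NETWORKS:
        for dst, proto, port, purpose in ALLOWED_EGRESS:
            lines.append(f"    ip saddr {net} ip daddr {dst.network_address} "
                         f"{proto} dport {port} ct state new accept  # {purpose}")
        lines.append(f'    ip saddr {net} log prefix "ot-egress-drop " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed firewall log lines for the example (not real traffic).
SAMPLE_LOG = [
    "2026-04-01T09:12:03Z src=10.50.1.23 dst=10.10.20.5 dport=443 proto=tcp action=allow",
    "2026-04-01T09:12:09Z src=10.50.1.23 dst=203.0.113.7 dport=22 proto=tcp action=allow",
    "2026-04-01T09:13:41Z src=10.50.1.40 dst=198.51.100.20 dport=443 proto=tcp action=allow",
    "2026-04-01T09:14:02Z src=10.50.1.40 dst=10.10.20.9 dport=123 proto=udp action=allow",
    "2026-04-01T09:15:17Z src=10.20.3.8 dst=203.0.113.7 dport=22 proto=tcp action=allow",
    "2026-04-01T09:16:55Z src=10.50.1.41 dst=198.51.100.21 dport=443 proto=tcp action=deny",
]
```

Run against the sample, the audit reports two problems: the SSH session from 10.50.1.23 to an outside host, and the HTTPS connection from 10.50.1.40 to an outside cloud address, which is exactly what a “no firewall changes needed” SRA agent or a free support tool phoning home looks like. The generated chain would have dropped both; the `ct state established,related` line is what lets replies to the permitted historian and NTP flows back in.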

Question 8: Does your OT SRA need a firewall?

Most SRA vendors assume there is a firewall between the IT and OT networks, and their SRA software relies on establishing connections through this firewall. Firewalls, however, are vulnerable to many attacks. For examples, see Thirteen Ways to Break a Firewall. In contrast, Hardware-Enforced Remote Access™ (HERA), for example, is compatible with, but does not require a vulnerable firewall at the IT/OT interface.

Question 8 1/2: Does your SRA support MFA?

We count this as only half a question, because all commercial-grade OT SRA supports MFA. The only SRA without MFA is the “roll your own” kind, where you are hard-pressed to find any vendor to ask these questions of in the first place. Internet-exposed, and even IT-exposed OT facilities should all support MFA and we must enable that MFA without fail.

Digging Deeper

To better understand why these questions are important, or to dig deeper into the simple attack scenarios that lie behind these questions, watch our webinar 13 Ways To Break “Secure” OT Remote Access Systems – And questions you should be asking your OT SRA vendor about these attacks.

About the author
Waterfall team



Webinar: 13 Ways To Break “Secure” OT Remote Access Systems
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/webinar-13-ways-to-break-secure-ot-remote-access-systems/
Sun, 29 Mar 2026 10:58:06 +0000
Explore 13 ways attackers can break OT remote access systems, show which SRAs are most vulnerable and which are most deserving of the “secure” title

The post Webinar: 13 Ways To Break “Secure” OT Remote Access Systems appeared first on Waterfall Security Solutions.


Webinar: 13 Ways To Break “Secure” OT Remote Access Systems

and the questions you should be asking your OT SRA vendor...

 

AVAILABLE NOW – STREAM THE RECORDING

How much security do “secure” remote access solutions really provide? We’re laying all the cards on the table.

In this webinar, we’ll explore 13 ways attackers can break OT remote access systems, show which SRAs are most vulnerable & which are most deserving of the “secure” title.

We’ll finish with the questions you should be asking vendors to understand how exposed their solutions are.

Understanding attacks is essential to designing robust defenses. One way to compare the strength of competing OT SRA solutions is to compare the attacks those solutions defeat reliably, vs the attacks they do not defeat. 

In this webinar, we cover a lucky 13 ways to break “secure” remote access systems, and look at which kinds of systems are vulnerable to each kind of attack.

We finish with questions to ask “secure” OT remote access vendors to understand how exposed their solutions are to these kinds of attacks. 

In this session we cover VPNs, jump hosts and DMZs, and we look at the more modern cloud / broker / rendezvous architectures, as well as more deterministic, hardware-enforced solutions.

The 13 Attacks We’ll Be Covering: 

1) Shoulder surfing attacks – how attackers capture credentials without hacking

2) Social engineering users – exploiting human behavior to gain access

3) Password guessing & brute-force attacks – why weak credentials still succeed

4) Help desk social engineering – bypassing security through support teams

5) Rogue OT remote access (SRA) – unauthorized remote connections into OT networks

6) Exploiting outdated encryption – breaking legacy crypto protocols still supported

7) Malware passing through VPNs – how threats propagate inside trusted remote connections

8) Malware hiding in file transfer & clipboards – hidden risks in everyday remote workflows

9) Session hijacking & stealing logged-in cell phones – taking over active authenticated sessions

10) Exploiting known vulnerabilities – patching gaps and N-days lead to breaches

11) Stealing cookies to hijack browser sessions – compromising web-based remote access and password vaults

12) Zero-day exploitation in OT remote access – how unknown vulnerabilities are weaponized

13) Bypassing remote access entirely – when attackers go straight through the firewall

Access our deep dive into modern attack vectors and discover the critical questions you should be asking your OT 'Secure' Remote Access vendors.

About the Speaker

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 35,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.


Webinar: 2026 OT Cyber Threat Report
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/webinar-2026-ot-cyber-threat-report-2/
Wed, 25 Mar 2026 15:30:57 +0000
We'll cover the record-breaking costs of consequences, what's behind the drop in ransomware attacks, and the key defensive developments of 2025 in light of these threats

The post Webinar: 2026 OT Cyber Threat Report appeared first on Waterfall Security Solutions.


Webinar: 2026 OT Cyber Threat Report

Watch now, on demand!

In 2025, 57 cyber attacks caused real-world damage in heavy industry world-wide. This is a 25% drop from 2024, but that is only the tip of the iceberg.

Most of this reduction is because of temporary factors affecting ransomware attacks. Nation-state and hacktivist attacks doubled, with most attacks targeting critical infrastructures. 

This is the only industry report focused exclusively on verified cyber incidents with physical consequences. The data set is public: every incident we use is listed in the report's appendix with links to public news reports.

Highlighted attacks include:

  • Jaguar Land Rover – the most costly production shutdown in a decade,
  • Collins Aerospace – a crippled software system caused flight cancellations and delays for weeks, highlighting the need for rapid recovery or manual fall-backs for critical systems operated and managed by third parties,
  • Grounded and mis-directed ships – again highlighting the need for multiple independent checks on important external inputs, such as GPS signals, and
  • Polish distributed generation – a near miss because the lights stayed on, an example of the Russian nation state targeting European critical infrastructure, and a cautionary tale about “bricking” control equipment.

Join Greg Hale of ICS Strive and Andrew Ginter of Waterfall Security as they explore what lies beneath all of 2025's OT breaches with physical consequences.

Key Takeaways:

  • Record-breaking costs of consequences
  • What is behind the drop in ransomware attacks
  • Key defensive developments of 2025, in light of these threats

About the Speaker

Waterfall team


80K Stryker Devices Wiped Following Iran-Attributed Attack
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/stryker-devices-wiped/
Tue, 24 Mar 2026 17:21:31 +0000
Stryker produces medical devices. An Iran-attributed attack erased 80K devices as a result of an intrusion into the Microsoft Cloud and an instruction to erase/reset the devices

The post 80K Stryker Devices Wiped Following Iran-Attributed Attack appeared first on Waterfall Security Solutions.


80K Stryker Devices Wiped Following Iran-Attributed Attack

Stryker produces medical devices. An Iran-attributed attack erased 80,000 corporate and personal devices (cell phones? laptops?) as a result of an intrusion into the Microsoft cloud and an instruction from that cloud to erase / reset the devices.
Andrew Ginter

https://www.bleepingcomputer.com/news/security/stryker-attack-wiped-tens-of-thousands-of-devices-no-malware-needed/

Stryker’s product shipping has stopped for now, but it is not clear yet whether manufacturing was also impaired. This is the kind of attack I’ve worried about for years – bad guys who get into IT or industrial cloud systems can wind up with the ability to affect thousands of devices via their encrypted cloud connections, in what might otherwise be heavily-defended sites. 

Given the data available today, we will probably count this incident in next year’s OT Cyber Threat Report – we count incidents in the public record in manufacturing, heavy industry, critical industrial infrastructure and large building automation systems (eg: data centers). This year’s report is about to release – you can request your copy here.

About the author
Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 35,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

