Mythos, Zero Days and OT Cybersecurity


Lior Frenkel

CEO and Co-Founder, Waterfall Security

The advent of Anthropic’s Claude Mythos is the latest example of a trend many of us in industrial cybersecurity have been warning about for years. Sophisticated offensive cyber capabilities are no longer confined to elite nation-state teams with enormous budgets and years of specialized expertise. AI is “democratizing” cyber attacks, including attacks on operational technology (OT) systems.

Public reports describe Mythos as capable of discovering zero-day vulnerabilities, chaining together exploits of otherwise low-severity vulnerabilities into powerful attacks, reverse engineering proprietary systems, and automating large portions of advanced attack workflows.

Whether every public claim proves accurate is almost beside the point. The trajectory is unmistakable. Frontier AI models are reducing the cost, time, and expertise needed to conduct sophisticated cyber operations.

Join Andrew Ginter and me on June 17 for a live webinar exploring the impact of AI-driven cyber threats on OT security and introducing Waterfall’s newest Unidirectional Gateway.

OT Targets

For OT environments, this matters enormously.

OT systems are intrinsically vulnerable. Rapid patching of OT systems is extraordinarily expensive and difficult. In safety-critical and reliability-critical environments, patches cannot simply be deployed overnight. Engineering change control processes that minimize safety and reliability risks require testing, validation, outage coordination, safety review, and operational acceptance. 

In many facilities, those processes take months or years. Worse, patching remediates (hopefully) only known defects, and, again, AIs have proven adept at finding previously unknown vulnerabilities. Even with a patching “magic wand,” IT and OT systems would still be intrinsically vulnerable.

Remember Fuzzing?

That said, the discovery of large numbers of zero-day vulnerabilities is not entirely new. More than a decade ago, fuzzing technologies dramatically increased the rate at which vulnerabilities were discovered in both IT and OT systems. Automated fuzzing campaigns uncovered large numbers of latent defects in industrial protocols, embedded devices, operating systems, and applications.

What is different today is the scale, exploitability and sophistication of zero-day attacks. Again:

  • The volume of vulnerabilities being discovered is increasing dramatically,
  • Systems like Mythos are able to chain together low-severity vulnerabilities into much more dangerous attacks, and
  • Perhaps most important, AI systems are increasingly capable of automating sophisticated offensive workflows.

Today those workflows still involve human oversight. Tomorrow they will not!

The Perimeter Is Dead? No…

All this makes OT perimeter protection more important, not less: hardening the interior against zero-day attacks was never achievable, not for IT systems and not for OT systems. This problem is precisely why Waterfall’s Unidirectional Gateways were invented almost 20 years ago. Waterfall’s gateways were designed from the beginning to withstand nation-state-grade attacks against OT targets, including sophisticated attacks exploiting zero-day vulnerabilities.

In contrast, conventional firewalls depend on software correctness. Even “next generation” firewalls ultimately rely on operating systems, protocol stacks, parsing engines, authentication systems, and millions of lines of software behaving perfectly correctly under hostile conditions. Zero-day vulnerabilities undermine all of these assumptions: exploit a zero-day, or a sequence of zero-days, to take over the CPU and software of even the most sophisticated next-generation firewall, and the device does the attackers’ bidding, not the defenders’.

Waterfall’s Unidirectional Gateways – “Immune” to Zero-Days

Waterfall’s gateways are a combination of hardware and software. The hardware is physically able to send information in only one direction, usually from the OT network out to the IT network, so that the business can profit from access to OT information. The hardware is physically unable to send any information, including cyber-sabotage attack information, back into the OT network. There is no return path, physically.

This is why Waterfall’s Gateways are fundamentally immune to network-based zero-day exploits aimed at crossing the protection boundary. Even if the gateways’ IT-exposed software is compromised, there is physically no way for that software to send attack information back into the OT network.
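As an added illustration, not Waterfall’s code and not a description of how its products are built internally, the following Python model shows the one protocol consequence of a physically one-way link that the two paragraphs above describe: because nothing can flow back, the IT side can never acknowledge a frame or request a retransmission, so the OT side has to number, checksum and redundantly send every record, and the IT side has to detect loss and corruption entirely on its own. The frame format, the `OWG1` marker, the class names, the simulated wire faults and the sample tag readings are all invented for this example.

```python
# Toy model of OT-to-IT replication over a one-way channel. Constructed for
# this article, not Waterfall's code; frame format, names and data are invented.
import json
import struct
import zlib
from collections import deque

MAGIC = b"OWG1"               # hypothetical frame marker
HDR = struct.Struct("!4sIH")  # magic, 32-bit sequence number, payload length

def encode_frame(seq, record):
    """Header + JSON payload + CRC-32 over both."""
    payload = json.dumps(record, separators=(",", ":")).encode()
    body = HDR.pack(MAGIC, seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)

def decode_frame(frame):
    """Return (seq, record), or None if the frame is truncated or corrupt."""
    if len(frame) < HDR.size + 4:
        return None
    body, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    magic, seq, length = HDR.unpack_from(body)
    if magic != MAGIC or len(body) != HDR.size + length:
        return None
    return seq, json.loads(body[HDR.size:])

class OneWayChannel:
    """OT side can only put(); IT side can only get(); nothing flows back.
    `faults` maps a wire frame index to 'drop' or 'flip' (simulated noise)."""
    def __init__(self, faults=None):
        self._queue, self._faults, self._index = deque(), faults or {}, 0
    def put(self, frame):                  # OT (source) side only
        fault = self._faults.get(self._index)
        self._index += 1
        if fault == "drop":
            return
        if fault == "flip":
            frame = bytearray(frame)
            frame[-5] ^= 0xFF              # damage the last payload byte
        self._queue.append(bytes(frame))
    def get(self):                         # IT (destination) side only
        return self._queue.popleft() if self._queue else None

class Transmitter:
    """OT side: number each record and send it `redundancy` times, since a
    lost frame can never be re-requested from the far side."""
    def __init__(self, channel, redundancy=2):
        self.channel, self.redundancy, self.seq = channel, redundancy, 0
    def send(self, record):
        frame = encode_frame(self.seq, record)
        for _ in range(self.redundancy):
            self.channel.put(frame)
        self.seq += 1

class Receiver:
    """IT side: drop corrupt frames, collapse redundant copies, report gaps."""
    def __init__(self, channel):
        self.channel, self.records, self.corrupt, self.highest = channel, {}, 0, -1
    def drain(self):
        while (frame := self.channel.get()) is not None:
            parsed = decode_frame(frame)
            if parsed is None:
                self.corrupt += 1
                continue
            seq, record = parsed
            self.records.setdefault(seq, record)   # duplicate copy is a no-op
            self.highest = max(self.highest, seq)
        return self.records
    def missing(self):
        return [s for s in range(self.highest + 1) if s not in self.records]

def replicate(records, faults=None, redundancy=2):
    """Push records through one channel; return the IT-side Receiver."""
    channel = OneWayChannel(faults)
    tx, rx = Transmitter(channel, redundancy), Receiver(channel)
    for record in records:
        tx.send(record)
    rx.drain()
    return rx

# Constructed sample readings; tag names are invented, not real plant data.
SAMPLE = [
    {"tag": "PUMP_01.FLOW", "value": 12.4},
    {"tag": "PUMP_01.PRESSURE", "value": 3.1},
    {"tag": "TANK_02.LEVEL", "value": 71.0},
    {"tag": "VALVE_07.STATE", "value": "OPEN"},
    {"tag": "BOILER_03.TEMP", "value": 188.5},
]
# Wire frames 2 and 3 are the two copies of seq 1 (lost outright); frame 4 is
# one copy of seq 2, whose second copy (frame 5) still gets through.
FAULTS = {2: "drop", 3: "flip", 4: "drop"}

if __name__ == "__main__":
    rx = replicate(SAMPLE, FAULTS)
    print("replicated:", sorted(rx.records))      # [0, 2, 3, 4]
    print("corrupt frames:", rx.corrupt)          # 1
    print("lost beyond recovery:", rx.missing())  # [1]
```

The point to take from the model is the trade-off: sequence numbers and redundant sends replace the acknowledgements a TCP connection would provide, and the OT side never learns what the IT side actually received. The replica is therefore a best-effort copy, and that same absence of a reverse channel is what keeps attack traffic from the IT side out of the OT network.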

As a side note, yes, comprehensive OT security programs are still important in unidirectionally-protected networks. Intrusion detection, security monitoring, asset inventory, vulnerability management, and capable incident response are all needed to address residual risks. But detection and response take time. Human investigation takes time. Escalation takes time. Remediation takes time. In a future of highly automated AI-driven attacks, we will not have that time; we urgently need to block AIs from simply reaching across networks and into critical OT systems.

Looking Forward

Over the next 2-3 years, we are entering one of the most dangerous periods OT security has faced. In that environment, deterministic protection is essential. Unidirectional gateways are not the only control we need, but they are one of the few technologies specifically engineered from the beginning to remain effective, even when sophisticated attackers possess zero-days, advanced malware, and increasingly powerful AI assistance.

Waterfall’s gateways are exactly the kind of deterministic, engineering-grade protections we need for the difficult years ahead.

About the author

Lior Frenkel

CEO and Co-Founder, Waterfall Security

Lior Frenkel is a cybersecurity entrepreneur, author, and global expert in OT and critical infrastructure security with more than 25 years of industry experience. As the CEO and co-founder of Waterfall Security Solutions, he has led the deployment of innovative unidirectional security technologies protecting critical infrastructure worldwide. Lior is a recognized thought leader who contributes to international cybersecurity policy, regulatory initiatives, and industry strategy. He also serves in leadership roles across major Israeli technology and manufacturing organizations, helping advance the global cybersecurity industry.
