September 28, 2025
Since Stuxnet and 9/11, the worst fears about catastrophic OT cyberattacks have not come true. Large-scale, long-lasting outages and destructive incidents predicted by early warnings have largely been avoided. Improvements such as stronger segmentation between IT and OT networks, tighter controls on removable media, better resiliency planning, and advances in detection tools have all contributed to limiting damage and keeping operations more stable than once feared.
At the same time, many fundamental OT security problems remain unsolved. Industrial protocols still often lack authentication, systems continue to accept unauthenticated commands, and adoption of key practices like asset inventories, vulnerability management, and micro-segmentation is inconsistent. While some organizations have taken meaningful steps forward, widespread progress has fallen short of expectations. The field has achieved enough to avoid disaster, but not enough to close the core security gaps that persist in critical infrastructure.
Source: https://dale-peterson.com/2025/09/02/we-won-we-lost-part-1/