When Public Systems Go Dark, Even Air Gaps Are Not Enough

Nov 05 2025


In late October 2025, the Canadian Centre for Cyber Security issued an unusual public alert. Several of the country’s water, oil and gas, and agricultural facilities had been compromised by hacktivist groups. Attackers had remotely accessed industrial control systems (ICS), manipulating water pressure valves, falsifying tank level alarms, and even changing the temperature and humidity inside grain silos.

For many observers, this was just another headline about “cyberattacks abroad.” But for anyone managing operational technology (OT), the message was clear — critical infrastructure can no longer afford to see cyber risk as someone else’s problem.

 

A Familiar Pattern

This new wave of hacktivist activity reflects a pattern already identified in ENISA’s Threat Landscape 2025. Across Europe, the public sector topped the list of targets for cyberattacks on critical infrastructure — surpassing energy, manufacturing, and transport.


Why public institutions first? There are several reasons. Attacking public utilities guarantees visibility. When water systems, transport networks, or city services fail, social impact is immediate, and the attacker’s message spreads fast.

Public organisations also face slower procurement cycles and smaller cybersecurity budgets compared to private enterprises. Security investments rely on taxpayer funding, annual approvals, and lengthy audits — all of which delay implementation.

And behind it all lies the weight of legacy technology. Public infrastructure often operates on long-lived, vendor-specific systems that are difficult to patch or replace. Many were never designed with cybersecurity in mind. The result is an uneven defence landscape where the systems most essential to public safety are often the least protected.

 

Hacktivism Meets Industrial Control

Unlike espionage or ransomware campaigns, hacktivist attacks are rarely selective. According to the Cyber Centre’s October 2025 advisory (AL25-016), attackers did not choose victims by name; they scanned the internet for exposed ICS devices and exploited weak or missing authentication.

This represents a dangerous evolution. Hacktivists once defaced websites or launched DDoS attacks to draw attention. Now they are interacting directly with control logic — changing values, issuing commands, and causing physical effects.

The Canadian incidents were contained before catastrophic damage occurred, but the implications are sobering. If attackers could alter water pressure in one region, what stops a similar actor from opening valves in a chemical plant, or silencing alarms in a wastewater facility? These events underline a truth long known but often ignored — air gaps are no longer absolute. Every remote connection, VPN tunnel, and monitoring dashboard introduces potential exposure.


 

The Most Dangerous Assumption

Many organisations still believe their environments are safe because they operate within “closed” networks. In practice, few OT systems remain isolated. Remote maintenance, telemetry integration, and cloud-based analytics have blurred boundaries that once felt secure.

What happened in Canada could happen anywhere with weak identity control — not because of negligence, but because the attack surface has grown faster than traditional defences can adapt.

And the longer organisations postpone investment, the higher the cost of recovery. As explored in our previous guide, "The Hidden Cost of Delaying OT Security", downtime and disruption quickly outweigh any savings from deferred action. Security is no longer a supporting function; it is the foundation of operational continuity.

 

From Compliance to Real Resilience

Global frameworks such as IEC 62443 and NIS2 have moved OT security from recommendation to requirement. Yet compliance alone cannot guarantee protection. True resilience depends on architectural change — ensuring that authentication, monitoring, and response mechanisms continue to function even when connectivity is lost or when legacy systems cannot be replaced.


In this context, one-way dynamic authentication is emerging as a practical defence model. By generating and validating credentials that never repeat and do not rely on continuous network exchange, such structures block unauthorised access at the source.

OTAC (One-Time Authentication Code) technology follows this principle, enabling secure identity verification even in air-gapped or intermittently connected environments. These approaches demonstrate that security and operational availability no longer need to compete — they can coexist by design.
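The general principle described above (codes that never repeat and are validated without any network exchange) can be illustrated with the public RFC 4226 HOTP construction. This is an added example, not swIDch's code and not the OTAC algorithm, which this article does not describe; the `OfflineVerifier` class, its look-ahead window and the `demo` function are hypothetical names chosen for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OfflineVerifier:
    """Hypothetical verifier for an isolated controller: it holds only the
    shared secret and the next counter it will accept, and never calls out."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self._secret = secret
        self._next = 0
        self._look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # Only counters >= self._next are tried, so a used code never matches again.
        for counter in range(self._next, self._next + self._look_ahead + 1):
            if hmac.compare_digest(hotp(self._secret, counter), code):
                self._next = counter + 1  # burn this counter and any skipped ones
                return True
        return False


def demo() -> list:
    secret = b"12345678901234567890"  # RFC 4226 test secret, constructed input only
    verifier = OfflineVerifier(secret)
    first = hotp(secret, 0)
    return [
        verifier.verify(first),            # fresh code is accepted
        verifier.verify(first),            # replay of the same code is rejected
        verifier.verify(hotp(secret, 2)),  # code 1 was never used; 2 is in the window
        verifier.verify(hotp(secret, 1)),  # older than the accepted counter: rejected
        verifier.verify(hotp(secret, 9)),  # beyond the look-ahead window: rejected
    ]


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the trade-off to tune: it lets the verifier resynchronise when codes are generated but never submitted, while each extra counter it accepts gives a guesser one more valid code.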

 

Building Shared Trust

When public systems go dark, it’s not just a technical outage — it’s a breakdown of collective trust. Governments, regulators, and technology providers must treat OT security as a pillar of national resilience. Information-sharing frameworks, joint incident response exercises, and coordinated standards can bridge the gap between policy and practice.

Equally, organisations themselves must embrace cybersecurity as a shared responsibility, not a delegated one. Security cannot depend on a single vendor, budget cycle, or regulation. It must be continuous, embedded, and measurable — part of the same trust framework that allows societies to function even when networks fail.

 

The Moment to Act

As nations finalise their 2026 budgets, there is a narrow but crucial window to act. The incidents in Canada — and the trends observed across Europe — underline a simple reality: delaying OT security is not cost avoidance, it’s risk accumulation.

For many operators, the question is no longer if they will modernise, but how quickly they can build resilient, identity-first control systems.

Security is not a wall; it’s a framework of trust. And as 2026 approaches, that trust must become part of every infrastructure plan — before the next public system goes dark.

 
