Cyber Threats to Critical Infrastructure: What Defense Contractors Must Understand
Cybersecurity, Defense, Infrastructure

September 9, 2024 | Spartan X Corp

The Convergence Problem

Critical infrastructure (energy grids, water systems, transportation networks, and communications) increasingly runs on networked digital systems. Operational technology (OT) that once operated in isolated, air-gapped environments is now connected to enterprise IT networks for monitoring, management, and efficiency optimization. This convergence delivers real operational benefits. It also creates pathways that an adversary can traverse from an initial compromise of something as mundane as an email server to the control systems that manage physical processes.

The threat actors targeting these systems are not opportunistic criminals. Volt Typhoon, a group attributed to the People's Republic of China, has been found pre-positioned in U.S. critical infrastructure networks, not to steal data but to maintain persistent access that could be activated during a future conflict. Because the group relies on living-off-the-land techniques, built-in system tools and valid credentials rather than custom malware, its activity blends into routine administration and rarely trips signature-based detection. The intent is strategic: degrade the infrastructure that supports military mobilization, power projection, and economic resilience during a crisis.

For defense contractors and the defense industrial base (DIB), this threat is immediate and direct. The DIB is itself designated as one of the 16 critical infrastructure sectors. The intellectual property, controlled unclassified information (CUI), and operational data that flow through defense contractor networks are high-value targets that adversaries pursue with well-resourced, patient campaigns.

The Attack Surface Extends Beyond Your Network

Traditional cybersecurity focuses on defending an organization's own network perimeter. But modern supply chains mean that a defense contractor's risk extends to every vendor, subcontractor, and service provider with access to its systems or data. A Tier 3 supplier with inadequate security practices can become the entry point for an adversary targeting a prime contractor's most sensitive programs.

Supply chain compromise takes multiple forms. It can be as sophisticated as the SolarWinds attack, where malicious code was inserted into a legitimately signed software update that customers installed as a matter of routine, or as straightforward as compromising the email account of a subcontractor to conduct targeted phishing against the prime contractor's program managers. The common thread is that the attacker exploits trust relationships: between organizations, between systems, and between people.

The defense community's response to supply chain risk has been slow relative to the threat. NIST SP 800-171 established security requirements for contractors handling CUI, and CMMC (Cybersecurity Maturity Model Certification) aims to verify that those requirements are actually met through assessment rather than self-attestation alone, with third-party assessment for contractors handling the more sensitive CUI. But the gap between policy requirements and actual security posture across the DIB remains significant, particularly among small and mid-size contractors that lack dedicated cybersecurity teams.

OT Security in Defense Environments

Defense contractors operate manufacturing facilities, test ranges, and laboratories that rely on operational technology: industrial control systems, SCADA networks, and specialized test equipment. These OT environments often run legacy software that cannot be easily patched, use proprietary protocols that commercial security tools do not understand, and were designed for reliability and safety rather than security.

Securing OT in defense environments requires specialized expertise that bridges the gap between IT cybersecurity and industrial control systems engineering. The security controls that work for enterprise networks (endpoint detection and response, frequent patching, behavioral analytics) must be adapted for environments where a misconfigured security tool can halt production or create safety hazards: an agent that blocks a control process, or an active vulnerability scanner that floods a fragile PLC with probes, can do more damage than the attack it was meant to stop.

Network segmentation between IT and OT environments is the foundational control, but it must be implemented with an understanding of the legitimate data flows that cross the boundary (a historian polling controllers, an engineering workstation pushing configuration changes), so that the boundary permits exactly those flows and denies everything else. Monitoring OT networks for anomalous behavior requires baselines built on an understanding of normal industrial processes, which clients talk to which controllers and which operations they perform, not just on network traffic volumes.
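The two controls above, an allow-list of documented IT/OT boundary flows and a per-client process baseline, are concrete enough to show in code. The following is an added example, not code from the original article or from Spartan X: the zones, hosts, ports, Modbus function codes and log lines are all constructed for illustration, and the log format is a hypothetical one chosen for the example.

```python
"""Added example (not from the original article): allow-listed IT/OT boundary flows
plus a per-client Modbus function-code baseline, audited over constructed log lines.
All addresses, ports, baselines and traffic below are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

# Hypothetical zones: enterprise IT and the plant-floor OT network.
IT_ZONE = ip_network("10.10.0.0/16")
OT_ZONE = ip_network("192.168.50.0/24")

# The only documented flows permitted across the IT/OT boundary.
# Key: (src, dst, dst_port, proto). Anything else crossing the boundary is denied.
ALLOWED_FLOWS = {
    ("10.10.5.20", "192.168.50.10", 502, "tcp"),   # historian polls PLC over Modbus/TCP
    ("10.10.5.20", "192.168.50.11", 4840, "tcp"),  # historian reads OPC UA server
}

# Process baseline: which Modbus function codes each (client, PLC) pair normally uses.
# 3/4 read registers; 6/16 write registers. In practice this is learned from a
# period of known-normal operation; here it is simply asserted for the example.
MODBUS_BASELINE = {
    ("10.10.5.20", "192.168.50.10"): {3, 4},           # historian only ever reads
    ("192.168.50.5", "192.168.50.10"): {3, 4, 6, 16},  # engineering workstation may write
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def crosses_boundary(flow: Flow) -> bool:
    s, d = ip_address(flow.src), ip_address(flow.dst)
    return (s in IT_ZONE and d in OT_ZONE) or (s in OT_ZONE and d in IT_ZONE)


def boundary_verdict(flow: Flow) -> str:
    """'intra-zone' if the flow never crosses IT/OT; otherwise 'allow' only if allow-listed."""
    if not crosses_boundary(flow):
        return "intra-zone"
    key = (flow.src, flow.dst, flow.dport, flow.proto)
    return "allow" if key in ALLOWED_FLOWS else "deny"


# Hypothetical log format: "<ts> <src> -> <dst>:<dport>/<proto> fc=<function code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+)/(?P<proto>\w+) fc=(?P<fc>\d+)$"
)


def audit_modbus_log(lines):
    """Return one alert string per line that is denied at the boundary, comes from a
    client with no baseline for that PLC, or uses a function code outside its baseline."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            alerts.append(f"unparseable: {line!r}")
            continue
        flow = Flow(m["src"], m["dst"], int(m["dport"]), m["proto"])
        fc = int(m["fc"])
        if boundary_verdict(flow) == "deny":
            alerts.append(f"{m['ts']} DENY boundary {flow.src}->{flow.dst}:{flow.dport}")
            continue  # an allowed or intra-zone flow is then checked against the baseline
        allowed_fcs = MODBUS_BASELINE.get((flow.src, flow.dst))
        if allowed_fcs is None:
            alerts.append(f"{m['ts']} ALERT unknown client {flow.src} for PLC {flow.dst}")
        elif fc not in allowed_fcs:
            alerts.append(f"{m['ts']} ALERT fc={fc} outside baseline for {flow.src}->{flow.dst}")
    return alerts


# Constructed Modbus/TCP log lines (not real traffic).
SAMPLE_LOG = [
    "2024-09-09T10:00:01Z 10.10.5.20 -> 192.168.50.10:502/tcp fc=3",      # normal historian read
    "2024-09-09T10:00:02Z 192.168.50.5 -> 192.168.50.10:502/tcp fc=16",   # normal engineering write
    "2024-09-09T10:00:03Z 10.10.5.20 -> 192.168.50.10:502/tcp fc=16",     # historian writing: anomaly
    "2024-09-09T10:00:04Z 10.10.7.33 -> 192.168.50.10:502/tcp fc=3",      # unlisted IT host: denied
    "2024-09-09T10:00:05Z 192.168.50.77 -> 192.168.50.10:502/tcp fc=43",  # new OT-side client: anomaly
]

if __name__ == "__main__":
    for alert in audit_modbus_log(SAMPLE_LOG):
        print(alert)
```

Two things in the sample are worth noticing. The third line would pass a port-based firewall without comment, since the historian is allowed to reach the PLC on 502; only the process baseline catches a read-only client issuing a write. The fifth line never crosses the IT/OT boundary at all, so segmentation says nothing about it, and it is the per-PLC client baseline that flags a host that has no business talking Modbus to that controller.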

Building Resilience, Not Just Defense

The sophistication and persistence of nation-state cyber threats to critical infrastructure and the DIB mean that prevention alone is insufficient. Organizations must assume that determined adversaries will eventually gain initial access and plan accordingly. Resilience (the ability to detect compromise quickly, contain its impact, maintain essential operations during an incident, and recover rapidly) is the more achievable and more important objective.

This requires investment in detection capabilities that go beyond signature-based tools, incident response planning that accounts for OT environments (where isolating a compromised system may mean stopping a physical process, and where the responders must include the engineers who run it), and regular exercises that test organizational response under realistic conditions. It also requires a cultural shift away from treating cybersecurity as an IT department responsibility and toward recognizing it as an operational risk that warrants executive attention and resource allocation commensurate with the threat.

The adversaries targeting defense industrial base networks are patient, well-funded, and strategic in their objectives. The organizations that survive in this environment will be those that match that seriousness with sustained investment in both defense and resilience.
