Subscribe to The Audit Brief, where we break down the latest episode of The Audit Podcast.
The Real Talk:
- Why the “air gap” protecting critical infrastructure is mostly a lie—and what’s actually connected to your power plants and water treatment facilities
- How threat actors can now ask ChatGPT for the exact chemical levels needed to poison a water supply (and get working code to do it)
- The reality that most industrial environments are still running Windows 95—and why updating them could literally kill people
A Closer Look:
The Vulnerability You Can’t Patch
Lesley Carhart, technical director of incident response at Dragos, delivers an uncomfortable truth: Industrial control systems are designed to be vulnerable. When someone hits the emergency stop button because an arm is getting chopped off, you don’t want encryption adding latency. These environments prioritize life safety over cybersecurity—and adversaries know it.
The Asymmetric War
While corporate security teams juggle meetings, CAB approvals, and two-week reboot windows, nation-state attackers work 24/7 with zero bureaucracy. They’re not just exploiting technical vulnerabilities—they’re targeting the chemical engineers and electrical engineers who understand exactly how to cause catastrophic failures. Or they’re just asking LLMs to write the ladder logic for them.
The Five Critical Controls Reality Check
Forget AI-powered next-gen whatever. Most industrial facilities don’t even have network maps or asset inventories. The industry’s current rallying cry? “Hey, maybe we should start segmenting these environments.” That’s where we’re at. Not because people are incompetent—because these systems were tested for years before deployment and shutting down a power plant to patch Windows isn’t exactly a casual Tuesday activity.
Bottom Line:
While IT teams debate how to safely trial ChatGPT for document translation, adversaries are using LLMs to calculate lethal chemical dosages and generate custom malware for industrial control systems. The gap isn’t just technical—it’s philosophical. One side can’t update a workstation without a year of planning. The other side doesn’t attend meetings and isn’t constrained by business hours.
Your critical infrastructure is more connected, more vulnerable, and more targeted than ever. And if Lesley shows up at your facility, you’ve already had a very, very bad day.
Tune into the full episode to hear why ransomware groups are increasingly targeting industrial verticals, what happens when commodity malware takes out the systems that keep oil platforms safe, and why the best security advice for these environments sounds alarmingly basic—because that’s honestly where most organizations still need to start.
🔗 Ep 77 – Industrial Cybersecurity Reality Check with Lesley Carhart
Learn more at www.itauditlabs.com

