EP257 Beyond the 'Kaboom': What Actually Breaks When OT Meets the Cloud?
Cybersecurity

Cloud Security Podcast

Jan 5, 2026

AI Summary

In this episode, Chris Sistrunk explains that the biggest OT risks now stem from routine IT-style attacks, often "living-off-the-land" techniques on engineering workstations, rather than from dramatic malware like Stuxnet, as organizations connect industrial systems to the cloud for telemetry and AI. He argues that true air gaps are largely a myth: hybrid architectures expose OT to the same vulnerabilities as IT, but they also offer cloud-scale analytics that can improve detection and response when tuned to physical outcomes. Sistrunk shares a red-team case in which a locomotive was remotely hijacked, underscoring the need for security teams that understand both the cyber and the physical process, and he advises leveraging cloud security controls and standards such as ISA/IEC 62443 to close the remaining safety-security gap.

Episode Description

Guest: Chris Sistrunk, Technical Leader, OT Consulting, Mandiant


Do you have something cool to share? Some questions? Let us know:

Web: cloud.withgoogle.com/cloudsecurity/podcast

Mail: cloudsecuritypodcast@google.com

Twitter: @CloudSecPodcast

Show Notes


Topics Covered

  • When we hear “attacks on Operational Technology (OT)” some think of Stuxnet targeting PLCs or even back‑doored pipeline control software plots in the 1980s. Is this space always so spectacular or are there less “kaboom” style attacks we are more concerned about in practice?

  • Given the old “air‑gapped” mindset of many OT environments, what are the most common security gaps or blind spots you see when organizations start to integrate cloud services for things like data analytics or remote monitoring?

  • How is the shift to cloud connectivity— for things like data analytics, centralized management, and remote access—changing the security posture of these systems? What’s a real‑world example of a positive security outcome you’ve seen as a direct result of this cloud adoption?

  • How do the Tactics, Techniques, and Procedures outlined in the MITRE ATT&CK for ICS framework change or evolve when attackers can leverage cloud‑based reconnaissance and command‑and‑control infrastructure to target OT networks? Can you provide an example?

  • OT environments generate vast amounts of operational data. What in that data is actually interesting for OT detection and response (D&R)?


Resources

  • Video version: https://www.youtube.com/watch?v=mrqF62DgOFc

  • Cybersecurity Forecast 2026 report (Google): https://cloud.google.com/security/resources/cybersecurity-forecast

  • “Complex, hybrid manufacturing needs strong security. Here’s how CISOs can get it done” (blog): https://cloud.google.com/transform/complex-hybrid-manufacturing-needs-strong-security-how-cisos-get-it-done

  • “Security Guidance for Cloud‑Enabled Hybrid Operational Technology Networks” (paper): https://services.google.com/fh/files/misc/ot_security_blueprint_ociso2025.pdf

  • DEF CON 23 – Chris Sistrunk – NSM 101 for ICS: https://www.youtube.com/watch?v=H6AWRziR028

  • MITRE ATT&CK for ICS: https://attack.mitre.org/matrices/ics/

  • Reflections on the podcast in 2025: https://security.googlecloudcommunity.com/ciso-blog-77/five-years-of-the-cloud-security-podcast-by-google-6452


Transcript

The discussion centered on the evolving landscape of Operational Technology (OT) security and its increasing convergence with cloud environments. While Hollywood portrays OT threats as spectacular "explosions," the reality is more nuanced: attackers rely heavily on "Living off the Land" (LotL) tactics and on the exploitation of increasingly connected industrial control systems (ICS). The core takeaway is that while OT security historically lagged IT by 15 years, the gap is closing as hybrid cloud architectures become the standard for modern manufacturing and utilities.

Key Discussion Points

The Myth of the “Kaboom” vs. Reality

While high‑profile incidents like Stuxnet or the legendary (if perhaps apocryphal) Siberian pipeline explosion capture headlines, the daily reality of OT risk is less cinematic but more pervasive. OT is defined as anything with both a cyber and a physical component (elevators, power grids, water systems). The primary driver of risk today isn’t just specialized malware; it’s the business requirement for data. CEOs want real‑time manufacturing telemetry, which leads to connecting once‑isolated networks to IT environments and the cloud.

The “Air Gap” is a Ghost

Sistrunk noted that true air gaps rarely exist in modern infrastructure. Even systems that claim to be isolated often have maintenance backdoors or are connected via "serial-to-cloud" converters. The industry is moving toward a hybrid model in which OT data is sent to the cloud for analytics and AI-driven quality control, while the control and safety functions that need low latency stay on premises.

Attack Vectors and the 99% Rule

A critical insight from the session: 99% of OT attacks target the same "boring" infrastructure as IT, namely Windows and Linux workstations. An attacker who compromises an engineering workstation doesn't need specialized OT malware: the vendor engineering software already installed on that machine is built to read and rewrite controller logic and setpoints, so the attacker simply uses those existing tools to manipulate the physical process. This makes the Enterprise MITRE ATT&CK framework just as relevant to OT as the ICS-specific framework.

Red Teaming a Locomotive

The Mandiant OT red team successfully demonstrated a “God Mode” hijack of a physical locomotive in a test yard. By gaining access to the control systems, they were able to manipulate speed readings, move the train, and even honk the horn remotely. This highlights the importance of having “industry‑fluent” security professionals—people who understand the physics of the system, not just the packets.

Detection, Visibility, and the “Homer Simpson” Problem

OT monitoring isn’t just about dumping logs into a SIEM. It requires “engineering tuning.” In the same way a nuclear plant operator (or Homer Simpson) might reflexively acknowledge an alarm, security alerts in OT must be tied to physical outcomes. The challenge is moving from “noise” to “context,” using cloud‑scale analytics to boil down billions of events into meaningful physical impacts.
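The "engineering tuning" point above, and the earlier point about attackers living off the land on an engineering workstation, as an added example that is not code from the episode, Mandiant or Google: a small Python triage routine that scores events by their physical outcome rather than by volume. It assumes an invented NSM-style log format (one Modbus request or one engineering-workstation process event per line), an invented register map with engineer-supplied safe ranges, a hypothetical vendor tool named PLCProgrammer.exe, and constructed host names and addresses.

```python
"""Context-aware OT alerting over constructed sample events.

Added example for this page (not code from the episode, Mandiant, or Google).
The log format, hosts, register map and safe ranges below are all invented.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Engineering context an OT engineer would supply (invented values):
# (PLC address, holding register) -> tag name and the physically safe range.
PROCESS_CONTEXT = {
    ("10.10.1.5", 40001): {"tag": "Pump1_Setpoint_RPM", "low": 0, "high": 1800},
    ("10.10.1.5", 40002): {"tag": "Tank1_HighLevel_Alarm_pct", "low": 80, "high": 95},
}
AUTHORIZED_WRITERS = {"10.10.2.20"}          # EWS01, the only host allowed to write
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}           # write coil(s) / write register(s)
ENGINEERING_TOOLS = {"plcprogrammer.exe"}     # hypothetical vendor engineering tool
INTERACTIVE_PARENTS = {"explorer.exe"}        # an operator launching the tool by hand

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>modbus|process) (?P<kv>.*)$")


@dataclass
class Alert:
    ts: str
    severity: str   # "physical": process could be driven outside safe limits
    reason: str     # "suspicious": unexpected actor, no proven physical impact yet


def parse_event(line: str) -> Optional[dict]:
    """Turn one 'ts kind k=v k=v ...' line into a dict; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields.update(ts=m.group("ts"), kind=m.group("kind"))
    return fields


def check_modbus(ev: dict) -> Optional[Alert]:
    """Judge a Modbus request by what it would do to the process, not only who sent it."""
    if int(ev["func"]) not in MODBUS_WRITE_FUNCS:
        return None                       # polling reads are the normal background traffic
    key = (ev["dst"], int(ev["addr"]))
    ctx = PROCESS_CONTEXT.get(key)
    if ctx is None:
        return Alert(ev["ts"], "suspicious",
                     f"write from {ev['src']} to unmodelled register {key[1]} on {key[0]}")
    value = int(ev["value"])
    if not ctx["low"] <= value <= ctx["high"]:
        return Alert(ev["ts"], "physical",
                     f"{ctx['tag']} set to {value} by {ev['src']} "
                     f"(safe range {ctx['low']}-{ctx['high']})")
    if ev["src"] not in AUTHORIZED_WRITERS:
        return Alert(ev["ts"], "suspicious",
                     f"in-range write to {ctx['tag']} from unauthorized host {ev['src']}")
    return None                           # authorized host, sane value: routine engineering


def check_process(ev: dict) -> Optional[Alert]:
    """Living off the land on the EWS: the legitimate tool run by something other than an operator."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    if image not in ENGINEERING_TOOLS or parent in INTERACTIVE_PARENTS:
        return None
    return Alert(ev["ts"], "suspicious",
                 f"{image} on {ev['host']} started by {parent} as {ev['user']}: "
                 f"engineering tool driven by a script, not an operator")


def triage(lines) -> list:
    """Run every parsable line through the check matching its kind; collect alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        alert = check_modbus(ev) if ev["kind"] == "modbus" else check_process(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: one NSM sensor feed and one EWS endpoint feed, interleaved.
SAMPLE_LOG = r"""
2026-01-05T03:12:44Z modbus src=10.10.2.20 dst=10.10.1.5 func=6 addr=40001 value=1500
2026-01-05T03:13:01Z modbus src=10.10.2.20 dst=10.10.1.5 func=6 addr=40001 value=2400
2026-01-05T03:14:10Z modbus src=10.10.3.7 dst=10.10.1.5 func=6 addr=40002 value=90
2026-01-05T03:15:00Z modbus src=10.10.2.20 dst=10.10.1.5 func=3 addr=40001
2026-01-05T03:16:00Z process host=EWS01 user=svc_backup image=C:\Eng\PLCProgrammer.exe parent=C:\Windows\System32\wscript.exe
2026-01-05T09:05:00Z process host=EWS01 user=jsmith image=C:\Eng\PLCProgrammer.exe parent=C:\Windows\explorer.exe
"""

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} [{a.severity}] {a.reason}")
```

On the constructed log this yields three alerts out of six events: a Modbus read never alerts, an in-range write from an unexpected host is only "suspicious", and a write that pushes a tag outside its engineered range is "physical" regardless of who sent it, which is the alert an operator should not be able to acknowledge reflexively. The process check flags the vendor tool when its parent is a script host rather than an interactive shell, the living-off-the-land pattern on an engineering workstation, while the same tool launched by an engineer from the desktop stays silent.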

Topic Timeline

  • Introduction to Season 6 and the OT Shift – Hosts transition from typical AI‑centric cloud security topics to the “physical” world of OT.

  • Defining OT Beyond the Hype – Chris Sistrunk dispels the “Die Hard 4” myths and defines OT as the intersection of cyber and physical systems.

  • The Drivers of Connectivity – Discussion on why industrial systems are being connected to the cloud (telemetry, AI quality control, executive reporting).

  • The Death of the Air Gap – Why “serial‑to‑cloud” converters and hybrid architectures have made the traditional air gap obsolete.

  • Attacker Goals and Frameworks – Comparing MITRE ATT&CK for Enterprise vs. ICS and the prevalence of “Living off the Land” tactics.

  • The Locomotive Hijack – A deep dive into a Mandiant red‑team engagement involving the remote control of a train.

  • Safety vs. Security – Why physical safety valves and mechanical fail‑safes are the last line of defense against cyber‑induced “kaboom” scenarios.

  • The “Redneck” Threat and Squirrels – A lighthearted but serious look at non‑cyber threats to the grid, including physical tampering and wildlife.

  • Cloud as a Security Accelerator – How the inherent security of modern cloud providers can improve the resilience of legacy industrial systems.

  • Operational Visibility – The history of industrial monitoring (from the 1800s to today) and the need for engineering‑aware detection in the SOC.

  • Closing Advice and Resources – Recommendations for getting into the field, including “donut diplomacy” with engineers and key standards like ISA/IEC 62443.

