Safe Mode Podcast – Episode Summary
Episode Title: Opportunistic by Default: How OT gets pulled into the blast radius
Air Date: January 29, 2026
Host: Greg Otto (Editor-in-Chief, Cyberscoop)
Guests:
- Tim Stark (Senior Reporter, Cyberscoop)
- Chris Grove (Director of Cybersecurity Strategy, Nozomi Networks)
Episode Overview
This episode of the Safe Mode Podcast explores the reality that not all cyberattacks on critical infrastructure are the work of determined, nation-state actors pursuing sophisticated, targeted outcomes. Rather, many are opportunistic in nature—taking advantage of unintended exposure, misconfigurations, or technological convergence between IT and OT (Operational Technology). Greg Otto is joined first by Tim Stark to break down recent federal policy shifts with implications for software supply chain security. The main interview features Chris Grove, who discusses how digitization, automation, and increased dependency on connected systems have expanded the OT attack surface, and what defenders can do to mitigate opportunistic threats.
Key Discussion Points and Insights
1. Federal Policy Rollback: OMB Memo 2218 ([00:40]–[08:08])
- Recent News: The Office of Management and Budget (OMB) issued a memo (2218) retracting a previous policy that required a universal self-attestation form for software vendors, originally enacted post-SolarWinds to standardize supply chain security.
- Expert Analysis:
- Tim Stark explains the rollback’s implications: "This was something… meant to be a streamlining… The 2021 executive order was a response to SolarWinds… and this was meant to make it so that software could be developed securely." ([03:04])
- Critics fear that ending this requirement may lead to weaker security, less accountability, and inconsistent rules across federal agencies.
- The memo does not ban the original form, leaving agencies to decide whether to continue using it.
- Marketplace Reaction: It’s unclear if agencies will develop new, distinct forms or stick with the old, potentially complicating vendor compliance.
- Long-term Implications: The rollback was unexpected, raising concerns about the administration’s future cybersecurity direction.
2. Opportunistic Attacks in OT: Trends and Tactics ([08:08]–[33:38])
Opportunistic Escalation in Critical Infrastructure ([09:19])
- Chris Grove discusses a real-life indictment: A Ukrainian national charged for OT-related attacks that escalated from DDoS to deep ICS (Industrial Control System) compromise.
- Key Takeaway: "A lot of this activity can be opportunistic... Reducing Internet-exposed OT remains a very high-leverage defense." – Greg Otto ([09:19])
Why OT is Increasingly Vulnerable ([10:21])
- Complex Dependencies: "We are so dependent… Without the water, we don't have power. Without the power, we don't have water… It's a very complex bulb of spaghetti." – Chris Grove ([10:21])
- Digitization and automation create more entry points and a sprawling landscape defenders must cover.
- Legacy systems, a few years old in IT but often decades old in OT, weren’t designed for present-day threat models.
OT Parallels to Cloud Security ([13:21])
- Resistance to linking OT with the cloud has faded as cloud-based backend services (e.g., data historians) have become necessary for efficiency and visibility.
- "It’s hard to acquire products that don’t use the cloud of some sort as a backend for a lot of things." – Chris Grove ([13:21])
How Automation Introduces New Attack Surfaces ([16:03])
- All OT tech has weaknesses; attackers with adequate skills can exploit project files, logic templates, golden images, backups, and more.
- Attacks often exploit less-secure IT-OT connections to indirectly influence physical processes.
Risky "Modernization Moves" ([18:15])
- Pitfall: "Not including cybersecurity in the design from the beginning… bolting on security as an afterthought." – Chris Grove ([18:15])
- Financial and logistical obstacles mean many OT environments struggle to retrofit effective protections.
Standardization vs. Tactical Defense ([20:06])
- Regulatory guidance exists (e.g., CISA, ISA 62443) but isn’t uniformly practical for all organizations.
- Sometimes incremental, tactical improvements are more feasible than full-scale standard adoption.
Common Attacker Tradecraft and Defender Opportunities ([21:13])
- Key Insight: Attackers often shut down IT operations to create the impression they can impact OT, prompting defenders to halt operations out of caution, even without proof of physical compromise.
- "Just the fact that they are near it on some networks… is something that is a lot more than sometimes even having the access." – Chris Grove ([22:15])
- Impressions of access can trigger expensive, wide-scale responses without actual OT manipulation.
Detection and Early Warning Priorities ([24:06])
- Visibility across all systems is paramount: "If you pick one or pick two or pick three [control points], whichever one you didn’t pick is the one that they’re going to probably enter through." – Chris Grove ([24:39])
- It’s not about producing more alerts/data, but actionable intelligence—integrating IT and OT telemetry to spot complex attack paths.
Special Event Security & Real-World Constraints ([27:35])
- For high-profile events (Olympics, World Cup, national celebrations), defenders may "lock down" systems, restrict changes and access, and intensify monitoring.
- Some sites are mature; others lack staff/technology, relying on federal assistance.
Evolving with the Technology: Embracing the Cloud ([31:40])
- OT defenders once avoided cloud platforms; now, it’s a competitive advantage, especially with AI-powered anomaly detection and data analysis.
- "The safest way to do it is to make sure that everyone’s on board… and we’re not… starting up… shadow cloud or anything dangerous like that." – Chris Grove ([33:24])
Notable Quotes & Memorable Moments
- "A lot of this activity can be opportunistic… reducing Internet-exposed OT remains a very high-leverage defense." – Greg Otto ([09:19])
- "We are so dependent… Without the water, we don't have power. Without the power, we don't have water… It's a very complex bulb of spaghetti." – Chris Grove ([10:21])
- "Not including cybersecurity in the design from the beginning… bolting on security as an afterthought." – Chris Grove ([18:15])
- "If you pick one or pick two or pick three [control points], whichever one you didn’t pick is the one that they’re going to probably enter through." – Chris Grove ([24:39])
- "The safest way to do it is to make sure that everyone's on board… and we're not… starting up… shadow cloud or anything dangerous like that." – Chris Grove ([33:24])
Important Timestamps and Segments
- Federal Policy Rollback Overview – [00:40]–[08:08]
- Opportunistic Attack Vector Analysis – [09:19]–[12:37]
- OT and Cloud: Converging Threat Models – [13:21]–[16:03]
- Automation as Attack Surface – [16:41]–[19:33]
- Modernization Risks & Standardization Debate – [18:15]–[21:13]
- Attacker Tactics and Defensive Gaps – [21:13]–[24:39]
- Defender Best Practices for Early Detection – [24:39]–[27:35]
- Event-Year Security & Real-World OT Constraints – [27:35]–[31:40]
- OT’s Evolving Relationship to the Cloud and AI – [31:40]–[33:24]
Summary Table
| Topic | Guest/Speaker | Timestamp | Key Insight/Quote |
|---|---|---|---|
| OMB Cyber Policy Rollback | Tim Stark | 00:40–08:08 | Rollback could lead to inconsistencies and less accountability |
| Opportunistic OT Attacks | Chris Grove | 09:19–12:37 | Many attacks start as "noise" and only move into OT if opportunity appears |
| OT vs. Cloud Security Parallel | Chris Grove | 13:21–16:03 | "Now it's hard to acquire products that don’t use the cloud..." |
| Automation as an Attack Surface | Chris Grove | 16:41–19:33 | Attackers often leverage weaknesses in project files, backups, legacy systems |
| Modernization Dangers | Chris Grove | 18:15–20:06 | Adding security as an afterthought increases cost and risk |
| Tradecraft in Opportunistic Attacks | Chris Grove | 21:13–24:06 | Impressions of compromise can force expensive shutdowns |
| Visibility and Detection | Chris Grove | 24:39–27:35 | Need holistic monitoring across all systems ("pick one, they’ll use another") |
| Special Event Security Responses | Chris Grove | 27:35–31:40 | Some cities lock down OT, others rely on partners & federal government due to limited staffing |
| OT's Willingness to Adopt Cloud and AI | Chris Grove | 31:40–33:24 | Cloud and AI now seen as necessary enablers for defense, not threats themselves |
Takeaways for OT Defenders
- Don’t over-attribute sophistication to every attack: Many are opportunistic, exploiting overlooked weaknesses.
- Legacy OT environments need holistic, integrated security—piecemeal or afterthought fixes are high-risk.
- Visibility across IT and OT is essential for meaningful detection and rapid response.
- Prepare for large events with increased vigilance, personnel, and cross-agency support.
- Modern defenders must embrace cloud and AI thoughtfully—as force multipliers, not panaceas, and with robust controls to avoid new risks.
This episode offers nuanced, experience-based guidance for security leaders and practitioners tasked with protecting evolving, interdependent critical infrastructure systems from both opportunistic and targeted threats.
