1,000 systems down, manual operations engaged, and why your ‘secure’ OT network is probably next.
Start your engines, or rather, grab your walkie-talkies. The Romanian National Administration “Apele Române” just got a nasty holiday present: a massive ransomware attack taking down over 1,000 systems. They claim their Operational Technology (OT) is fine, but when you are coordinating flood defences via radio because the dashboard is dark, “fine” is doing a lot of heavy lifting. This isn’t just about Romania; it is a symptom of a global disease where critical infrastructure is protected by prayers and plywood. As geo-political tensions rise, water is the new frontline. We are seeing an increased attack surface on these utilities, and frankly, our defences are looking pretty porous. If you think your air gap will save you, I have a bridge to sell you.
The Romanian Ripple Effect
Let’s look at the recent catastrophe at the Romanian National Administration, ‘Apele Române,’ to see what a bad week really looks like. Over 1,000 systems — we are talking GIS servers, databases, workstations, and email — got scrambled. The weapon of choice? Good old Windows BitLocker. The attackers didn’t need a fancy zero-day exploit; they just locked the digital doors using the building’s own security keys. Because BitLocker is legitimate, signed, built-in software, endpoint tooling that only looks for known malware has very little to alert on. But here is the part that makes my eye twitch: the official statement claims Operational Technology was not affected.
Fantastic news, right? Except in the next breath, they admit staff are coordinating flood defences using phones and radios. Let’s be very clear: if you have to manually call Bob at the dam to ask him to turn a valve because your SCADA screens are dark, your OT is decidedly affected. The pumps might still be spinning (the muscle), but the brain of the operation has been lobotomised. It is a modern utility reverting to the Stone Age, relying on oral tradition and walkie-talkies to manage critical water levels. This isn’t just a glitch; it is a terrifying loss of situational awareness.
The attackers left a ransom note with a seven-day timer, and the Romanian National Cyber Security Directorate (DNSC) has rightly advised them not to pay. But looking at the map, with the geopolitical temperature rising next door between Russia and Ukraine, this smells less like a random cash grab and more like a calculated disruption of a soft target. As I’ve noted before, nation-state actors are increasingly treating water infrastructure as low-hanging fruit. The Romanians are now finding out that when the IT network goes down, the “secure” OT network is just a submarine running silent and deep — blind, deaf, and dangerous.
The Air Gap Fairy Tale
Let’s address the elephant in the server room: the Air Gap. It is a fairy tale we tell ourselves to sleep better at night. In the Romanian incident, the officials claimed the operational hardware wasn’t encrypted. Great. But if your SCADA system — the eyes and ears of your operation — is down, it doesn’t matter if the pumps *can* run. You are effectively commanding a submarine with the sonar cut; the engine is turning, but you are running blind, praying you don’t hit a mountain.
This scenario highlights the fatal flaw of relying on ‘perimeter’ security. Firewalls and VPNs are relics. They are porous. Once a bad actor breaches the IT network (usually via a phishing email or a compromised laptop), pivoting to the OT network is rarely hard: a dual-homed engineering workstation, a shared jump host with cached credentials, or a firewall rule that was opened “temporarily” years ago is usually all it takes. It is classic lateral movement. As I discussed in our article Avoid Exploitation of Unitronics PLCs used in Public Water Systems, it is terrifyingly easy to find these devices naked on the internet. Tools like Shodan act as a search engine for negligence, highlighting devices with default passwords or open ports that should never see the light of day.
We build these complex networks and call them fortresses, but they are just plywood painted to look like stone. One kick and the whole thing falls over. CISA has been shouting from the rooftops regarding the vulnerability of water sector infrastructure, noting that these systems are often “target rich, cyber-poor.” If you think your VPN is saving you, you are wrong. Once a remote user (or whoever has stolen their credentials) authenticates, a traditional VPN drops their device onto the internal network with the same reach as a desk in the building. It is just a very long Ethernet cable that bypasses your security controls. It is time to admit the air gap is gone and stop pretending a firewall is a defence strategy.
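One way to test the “air gap” claim against reality is to look at what the IT/OT boundary firewall actually allowed. The script below is an added example, not code from the original article or from any product it mentions: it parses a handful of constructed firewall log lines (assumed format: timestamp,src,dst,dport,action) and flags every permitted IT-to-OT connection that did not come from the designated jump host, or that used a port the jump host has no business touching. The zone CIDRs, the jump host address and the approved OT ports are assumptions for illustration.

```python
"""Audit an 'air-gapped' OT boundary against what the firewall actually saw.

Added example, not from the original article. Parses constructed firewall
log lines and flags IT->OT flows that violate the boundary policy. The zone
CIDRs, jump host and allowed OT ports below are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed network plan: IT on 10.10.0.0/16, OT on 10.20.0.0/16.
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")
# Only this (hypothetical) hardened jump host may reach OT from IT.
JUMP_HOST = ipaddress.ip_address("10.10.5.5")
# OT services the jump host is allowed to reach: HMI web UI and Modbus/TCP.
ALLOWED_OT_PORTS = {443, 502}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Split one 'timestamp,src,dst,dport,action' record into typed fields."""
    ts, src, dst, dport, action = [f.strip() for f in line.split(",")]
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action


def audit(lines):
    """Return a Finding for each permitted IT->OT flow that breaks the policy."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, action = parse_line(line)
        if src not in IT_ZONE or dst not in OT_ZONE:
            continue  # only boundary crossings matter here
        if action.upper() != "ALLOW":
            continue  # the firewall already stopped it
        if src != JUMP_HOST:
            findings.append(Finding(ts, str(src), str(dst), dport,
                                    "IT host other than the jump host reached OT"))
        elif dport not in ALLOWED_OT_PORTS:
            findings.append(Finding(ts, str(src), str(dst), dport,
                                    "jump host used a non-approved OT port"))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
# timestamp,src,dst,dport,action
2024-12-20T03:12:01Z,10.10.5.5,10.20.1.10,443,ALLOW
2024-12-20T03:12:07Z,10.10.44.23,10.20.1.10,445,ALLOW
2024-12-20T03:12:09Z,10.10.44.23,10.20.1.11,502,ALLOW
2024-12-20T03:12:15Z,10.10.5.5,10.20.1.11,3389,ALLOW
2024-12-20T03:12:20Z,10.10.44.23,10.20.1.12,502,DENY
2024-12-20T03:13:02Z,10.10.7.8,10.10.9.9,445,ALLOW
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

On the sample data the script reports three violations: an ordinary IT workstation reaching an OT host over SMB, the same workstation speaking Modbus/TCP to a PLC, and the jump host opening RDP into the OT zone. Point it at a real export of the boundary firewall’s permit log and a clean run is the only result that justifies calling the OT network isolated.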
Plugging the Leaks with Zero Trust
Since we have established that your perimeter is about as effective as a screen door on a submarine, we need a different approach. Stop trying to secure the wire and start securing the identity. This is the core of Zero Trust. It means assuming your network is already compromised — because, statistically, it is. You do not need to rip out every legacy PLC (which is good, because you won’t). You need to wrap them in a protective layer that cares about who is knocking, not just where they are plugging in.
Here is how you actually plug the leaks:
- Robust Multi-factor Authentication: And for the love of sanity, no SMS. SMS codes can be phished in real time or intercepted via SIM-swap, so they are functionally broken. Use phishing-resistant factors: FIDO2/WebAuthn hardware keys, or platform authenticators where the biometric unlocks a device-bound key.
- Single Sign-On: Eliminate the ‘sticky note password’ problem. If your operators have to remember fifteen passwords, they will write them down on a Post-it note stuck to the HMI. Centralise it.
- Precise Authorisation and Segmentation: Stop letting the receptionist’s compromised PC talk to the flood control dams. Access should be granular — down to the specific device for the specific user.
The tool for this is not a better VPN; VPNs are dangerous tunnels into your soft underbelly that facilitate the very lateral movement we are trying to stop. You need an Identity-Aware Proxy, like Agilicus AnyX. It acts as a bouncer, checking ID before anyone even sees the application: the HMI itself is never exposed, only the proxy is, and the proxy forwards a request only after the user, their MFA method and their entitlement to that specific device have all checked out. As we detailed in our internal webinar Nation State Attacks on Critical Infrastructure, modern authentication can stop these breaches dead in their tracks without requiring you to replace all that rusty legacy hardware. Secure the user first; segmentation still matters, but identity is where the leaks actually get plugged.
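To make the three points above concrete, here is the decision an identity-aware proxy makes before a request ever reaches an HMI, written as an added example for this article; it is not Agilicus AnyX code and not from the original page. It verifies a signed identity token, rejects any session whose MFA method is not phishing-resistant, and then authorises the specific user for the specific device. The token format (an HMAC-SHA256 signature over a base64url JSON body), the shared secret, the user names and the device names are all assumptions for illustration; a real deployment verifies tokens issued by the identity provider with its public key rather than a shared secret.

```python
"""Identity-aware access decision for an OT application.

Added example, not Agilicus AnyX code and not from the original article.
The token format, SECRET, POLICY entries and device names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed shared secret between the IdP and the proxy (illustration only;
# production uses the IdP's public key to verify asymmetric signatures).
SECRET = b"example-proxy-signing-key"

# Phishing-resistant methods the proxy accepts as "real" MFA (no SMS).
STRONG_MFA = {"webauthn", "hardware-key"}

# Assumed policy: which user may reach which OT application (hypothetical names).
POLICY = {
    "alice@waterco.example": {"flood-gate-hmi-3", "pump-station-7"},
    "bob@waterco.example": {"pump-station-7"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact HMAC-signed token (stand-in for what an IdP issues)."""
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, now: float, secret: bytes = SECRET):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token: str, device: str, now=None):
    """Decide whether this request may reach `device`. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    claims = verify_token(token, now)
    if claims is None:
        return False, "invalid or expired token"
    # Identity is not enough: the session must have used strong MFA.
    if claims.get("amr") not in STRONG_MFA:
        return False, f"MFA method {claims.get('amr')!r} is not phishing-resistant"
    # Granular authorisation: this user, this device, nothing more.
    user = claims.get("sub", "")
    if device not in POLICY.get(user, set()):
        return False, f"{user} is not authorised for {device}"
    return True, f"{user} authorised for {device}"


NOW = 1_700_000_000.0  # fixed clock so the worked example is reproducible


def demo():
    """Constructed sessions exercising the accept and reject paths."""
    good = mint_token({"sub": "alice@waterco.example", "amr": "webauthn", "exp": NOW + 600})
    sms = mint_token({"sub": "alice@waterco.example", "amr": "sms", "exp": NOW + 600})
    expired = mint_token({"sub": "alice@waterco.example", "amr": "webauthn", "exp": NOW - 1})
    tampered = good[:-4] + "AAAA"  # corrupt the signature
    return {
        "alice_own_device": authorize(good, "flood-gate-hmi-3", NOW),
        "alice_wrong_device": authorize(good, "chlorine-dosing-1", NOW),
        "alice_sms_mfa": authorize(sms, "flood-gate-hmi-3", NOW),
        "expired": authorize(expired, "flood-gate-hmi-3", NOW),
        "tampered": authorize(tampered, "flood-gate-hmi-3", NOW),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

Note the order of the checks: a bad or expired token is refused before anything else is looked at, an SMS-backed session is refused even for a user who is otherwise entitled to the device, and a valid, strongly authenticated user still only sees the devices listed for them. Nothing in the decision depends on which network the request came from, which is the whole point.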
Conclusions
So, the Romanian authorities are running flood defences with pen and paper while their IT team rebuilds over 1,000 systems. Sounds fun, right? It is a stark reminder that the “air gap” between IT and OT is a fairy tale we tell ourselves to sleep better. It does not work. The bad actors are already inside, or at the very least, knocking on the front door with a digital battering ram. If you want to stop being the next headline, stop relying on 1990s perimeter defence. Implement strong identity, use multi-factor authentication that actually works, and for the love of sanity, stop putting PLCs on the open internet. Secure the user, not just the wire.
