Speed To Chaos: What The Stryker Breach And CrowdStrike Outage Teach Us About Centralised Systems


The speed to chaos is going up. In our highly connected, digitally dependent world, a single compromised update or a targeted cyberattack can bring global operations to a grinding halt in a matter of minutes. We have seen this play out twice in recent memory with devastating consequences: the 2024 CrowdStrike outage and the recent breach of Stryker by the Handala threat group.

While the root causes of the two events differ (one a defective software update, the other a deliberate, state-sponsored attack), the structural weakness they exposed is the same. Both incidents show the risk of running homogeneous, centrally managed, self-updating software across critical infrastructure and manufacturing: whoever controls the centre, by accident or by design, controls every machine.

The CrowdStrike warning and the Stryker reality

In July 2024, a faulty content update for CrowdStrike's Falcon sensor (channel file 291) crashed approximately 8.5 million Microsoft Windows systems worldwide. Content updates of this kind were not subject to the staged rollout that sensor releases receive, so the file reached every online host at once; the sensor runs as a Windows kernel driver, and the malformed file triggered an out-of-bounds memory read in that driver, taking the kernel down with it. The result was immediate and catastrophic: airlines grounded flights, hospitals cancelled procedures, and manufacturers halted production lines. No attacker was involved, yet the outage demonstrated how a central system with direct, kernel-level access to millions of endpoints is a single point of failure.

Fast forward to the recent cyberattack on Stryker, a major medical technologies corporation. According to reports, the threat actor known as Handala compromised Stryker's Microsoft Intune tenant, the cloud endpoint-management service that pushes configuration, software and remote actions, including a factory-reset wipe, to every enrolled device. With control of that one console, the attackers were able to wipe an estimated 200,000 managed devices, including employees' personal devices enrolled in the corporate environment. They also defaced the corporate sign-in pages; since sign-in page branding is a tenant-level identity setting rather than a device-management one, that points to control of the identity infrastructure as well as the management plane.

In both cases, the architecture built to secure and manage devices efficiently became the weapon used to dismantle the network. When every machine runs the same agent and takes instructions from the same central server, one flaw or one compromised credential is enough to deploy chaos everywhere at once.

Decreasing time to react, increasing time to repair

As the speed to chaos goes up, the time security teams have to react is rapidly going down. Automated systems push updates or malicious payloads across global networks in seconds. By the time an alert triggers in a security operations centre, the damage is already done.
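To put a number on that gap, here is an added example (not code from Agilicus, Stryker or Microsoft) that runs a common SOC detection rule, "alert when N wipe actions land within a short window", over a constructed management-plane audit trail and then counts how many devices were already gone when the alert fired and when a responder could plausibly act. The log format, the date, the actor names and the device ids are all made up for illustration; real Intune and Entra audit records carry more fields, and lines are assumed to arrive in time order.

```python
"""Added example: burst detection over management-plane audit events, and a
measure of how much damage a mass-wipe has already done when the alert fires.
Log format, timestamps, actors and device ids are constructed."""
from collections import deque
from datetime import datetime, timedelta


def make_sample_log() -> list[str]:
    """Constructed audit trail: three routine offboarding wipes spread over the
    morning, then an attacker-controlled admin identity issuing one wipe every
    half second to 200 devices (hypothetical date, actors and device ids)."""
    base = datetime(2026, 1, 1, 8, 0, 0)
    lines = [
        f"{(base + timedelta(minutes=10 * i)).isoformat()}Z "
        f"actor=helpdesk@corp.example action=wipe device=lt-{i:04d} reason=offboarding"
        for i in range(3)
    ]
    burst_start = base + timedelta(hours=1)
    for i in range(200):
        ts = burst_start + timedelta(seconds=0.5 * i)
        lines.append(
            f"{ts.isoformat()}Z actor=svc-intune-admin@corp.example "
            f"action=wipe device=lt-{1000 + i:04d} reason=none"
        )
    return lines


def parse(line: str) -> dict:
    """One event per line: ISO-8601 timestamp followed by key=value pairs."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts.rstrip("Z"))
    return event


def detect_wipe_burst(lines, threshold: int = 25, window: timedelta = timedelta(seconds=60)):
    """Sliding-window rule: alert once `threshold` wipe actions fall inside
    `window`.  Returns the alert dict, or None if the rule never fires."""
    recent: deque[datetime] = deque()
    for ev in map(parse, lines):
        if ev["action"] != "wipe":
            continue
        recent.append(ev["ts"])
        while recent[0] < ev["ts"] - window:      # drop events outside the window
            recent.popleft()
        if len(recent) >= threshold:
            return {"alert_at": ev["ts"], "actor": ev["actor"], "wiped_in_window": len(recent)}
    return None


def wiped_by(lines, actor: str, when: datetime, delay_seconds: float = 0) -> int:
    """How many devices `actor` had already wiped at `when` plus an optional
    response delay (e.g. the minutes it takes an analyst to pick up the alert)."""
    cutoff = when + timedelta(seconds=delay_seconds)
    return sum(1 for ev in map(parse, lines)
               if ev["action"] == "wipe" and ev["actor"] == actor and ev["ts"] <= cutoff)


if __name__ == "__main__":
    log = make_sample_log()
    alert = detect_wipe_burst(log)
    print(f"alert at {alert['alert_at']} on {alert['actor']}: "
          f"{alert['wiped_in_window']} devices already wiped")
    print("wiped by the time someone acts 15 minutes later:",
          wiped_by(log, alert["actor"], alert["alert_at"], delay_seconds=900))
```

With these constructed timings the rule fires 12 seconds into the burst, after 25 devices are gone, and the attacker finishes all 200 within 100 seconds, long before a fifteen-minute response window closes. Lowering the threshold only shrinks the first number; it cannot get the detection ahead of the action, which is why the rest of the article argues for limiting what the management plane is allowed to do in the first place.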

Conversely, the time to repair is going up. Wiping or bricking a device remotely takes seconds; recovering it is slow and largely manual. After the CrowdStrike outage, IT teams had to boot each affected machine into Safe Mode or the Windows Recovery Environment and delete the offending channel file from the CrowdStrike driver directory by hand, a job made harder on encrypted fleets by the need to retrieve each machine's BitLocker recovery key first, and one that took days or weeks for large enterprises. For Stryker, the challenge is greater still: a wiped device must be re-imaged, re-enrolled and have its data restored. How long will it take to securely rebuild 200,000 corporate and personal devices?

The collateral damage extends beyond the hardware. Modern security architectures lean heavily on multi-factor authentication to verify identities, but when the second factor lives on the managed device itself (an authenticator app on an Intune-enrolled phone, a Windows Hello for Business key bound to the laptop's TPM, or a Conditional Access policy that demands a compliant device), a wipe destroys the factor along with the device. Employees are suddenly locked out of the alternative communication channels, backup systems and recovery tools they would use to dig themselves out, which compounds the crisis and delays the restoration of operations.

The industrial impact of centralised vulnerabilities

For industrial and manufacturing environments, the stakes are higher still. Operational technology (OT) networks are increasingly converging with enterprise IT systems, and the convenience of managing both from the same centralised endpoint-management tool creates an unacceptable risk profile.

If a state-sponsored actor can use a tool like Intune to wipe corporate laptops, what stops them pushing malicious updates to the engineering workstations that program the programmable logic controllers (PLCs) and drive industrial processes? The homogeneity of these networks means an attacker does not need to understand the nuances of every individual machine; they only need to compromise the central authority, and the fleet does the rest.

As we have detailed in our analysis of why vendor remote access is a critical vulnerability, granting broad, unsegmented access to third-party tools and vendors introduces severe supply-chain risk. A compromised vendor or a hijacked central management platform bypasses the traditional perimeter entirely, delivering chaos directly to the core of the business.

Building resilience through zero trust

To break this cycle, organisations must move away from blind trust in central, monolithic platforms. Instead, we must architect for resilience. This means adopting a true zero trust architecture that limits the blast radius of any single failure or breach.

  • Isolate critical infrastructure: enterprise-IT management tools must not have unfettered access to operational technology environments. The tool that manages office laptops should not be able to reach, let alone wipe, an engineering workstation.
  • Implement pairwise authorisation: grant access on a strict person-to-resource basis. No single identity, and no central tool acting on its behalf, should inherently hold the right to wipe every device at once; bulk actions should be capped, rate-limited and subject to out-of-band verification by a second person.
  • Decouple identity from a single point of failure: multi-factor authentication is essential, but keep a secondary recovery path (hardware security keys, pre-issued recovery codes or a break-glass account, for example) that does not depend on the same endpoints a mass wipe would destroy.
  • Eliminate inbound connectivity: stop relying on broad VPN access that joins entire networks together. Use outbound-only connections that expose exactly the applications and resources an individual needs, and nothing else.
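The first two rules, isolation and pairwise authorisation with out-of-band verification, are concrete enough to show in code. The following is an added example, not code from Agilicus, Microsoft or Stryker: a gate that sits in front of a device-management plane's remote-wipe action and refuses any request that crosses an environment boundary, exceeds an operator's explicit grant, is large enough to need a second approver's signature, or would blow through a fleet-wide budget for the hour. The device inventory, operator identities, thresholds and approver key are all hypothetical; real products approximate pieces of this with role assignments, scope tags and approval workflows, but rarely all of it in one place.

```python
"""Added example: blast-radius gate for a central device-management plane.
Inventory, identities, thresholds and keys are constructed for illustration."""
import hashlib
import hmac
import time
from collections import deque
from dataclasses import dataclass

# Constructed inventory.  Each device is tagged with its environment so the
# enterprise-IT tool can be refused access to OT assets outright.
DEVICES = {f"lt-{i:04d}": {"env": "it"} for i in range(1, 21)}        # corporate laptops
DEVICES.update({f"ews-{i:02d}": {"env": "ot"} for i in range(1, 4)})  # engineering workstations


@dataclass(frozen=True)
class Operator:
    name: str
    envs: frozenset        # environments this identity may touch at all
    resources: frozenset   # device ids granted to this person (the pairwise grant)
    max_bulk: int          # larger requests need a second, out-of-band approver


def _approval_message(operator: str, device_ids, expires: int) -> bytes:
    return f"{operator}|{','.join(sorted(device_ids))}|{expires}".encode()


def issue_approval(approver_key: bytes, operator: str, device_ids, ttl: int = 600, now=None) -> dict:
    """The out-of-band approver signs the exact request (who, which devices,
    until when) with a key the management tool itself never holds."""
    expires = int(now if now is not None else time.time()) + ttl
    mac = hmac.new(approver_key, _approval_message(operator, device_ids, expires), hashlib.sha256)
    return {"expires": expires, "mac": mac.hexdigest()}


class WipeGate:
    """Sits between the console/API and the wipe action.  Checks run in the
    order an attacker holding one admin credential would have to defeat them."""

    def __init__(self, approver_key: bytes, window: int = 3600, max_per_window: int = 100):
        self.approver_key = approver_key
        self.window = window                # seconds
        self.max_per_window = max_per_window
        self.history = deque()              # (timestamp, number of devices wiped)

    def _approved(self, operator: Operator, device_ids, approval, now: float) -> bool:
        if not approval or approval["expires"] < now:
            return False
        expected = hmac.new(self.approver_key,
                            _approval_message(operator.name, device_ids, approval["expires"]),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, approval["mac"])

    def _wiped_recently(self, now: float) -> int:
        while self.history and self.history[0][0] < now - self.window:
            self.history.popleft()
        return sum(count for _, count in self.history)

    def evaluate(self, operator: Operator, device_ids, approval=None, now=None):
        """Return (allowed, reason).  Nothing is wiped unless allowed is True."""
        now = now if now is not None else time.time()
        ids = set(device_ids)
        unknown = sorted(ids - set(DEVICES))
        if unknown:
            return False, f"unknown devices {unknown}"
        cross = sorted(d for d in ids if DEVICES[d]["env"] not in operator.envs)
        if cross:                                    # isolate critical infrastructure
            return False, f"cross-environment target refused {cross}"
        unpaired = sorted(ids - operator.resources)
        if unpaired:                                 # pairwise authorisation
            return False, f"not in {operator.name}'s grant {unpaired}"
        if len(ids) > operator.max_bulk and not self._approved(operator, ids, approval, now):
            return False, f"bulk wipe of {len(ids)} devices needs out-of-band approval"
        if self._wiped_recently(now) + len(ids) > self.max_per_window:
            return False, "fleet-wide wipe budget for this window exhausted"
        self.history.append((now, len(ids)))
        return True, f"wipe {len(ids)} device(s)"


if __name__ == "__main__":
    key = b"approver-key-held-outside-the-management-tool"   # hypothetical
    gate = WipeGate(key)
    alice = Operator("alice", frozenset({"it"}),
                     frozenset(f"lt-{i:04d}" for i in range(1, 21)), max_bulk=5)
    print(gate.evaluate(alice, ["lt-0001", "lt-0002"], now=1000))
    print(gate.evaluate(alice, ["ews-01"], now=1000))
    laptops = [f"lt-{i:04d}" for i in range(1, 11)]
    print(gate.evaluate(alice, laptops, now=1000))
    print(gate.evaluate(alice, laptops, issue_approval(key, "alice", laptops, now=1000), now=1000))
```

The approval is bound to the operator, the exact device list and an expiry, so a stolen approval cannot be replayed against a different set of machines or reused later; the signing key lives with the approver, not in the tool, so compromising the management tenant alone does not yield it. The per-window budget is the last line: even a fully authorised, fully approved operator cannot empty the fleet in one hour.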

The lesson from CrowdStrike and Stryker is clear: efficiency and centralisation cannot come at the cost of resilience. As attackers continue to target the very tools designed to manage our networks, our defensive strategies must evolve to contain the damage and preserve the continuity of critical operations.

Are you ready to rethink your approach to secure remote access and protect your industrial operations from systemic failures? Contact Agilicus to learn more about how a zero trust architecture can insulate your business from the rising speed of chaos, or book a meeting with our team today.