Why Wireless Bleeding, Remote Site Gaps, and Flawed Purdue Model Assumptions Endanger Industrial Control Systems

The cybersecurity landscape for industrial control systems (ICS) and operational technology (OT) is at a critical inflection point. For decades, the foundational blueprint for securing these environments has been based on an assumed reality of isolation and clear boundaries, a concept most notably codified by the Purdue Model.1 However, this report demonstrates that these traditional defenses now provide only a fragile "illusion of protection," a deceptive appearance of security that is easily bypassed by modern adversaries. This strategic vulnerability is not merely a technical flaw; it is a fundamental miscalculation that leaves critical infrastructure susceptible to attack.

The traditional security posture has been undermined by three primary vectors that are systematically eroding the integrity of the ICS perimeter. First, "wireless bleeding," a phenomenon where wireless signals—including Wi-Fi and Bluetooth—extend far beyond physical perimeters, creates unseen pathways for unauthorized access.1 Second, "remote site gaps," which are the unmanaged and often unsecured network points in geographically dispersed infrastructure, serve as digital blind spots that attackers are actively exploiting.1 Third, the "flawed assumptions" of the Purdue Model have created a paradox where networks, despite being technically segmented, function as a single flat network in practice, enabling an attacker to move laterally with ease once inside.1

This report presents a comprehensive analysis of these vulnerabilities, supporting its claims with extensive public research from sources such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the MITRE ATT&CK for ICS framework, and documented real-world cyberattacks.1 The evidence presented herein confirms that a perimeter-centric defense is obsolete and fundamentally inadequate for securing modern, interconnected industrial environments. The analysis concludes that the solution is not an incremental upgrade of existing tools, but a foundational shift to a new security paradigm: Preemptive Cyber Defense.1 This proactive approach aims to neutralize threats at the earliest stages of an attack, actively denying, disrupting, and deceiving adversaries before they can cause harm.

The report details how a solution anchored in this preemptive philosophy, such as PacketViper's Automated Moving Target Defense (AMTD), directly addresses the critical gaps exposed by the failings of traditional security models.1 This new approach provides not only a demonstrably more resilient security posture but also a clear and auditable path to compliance with stringent regulations, offering a sustainable defense for the future of critical infrastructure.


1. The Shifting Ground: Why Traditional Defenses Are an Illusion


The long-standing reliance on static security measures in industrial environments has created a predictable landscape that sophisticated attackers can methodically study and exploit.1 This predictability gives rise to a critical vulnerability: the illusion of protection. This section deconstructs three primary pillars of this illusion, providing a detailed, evidence-based critique of why they no longer provide adequate security.


1.1. The Obsolete Blueprint: The Fading Relevance of the Purdue Model


The Purdue Model, developed in the 1990s, was a pioneering architectural framework for industrial network segmentation.1 Its central premise was to create distinct security boundaries by isolating OT systems from enterprise IT networks, often through "air gaps" or strict firewalls.1 This hierarchical structure was logical and effective in a world where industrial systems operated in relative isolation, with physical separation serving as the primary security control.2 However, this model's rigid design and core assumptions have been rendered obsolete by the pervasive convergence of IT and OT.2

This is no longer a theoretical concern. The SANS 2024 ICS/OT Survey found that only 8.2% of organizations maintain 100% isolated systems, a statistic that underscores the disconnect between the Purdue Model's design and today's operational reality.2 Modern industrial environments, driven by the need for remote monitoring, predictive maintenance, and data-driven decision-making, are increasingly interconnected.2 This hyper-convergence directly contradicts the Purdue Model's vertical, hierarchical structure, leading to a state where, while a network may be technically segmented on paper, it functions as a "flat network" in practice.1 This paradox occurs when segmentation rules are overly permissive, granting broad communication between segments, or when all segments are routed through a central management layer with open permissions.1 The result is that a breach in one "segment" can quickly spread to all others, as the underlying trust relationships remain intact and lateral movement is unrestricted.1
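The "segmented on paper, flat in practice" condition described above can be checked mechanically. The following is an added example (not code from the report or from PacketViper): it takes a zone-to-zone allow-list and computes where an attacker holding a host in one zone could pivot, hop by hop. The zone names, ports and both rule sets are constructed for illustration.

```python
"""Zone-reachability check for Purdue-style segmentation rules.

Added example, not code from the report or from PacketViper. Zone names,
ports and both rule sets are constructed for illustration.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

ANY = "*"
# (source zone, destination zone, allowed destination ports); ANY = "allow any"
Rule = Tuple[str, str, Set[str]]

ZONES = ["L4_enterprise", "L3_5_dmz", "L3_site_ops", "L2_supervisory", "L1_control"]

# Constructed: segmented on paper, flat in practice. Two "any" rules and a
# top-down chain let the enterprise side pivot all the way to the controllers.
PERMISSIVE_RULES: List[Rule] = [
    ("L4_enterprise", "L3_5_dmz", {"443"}),
    ("L3_5_dmz", "L3_site_ops", {ANY}),           # DMZ may open anything into site ops
    ("L3_site_ops", "L2_supervisory", {ANY}),     # central management layer, open permissions
    ("L2_supervisory", "L1_control", {"502"}),    # Modbus/TCP to controllers
]

# Constructed: same zones, but site ops pulls from the DMZ instead of the DMZ
# initiating into the plant, so nothing below L3.5 is reachable from L4.
TIGHTENED_RULES: List[Rule] = [
    ("L4_enterprise", "L3_5_dmz", {"443"}),
    ("L3_site_ops", "L3_5_dmz", {"443"}),
    ("L3_site_ops", "L2_supervisory", {"3389"}),  # jump host only
    ("L2_supervisory", "L1_control", {"502"}),
]


def adjacency(rules: List[Rule]) -> Dict[str, Set[str]]:
    """Zones each zone can open a connection into directly (any allowed port counts)."""
    adj: Dict[str, Set[str]] = {z: set() for z in ZONES}
    for src, dst, ports in rules:
        if ports:
            adj[src].add(dst)
    return adj


def pivot_path(adj: Dict[str, Set[str]], start: str, goal: str) -> Optional[List[str]]:
    """Shortest chain of zones from start to goal, or None if goal is unreachable.

    Every allowed connection is treated as a usable pivot: the question is what
    the ruleset permits, not how hard a particular hop would be.
    """
    parent: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == goal:
            path: List[str] = []
            cur: Optional[str] = zone
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in sorted(adj[zone]):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None


def any_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that allow every port: the overly permissive case the text describes."""
    return [r for r in rules if ANY in r[2]]


def assess(rules: List[Rule]) -> dict:
    """Summarise whether the ruleset is flat from the enterprise network down to control."""
    adj = adjacency(rules)
    reach = {z: {d for d in ZONES if d != z and pivot_path(adj, z, d)} for z in ZONES}
    return {
        "any_rules": any_rules(rules),
        "reachable_pairs": sum(len(v) for v in reach.values()),
        # None when the segmentation actually holds from L4 down to L1
        "enterprise_to_control": pivot_path(adj, "L4_enterprise", "L1_control"),
    }


if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE_RULES), ("tightened", TIGHTENED_RULES)):
        r = assess(rules)
        print(name, "any-rules:", len(r["any_rules"]), "reachable pairs:", r["reachable_pairs"])
        print("  enterprise -> control:", " -> ".join(r["enterprise_to_control"] or ["blocked"]))
```

Direction of connection initiation is what separates the two rule sets: once the DMZ is allowed to initiate into the plant, every lower zone inherits that exposure through the chain of trust.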

The illusion of security provided by the Purdue Model’s strict boundaries is a direct enabler of documented security failures. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has explicitly identified "poor network segmentation" between IT and OT environments as a significant risk during its cyber threat hunts.4 CISA's findings directly validate the report’s claim that segmentation, as it is often implemented, leaves critical systems exposed.4 This flawed practice creates the ideal environment for attackers to use the lateral movement techniques outlined in the MITRE ATT&CK for ICS framework.1 When the theoretical flaws of a security model lead to documented security gaps and are exploited by real-world attack techniques, the model is no longer a blueprint for protection but a documented enabler of risk.


1.2. The Invisible Threat: Exposing Wireless Bleeding and Unseen Pathways


The concept of a physical perimeter—a fence, a wall, or a locked door—has long been the cornerstone of industrial security. The illusion of protection assumes that if a physical barrier is intact, a facility is secure. However, a significant and often-overlooked vulnerability is "wireless bleeding," where wireless signals extend far beyond these physical boundaries, creating invisible pathways for unauthorized access.1 This threat is not limited to Wi-Fi; it also includes the often-neglected risk posed by Bluetooth.1 A person in a nearby parking lot, a residential area, or a public space can gain a foothold inside the network without breaching the physical perimeter.1

This is a real and documented threat. The U.S. Food and Drug Administration (FDA) has issued a safety communication about a set of cybersecurity vulnerabilities, known as "SweynTooth," affecting certain medical devices that use Bluetooth Low Energy (BLE).7 These vulnerabilities could allow an unauthorized user to "wirelessly crash the device, stop it from working, or access device functions normally only available to the authorized user".7 As medical devices are a form of operational technology, this government-backed alert provides a critical parallel to industrial systems, demonstrating that wireless vulnerabilities can affect physical, mission-critical assets.7 Another example involves security researchers who discovered that Baxter's Sigma Spectrum infusion pumps stored hospital Wi-Fi credentials in memory, which an attacker with brief physical access could easily retrieve.8

The illusion that a physical perimeter is sufficient is a dangerous one. As documented by Check Point, Wi-Fi hacking can occur through various attack vectors, including "Evil Twin attacks," where an attacker creates a fake wireless network with a similar name to the legitimate one, luring unsuspecting users to connect and reveal their credentials.9 The FBI also warns against conducting sensitive transactions on public Wi-Fi networks.10 This demonstrates that the threat is not just from a sophisticated, long-range attack but from a proximal one. An attacker in a parking lot could create an evil twin network, which an unsuspecting engineer or employee could connect to, thereby providing an initial foothold that bypasses the physical security of the facility altogether. This confirms that the threat landscape is not only digital and distant but also physical and proximal, and that the illusion of physical security is a dangerous vulnerability.
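The evil-twin scenario above is detectable from the defender's side by comparing what a wireless scanner sees with an inventory of authorised access points. The following is an added example (not code from the report or from Check Point) that flags unknown radios advertising the plant SSID, lookalike SSIDs, and security downgrades; all SSIDs, BSSIDs and beacons are constructed for illustration.

```python
"""Rogue / evil-twin access point triage from wireless scan results.

Added example, not code from the report or from Check Point. SSIDs, BSSIDs
and the sample scan are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # radio MAC address
    security: str    # "WPA2-EAP", "WPA2-PSK" or "OPEN"


# Constructed inventory of the plant's own access points.
AUTHORIZED: Dict[str, dict] = {
    "PLANT-OT": {"security": "WPA2-EAP",
                 "bssids": {"aa:bb:cc:00:01:10", "aa:bb:cc:00:01:11"}},
}

LOOKALIKE_DISTANCE = 1   # max edits after normalisation to count as a lookalike


def normalize(ssid: str) -> str:
    """Fold case, drop separators, and undo common digit-for-letter swaps (0/o, 1/l, 5/s)."""
    return ssid.lower().translate(str.maketrans("015", "ols", " -_."))


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short SSIDs so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(beacon: Beacon) -> str:
    """One verdict per beacon; the first matching condition wins."""
    bssid = beacon.bssid.lower()
    if beacon.ssid in AUTHORIZED:
        known = AUTHORIZED[beacon.ssid]
        if bssid not in known["bssids"]:
            return "evil-twin: unknown radio advertising an authorised SSID"
        if beacon.security != known["security"]:
            return "downgrade: authorised radio with unexpected security mode"
        return "authorised"
    target = normalize(beacon.ssid)
    for real in AUTHORIZED:
        if levenshtein(target, normalize(real)) <= LOOKALIKE_DISTANCE:
            return f"lookalike of {real}"
    return "unrelated"


def audit(scan: List[Beacon]) -> Dict[str, List[Beacon]]:
    """Group a scan by verdict so every bucket other than 'authorised' can be investigated."""
    out: Dict[str, List[Beacon]] = {}
    for b in scan:
        out.setdefault(classify(b), []).append(b)
    return out


# Constructed scan: one legitimate AP, one open twin, two lookalikes, one unrelated network.
SAMPLE_SCAN = [
    Beacon("PLANT-OT", "aa:bb:cc:00:01:10", "WPA2-EAP"),
    Beacon("PLANT-OT", "de:ad:be:ef:00:01", "OPEN"),
    Beacon("PLANT_OT", "de:ad:be:ef:00:02", "WPA2-PSK"),
    Beacon("PLANT-0T", "de:ad:be:ef:00:03", "WPA2-PSK"),
    Beacon("CafeGuest", "11:22:33:44:55:66", "OPEN"),
]

if __name__ == "__main__":
    for verdict, beacons in audit(SAMPLE_SCAN).items():
        print(verdict)
        for b in beacons:
            print("   ", b.ssid, b.bssid, b.security)
```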


1.3. The Unattended Perimeter: Securing Gaps at Remote Sites


For many critical infrastructure sectors, the network is not confined to a single, easily defensible central facility. It is often a complex, geographically dispersed network of unattended remote sites, such as pump stations, well pads, and substations.1 These sites represent a significant layer of exposure, as they often have minimal physical protection and lack the managed network infrastructure found at a main plant.1 These unattended perimeters are, in effect, digital blind spots, lacking real-time monitoring and relying on unmanaged switches, DHCP, and unsecured VPN endpoints.1

This unattended perimeter has been the vector for some of the most impactful cyberattacks on critical infrastructure. The 2021 Colonial Pipeline ransomware attack, while initiated through a compromised VPN account, demonstrated the vulnerability of a distributed and interconnected pipeline network.11 The attack, which forced the shutdown of a system that transports 45% of the fuel to the U.S. East Coast, underscored how a single point of failure can lead to catastrophic consequences across a distributed network.11 A more visceral example is the 2021 Oldsmar, Florida, water treatment plant incident, where an attacker remotely accessed the plant's HMI and changed the sodium hydroxide levels to a toxic amount.12 The incident revealed a lack of remote access controls and a failure to enforce a least privilege access policy.12 The attacker’s ability to manipulate a physical process from a remote location provides a stark warning about the risks posed by unmanaged remote access.12

Other documented events reinforce this concern. The source report also cites the Australian sewage company hack and a similar case in Louisiana, where a terminated engineer was able to shut down a paper mill from home; both demonstrate the dangers of a digital blind spot at remote sites.13 These documented incidents demonstrate that attackers have found and are actively exploiting the critical gap at the unattended perimeter, turning a physical weakness into a devastating digital vulnerability.

Table 1 provides a concise summary of the key vulnerabilities and how traditional defenses fail to address them.


Table 1. Key vulnerabilities and how traditional defenses fail to address them

| Vulnerability | Publicly Sourced Evidence | Traditional Defense Failure |
| --- | --- | --- |
| Wireless Bleeding | FDA SweynTooth alert [7]; infusion pump credential leak [8] | Physical perimeters (fences, walls, doors) are bypassed by unseen wireless pathways. |
| Remote Site Gaps | Colonial Pipeline attack [11]; Oldsmar water plant attack [12] | A perimeter-centric defense strategy leaves unattended, geographically dispersed sites as digital blind spots. |
| Flawed Purdue Model | CISA findings on poor segmentation [4]; SANS survey on isolated systems [2] | The model's rigid hierarchy is unable to accommodate modern IT/OT convergence, leading to a false sense of security and a paradoxically flat network. |


2. A New Reality: The Challenge of Internal Vulnerabilities


The illusion of protection is most dangerous when it leads organizations to believe that a strong perimeter is all that is needed. The reality is that once a threat bypasses the perimeter, whether through a wireless bleed or a compromised remote site, the internal environment is often built on a flawed foundation of implicit trust.1 This section explores the internal vulnerabilities that allow threats to spread and the paradoxical challenges of applying IT-centric security models to the unique realities of OT.


2.1. The Flawed Assumption of Trust


The Purdue Model’s lower levels (Levels 1 and 2), which govern controllers, HMIs, and field devices, are often architected with the flawed assumption that they operate in a trusted environment.1 In many cases, these layers are flat networks, lacking internal segmentation or authentication between devices. As a result, once an attacker gains access to these lower levels, there is little to no obstacle to prevent lateral movement and direct interaction with critical process control systems.1 This is not a theoretical flaw; it is a direct contributor to documented security failures.

A cyber threat hunt by CISA at a critical infrastructure organization found that shared local administrator accounts with identical, plaintext passwords were being used across numerous hosts.4 CISA also noted that these accounts had unrestricted remote access, and that a non-privileged user from the IT network could use their credentials to access the critical SCADA VLAN, a failure of poor network segmentation.4 These findings reveal a critical truth: the threat is often not a sophisticated external hacker but a compromised or malicious insider. When the internal network is built on a foundation of implicit trust, any breach of that trust—whether from an external attacker using stolen credentials or an actual rogue employee—can become catastrophic.


2.2. The Attacker's Playbook: Lateral Movement in Industrial Networks


To truly understand the danger of a network built on implicit trust, it is necessary to examine the attacker’s playbook. The MITRE ATT&CK for ICS framework provides a globally recognized knowledge base of adversary tactics and techniques based on real-world observations.5 It provides a vocabulary for discussing how threats pivot from a point of initial access and move laterally through a network to achieve their objectives.1 The existence of these documented techniques confirms that attackers have a clear, repeatable process for exploiting the internal vulnerabilities discussed in this report.

The following table breaks down specific lateral movement techniques from the framework and links them to the real-world vulnerabilities and incidents discussed in this report.


| MITRE ATT&CK for ICS Technique | Description of Technique | Real-World Example |
| --- | --- | --- |
| Default Credentials (T0812) | Adversaries exploit manufacturer-set default credentials on control system devices, which often have administrative permissions and are not changed. [5] | A direct consequence of insecure remote access and a key reason why IT-style Zero Trust fails to protect low-power OT devices. [15] |
| Exploitation of Remote Services (T0866) | Adversaries exploit software vulnerabilities to abuse remote services like RDP and SSH to gain initial access and move laterally. [5] | CISA has documented this exact technique, noting that attackers can use RDP or SSH protocols to move from compromised IT workstations to OT systems. [4] |
| Valid Accounts (T0859) | Adversaries steal legitimate credentials to bypass access controls, gain persistence, and acquire increased privileges. [5] | The Colonial Pipeline attack was initiated through a compromised password for an inactive VPN account that lacked multi-factor authentication. [11] |
| Hardcoded Credentials (T0891) | Adversaries use credentials that are hardcoded into software or firmware to gain an unauthorized session on an asset. [5] | A vulnerability in vendor-managed legacy systems where passwords cannot be easily changed or are publicly available, leaving a consistent attack vector. [1] |

This detailed mapping reveals a powerful causal chain. The flawed assumptions of the Purdue Model and the existence of internal vulnerabilities create a fertile environment.1 The MITRE ATT&CK framework provides the list of specific technical actions an attacker takes to exploit that environment.5 By linking the abstract security flaw to a concrete, documented attack technique, the analysis provides a compelling and actionable argument for a new defense strategy.


2.3. The Zero Trust Paradox: When IT Solutions Fall Short


In response to the failures of perimeter-based security, many organizations have looked to the Zero Trust model, which operates on the principle of "never trust, always verify".17 While this is a theoretically sound approach, its application in OT environments creates a "Zero Trust paradox".1 The IT-centric solutions that embody this model are fundamentally incompatible with the unique realities of industrial operations, a fact that multiple industry sources have highlighted.1

The core challenges are rooted in the nature of OT systems.18 Many environments are built on legacy technology and equipment deployed decades ago that cannot be easily patched, updated, or replaced.16 These systems, which have 20- to 30-year lifespans, simply do not support the modern security agents or protocols that are central to many Zero Trust implementations.1 Furthermore, unlike IT, which prioritizes data confidentiality, OT’s absolute priority is the availability and safety of physical processes.16 This means that a planned downtime for a security update is often not an option.16

Another critical distinction is the difference between identity and behavior. IT-centric Zero Trust relies heavily on verifying user identity, but in the lower-level OT environment, the concept of a user often disappears.16 Devices like PLCs and HMIs do not track which user entered a command, and there is a lack of Identity Access Management (IAM) systems.1 Therefore, a Zero Trust for OT policy must shift its focus from identity to behavior, evaluating whether network traffic aligns with "known good" patterns and makes sense in the current environment.16 The paradox is that the principle of Zero Trust is a correct one, but the implementation using IT-centric tools is fundamentally incompatible with OT realities. As industry experts have noted, an organization cannot simply purchase a Zero Trust product; it must adopt a tailored strategy that accounts for the specific challenges of its environment.19
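The shift from identity to behaviour described above can be made concrete with a "known good" traffic profile. The following is an added example (not code from the report or from PacketViper): it learns a profile from flow records seen during normal operation and flags later flows that introduce a new peer relationship, a new service, or a Modbus write from a relationship that previously only read. Hosts, ports and flows are constructed for illustration, and the records deliberately carry no user field, matching the point that identity is absent at this level.

```python
"""Behaviour-based allow-listing for OT traffic where no user identity exists.

Added example, not code from the report or from PacketViper. Hosts, ports,
the baseline and the observed flows are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str     # initiating host
    dst: str     # PLC, HMI or other OT asset
    dport: int
    fc: int      # Modbus function code; 0 for non-Modbus traffic


# Modbus function codes that change controller state (coils / registers).
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}

Relationship = Tuple[str, str, int]      # (src, dst, dport)
Profile = Dict[Relationship, Set[int]]   # function codes seen per relationship

# Constructed baseline captured while the plant ran normally.
BASELINE: List[Flow] = [
    Flow("10.20.2.10", "10.20.1.5", 502, 3),    # HMI reads holding registers
    Flow("10.20.2.10", "10.20.1.5", 502, 16),   # HMI writes setpoints
    Flow("10.20.2.10", "10.20.1.6", 502, 3),    # HMI reads the second PLC
    Flow("10.20.2.11", "10.20.1.5", 502, 3),    # historian, read-only
    Flow("10.20.2.11", "10.20.1.6", 502, 3),
]


def build_profile(flows: List[Flow]) -> Profile:
    """Known-good profile: which function codes each (src, dst, dport) relationship used."""
    profile: Profile = {}
    for f in flows:
        profile.setdefault((f.src, f.dst, f.dport), set()).add(f.fc)
    return profile


def evaluate(flow: Flow, profile: Profile) -> Optional[str]:
    """Return None if the flow matches known-good behaviour, else the reason it does not."""
    key = (flow.src, flow.dst, flow.dport)
    seen = profile.get(key)
    if seen is None:
        if any(k[0] == flow.src for k in profile):
            return f"known host {flow.src} reaching a new peer/service {flow.dst}:{flow.dport}"
        return f"unknown host {flow.src} reaching {flow.dst}:{flow.dport}"
    if flow.fc in seen:
        return None
    if flow.fc in MODBUS_WRITE_FCS and not (seen & MODBUS_WRITE_FCS):
        return f"write function code {flow.fc} from a relationship that only reads"
    return f"new function code {flow.fc} for {flow.src}->{flow.dst}"


def triage(flows: List[Flow], profile: Profile) -> List[Tuple[Flow, str]]:
    """Flows that deviate from the profile, paired with the reason."""
    findings: List[Tuple[Flow, str]] = []
    for f in flows:
        reason = evaluate(f, profile)
        if reason is not None:
            findings.append((f, reason))
    return findings


# Constructed observation window after the baseline was taken.
OBSERVED: List[Flow] = [
    Flow("10.20.2.10", "10.20.1.5", 502, 3),     # normal HMI poll
    Flow("10.20.2.11", "10.20.1.5", 502, 16),    # historian suddenly writes setpoints
    Flow("10.30.0.44", "10.20.1.5", 502, 3),     # IT-side workstation polling a PLC
    Flow("10.20.2.10", "10.20.1.5", 3389, 0),    # HMI opening RDP towards a PLC address
    Flow("10.20.2.10", "10.20.1.5", 502, 4),     # HMI using a read code it never used before
]

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for flow, reason in triage(OBSERVED, profile):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} fc={flow.fc}: {reason}")
```

The write-from-a-read-only-relationship finding is the one to act on first: a historian or IT-side host that starts issuing Modbus writes is the behavioural signature of the Oldsmar-style process manipulation discussed earlier, regardless of which account, if any, was behind it.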


3. A Foundational Reorientation: The Dawn of Preemptive Cyber Defense


The analysis of the illusion of protection demonstrates that traditional, reactive security models are no longer sufficient. It is not enough to simply detect an attack after it has begun; the goal must be to neutralize threats before they can materialize into a successful attack. This fundamental reorientation of strategy marks the dawn of a new security paradigm: Preemptive Cyber Defense.1


3.1. Beyond Detect and Respond: A New Security Paradigm


For decades, cybersecurity has been a reactive discipline, centered on a "detect and respond" model.1 This approach relies on fixed, static defenses such as firewalls and intrusion detection systems to form a perimeter that, once breached, triggers an alert and a subsequent response.1 However, as the analysis has shown, this creates a predictable environment that modern, sophisticated attackers can meticulously study, map out, and bypass.1

Preemptive Cyber Defense is a strategic departure from this reactive model. Gartner, a leading research and advisory company, defines this approach as one that aims to "prevent and deter cyber attacks before they can launch or succeed".1 This is achieved through a combination of capabilities: denying attackers the opportunity to initiate an attack, disrupting ongoing attacks, and deceiving adversaries to divert them from critical assets.1 The goal is not to build a series of increasingly formidable, yet static, walls, but to transform the network into a dynamic, unpredictable, and hostile environment where an attacker's intelligence-gathering efforts are rendered futile.1


3.2. A Paradoxical Strategy: Increasing the Perceived Attack Surface


A core strategic innovation of Preemptive Cyber Defense is its paradoxical approach to managing the attack surface.1 While traditional security wisdom dictates that an organization should actively shrink its attack surface by closing ports and eliminating unnecessary services, this is an incomplete strategy that modern attackers can easily bypass.1

The counter-intuitive strategy is to intentionally increase the perceived attack surface to defend and conceal the actual one.1 This is accomplished by deploying a vast and unpredictable layer of deceptive elements—such as decoys, fake network services, and deceptive responders—across both IT and OT environments.1 This expansion makes the network appear far larger and more complex than it actually is, creating a "target-rich" but "amorphous" and "unreliable" environment for adversaries.1 The deceptive assets are designed to attract unauthorized scans and connections, luring attackers away from production systems and into a virtual minefield of false targets.1 This strategy, which targets the earliest stages of the cyber kill chain—reconnaissance and initial access—turns the attacker's own reconnaissance efforts against them.1 It forces adversaries to expend their time and resources, while providing high-fidelity intelligence to defenders.1


4. The Solution in Action: A Case Study in Proactive Defense


A foundational platform for this new paradigm is PacketViper's Automated Moving Target Defense (AMTD) solution.1 It is a tangible example of a preemptive security architecture purpose-built to address the vulnerabilities exposed in this report. The platform's unique capabilities directly map to the challenges of wireless bleeding, remote site gaps, and flawed Purdue Model assumptions, providing a holistic and proactive defense.


4.1. The PacketViper Preemptive Architecture


PacketViper's solution is a multi-layered, agentless defense that operates autonomously to protect both IT and OT environments.1 The core is its patented AMTD, which continuously and automatically alters key network parameters to disrupt an adversary’s ability to conduct reconnaissance and exploit vulnerabilities.1 The solution's architecture is distributed, with a central Control and Management Unit (CMU) that coordinates defensive actions with Boundary Security Units (BSUs) and Remote Security Units (RSUs).1 The RSU is a ruggedized, industrial-grade device designed for deployment at small, unattended remote sites, providing autonomous detection and containment even without central connectivity.1 This distributed, "hive-minded" architecture ensures that a threat detected at a single remote location can be instantly neutralized across the entire network by propagating a blacklist rule at "wire speed".1

The platform's deceptive responders provide a verifiable data feed of unauthorized activity, creating a "false positive free" signal of a malicious actor engaged in reconnaissance or an attack.1 This capability directly addresses the internal blind spot created by ineffective network segmentation. Furthermore, the solution’s native support for OT protocols like Modbus TCP/IP addresses the key pitfalls of IT-centric Zero Trust by providing non-disruptive, agentless protection for legacy devices.1 Its Deceptive Responder Identity Detection (DR ID) capability provides critical identity intelligence in environments where traditional Identity Access Management (IAM) systems are limited or nonexistent, providing a compelling compensating control for unpatchable or vendor-managed systems.1


4.2. Third-Party Validation and Measurable Impact


The efficacy of PacketViper's solution is not merely a theoretical exercise; it is validated by a series of compelling real-world use cases and demonstrable, quantifiable outcomes.1

  • The ManuTech Case Study: In a scenario involving an automotive parts manufacturer with a decentralized OT network, a rogue insider threat introduced a malicious device that bypassed traditional firewalls and antivirus protocols.1 The PacketViper OT Remote (OTR) solution instantly detected the anomalous behavior and isolated the compromised network segment.1 The central CMU then pushed out containment rules to all RSUs across the enterprise, blacklisting the threat vector’s IP and preventing any lateral movement, thereby neutralizing a potentially catastrophic zero-day exploit.1

  • The Fortune 500 Oil & Gas Case Study: After deploying the solution, a Fortune 500 Oil & Gas company with a complex, distributed network of hundreds of unattended OT assets saw its security posture so dramatically improved that a subsequent third-party penetration test was a failure for the attackers.1 The penetration testers were "unable to complete the test until the automated threat detection and prevention tool was turned off," providing a powerful, third-party-validated endorsement of the technology's effectiveness against sophisticated red teams.1

  • The Municipal Water/Wastewater Case Study: This use case demonstrates the operational and economic benefits of the solution for understaffed security teams.1 A municipal water authority deployed the solution and demonstrated "over 50K probes and scans in a half-day test period" targeting remote OT assets.1 The in-line deployment not only obfuscated these assets but also successfully contained a threat during a red team exercise. The solution acts as a "force multiplier" by drastically reducing network "noise" and freeing up analysts to focus on genuine threats.1

The measurable business impact extends to the bottom line. The solution significantly reduces network traffic, with customers typically experiencing a 30% to 70% reduction in total inbound traffic.1 This has a profound economic impact, as it lowers operational costs for volumetrically priced Managed SIEM and SOC services.1 The demonstrable reduction in false positives also lowers alert fatigue and frees up security analysts to focus on real threats, thereby making the entire security operation more efficient.


5. Strategic Synthesis and Recommendations


The analysis confirms that the illusion of protection created by traditional security models is no longer tenable in a world of IT/OT convergence, wireless bleeding, and unattended remote sites. A fundamental reorientation of defensive strategy is not a luxury but an operational imperative. The solution lies in adopting a new paradigm: Preemptive Cyber Defense.


5.1. The Unique Market Differentiator


PacketViper's technology occupies a unique and defensible position in the nascent but critical market for preemptive security solutions. Its patented approach to AMTD is a significant evolution of prior art, which often focuses exclusively on IT environments and lacks the advanced elements of a modern preemptive defense.1 Its solution is fundamentally different from other commercial vendors, which are often out-of-band and require complex orchestration with external platforms for a response.1 The key differentiators are summarized in the following table.


| Capability | PacketViper | Prior Art (e.g., MITRE) | Commercial Vendors (e.g., Zscaler) |
| --- | --- | --- | --- |
| OT/ICS Protocol Support (Modbus, SCADA) | Yes | No [1] | Limited/Out-of-band [1] |
| Agentless & Non-disruptive Deployment | Yes | No (requires agents/orchestration) [1] | Often requires agents/orchestration [1] |
| Autonomous, Real-time Containment | Yes | No (Reactive/Manual) [1] | Often requires SIEM/SOAR orchestration [1] |
| In-line Deployment for Wire-speed Blocking | Yes | No | Out-of-band [1] |
| Patented Deceptive OT Asset Simulation | Yes | No (IT-only) [1] | IT-focused [1] |


5.2. A Path Forward for CISOs and Compliance Officers


For Chief Information Security Officers (CISOs), the recommendation is clear: achieving a resilient security posture requires moving beyond a reactive, perimeter-based mindset. It demands the adoption of a new security paradigm that provides real-time, autonomous protection at the network edge.1 A solution like PacketViper's AMTD serves as a foundational component for this new strategy, acting as a force multiplier for understaffed security teams and providing demonstrable, third-party-validated protection against sophisticated threats.1

For Compliance Officers, this technology provides a compelling path to not only meet the letter of the law but also exceed its intent. The solution’s clear alignment with the core requirements of NERC CIP-015-1 and its ability to act as a proven compensating control for difficult-to-secure, vendor-managed systems provides a defensible and auditable security posture.1

The analysis concludes that PacketViper's technology represents a fundamental reorientation of defensive strategy. It is not merely a tool but a foundational platform for a new era of proactive security, forcing the attacker to play on a field where the rules are constantly changing. By moving beyond the illusion of protection, organizations can build a truly resilient, intelligent, and preemptive defense for the future.

Works cited

  1. The Illusion of Protection_ Why Wireless Bleeding, Remote Site Gaps, and Flawed Purdue Model Assumptions Endanger Industrial Control Systems.pdf

  2. Is It Time to Rethink the Purdue Model? | Nexus, accessed August 17, 2025, https://nexusconnect.io/articles/is-it-time-to-rethink-the-purdue-model

  3. Is the Purdue Model for operational technology security outdated? - Acronis, accessed August 17, 2025, https://www.acronis.com/en-sg/blog/posts/is-the-purdue-model-for-operational-technology-security-outdated/

  4. CISA identifies OT configuration flaws during cyber threat hunt at ..., accessed August 17, 2025, https://industrialcyber.co/cisa/cisa-identifies-ot-configuration-flaws-during-cyber-threat-hunt-at-critical-infrastructure-organization-lists-cyber-hygiene/

  5. Lateral Movement, Tactic TA0109 - ICS | MITRE ATT&CK®, accessed August 17, 2025, https://attack.mitre.org/tactics/TA0109/

  6. Vulnerabilities and Attacks on Bluetooth LE Devices—Reviewing Recent Info - Technical Articles - All About Circuits, accessed August 17, 2025, https://www.allaboutcircuits.com/technical-articles/vulnerabilities-and-attacks-on-bluetooth-le-devicesreviewing-recent-info/

  7. FDA Informs Patients, Providers and Manufacturers About Potential Cybersecurity Vulnerabilities in Certain Medical Devices with Bluetooth Low Energy, accessed August 17, 2025, https://www.fda.gov/news-events/press-announcements/fda-informs-patients-providers-and-manufacturers-about-potential-cybersecurity-vulnerabilities-0

  8. Dangers of Healthcare Wi-Fi-Based Location Systems - RF Technologies, accessed August 17, 2025, https://www.rft.com/dangers-of-healthcare-wi-fi-based-location-systems/

  9. Wi-Fi Hacking: How It Works, and How to Stay Secure - Check Point Software, accessed August 17, 2025, https://www.checkpoint.com/cyber-hub/cyber-security/what-is-hacking/wi-fi-hacking-how-it-works-and-how-to-stay-secure/

  10. Cybercrime | Federal Bureau of Investigation - FBI, accessed August 17, 2025, https://www.fbi.gov/investigate/cyber

  11. Colonial Pipeline ransomware attack - Wikipedia, accessed August 17, 2025, https://en.wikipedia.org/wiki/Colonial_Pipeline_ransomware_attack

  12. Excerpt #5: Industrial Cybersecurity Case Studies and Best Practices, accessed August 17, 2025, https://gca.isa.org/blog/excerpt-5-industrial-cybersecurity-case-studies-and-best-practices

  13. Real-Life Industrial IoT Cyberattack Scenarios - EE Times Europe, accessed August 17, 2025, https://www.eetimes.eu/real-life-industrial-iot-cyberattack-scenarios%EF%BB%BF/

  14. Best Practices for MITRE ATT&CK Mapping - CISA, accessed August 17, 2025, https://www.cisa.gov/sites/default/files/2023-01/Best%20Practices%20for%20MITRE%20ATTCK%20Mapping.pdf

  15. Top 10 most common vulnerabilities in Industrial Control Systems ICS - negg Blog, accessed August 17, 2025, https://negg.blog/en/top-10-most-common-vulnerabilities-in-industrial-control-systems-ics/

  16. Is Zero Trust the Right Choice for Operational Technology (OT)?, accessed August 17, 2025, https://instasafe.com/blog/is-zero-trust-right-choice-for-ot/

  17. Zero Trust & Enforcing OT Security Inside the Perimeter - Industrial Defender, accessed August 17, 2025, https://www.industrialdefender.com/blog/zero-trust-enforcing-ot-security-inside-the-perimeter

  18. Why is Zero Trust Access important in OT? - SSH Communications Security, accessed August 17, 2025, https://www.ssh.com/academy/operational-technology/why-is-zero-trust-access-important-in-ot

  19. Six Common Pitfalls to Avoid When Implementing a Zero Trust Model, accessed August 17, 2025, https://blog.wei.com/six-common-pitfalls-to-avoid-when-implementing-a-zero-trust-model