
Resilience of Operational and Critical Infrastructures: When States Talk About Isolation

Within the space of a few months, the Five Eyes countries (the intelligence-sharing alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States), Japan, and France have each published cyber resilience guides for critical infrastructure operators. The tone has changed decisively. The conversation is no longer about “strengthening defenses.” It is about isolating OT systems, operating in degraded mode during attacks, and rebuilding from offline backups.

This shift is not theoretical. It is driven by two converging realities: state-sponsored pre-positioning campaigns discovered inside civilian infrastructures, and an armed conflict, the one pitting the United States and Israel against Iran, during which OT attacks have caused real operational disruptions on American soil.

Key Takeaways

  • The United States, the United Kingdom, Australia, Canada, Japan, and France have all published cyber resilience guides for critical infrastructure.
  • All guides converge on the same priorities: inventory, identification of vital systems, proactive isolation of those systems, continuous detection, and tested recovery.
  • The Seclab Xcore platform enables organizations to meet the recommendations of these guides through a three-phase journey: Discover, Isolate, Detect.


1. The Context: Threats That Are No Longer Hypothetical

State Actors Already Inside

Volt Typhoon, a group attributed to China, is reported to have maintained persistent access inside American critical infrastructures (energy, water, telecommunications, transportation) for at least five years before being detected. The group was notably observed testing access to OT systems, such as HVAC equipment and energy and water control systems.

Salt Typhoon, also attributed to China, is reported to have compromised at least nine major US telecom operators and more than 200 organizations across 80 countries. The FBI confirmed in February 2026 that the threats remained active.

The objective of these campaigns is not classic intelligence gathering. US agencies state this with a high degree of confidence: the goal is to be able to disrupt or destroy critical OT functions at a time of the attacker’s choosing, typically in the event of armed conflict over Taiwan.


OT Attacks Now Operational

On April 7, 2026, six US federal agencies (FBI, CISA, NSA, EPA, DoE, CNMF) published a joint advisory confirming that APT actors affiliated with Iran were actively exploiting internet-accessible programmable logic controllers (PLCs) in the water, energy, and government services sectors. Some victims experienced operational disruptions and financial losses.

The geopolitical context is direct: these attacks intensified in the wake of the Epic Fury military operation launched on February 28, 2026, against Iran. Cyberattacks and kinetic conflict are now advancing in parallel. In Europe, Poland suffered coordinated cyberattacks against its power plants in December 2025, in the middle of winter, targeting heating systems.


The Agencies’ Verdict

The UK NCSC’s formulation in its guide published in January 2026 captures the paradigm shift: resilience, not prevention, is now the defining requirement. Cyberattacks will not always be stopped at the perimeter. Organizations must be able to maintain their operations and recover under pressure.


2. National Initiatives: What the Guides Are Asking For

🇺🇸 United States, May 2026

In very recent news, CISA launched CI Fortify, its resilience initiative for critical infrastructures. The document is unambiguous about the planning scenario: operators must assume that, in a conflict scenario, third-party connections (telecommunications, Internet, vendors, service providers) will be unreliable, and that malicious actors will have access to the OT network.

Recommendations:

✅ Proactively disconnect OT networks from enterprise networks and third-party connections to maintain essential operations in a degraded communications environment.

✅ Document systems, back up critical files, and practice replacing systems or switching to manual mode in the event of isolation failure.

CISA has begun targeted assessments with organizations supporting national security, public health, and economic continuity, with a scale-up objective in the coming months.


🇬🇧 United Kingdom, January 2026

The National Cyber Security Centre also published its guide for critical infrastructure operators. The document defines the concept of a severe cyber threat: a deliberate, highly disruptive or destructive attack aimed at stopping critical services for extended periods, physically damaging systems, or erasing data to make recovery impossible.

Recommendations:

✅ Develop organization-wide response strategies and plans

✅ Improve situational awareness through monitoring and intelligence sharing

✅ Harden systems and networks to reduce vulnerabilities

✅ Ensure the ability to maintain operations and recover during a disruption


🇦🇺 Australia, October 2025

Australia was the first of the Five Eyes alliance to publish its own CI Fortify program. The document follows in the wake of the annual assessment of ASIO (Australia’s domestic intelligence agency), which characterizes espionage and foreign interference as being at extreme levels and on an upward trajectory.

The Australian CI Fortify is structured around three preparatory steps and two planned actions:

Preparatory steps:

  1. Maintain an up-to-date inventory of all OT assets and supporting systems, classified by criticality
  2. Identify the vital OT systems required to maintain continuity of critical services
  3. Define risk thresholds to assess the impact of isolation on operations

Planned actions:

  • Be able to isolate vital OT systems for 3 months
  • Be able to fully rebuild these systems from offline sources

The program states that these capabilities should serve beyond the cyber scenario alone: they also improve response to natural disasters and supply chain disruptions.


🇨🇦 Canada, April 2026

The Canadian Centre for Cyber Security launched the CIREN initiative (Critical Infrastructure Resilience and Escalated Threat Navigation).

Recommendations:

✅ Be prepared to isolate systems for up to 3 months

✅ Develop and test plans to operate independently (without external connectivity)

✅ Plan for the complete reconstruction of systems in response to severe cyber incidents


🇯🇵 Japan, October 2025

Japan’s Ministry of Economy defined specific OT security guidelines for semiconductor manufacturing facilities, acknowledging that a cyberattack against a manufacturing plant would have cascading global repercussions. This sector-focused approach to resilience, centered on infrastructures whose failure would trigger an international domino effect, echoes the prioritization logic underpinning the CI Fortify and CIREN programs.


🇪🇺 Europe, NIS2

Europe was a pioneer on the subject of critical infrastructure resilience. In 2016, the NIS1 Directive had already laid the groundwork for a regulatory framework well before the Five Eyes’ operational guides. NIS2 (2022) significantly expanded the initiative.

Where the Five Eyes chose a directly operational approach, Europe took a regulatory route. The ambition is broader and the framework more structurally enduring over the long term… but implementation is noticeably slower.

In France, the Resilience Law, which transposes NIS2 among other directives, is expected in July 2026. ANSSI therefore published ReCyF v2.5 in March 2026, encouraging organizations to take ownership of the subject without waiting and to apply the recommended measures to meet NIS2’s security objectives.


What These Guides Have in Common

Despite different formats and national contexts, a common set of recommendations converges:

✅ Inventory all OT assets, their dependencies, and their external connections.

All initiatives place the comprehensive inventory of OT assets as a non-negotiable prerequisite for any resilience strategy.

The inventory must be continuous (OT environments change), classified by criticality (not all assets carry the same importance for continuity of service), and inclusive of enabling systems (authentication servers, DNS, NTP, license servers, backup systems) whose failure can render OT assets inoperable.

✅ Identify the vital systems required to maintain a minimum level of service.

In an OT environment with hundreds or thousands of assets, it is unrealistic (and counterproductive) to protect everything at the same level. Complexity explodes, costs become unmanageable, and operational teams, already understaffed for cybersecurity, find themselves overwhelmed.

Rather than deploying uniform protection and then managing exceptions, the approach is to first identify the assets whose failure would cause a production shutdown or a safety risk, and to concentrate maximum protection on that restricted perimeter: hardware isolation, offline backups, tested reconstruction procedures.

✅ Reduce the attack surface by removing obsolete or unnecessary assets, flows, and access points.

Asset discovery is not merely a mapping exercise. It must also lead to an active reduction of the attack surface by identifying and removing assets, flows, and access points that are no longer necessary for operational functioning.

Experience shows that OT environments accumulate over time obsolete equipment left connected, remote access credentials for contractors that were never revoked, network flows configured for a one-off project and then forgotten, protocols enabled by default but never used. Each of these elements constitutes a potential entry point for an attacker. The Volt Typhoon campaigns specifically exploited forgotten edge devices (SOHO routers, unpatched VPN appliances) to establish their access.

✅ Proactively isolate critical OT systems from IT networks and the Internet, with a tested capability to operate in isolated mode for weeks to months.

The capability for proactive isolation of vital OT systems must be viewed not as an improvised last resort, but as a planned, tested, and mastered capability.

  • A verifiable physical or logical separation between OT networks and IT/Internet networks: not merely firewall rules, but a protocol break guaranteeing that no network packet can cross the boundary in an uncontrolled manner. The system must allow vital functions to keep running with the minimum connectivity required.
  • Identified and documented isolation points enabling rapid disconnection of critical OT segments.
  • Verified offline backups of firmware, configurations, and documentation, enabling reconstruction without dependency on online services.
  • Manual failover procedures for automated processes that cross the OT/IT boundary.
  • Regular testing of these procedures, because isolation that has never been exercised is isolation that will fail when it is needed.

✅ Detect threats and anomalies continuously across the entire infrastructure, including through threat hunting before any reconnection following a period of isolation.

In OT environments, detection cannot rely on the same approaches as in IT. Industrial networks change little: a new flow, a new piece of equipment, a change in behavior are all significant signals.

The most appropriate approach is to detect deviations from a known baseline state, rather than attempting to identify each threat individually. Unlike the approach favored in IT, this method produces fewer false positives and is better suited to operational teams that are not sized to handle hundreds of daily alerts.

✅ Prepare for reconstruction from verified offline backups.

Backups must be stored on media physically disconnected from the network (air-gapped) to prevent any intentional degradation. They must be verified regularly: an untested backup is a promise, not a guarantee. Restoration procedures must be documented and exercised, ideally under conditions close to the actual scenario, meaning without Internet access, without remote vendor support, and with teams that may never have performed a full reconstruction.


3. The Seclab Approach: From Assessment to Action

The converging recommendations from these initiatives are reflected in the approach of the Seclab Xcore platform. This approach structures the OT cybersecurity journey into three phases: Discover, Isolate, Detect. Each phase delivers immediate value and prepares the next, without requiring a monolithic deployment or interrupting production.


Phase 1: DISCOVER, building a thorough understanding of the OT environment

✅ Identify all OT assets and flows. This is the starting point. You cannot protect what you do not know. The Seclab Xplore module performs a non-intrusive mapping of all equipment connected to the OT network and USB ports in use, without injecting traffic or disrupting processes. The objective: obtain an accurate picture of what actually exists in the field, including forgotten equipment, undocumented connections, and unauthorized flows.

✅ Build a structured inventory, a flow matrix, and a network map. Raw identification is not enough. Information must be structured: classifying assets by type, function, and zone; mapping flows between equipment and between zones; and producing a network representation that is usable by both IT and OT teams. This structured inventory is the deliverable required by the Australian agency, by the Canadian CIREN, and by NIS2 (Article 21). It also constitutes the essential foundation for any IEC 62443 audit or compliance assessment.

✅ Identify vulnerabilities and assess risks. Based on the inventory, each asset is cross-referenced against known vulnerabilities, risky configurations, and network exposures. The objective is to produce a prioritized risk assessment that distinguishes critical vulnerabilities, those that could be exploited to compromise an industrial process, from secondary risks.

✅ Define the critical assets to be protected (MVDI) and the business flows to be authorized. This is the decisive step. All initiatives ask for the identification of “vital systems” (Australia), the “minimal service in isolated mode” (United States), and “essential functions” (Canada). Seclab formalizes this concept under the name MVDI (Minimum Viable Digital Industry): the minimal perimeter of digital assets whose continuity is indispensable for maintaining industrial operations. This means identifying assets whose failure would cause a production shutdown or a safety risk, the enabling systems that support them, and the business flows strictly necessary for their operation. The MVDI is the digital survival foundation of the plant.
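The four DISCOVER steps above, and the earlier points about enabling systems and boundary-crossing flows, can be worked through on a small inventory. The example below is an added illustration, not Seclab code: it derives the MVDI perimeter by pulling every enabling system a vital asset depends on into the perimeter, then splits the flow matrix into flows the isolated perimeter needs and flows that cross its boundary (which need a manual failover plan). Asset names, dependency edges and flows are constructed sample data.

```python
"""Derive a minimum isolation perimeter (the page's MVDI idea) from an asset
inventory and a flow matrix.  Added illustration, not Seclab code; asset names,
dependency edges and flows are constructed sample data."""
from collections import deque

# Constructed inventory: asset -> (criticality, enabling systems it depends on)
INVENTORY = {
    "plc-boiler-1": ("vital",     ["eng-ws-1", "ntp-ot"]),
    "plc-pump-2":   ("vital",     ["scada-srv", "ntp-ot"]),
    "scada-srv":    ("important", ["ad-ot", "ntp-ot", "hist-srv"]),
    "eng-ws-1":     ("important", ["ad-ot"]),
    "hist-srv":     ("low",       ["ad-ot"]),
    "ad-ot":        ("important", []),
    "ntp-ot":       ("low",       []),
    "erp-srv":      ("low",       ["ad-corp"]),   # IT side
    "ad-corp":      ("low",       []),            # IT side
}

# Constructed flow matrix: (source asset, destination asset, protocol)
FLOWS = [
    ("scada-srv", "plc-pump-2", "modbus/tcp"),
    ("eng-ws-1", "plc-boiler-1", "s7comm"),
    ("scada-srv", "hist-srv", "opc-ua"),
    ("hist-srv", "erp-srv", "https"),      # crosses the OT/IT boundary
    ("scada-srv", "ad-ot", "kerberos"),
    ("ntp-ot", "plc-boiler-1", "ntp"),
]


def mvdi_perimeter(inventory):
    """Vital assets plus every enabling system they transitively depend on.
    An enabling system (AD, NTP, historian) joins the perimeter even if its
    own criticality rating is low, because its loss stops a vital asset."""
    perimeter = {a for a, (crit, _) in inventory.items() if crit == "vital"}
    queue = deque(perimeter)
    while queue:
        asset = queue.popleft()
        for dep in inventory[asset][1]:
            if dep not in perimeter:
                perimeter.add(dep)
                queue.append(dep)
    return perimeter


def classify_flows(flows, perimeter):
    """Split flows into those fully inside the perimeter (must keep working
    in isolated mode) and those crossing its boundary (cut when isolating,
    so they need a documented manual failover)."""
    inside = [f for f in flows if f[0] in perimeter and f[1] in perimeter]
    crossing = [f for f in flows if (f[0] in perimeter) != (f[1] in perimeter)]
    return inside, crossing


if __name__ == "__main__":
    perimeter = mvdi_perimeter(INVENTORY)
    inside, crossing = classify_flows(FLOWS, perimeter)
    print("MVDI perimeter:", sorted(perimeter))
    print("flows needing manual failover:", crossing)
```

Note that the historian, rated "low" on its own, lands inside the perimeter because the SCADA server that drives a vital PLC depends on it; this is the kind of hidden dependency the guides' inventory requirement is meant to surface.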


Phase 2: ISOLATE, deploying discovery-guided protection

✅ Isolate critical assets (MVDI) at the network level. This is the heart of the resilience promise. The guides call for a verifiable separation between OT and IT networks, not merely firewall rules. The Volt Typhoon and Salt Typhoon campaigns specifically exploited software security equipment (unpatched Fortinet devices, compromised SOHO routers) to maintain their access for years. When an attacker is already in the IT network with privileged access, software-based separation between IT and OT becomes a digital Maginot Line.

✅ Seclab Xchange meets this requirement through electronic isolation that creates a true hardware airgap between the two networks. Seclab’s Electronic AirGap technology physically breaks the network protocol. There is no direct network path between the two sides. Authorized data is reconstructed and transferred across this hardware break, in strict compliance with the defined security policy (direction of transfer, file types, protocols). This hardware airgap cannot be corrupted by an attacker, even if they have administrative access on one side of the boundary. The result: isolation that allows only the flows necessary for operational functioning to pass through, while guaranteeing that no network attack can cross the boundary, including zero-days.

✅ Secure legacy or disconnected critical assets via USB isolation. Some MVDI equipment is not connected to the network: PLCs at remote sites, supervision workstations in restricted areas, legacy systems with no network interface. For these environments, USB is the only means of interacting with OT machines and equipment. Firmware updates, loading PLC recipes, exporting logs, transferring configurations: everything goes through a USB drive.

This is also the case in the extended isolation scenarios described by CI Fortify and CIREN: when network connections are cut for weeks or months, USB media becomes the last operational lifeline. Yet this vector is also one of the most exploited in OT environments (37% of OT threats are designed to spread via USB, according to Honeywell). USB isolation therefore becomes indispensable. Seclab Xport, plugged between the USB media and the critical workstation, creates a hardware control point: file integrity and authenticity verification, blocking of physical attacks, and directional transfer control. It is fully plug-and-play and requires no software installation.

✅ Segment non-critical assets with standard security equipment. Not all OT assets fall within the MVDI. For non-critical systems, conventional network segmentation (industrial firewalls, VLANs, DMZ zones) remains appropriate and proportionate. The discovery carried out during the DISCOVER phase makes it possible to size this segmentation based on actual knowledge of flows, rather than on assumptions.


Phase 3: DETECT, continuously monitoring threats and anomalies

✅ Maintain continuous monitoring of changes. The OT environment evolves: new connected equipment, modified flows, added remote access points. Seclab Xplore provides continuous monitoring that detects any deviation from the baseline state established during the Discover phase. A new asset, an unexpected flow, a USB port used on a workstation where it should not be: these are all signals that trigger an alert before they become attack vectors.
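The baseline-deviation approach described here (and in the detection point of the "What These Guides Have in Common" section) is straightforward to express as logic over observations. The example below is an added illustration, not Seclab Xplore code: it compares constructed flow and USB observations against a baseline learned during discovery and raises one alert per deviation, distinguishing a new asset, a new flow between unknown peers, a new protocol between known peers, and USB use on a host where it is not allowed. All asset names, flows and observations are constructed sample data.

```python
"""Baseline-deviation detection for an OT network, as described on this page.
Added illustration, not Seclab Xplore code; baseline and observations are
constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obs:
    kind: str        # "flow" or "usb"
    src: str         # source asset (flow) or workstation (usb)
    dst: str = ""    # destination asset (flow only)
    proto: str = ""  # protocol (flow only)


# Constructed baseline learned during the DISCOVER phase.
BASELINE_ASSETS = {"scada-srv", "plc-pump-2", "eng-ws-1", "plc-boiler-1"}
BASELINE_FLOWS = {("scada-srv", "plc-pump-2", "modbus/tcp"),
                  ("eng-ws-1", "plc-boiler-1", "s7comm")}
USB_ALLOWED_ON = {"eng-ws-1"}   # only the engineering station may use USB

# Constructed observations from one monitoring window.
OBSERVED = [
    Obs("flow", "scada-srv", "plc-pump-2", "modbus/tcp"),  # known, no alert
    Obs("flow", "laptop-7", "plc-pump-2", "modbus/tcp"),   # new asset + flow
    Obs("flow", "eng-ws-1", "plc-boiler-1", "http"),       # known peers, new proto
    Obs("usb", "scada-srv"),                               # USB where not allowed
    Obs("usb", "eng-ws-1"),                                # USB where allowed
]


def detect_deviations(observed, assets, flows, usb_allowed):
    """Return deduplicated (alert_type, detail) pairs for every deviation from
    the baseline.  Industrial networks change little, so each new asset, flow,
    protocol or USB use is itself the signal; no threat signature is needed."""
    alerts = []

    def add(alert):
        if alert not in alerts:
            alerts.append(alert)

    for o in observed:
        if o.kind == "usb":
            if o.src not in usb_allowed:
                add(("usb_on_unauthorized_host", o.src))
            continue
        for asset in (o.src, o.dst):
            if asset not in assets:
                add(("new_asset", asset))
        if (o.src, o.dst, o.proto) not in flows:
            known_peers = any(s == o.src and d == o.dst for s, d, _ in flows)
            add(("new_protocol" if known_peers else "new_flow",
                 f"{o.src}->{o.dst}/{o.proto}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect_deviations(
            OBSERVED, BASELINE_ASSETS, BASELINE_FLOWS, USB_ALLOWED_ON):
        print(f"ALERT {kind}: {detail}")
```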

✅ Detect threats and anomalies in real time. Beyond change tracking, Seclab Xplore incorporates three complementary detection engines (Sigma signatures, Suricata, AI) to identify ongoing attacks: network scans, connection attempts on industrial ports such as Modbus or S7, abnormal PLC behavior, lateral movements. Isolation of the MVDI mechanically reduces the monitoring perimeter and the volume of alerts, concentrating detection where it is most needed.

✅ Adapt isolation or segmentation in response. Detection only has value if it leads to action. When a threat is confirmed on a non-critical segment, the response may consist of strengthening segmentation, temporarily isolating an additional zone, or tightening the filtering policies on Seclab Xchange. The model thus loops back on itself: detection feeds protection, which feeds detection.

For more information: Seclab Xcore, Defense in Depth OT


Sources

• CISA, CI Fortify, May 2026 – https://www.cisa.gov/topics/industrial-control-systems/ci-fortify

• CISA, FBI, NSA et al., Advisory AA26-097A, April 2026 – https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a

• NCSC UK, CNI Guide, January 2026 – https://www.ncsc.gov.uk/collection/how-to-prepare-and-plan-your-organisations-response-to-severe-cyber-threat-a-guide-for-cni

• ASD/ACSC, CI Fortify, October 2025 – https://www.cyber.gov.au/business-government/secure-design/operational-technology-environments/ci-fortify

• Canadian Centre for Cyber Security, CIREN, April 2026 – https://www.cyber.gc.ca/en/cyber-security-readiness/critical-infrastructure-resilience-escalated-threat-navigation-initiative

• ANSSI, NIS2 Directive and ReCyF, March 2026 – https://cyber.gouv.fr/reglementation/cybersecurite-systemes-dinformation/directives-nis-nis2-et-dispositif-saiv/directive-nis-2/

• METI Japan, OT Security Guidelines, October 2025 – https://www.meti.go.jp/english/policy/safety_security/cybersecurity/index.html

• CISA, Advisory AA24-038A (Volt Typhoon) – https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

• Seclab, Xcore Platform – https://www.seclab-security.com/en/ot-defense-in-depth/

Published On: 26 May 2026