By River Caudle
Your IT department did everything right. They deployed Cisco firewalls. Fortinet VPNs. Palo Alto for the perimeter. They patched when the vendors told them to patch. They checked every compliance box.
And in September 2025, Chinese state actors installed bootkits on those very appliances that survived firmware upgrades.
UNC4356's Line VIPER bootkit sits below the operating system layer, intercepting CLI commands, suppressing forensic artifacts, and persisting through every remediation attempt your incident response team can imagine. Cisco's official guidance? "Rebuilding the appliance represents the only effective method to remove attacker persistence."
Your IT team followed the vendor guidance, yet you were still compromised. Why? Because you were playing a game you cannot win. As we teach in the Secure Method, applying patches is purely a risk management decision, and right now, the risk is that the patch won't save you.
Welcome to the reality of 2025.
The Betrayal of "Best Practices"
I'm going to name names because the standard demands we look at reality, not marketing.
Fortinet FortiCloud SSO: Disclosed December 9th. Actively exploited by December 13th. Four days. But here's the part that should make you sick: FortiCloud SSO is disabled by default in factory settings, but it automatically enables when you register your device to FortiCare via the GUI unless you explicitly opt out. Attackers authenticated as admin and downloaded config files containing hashed credentials. If you ran FortiGate in 2025, you need to rotate every credential in your environment. Merry Christmas.
Palo Alto PAN-OS: Authentication bypass on the management interface. GreyNoise counted 25+ distinct exploitation sources within days. The vulnerability existed because management interfaces were exposed to the internet - a configuration Palo Alto's own best practices warn against, yet their sales team conveniently omits while closing the deal.
Cisco AsyncOS: A CVSS 10.0 zero-day turned email gateways into command-and-control infrastructure. China-linked APT group UNC9686 had been exploiting it since late November before Cisco even knew. Your Secure Email Gateway became their C2.
Juniper Session Smart Router: CVSS 9.8. Unauthenticated API requests grant full administrative control. Your SD-WAN backbone became an open door.
I could keep going. I have 245 more where these came from - that's how many vulnerabilities CISA added to the Known Exploited Vulnerabilities catalog this year. Twenty percent growth. The highest annual expansion since the catalog's inception.
The Trap of Convergence
Here is the statistic that should end every IT/OT convergence conversation:
VPN compromise accounted for 48% of ransomware attacks in 2025.
Nearly half of all ransomware incidents started with the technology your IT department deployed specifically to "secure" remote access. Your VPN wasn't the lock. It was the door.
The Clop ransomware syndicate hit Broadcom, Estée Lauder, Mazda, Canon, Allianz UK, and The Washington Post through a single Oracle E-Business Suite vulnerability. 76% of ransomware attacks now exfiltrate your data before encrypting it - every ransomware incident is automatically a data breach. Global ransomware damages hit $57 billion this year. Critical infrastructure sectors - energy, manufacturing, water, healthcare - accounted for 50% of all targets.
The IT department told you convergence makes you safer. The data proves that IT/OT integration builds the bridge attackers cross. The more you connect, the more you expose.
In the SECURE Method, we define a Conduit as any path that connects two zones. If your VPN connects the Enterprise Zone to the Manufacturing Zone, it is a conduit. And if that conduit is compromised, your "Air Gap" is a myth.
The OT Reality
Now let me tell you what happened when these attackers reached operational technology environments.
Rockwell Automation ControlLogix (CVE-2025-7353): Rockwell shipped a web-based debugger enabled in production firmware. Not a bug. Not an exploit. Development code shipped to safety-critical systems controlling assembly lines, chemical reactors, and safety-instrumented systems. Unauthenticated attackers could dump memory, modify execution flow, and achieve complete control over mission-critical PLCs.
This validates exactly why we use the "Bang Test" in our architecture planning. We do not assign Security Levels based on the vendor's promise or the attacker's skill. We assign them based on Consequence. If that Rockwell controller fails and kills someone, it is Security Level 4, regardless of whether the hacker is a teenager or a nation-state.
Erlang/OTP SSH (CVE-2025-32433): CVSS 10.0. Unauthenticated remote code execution through crafted SSH messages before authentication even completes. Palo Alto's Unit 42 tracked the exploitation attempts: 70% correlation with OT network environments. In Japan, that number hit 99.74%. In the United States, 1,916 OT-specific triggers.
They weren't trying to steal your customer database. They were going for your control systems.
Emerson ValveLink: Cleartext storage of sensitive information in memory. The credentials controlling your process valves - flow control across oil, gas, chemical, power, and water treatment - sitting unencrypted in RAM. The passwords were in plain text.
Siemens SICAM T (CVSS 9.9): Remote code execution on the devices providing automation and protection for electrical substations and distributed energy resources. Not your corporate network. Your power grid.
On August 14th, 2025, CISA published 32 ICS advisories in a single day. Thirty-two. Affecting critical manufacturing, energy, water, healthcare, transportation, and government facilities. That's not a bad day. That's the new normal.
Stop Racing, Start Architecting
2025 proved that the race is unwinnable. Weaponization happens within hours of disclosure; your patch cycle takes weeks.
VulnCheck identified 883 CVEs actively exploited in the wild in 2025. Yet CISA only added 245 to KEV. That's 638 attacks your vulnerability management program never saw coming.
The attackers are faster - and they're getting smarter. 2025 saw a fundamental shift: while 2024 focused on authentication bypass, 2025 pivoted to missing authorization vulnerabilities that enable privilege escalation after initial access. Storm-2460 used exactly this pattern: standard user access, Windows CLFS escalation, PipeMagic backdoor, ransomware. The initial access barely mattered. The lateral movement did the work.
IEC 62443 teaches us to stop racing.
You cannot patch your way out of a compromised architecture. Instead, you must build Defensible Positions. This is why we focus on Compensating Countermeasures. If you cannot patch the legacy PLC, and you cannot trust the firewall provided by IT, you must wrap the asset in a hard shell.
This isn't about "security through obscurity." It is about physics. If the control network does not physically connect to the attack vector, the CVSS score is academic.
The 80% of OT attacks that originate from IT networks? They require an IT network connection to exist. Eliminate the connection, eliminate the attack path.
The Riverman Rules: Strategic Conclusions for 2026
We cannot simply "disconnect" everything - the business demands data, and as we discussed in class, if we don't give it to them on our terms, they will take it on theirs.
To survive the landscape of 2026, you must apply these three rules to your infrastructure immediately:
1. Reject Enterprise Gear in OT
The data on Cisco and Fortinet compromises proves that Enterprise IT firewalls are primary targets. Do not use Enterprise IT firewalls for OT Zones. You must use purpose-built Industrial Firewalls (like the "Learning Firewall" or Anybus Defender) that are less susceptible to the specific bootkit vectors targeting IT appliances. These devices function as Compensating Countermeasures, allowing you to "Tap, Observe, and Enforce" traffic without relying on the IT stack.
2. The Death of Implicit Trust
Attackers are exploiting "missing authorization" to move laterally once inside a network. This means Implicit Trust within a Zone is no longer a safe default. You must push for Microsegmentation immediately. Breaking Zones into smaller Cells (sub-zones) is the only way to contain the exploits described in 2025. If a workstation is compromised, microsegmentation ensures it cannot talk to the safety PLC in the next cell.
3. Connectivity as a Concession
Treat connectivity not as a feature, but as a negotiated risk. Use the Data Exchange Agreement to define exactly what IT gets and how they get it. Implement a Zone Historian to enforce a logical "Data Diode" - ensuring that while data may leave for the enterprise to satisfy business needs, the connection is architected to prevent any command and control from entering.
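One way to turn the conduit and Security Level definitions above and these three rules into something you can actually check against an architecture diagram. This is an added example, not code from the article or the SECURE Method; the zone names, the two device classes, and the rule that a lower-SL zone may never initiate a connection into a higher-SL zone are this example's own assumptions (the SL-ordering rule generalizes the workstation-to-safety-PLC case in the text).

```python
from dataclasses import dataclass

# Added example (not from the article): encode the zone-and-conduit model as data
# and flag conduits that break the three Riverman Rules. Names are constructed.

@dataclass(frozen=True)
class Zone:
    name: str
    sl: int                  # target Security Level, assigned by consequence (the "Bang Test")
    ot: bool                 # True for OT zones/cells, False for enterprise IT
    historian: bool = False  # the one OT-side zone allowed to push data outward

@dataclass(frozen=True)
class Conduit:
    src: str     # zone that opens the connection (initiator)
    dst: str     # zone that receives it
    device: str  # "industrial" or "enterprise_it": what enforces this conduit

def check_conduit(c, zones):
    """Return the list of rule violations for one conduit (empty list = allowed)."""
    s, d = zones[c.src], zones[c.dst]
    findings = []
    # Rule 1: no enterprise IT firewall may enforce a conduit that touches an OT zone
    if (s.ot or d.ot) and c.device == "enterprise_it":
        findings.append(f"{c.src}->{c.dst}: enterprise IT device enforcing an OT conduit")
    # Rule 2: no implicit trust; a lower-SL zone never initiates into a higher-SL zone
    #         (assumption of this example: SL ordering stands in for cell boundaries)
    if s.sl < d.sl:
        findings.append(f"{c.src}->{c.dst}: SL{s.sl} zone initiates into SL{d.sl} zone")
    # Rule 3: data leaves OT only through the Zone Historian (logical data diode)
    if s.ot and not d.ot and not s.historian:
        findings.append(f"{c.src}->{c.dst}: OT zone exports data without the historian")
    return findings

def audit(zones, conduits):
    return [f for c in conduits for f in check_conduit(c, zones)]

# Constructed sample architecture with one good conduit and three bad ones
ZONES = {z.name: z for z in [
    Zone("enterprise", sl=1, ot=False),
    Zone("historian_dmz", sl=2, ot=True, historian=True),
    Zone("cell_packaging", sl=2, ot=True),
    Zone("cell_safety", sl=4, ot=True),
]}
CONDUITS = [
    Conduit("historian_dmz", "enterprise", "industrial"),      # OK: diode direction
    Conduit("enterprise", "cell_packaging", "enterprise_it"),  # IT VPN into OT: 2 findings
    Conduit("cell_packaging", "cell_safety", "industrial"),    # workstation cell -> safety PLC
    Conduit("cell_packaging", "enterprise", "industrial"),     # bypasses the historian
]

if __name__ == "__main__":
    for finding in audit(ZONES, CONDUITS):
        print(finding)
```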
The Final Question
Your IT department controls the network your production runs on. They select the vendors. They define the architecture. They set the patch schedules. They decide what connects to what.
And in 2025, every major vendor they trusted got compromised. Every architectural assumption they made enabled lateral movement. Every timeline they operated on was too slow.
So here's the question you need to answer before the next zero-day drops:
Who controls your infrastructure?
Because the attackers already know.
🌊