NYC Sewers Crawling With Rats and Potential Bad Actors
The ick factor is high, but so is the risk to critical infrastructure. Surveillance cameras recently captured men entering and exiting the New York City sewer systems in neighborhoods throughout Brooklyn and Queens.
They were seen lifting manhole covers, then going in, only to re-emerge hours later. What these sewer rats were doing remains a mystery. Perhaps they are treasure hunters or urban adventurers or they’re looking for Willard and his acolyte Ben (look it up, they were very popular, though murderous, rats in the ‘70s).
Williamsburg resident Anthony Purdie told ABC News that “they look like they were looking for something important, like money, or for doing some type of hurting. Ain’t no fun and games. I mean, seven grown adults going down there? Got to be something, man.”
Queens auto detailing shop owner Aki Jakupovic said the intruders were “up to no good.”
Clearly. Beyond the obvious, their actions raise questions about how well the deepest, murkiest corners of operational technology and critical infrastructure (OT/CI) are being protected, and whether there are dangerous blind spots in our current defenses that nation-state actors could exploit and that need to be addressed without delay.
“These environments are often monitored by decades-old sensor infrastructure and lack meaningful physical security controls, creating a dangerous blind spot in critical infrastructure defense,” says Ronald Lewis, head of cybersecurity governance at Black Duck.
Jeff Macre, principal OT security solutions architect at Darktrace, concurs that a big issue looms as legacy operational technology (OT) systems often “continue to run on outdated hardware and software that do not receive regular security patches, which makes them highly susceptible to cyber-attacks.”
And in the wrong hands, that could prove devastating. If a well-resourced, potentially nation-state-backed group was behind the intrusions, Lewis says, “the pattern of repeated access is unlikely to be incidental. It points to a deliberate campaign: mapping targets, probing network boundaries, testing signals, and refining tools to exploit weaknesses in operational technology (OT) environments.”
More concerning is “how these systems are interconnected,” says Lewis, noting that “sewer monitoring networks often share architecture with water treatment systems, creating a pathway across the Purdue model, from lower-layer access points through to higher-level control systems.”
Macre says legacy OT systems increasingly “are becoming connected to the internet as organizations increasingly focus on IT-OT convergence initiatives.”
“While the business benefits of cross IT-OT connectivity are plentiful, including improved production efficiency, maintenance and scaling, it does significantly expand organizations’ attack surfaces,” says Macre. “Threat actors often infiltrate IT networks first, then exploit segmentation, compromised credentials, or shared IT/OT systems to move laterally, escalate privileges, and ultimately enter OT systems.”
Organizations trying to secure legacy OT often struggle to maintain accurate, real-time visibility. “Many existing tactics, such as traditional rule-based methods, create a host of false positives and fail to detect subtle changes in OT environments such as unusual device behavior or network traffic, which can help identify early indications of an attack,” Macre says.
That means that in a worst-case scenario, “an actor could move laterally through these networks, ultimately gaining access to core operational layers,” he explains.
“Organizations that operate critical infrastructure must ensure that all parts of their operations, especially vulnerable IoT/OT devices, have a solid foundation of cyber hygiene, including firmware patching, password rotations, certificate management, etc., as well as plans to reduce the impact of an attack on operations,” says John Gallagher, vice president at Viakoo. “Especially in critical infrastructure, where there is a heavy dependence on IoT/OT systems, making sure there is a way to quickly remediate and repatriate systems after a cyberattack will help to minimize the damage and restore public trust.”
As attacks on OT proliferate and organizations grapple with the ongoing shortage of skilled security professionals, AI can help, Macre says, by providing “a more efficient and effective approach to OT threat detection and incident response.”
“Defenders face a critical gap. Environments that are physically hard to monitor are often digitally under-defended,” says Lewis, who urged software security leaders and OT practitioners to “treat these edge environments as high-risk entry points by strengthening visibility, segmentation, and anomaly detection across all layers of infrastructure.”
AI, says Macre, “boasts the potential to revolutionize cybersecurity across legacy OT systems with minimal disruption” and “can learn the unique network communication patterns of legacy OT environments, and unsupervised ML can detect anomalies in real-time – unearthing even the smallest behavioral changes.”
That will make “monitoring more accurate and reduce the volume of false positives,” he adds. But first, OT teams must develop several key skills, including “understanding industrial protocols, interpreting behavioral anomalies, and contextualizing alerts within operational workflows,” says Macre.
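The contrast Macre draws between traditional rule-based alerting and learned behavioral baselines is easier to see on data. The following is an added example written for this page, not code from the article or from any of the vendors quoted in it. It replays constructed OT flow records (the addresses, ports and byte counts are invented; 10.20.0.0/24 stands in for the OT segment and 10.10.0.0/16 for the IT side) through a static IT-to-OT rule and through a simple baseline of who talks to whom, on which port, and how much. The static rule fires every time a sanctioned engineering workstation does maintenance and misses anything that stays inside the OT segment; the baseline flags an unknown IT host reaching a PLC, a PLC that suddenly initiates a connection, and an abnormally large poll.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int     # 502 = Modbus/TCP, 4840 = OPC UA, 44818 = EtherNet/IP
    nbytes: int


IT_PREFIX = "10.10."   # constructed: IT-side address space
OT_PREFIX = "10.20."   # constructed: OT segment

# Learning window (constructed): the HMI polls two PLCs, a historian pulls
# OPC UA data from the HMI, and an engineering workstation on the IT side
# performs occasional sanctioned maintenance on PLC 21.
BASELINE_FLOWS = (
    [Flow("10.20.0.10", "10.20.0.21", 502, b) for b in (1200, 1180, 1240, 1210, 1190)]
    + [Flow("10.20.0.10", "10.20.0.22", 502, b) for b in (1210, 1230, 1190, 1220, 1200)]
    + [Flow("10.20.0.5", "10.20.0.10", 4840, b) for b in (3000, 3100, 2900)]
    + [Flow("10.10.5.7", "10.20.0.21", 502, b) for b in (800, 840)]
)

# Detection window (constructed): routine traffic plus three events an
# operator would want to know about.
LIVE_FLOWS = [
    Flow("10.20.0.10", "10.20.0.21", 502, 1250),    # routine HMI poll
    Flow("10.10.5.7", "10.20.0.21", 502, 820),      # sanctioned maintenance session
    Flow("10.10.9.44", "10.20.0.22", 502, 900),     # never-seen IT host speaking Modbus to a PLC
    Flow("10.20.0.10", "10.20.0.22", 502, 48000),   # HMI poll ~40x its usual size
    Flow("10.20.0.21", "10.20.0.99", 44818, 600),   # a PLC initiating a connection, which it never did before
]


def rule_based_alerts(flows):
    """Static rule: any IT-side host talking into the OT segment is an alert.

    Simple and explainable, but it fires on the sanctioned engineering
    workstation every time and is blind to anything that stays inside OT.
    """
    return [("it_to_ot", f) for f in flows
            if f.src.startswith(IT_PREFIX) and f.dst.startswith(OT_PREFIX)]


def build_baseline(flows):
    """Learn, per source, the set of (destination, port) peers it talks to and
    the byte counts observed for each conversation."""
    peers = defaultdict(set)        # src -> {(dst, dport), ...}
    volumes = defaultdict(list)     # (src, dst, dport) -> [nbytes, ...]
    for f in flows:
        peers[f.src].add((f.dst, f.dport))
        volumes[(f.src, f.dst, f.dport)].append(f.nbytes)
    return peers, volumes


def behavioral_alerts(flows, baseline, z=3.0):
    """Flag a flow when its source was never seen talking before, when a known
    source talks to a new (destination, port), or when a known conversation is
    far larger than its learned volume."""
    peers, volumes = baseline
    alerts = []
    for f in flows:
        if f.src not in peers:
            alerts.append(("unknown_talker", f))
            continue
        if (f.dst, f.dport) not in peers[f.src]:
            alerts.append(("new_peer", f))
            continue
        history = volumes[(f.src, f.dst, f.dport)]
        if len(history) >= 2:
            mu, sigma = mean(history), pstdev(history)
            # Floor the band at half the mean so a near-flat baseline does not
            # alert on ordinary jitter; a 40x poll still clears it by a mile.
            limit = mu + max(z * sigma, 0.5 * mu)
            if f.nbytes > limit:
                alerts.append(("volume", f))
    return alerts


if __name__ == "__main__":
    for reason, flow in rule_based_alerts(LIVE_FLOWS):
        print("rule      ", reason, flow)
    for reason, flow in behavioral_alerts(LIVE_FLOWS, build_baseline(BASELINE_FLOWS)):
        print("behavioral", reason, flow)
```

The baseline here is deliberately naive: a real deployment would learn over weeks, key on protocol function codes rather than ports alone, and age out stale peers. The point it makes is the one in the quotes above: detection that knows what normal looks like for each device can flag an OT-to-OT anomaly a perimeter rule never sees, while leaving sanctioned-but-unusual paths alone.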
New York City Department of Environmental Protection spokesman Wolejsza issued a warning to sewer rats, reminding them that “Sewers can contain numerous hazards, including noxious and potentially deadly gases, unstable surfaces, flooding risks, and confined spaces. For these reasons, members of the public should never enter a pipe, drain, catch basin, manhole, or outfall.”
Ya think? But what about the deeper implications for cybersecurity?