June 4, 2025
December 23, 2025

Why 10 Years After Ukraine Power Blackouts, We’re Still Falling for the Same Trick

Why 10 Years After Ukraine Power Blackouts, We’re Still Falling for the Same Trick

I was looking at the calendar this morning and realized we are days away from a grim anniversary.

On December 23, 2015, the world of Operational Technology changed forever. Hackers shut off power to more than 225,000 customers in Ukraine. It was the moment the theoretical became real. We saw exactly what happens when bad actors gain access to critical infrastructure.

The entire industry shouted, “Never Again.” We promised better firewalls, deeper packet inspection, and more intelligent detection.

But here we are. It’s December 2025. An entire decade has passed. And I have to ask: Have we actually learned anything?

Because when I look at the data, the answer is a hard, painful “No.”

The $2.5 Billion Phone Call

If you want proof that the last ten years have been a “Lost Decade” for OT security, you don’t need to look further than what happened to Jaguar Land Rover just a few months ago in August.

They didn’t get hit by a futuristic AI super-weapon. They got hit by Vishing (voice phishing). Someone picked up the phone, tricked an employee, stole a credential, and walked right through the front door.

The result? A $2.5 billion impact on the UK economy and a direct cost of $258 million (a number that keeps going up).

Ten years ago in Ukraine, the vector was “Spear Phishing and Valid Credentials”. Ten years later at JLR, the vector was “Vishing and Credential Theft”.

The attack hasn’t evolved. It hasn’t needed to.

The Definition of Insanity

We are seeing this pattern repeat with exhausting frequency.

Look at the Bremanger Dam incident from April of this year. Russian hacktivists didn’t burn a zero-day exploit to seize control of the dam. They found a default password on a web-accessible control panel.

Look at Nucor in May. They had to halt production at multiple sites (costing them an estimated $20-50 million), likely due to an unpatched edge device or phishing.

We have spent billions of dollars on “detection” tools since 2015. We’ve deployed armies of sensors to tell us when the hackers are inside. But we haven’t done the one thing that actually matters: We haven’t stopped them from logging in.

As long as your OT assets are visible on the public internet or accessible via a standard VPN that trusts a stolen password, you are vulnerable. It doesn't matter how much you spend on detection if the attacker has the admin credentials. To the firewall, they look just like you.

Stop Detecting. Start Cloaking.

If the last ten years have taught us anything, it’s that we cannot train every human not to click a link. We cannot patch every vulnerability fast enough. We cannot rely on “air gaps” that no longer exist.

The only way to break this cycle (and avoid writing this same blog post in 2035) is to change the architecture.

We need to stop trying to secure the door and start hiding it.

At BlastWave, we talk about “Cloaking” because it’s the only strategy that addresses the root cause of the failures of the last decade. If hackers scanning for open ports can’t see your connection, they can’t phish it, they can’t brute-force it, and they certainly can’t log in to it.

The Ukraine attack was a wake-up call. But looking at the 2025 numbers, most of the industry hit the snooze button. It is time to take the lessons learned from these infamous hacks and identify common threads for preventing the attacks from succeeding. Stay tuned for that analysis in the new year.

For now, it’s time to wake up and stop repeating the same mistakes — again and again. Hackopedia Volume 1, launching in January, examines this incident alongside more than twenty other real-world OT and Critical Infrastructure breaches to show exactly how they could have been prevented.

You can pre-register for early access to Hackopedia Volume 1 and receive the release by email here: https://www.blastwave.com/hackopedia

— Cam Cullen, CMO, BlastWave
