DeNexus Blog - Industrial Cyber Risk Quantification

Cyber‑Enabled Kinetic Targeting: What Amazon’s Threat Intelligence Means for OT Cybersecurity and ICS Security

Written by DeNexus | Dec 12, 2025 11:59:59 AM

When Cyber Becomes Targeting Data 

For years, discussions about cyber‑physical risk in industrial control systems have mostly focused on one question: 
What happens when an attacker uses cyber access to directly disrupt or damage physical systems? 

Think Stuxnet spinning centrifuges apart, or Ukraine’s power grid being switched off remotely. Those are the canonical examples in OT cybersecurity, ICS security, and SCADA security conversations. 

Amazon recently added an important nuance to that conversation. In a public threat‑intelligence blog, they described a pattern they call cyber‑enabled kinetic targeting: cases where nation‑state threats use cyber intrusions not to cause damage directly, but to gather real‑time operational intelligence that improves physical targeting for missiles, other kinetic weapons, or other military activities. 

That sounds subtle, but it’s a meaningful shift in how we should think about risk—especially for organizations that own industrial control systems and other operational technology in critical infrastructure. 

This post takes a non‑hyped look at: 

  • What Amazon is actually describing 
  • How it differs from historical cyber‑physical attacks like Stuxnet and Ukraine 
  • Why ICS/OT information (not just control) is likely to matter in this model 
  • The role of sensor‑only and IoT systems as targeting aids 

For organizations focused on OT security and industrial cybersecurity, including DeNexus customers, this is a useful update to existing threat models. 

 

Amazon’s Cyber‑Enabled Kinetic Targeting in Plain Terms 

In their blog, Amazon’s threat intelligence team describes real campaigns where attackers: 

  • Compromise systems that provide visibility into the physical world (for example, CCTV servers or maritime Automatic Identification System (AIS) data), and 
  • Use that access to support real‑world kinetic attacks on ships or cities. 

 

Maritime targeting via AIS and vessel systems 

A state‑linked actor compromised systems on commercial vessels, including AIS and onboard CCTV. Over time, they shifted from broad reconnaissance to querying the location of a specific ship. Shortly afterwards, that vessel was targeted with a missile. The working theory: cyber access provided more precise, up‑to‑date location and visual information than public sources. 

 

Urban targeting via compromised CCTV 

In another case, attackers gained access to a server streaming live CCTV feeds from parts of a city that later came under missile attack. Authorities publicly warned residents to disconnect internet‑connected cameras because of concerns about real‑time targeting. 

In both incidents, the compromised systems are sensors, not actuators: 

  • The attacker didn’t “hack a PLC to blow something up.” 
  • They watched through compromised systems and used that insight to decide where and when to strike. 

That’s the core of Amazon’s term: 

Cyber‑enabled kinetic targeting = cyber operations whose primary value is to provide intelligence and situational awareness that improve physical targeting and impact. 

This is different from the classic narrative of “a virus caused a turbine to fail.” Here, cyber is an eye more than a hand, but it still shapes operational technology risks in very concrete ways. 

Assess your OT cyber‑physical exposure with DeRISK™ by exploring cyber risk quantification for your industrial control systems and critical infrastructure. 

 

How This Differs from Stuxnet, Ukraine, and Other Cyber‑Physical ICS Attacks 

We already have a rich history of cyber‑physical incidents in industrial environments and industrial control systems. A few key examples: 

Stuxnet (Iran, ~2010) 

Malware targeted Siemens PLCs in a nuclear facility, subtly altering centrifuge speeds while replaying normal data to operators. The PLCs themselves executed the destructive actions. 

Ukraine power grid attacks (2015, 2016) 

In 2015, attackers used stolen credentials and remote access to open breakers via distribution SCADA, causing outages for hundreds of thousands of customers. In 2016, the CRASHOVERRIDE/INDUSTROYER malware spoke native grid protocols to automate switching operations. 

Triton / Trisis (Saudi Arabia, 2017) 

Attackers targeted a safety instrumented system (SIS), attempting to modify safety logic at a petrochemical facility. Had it been successful in the way many experts fear, this could have combined process manipulation with disabled safety, with severe physical consequences. 

These are cyber‑physical attacks in the traditional ICS security sense: 

  • The attacker obtained access to ICS/OT networks and devices. 
  • They manipulated control logic or commands. 
  • Physical effects (damage, outages, unsafe states) were the direct result of ICS behavior. 

If we simplify: 

  • Stuxnet, Ukraine, Triton, etc. → cyber as the actuator of physical change. 
  • Amazon’s CCTV/AIS examples → cyber as the sensor that improves separate kinetic operations. 

Both bridge cyber and physical worlds, but along different paths. Both matter for OT cybersecurity and SCADA security, but defenders need to recognize that they are distinct threat models. 

 

What We Haven’t Seen (Publicly) with ICS/OT Yet 

It’s tempting to jump straight to: “Attackers will absolutely use ICS/OT for cyber‑enabled kinetic targeting.” That may well be true, but it’s worth being precise about what the public record currently shows about operational technology risks. 

Today, open reporting gives us: 

  • Many ICS/OT incidents where control systems are used directly to cause physical impact (Stuxnet, Ukraine grid, Triton, various water and manufacturing cases). 
  • Cases where cyber operations against IT/OT environments occur in the context of kinetic conflict (for example, operations in and around Ukraine after 2014). 

What we do not have is many clear, public examples of the following very specific pattern: 

“Attackers compromised a SCADA/DCS/PLC/RTU environment primarily to extract operational data, and then used that data explicitly as targeting intelligence for missiles or other kinetic weapons.” 

That doesn’t mean it hasn’t happened. It does mean: 

  • If it has, it hasn’t been widely or clearly documented in open sources the way Amazon’s AIS/CCTV cases have. 
  • From a non‑hyped standpoint, it’s more honest to treat this as a plausible evolution, not a confirmed trend. 

That’s exactly where Amazon’s framing is useful: it gives us a language and a mental model to ask better questions of our ICS/OT environments and critical infrastructure, without claiming that every plant historian or SCADA HMI is already feeding missile guidance systems. 

 

Why ICS/OT Information Is So Valuable in This Threat Model 

Even if we leave aside direct control, ICS/OT environments are rich sources of structured knowledge about the real world. That’s precisely the kind of information an adversary needs to select high‑value targets and maximize impact in a cyber‑enabled kinetic targeting scenario. 

Think about what a typical industrial control or monitoring environment reveals:  

 

Asset criticality and topology 

One look at a P&ID (piping and instrumentation diagram), asset tree, or SCADA screen tells you which units, lines, or substations are critical, which are redundant, and where single points of failure exist. 

You see feed lines, bottlenecks, storage capacities, and interdependencies. For owners of OT and industrial control systems, identifying these critical assets is exactly where DeRISK™ Cyber Risk Quantification (CRQ) helps by quantifying OT cyber‑physical risks in business terms. 

 

Operating states and constraints 

Historian data shows production rates, load levels, pressure and temperature ranges, and how often the plant operates near critical thresholds. 

Alarm logs reveal chronic weak spots and systems under stress. 

 

Timing and patterns 

ICS trends show when equipment is started, stopped, or cycled. 

Maintenance schedules and planned outages tell you when redundancy is reduced. 

 

Physical layout and safety envelopes 

Engineering drawings and HMI layouts, often stored alongside ICS systems, reveal physical locations of hazardous units, control rooms, and safety systems. 

You can infer where a physical strike would cause a fire, a release, or a cascading outage, versus just a nuisance. 

From a cyber‑enabled kinetic targeting lens, an attacker doesn’t necessarily need to control anything to use this: 

  • They can use ICS/OT data to identify the most valuable parts of a facility: the unit whose loss would stop production, the substation that feeds a critical region, the pipeline segment that creates a choke point. 
  • They can use it to understand what kind of physical damage would matter most: is it worse to hit power, feedstock, storage, or a specific control room? 
  • They can use it to pick timing: striking when the plant is at peak load, or when safety systems are in maintenance, can maximize impact. 

In other words: ICS/OT data is a detailed annotated map of “what matters physically” in your environment. That’s exactly the kind of map a kinetic attacker would love to have—and why OT cybersecurity and ICS security need to take information exposure as seriously as command paths. 

 

Don’t Forget the “Just Sensors”: CCTV, IoT, and Facility Telemetry 

Amazon’s examples both involve what many operators might consider “supporting systems”: 

  • CCTV infrastructure 
  • AIS and related vessel systems 

These may not be SCADA or PLCs, but they are still operational systems that tell you what’s happening in the physical world and shape operational technology risks. 

Inside a facility, there are many similar sensor‑only or IoT systems that could feed a cyber‑enabled kinetic operation: 

 

Video and access control 

Cameras show where vehicles park, how security patrols move, what traffic patterns look like around sensitive assets. 

Badge and access logs show who is on site, when, and in which areas. 

 

Smart building systems 

“Simple” smart lighting, HVAC, and occupancy sensors reveal when areas are staffed or empty, when operations ramp up or down, and sometimes which rooms hold critical staff. 

 

Industrial IoT and condition monitoring 

Vibration, temperature, and acoustic sensors on equipment show which machines are in use, which are critical, and when maintenance is happening. 

Even if an attacker never touches a PLC, they can infer where the heart of the process is. 

 

Logistics and fleet tracking 

GPS‑tracked vehicles, railcars, or barges give a live picture of how materials, fuel, or product move. 

In some sectors, simply knowing where a convoy or shipment is—and where it typically waits—can support kinetic decisions against critical infrastructure. 

None of these systems necessarily grant the ability to cause physical damage directly. But in Amazon’s threat model, they don’t have to. Their value is informational: 

They answer the question: “Where can I hit to cause the most physical effect, at the best time, with the highest chance of success?” 

That’s the same role AIS and CCTV played in Amazon’s case studies. 

 

What Defenders Should Take Away (Without Panic) 

You don’t need a new buzzword to act on this. But Amazon’s framing does suggest a few practical shifts in how we think about OT cybersecurity, ICS security, and SCADA security. 

 

  1. Expand what you treat as “sensitive” OT

Instead of focusing only on systems that can issue control commands (PLCs, RTUs, DCS, SCADA servers), also ask: 

  • Which systems in our environment provide rich visibility into physical operations, locations, and patterns? 
  • If an adversary could silently watch what these systems see, who else could that help them target? 

That list will likely include CCTV, access control, building management, fleet tracking, and various industrial IoT dashboards. 

 

  2. Acknowledge ICS/OT data as a targeting asset

For ICS/OT specifically: 

  • Continue to prioritize protections against direct manipulation of control systems; the history there is real and well‑documented. 
  • At the same time, treat your engineering data, historian trends, HMI views, and asset models as sensitive in their own right, even if they’re read‑only. 
  • Assume that for a determined adversary, just understanding the structure and behavior of your system is valuable. 
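
One way to watch read-only access to that kind of data, as an added example that is not from this post or from Amazon's report: flag any client whose reads go from a broad sweep of many assets to a window dominated by a single asset, the same shift described in the maritime case above. The log layout, client and tag names, and all thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed bucket size
BROAD_MIN_ASSETS = 5           # assumed: "broad" = this many distinct assets in a window
NARROW_SHARE = 0.8             # assumed: "narrow" = one asset gets >= 80% of reads
MIN_EVENTS = 5                 # skip windows with too few reads to judge

def build_sample():
    """Constructed read-only access log: (timestamp, client, asset). Not real data."""
    t0, log = datetime(2025, 1, 1), []
    for day in range(3):       # reporting service reads every tag, every day
        for i in range(8):
            log.append((t0 + timedelta(days=day, hours=i), "svc-report", f"tag-{i}"))
    for i in range(8):         # second client: broad sweep on day 0 ...
        log.append((t0 + timedelta(hours=i), "remote-ws", f"tag-{i}"))
    for i in range(9):         # ... then fixates on one asset on day 2
        log.append((t0 + timedelta(days=2, hours=i), "remote-ws", "tag-3"))
    log.append((t0 + timedelta(days=2, hours=10), "remote-ws", "tag-5"))
    return log

def window_profiles(log):
    """Per client and per time window, count reads of each asset."""
    start = min(ts for ts, _, _ in log)
    prof = defaultdict(lambda: defaultdict(Counter))
    for ts, client, asset in log:
        prof[client][(ts - start) // WINDOW][asset] += 1
    return prof

def narrowing_clients(log):
    """Return {client: (window_index, asset)} for clients with a broad window
    that is later followed by a window dominated by a single asset."""
    flagged = {}
    for client, windows in window_profiles(log).items():
        seen_broad = False
        for idx in sorted(windows):
            counts = windows[idx]
            total = sum(counts.values())
            asset, top = counts.most_common(1)[0]
            if seen_broad and total >= MIN_EVENTS and top / total >= NARROW_SHARE:
                flagged[client] = (idx, asset)
                break
            seen_broad = seen_broad or len(counts) >= BROAD_MIN_ASSETS
    return flagged

if __name__ == "__main__":
    for client, (idx, asset) in narrowing_clients(build_sample()).items():
        print(f"{client}: reads narrowed to {asset} in window {idx}")
```

A client that only ever reads one asset, such as a dedicated dashboard, is not flagged, because the heuristic requires an earlier broad window from the same client.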

For organizations that want to prioritize what matters most, DeNexus DeRISK™ Quantified Vulnerability Management supports risk-based vulnerability management and vulnerability prioritization based on business impact across OT and industrial control systems. 

 

  3. Bridge cyber and physical security conversations

This threat model falls in the gap between traditional silos: 

  • Cyber teams may see a CCTV compromise as an “IT problem.” 
  • Physical security may not realize the cameras could be feeding geopolitical adversaries in real time. 

The right response is joint threat modeling: 

  • Run tabletop exercises where cyber, physical security, and operations look at scenarios like: 
    “Assume an adversary can see everything our cameras and dashboards see, but cannot control anything. What could they do with that information?” 
  • Use those exercises to drive decisions on segmentation, monitoring, and incident response across your OT cybersecurity program and wider industrial cybersecurity posture. 

 

  4. Stay honest about what we know and what’s emerging 

Finally, it’s worth being explicit in how you talk about this with leadership: 

  • We know attackers can and do use cyber means to cause physical damage in ICS/OT. 
  • We know from Amazon’s reporting and other conflicts that attackers are using cyber visibility to enable kinetic operations. 
  • We do not yet have a long list of public examples where ICS/OT control systems are used primarily as targeting sensors for kinetic strikes, but we can see how the same logic could apply. 

That nuance doesn’t weaken the argument; it strengthens your credibility. 

 

Closing Thoughts 

Amazon’s cyber‑enabled kinetic targeting label doesn’t invent a new form of warfare, but it does sharpen our language around something that’s been emerging for a while: cyber as a high‑resolution sensor layer for physical conflict. 

Today, the clearest examples involve CCTV, maritime tracking, and mobile apps. Tomorrow, similar techniques may well be used against industrial environments, where ICS/OT data and facility telemetry provide a detailed map of what matters most. 

The right response is not panic or hype, but a modest expansion of how we think about “critical.” 
If a system helps you understand your physical world in real time, it’s reasonable to assume it could help someone else target that world more effectively too. 

That’s the essence of this new threat model—and it’s something defenders can start planning for today as part of a modern OT cybersecurity and ICS security strategy. 

Ready to go deeper? Explore DeNexus resources, learn more about OT security, and see how DeRISK™ cyber risk quantification can support data‑driven decisions across your industrial control systems. 

 

About DeNexus 

DeNexus specializes in OT/ICS cyber risk quantification for owners and operators of industrial control systems and critical infrastructure. The DeRISK™ platform helps organizations quantify OT cyber‑physical risks and prioritize mitigations based on business impact. Learn more about DeNexus and its approach to industrial cybersecurity and OT security at denexus.io.