What is a Zero-day?
A Zero-day is a vulnerability in software or hardware that is not yet known to the vendor, and for which no patch or mitigation is yet available. The name refers to the fact that the vendor has had “zero days” to respond to the threat.
Zero-days are particularly dangerous in OT environments because systems often run for long periods without updates or monitoring.
🎯 Characteristics of Zero-days
| Property | Explanation |
|---|---|
| Unknown to the vendor | No official patch or mitigation available |
| Often actively exploited | Used by attackers before discovery by defensive teams |
| Hard to detect | Evades standard signature-based detection |
| High risk | Often used in APT campaigns or supply chain attacks |
🧠 Examples in an OT context
| Vulnerability | Impact on industrial systems |
|---|---|
| Zero-day in a PLC web interface | Remote code execution with access to machine control |
| Vulnerability in HMI firmware | Manipulation of operator information without logging |
| Stuxnet-like exploits | Abuse of zero-days in Windows and Siemens WinCC/Step7 |
| Zero-day in a remote access appliance | Full access to the OT network via RDP/VPN |
🔐 Detection and mitigation
| Measure | Explanation |
|---|---|
| Anomaly detection | Heuristic or behaviour-based detection rather than signatures |
| Threat Intelligence feeds | Real-time alerts about active zero-day exploits |
| SBOM and asset tagging | Quick analysis of whether vulnerable components are present |
| Application Whitelisting | Only approved binaries may run |
| Patch management | Patch quickly as soon as a fix becomes available |
| Network segmentation | Limits attackers’ lateral movement within the OT network |
| Incident Response Plan | Procedures ready for temporary mitigation or isolation |
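A worked illustration of the "SBOM and asset tagging" measure above, added here and not part of the original page: it checks a constructed CycloneDX-style SBOM, in which each component carries a property naming the OT asset it runs on, against a constructed advisory with an affected version range, so a defender can list which assets need a temporary mitigation before a patch exists. Component names, versions, the `asset` property and the advisory are assumptions for illustration only.

```python
"""Check a tagged SBOM inventory against an advisory's version range.

Assumed layout: a CycloneDX-style JSON document whose components carry a
'properties' entry tagging the OT asset they were inventoried on. All names,
versions and the advisory below are constructed, not real products or CVEs.
"""
import json

# Constructed SBOM: two PLC web interfaces and one HMI runtime, asset-tagged.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "plc-webui", "version": "2.3.1",
     "properties": [{"name": "asset", "value": "PLC-LINE1"}]},
    {"name": "plc-webui", "version": "2.5.0",
     "properties": [{"name": "asset", "value": "PLC-LINE2"}]},
    {"name": "hmi-runtime", "version": "7.1.0",
     "properties": [{"name": "asset", "value": "HMI-CONTROLROOM"}]}
  ]
}
'''

# Constructed advisory: plc-webui versions >= 2.0.0 and < 2.4.0 are affected.
ADVISORY = {"component": "plc-webui", "introduced": "2.0.0", "fixed": "2.4.0"}


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    """True if version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def affected_assets(sbom_json, advisory):
    """Return sorted (asset, component, version) triples that match the advisory."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name") != advisory["component"]:
            continue
        if not is_affected(comp["version"], advisory):
            continue
        tags = {p["name"]: p["value"] for p in comp.get("properties", [])}
        hits.append((tags.get("asset", "untagged"), comp["name"], comp["version"]))
    return sorted(hits)


if __name__ == "__main__":
    for asset, name, version in affected_assets(SBOM_JSON, ADVISORY):
        print(f"{asset}: {name} {version} is within the affected range")
```

Without the asset tag the SBOM only tells you that a vulnerable version exists somewhere; the tag is what turns the match into a concrete isolation or monitoring action for a named device.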
🔁 Zero-day vs. N-day
| Type | Description |
|---|---|
| Zero-day | Not yet public or patched |
| N-day | Publicly known, patch available (but possibly not installed) |
Many attacks still exploit N-day vulnerabilities because patching in OT is carried out slowly or only to a limited extent.
📌 In summary
Zero-days are invisible threats that can hit any system — no matter how ‘up to date’ it appears. For OT environments, this means that patching alone is not enough: you also need visibility, segmentation, monitoring and policy.
