The China Hack and the New Front Line: Why Identity is the Only Perimeter Left

60 Minutes revealed China is targeting small utilities. Learn why stolen login credentials—not firewalls—are the true threat & why your security needs zero-trust identity.

Justin Dolly

Chief Customer and Security Officer

Oct 27, 2025

Last week, I watched an informative segment on 60 Minutes titled “The China Hack,” and as someone deeply immersed in identity, security and global-scale deployments at Ory, it was obvious to me that there are clear lines between what they revealed and what we are trying to solve.

The show reported what many of us who live in this security world have known for a long time. Adversaries connected with the People’s Republic of China have been systematically targeting U.S. critical infrastructure: not just the traditional top-tier targets, but even small local utilities. For example, a town in Massachusetts (population ~10,000) was told by the FBI that its water and electrical utility network had been breached and monitored by these nation-state actors.

Here are some key take-aways and how they map directly to identity protection:

Identity is the new perimeter

In the 60 Minutes segment, it was revealed that the hackers didn’t immediately deploy destructive malware. Instead, they penetrated the network, stole login credentials, “masqueraded as a legitimate employee” and lay dormant...waiting for the right moment to act. Security professionals know that this is typical behavior for nation-state actors, but the general public may not, and may assume that attackers who gain unauthorized access to a network such as a utility's would do immediate harm.

What does that mean for us in identity and access management (IAM)? It means the weakest link isn’t always “the network” in the sense of the firewall or another device; it is the human identity, the account, the credential that grants access. At Ory, we’ve long believed that identity has to be first-class security. The story on 60 Minutes just underlines how identity is now the gateway to everything...not just intellectual property, credit cards and confidential data, but also water, power and transport.

When an adversary quietly “becomes” a legitimate user, they bypass many of the layers that traditional perimeter security likes to highlight as effective.


Small towns, big risks... identity doesn’t discriminate

The Massachusetts town example stood out: 10,000 residents. Not a military base, not a major federal supplier, yet still successfully targeted. “If you are willing to go after a small water provider … what other target is off the list?” asked General Tim Haugh, former Director of the National Security Agency.

From Ory’s vantage point, this is a critical message for our customers: You don’t have to be a Fortune 500 company to be a meaningful target. Identity systems in smaller organizations, municipalities and niche services are all in play. The entry point of identity scales down as well as up.

We must stay vigilant that the identity infrastructure we build works equally for the enterprise as for the leanest team, because attackers will go where the access is weakest. This is one of the reasons that when using Ory, you have the flexibility to roll out a small modular deployment to solve a specific niche need, as well as a full-blown enterprise deployment: on-premises, in your own Virtual Private Cloud (VPC) or via our SaaS Cloud.


Infrastructure is only as strong as the identities that access it

The clip showed how control of the water treatment plant’s chemical dosing tanks would’ve meant that the attackers could “poison the water”.

Let’s apply that to our domain: When identity is compromised, all the downstream systems, APIs, devices and workflows become vulnerable. At Ory, when we talk about identity infrastructure, we’re not just talking about login screens and tokens... we’re talking about the trust fabric that underpins access to services, databases and systems. If that fabric is weak, adversaries can pivot from digital identity to physical (and potentially devastating) real-world consequences.

Because identity is what governs access (who becomes whom, where they go, what they do), it is the fulcrum upon which all things balance.


The case for “zero-trust identity” gets louder

From the 60 Minutes segment: The hackers weren’t doing flashy things at first; they were gaining persistent access and lying in wait. General Haugh put it bluntly: “It is much more consuming to try to get somebody out of a network than to deny them access.”

For security professionals this translates into a clear mandate: don’t assume any network is safe. Don’t assume a user once logged in is to be eternally trusted. Don’t assume credentials haven’t been phished or compromised. Identity has to be verified continuously, access has to follow the concept of 'least-privilege', tokens should be short-lived, sessions segmented, and privileges tightly controlled.

Ory is built for this: robust identity infrastructure, fine-grained access controls, anomaly detection around environmental and user behavior. Because if identity is the gateway, we need to harden it like we would a vault door or risk granting access to the entire water supply.


Identity isn’t just about “users” anymore, it’s about devices, services, and trust relationships

The show focused on login credentials and masquerading employees. But the implications for our space are broader: Modern systems are composed of services calling services, devices authenticating, microservices granting access to APIs, and, most recently, AI agents acting on behalf of humans. Identity is everywhere.

For Ory, part of the mission is to recognize that we don’t just protect human users; we protect the identity of a machine-to-machine call, an IoT device, an AI agent, a backend service. And that’s precisely where attackers will move: they’ll bypass human-facing UIs, find a vulnerable service identity, escalate privileges, and cross the bridge from digital access to physical consequences.


Why identity protection is no longer optional... it’s foundational

At Ory, I see every day how identity systems are the backbone of modern security. The 60 Minutes episode reminds us: when identity is weak, even what seems like a minor risk (a small-town utility) becomes a national security issue. When adversaries exploit identity, they can weaponize our own trusted infrastructure against us. Therefore:

  • Invest in identity infrastructure as a strategic asset, not a checkbox
  • Ensure identity lifecycle (onboarding, off-boarding, privilege changes) is managed rigorously
  • Embrace fine-grained access, continuous verification, zero-trust assumptions
  • Extend identity protection to services, devices, agents, APIs...not just users
  • Enable observability of identity events so you can detect bad actors "hiding in plain sight" (masquerading as an employee) early

At Ory, we’re committed to making identity infrastructure scalable, reliable, and secure so that organizations don’t wake up one morning to an alert that “the water supply was accessed by a bad actor using valid credentials”.

Let’s treat identity as the frontline of defense because the water, the power, and the lives downstream depend on it.