Why Are People Entering NYC’s Sewers at Night?

Reports of individuals entering New York City’s sewer system at night have left people intrigued and confused, and law enforcement is now investigating the matter. According to ABC News, security cameras captured at least three instances in which groups of people entered or exited the sewer system via street maintenance holes in Queens and Brooklyn.
One video showed a group of approximately five to 10 individuals, with some wearing headlamps or carrying shovels, exiting a maintenance hole in the middle of an intersection with passing cars. Another displayed a group of similar size exiting a maintenance hole in the Gravesend neighborhood of Brooklyn, then approaching parked cars and retrieving fresh clothes to change into. Law enforcement estimates the group may have stayed in the sewers for three hours.
After an inspection by the city’s Department of Environmental Protection, the agency determined there has been no damage to the sewer’s infrastructure. The investigation remains ongoing.
Security Leaders Weigh In
Ronald Lewis, Head of Cybersecurity Governance at Black Duck:
The reporting around individuals accessing New York City’s sewer system is concerning. These environments are often monitored by decades-old sensor infrastructure and lack meaningful physical security controls, creating a dangerous blind spot in critical infrastructure defense.
If these intrusions are being conducted by a well-resourced, potentially nation-state-backed group, the pattern of repeated access is unlikely to be incidental. It points to a deliberate campaign: mapping targets, probing network boundaries, testing signals, and refining tools to exploit weaknesses in operational technology (OT) environments.
What makes this especially concerning is how these systems are interconnected. Sewer monitoring networks often share architecture with water treatment systems, creating a pathway across the Purdue model, from lower-layer access points through to higher-level control systems. In a worst-case scenario, an actor could move laterally through these networks, ultimately gaining access to core operational layers.
For defenders, this underscores a critical gap: environments that are physically hard to monitor are often digitally under-defended. Software security leaders and OT practitioners must treat these edge environments as high-risk entry points by strengthening visibility, segmentation, and anomaly detection across all layers of infrastructure.
Jeff Macre, Principal OT Security Solutions Architect at Darktrace:
Many legacy operational technology (OT) systems continue to run on outdated hardware and software that do not receive regular security patches, which makes them highly susceptible to cyber-attacks. In addition, more legacy OT systems are becoming connected to the internet as organizations increasingly focus on IT-OT convergence initiatives. While the business benefits of cross IT-OT connectivity are plentiful, including improved production efficiency, maintenance and scaling, it does significantly expand organizations’ attack surfaces. Threat actors often infiltrate IT networks first, then exploit segmentation, compromised credentials, or shared IT/OT systems to move laterally, escalate privileges, and ultimately enter OT systems.
Maintaining accurate, real-time visibility is one of the core challenges organizations face when trying to secure legacy OT systems. Many existing tactics, such as traditional rule-based methods, create a host of false positives and fail to detect subtle changes in OT environments such as unusual device behavior or network traffic, which can help identify early indications of an attack. The good news is that AI is already making a positive security impact across OT systems with the ability to learn the unique network communication patterns of each device within these environments to accurately detect potential threats and reduce the volume of false positives. The human element also remains a weak link. Many legacy OT operators lack cybersecurity training, and there’s a significant shortage of OT-specific security expertise. This makes it harder to identify and respond to threats in real time.
Attacks on OT show no sign of slowing down. As organizations grapple with this, and the ongoing shortage of skilled security professionals, AI will provide a more efficient and effective approach to OT threat detection and incident response. AI boasts the potential to revolutionize cybersecurity across legacy OT systems with minimal disruption. AI can learn the unique network communication patterns of legacy OT environments, and unsupervised ML can detect anomalies in real time, unearthing even the smallest behavioral changes. This approach makes monitoring more accurate and reduces the volume of false positives. To realize the full potential of AI in OT security, there are several key skills OT teams must develop before working with AI security systems. These include understanding industrial protocols, interpreting behavioral anomalies, and contextualizing alerts within operational workflows. Basic data analysis and system administration skills also help manage and tune AI, ensuring that it aligns with specific environments.
With the ongoing convergence of IT and OT systems, it is also vital that organizations look to deploy platforms that can secure both IT and OT environments to avoid possible disruptions to operations. This will enable teams to better collaborate and develop an understanding of every point of convergence between their IT/OT environments. With the help of AI, IT and OT teams can use automated alerts and insights to educate one another about what constitutes “normal” activity across their environments and use this enhanced clarity to identify possible security gaps as well as make more informed decisions around their incident response and security strategies.
For organizations to stay ahead of rising threats to OT, breaking down silos, integrating AI-powered tools, and shifting to proactive strategies is the key to creating resilient, secure OT environments.
Darren Guccione, CEO and Co-Founder at Keeper Security:
Cybersecurity and physical security intersect frequently, especially in access control and device management. Physical security vulnerabilities can create pathways for cyberattacks - for example, unauthorized physical access to servers, workstations or network infrastructure can allow attackers to bypass digital security measures entirely. Similarly, compromised digital credentials can be used to gain physical access through connected security systems.
To mitigate these risks, modern organizations are adopting integrated strategies that align physical and digital security policies. This includes implementing centralized access management that provides unified visibility and control over who can access what, whether it’s a physical facility, a server or a cloud application. Strong authentication, role-based permissions and real-time monitoring help ensure that compromised credentials or insider misuse cannot easily escalate into broader breaches.
This convergence is essential because a weakness in either physical or cyber defenses can compromise the entire security posture of an organization. By unifying security policies and controls, organizations can detect and respond to threats more effectively, reduce the risk of insider attacks and maintain consistent enforcement of the principle of least privilege across all environments.
John Gallagher, Vice President at Viakoo:
The shift by malicious hackers to target IoT/OT devices has brought new requirements to the lines of business in industries such as manufacturing, healthcare, physical security, facilities, etc. As threats become more cyber-physical in their impact, faster incident response and forensics will drive employers to recruit security professionals who can operate outside the traditional IT space.
Organizations that operate critical infrastructure must ensure that all parts of their operations, especially vulnerable IoT/OT devices, have a solid foundation of cyber hygiene, including firmware patching, password rotations, certificate management, etc., as well as plans to reduce the impact of an attack on operations. Especially in critical infrastructure, where there is a heavy dependence on IoT/OT systems, making sure there is a way to quickly remediate and repatriate systems after a cyber-attack will help to minimize the damage and restore public trust.
Jody Russell, Senior Solutions Engineer at Ambient.ai:
Everyone is asking who went into the sewers. The better question is why it took weeks, and viral videos, for anyone to find out. The footage existed from day one, but footage that gets reviewed days later isn’t security. It’s archaeology.
It happens because physical security still operates as an investigative function. Cameras record so that someone can reconstruct an incident after the fact. Critical access points to critical infrastructure should be video monitored, and many already are. But no human operator can stare at video 24/7. The National Institute of Justice found operators lose about 95% of their attention on video monitors after just 20 minutes. So no matter how many cameras you install, events get missed in the moment they happen.
This is exactly the gap AI designed for physical security can close. AI can watch every feed continuously, understand the context of what it sees, and assess behavior and intent in real time: distinguishing a utility crew on a scheduled job from an unidentified group with headlamps descending into an access point at 2 a.m. It can flag the event in seconds and put it in front of a human operator while there is still time to respond, or to prevent the next entry entirely. That shifts security from documenting incidents to preventing them. What happened under New York is what it looks like when that gap stays open.
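The point above, that an entry at an access point should be triaged at the moment it happens against what is scheduled to happen there, can be shown as plain correlation logic. The following is an added example, not code from the article or from any vendor quoted in it; the camera events, work orders and the 22:00-06:00 after-hours window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (not from the article): camera-detected entries at
# sewer access points, and the maintenance work orders that would authorize them.
@dataclass
class AccessEvent:
    camera: str
    location: str
    at: datetime
    people: int
    headlamps: bool

@dataclass
class WorkOrder:
    location: str
    start: datetime
    end: datetime
    crew: str

WORK_ORDERS = [
    WorkOrder("Queens-Intersection-12", datetime(2025, 3, 4, 9, 0),
              datetime(2025, 3, 4, 15, 0), "utility crew A"),
]

EVENTS = [
    AccessEvent("cam-q12", "Queens-Intersection-12", datetime(2025, 3, 4, 10, 30), 4, False),
    AccessEvent("cam-b07", "Brooklyn-Gravesend-07", datetime(2025, 3, 5, 2, 10), 8, True),
    AccessEvent("cam-q12", "Queens-Intersection-12", datetime(2025, 3, 6, 1, 45), 6, True),
    AccessEvent("cam-b07", "Brooklyn-Gravesend-07", datetime(2025, 3, 5, 14, 0), 1, False),
]

AFTER_HOURS = (22, 6)  # assumed policy window: 22:00 to 06:00 local time

def matching_order(event, orders):
    """Return the work order that covers this location and time, or None."""
    for wo in orders:
        if wo.location == event.location and wo.start <= event.at <= wo.end:
            return wo
    return None

def is_after_hours(ts):
    start, end = AFTER_HOURS
    return ts.hour >= start or ts.hour < end

def triage(event, orders=WORK_ORDERS):
    """'scheduled' if a work order covers it; 'alert' for an unscheduled
    after-hours group or headlamp-equipped entry; otherwise 'review'."""
    if matching_order(event, orders) is not None:
        return "scheduled"
    if is_after_hours(event.at) and (event.people >= 2 or event.headlamps):
        return "alert"
    return "review"

def triage_all(events=EVENTS, orders=WORK_ORDERS):
    """Decide each event as it arrives, so alerts reach an operator immediately."""
    return [(e.camera, e.at.isoformat(), triage(e, orders)) for e in events]
```

The decision is made per event at ingest time; the same rule applied to a week-old archive would only confirm what the footage already shows.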