When software defences can’t keep pace with AI-driven threats

By Michael Vallas, Global Technical Principal at Goldilock Secure

When a major UK retailer detected a cyberattack last year, its security team “pulled the plug” to cut connectivity to core systems instead of relying solely on software controls. This stopped the attack before it could escalate, greatly limiting its spread. As a result, the company sidestepped weeks of downtime and the financial fallout that other organisations have suffered in similar breaches.   

That break-glass decision to unplug systems demonstrates a growing reality in cybersecurity. Software defences continue to be essential, yes, but they struggle to keep up with new attack classes and AI-fuelled threats. Automated malware, projected to account for up to 50% of all threats, moves in novel and stealthy ways, testing defences in real time and adapting faster than human security teams can respond.

This forces organisations to rethink a core belief of modern security architecture: that connectivity should always be on. Increasingly, resilience depends on the ability to interrupt threats, with certainty.  

The ability to physically connect and disconnect networks on demand fundamentally reshapes protection strategies. 

Autonomous threats exploit digital-only strategies 

The answer isn’t as simple as fighting fire with fire and adopting AI defences. Traditional malware operates from fixed rules. As attackers shift to AI-powered techniques, an organisation’s software-based controls, regardless of their sophistication, remain exposed because they exist in the same digital realm that attackers operate in.

In industrial settings, where uptime is non-negotiable, this increases vulnerability. Once-isolated OT systems are now routinely connected to cloud platforms and IT networks. This boosts efficiency but expands the attack surface.

Reactive tools can’t ensure containment by themselves. For industrial operators, failure to isolate a breach right away can result in total production shutdowns and devastating financial and safety consequences. 

Precision through physical network isolation  

If you can’t fight fire with fire, what about implementing a ‘firebreak’? Physical network isolation has re-emerged as a deliberate control that tackles the weaknesses at the heart of software-only strategies. It creates a physical break in connectivity that teams can instantly trigger. Instead of systems staying permanently online or offline, they shift between defined states based on risk and allow proactive defences the opportunity to work.   

During normal operations, connectivity stays active. When a threat is detected or suspected, operators can instantly cut that connection, isolating compromised segments before attackers move laterally. Backup and recovery environments stay physically out of reach until they’re needed. 

This ensures that a compromise in one domain can’t spread, keeping your critical assets safe.  

The timeline makes this urgent: research reveals that breaches take an average of 241 days to identify and contain, yet autonomous threats operate at machine speed. They test multiple entry points and chain actions across systems without human oversight. 

By the time an alert is reviewed, validated and escalated through internal processes, an intrusion may already have moved laterally or even reached backup environments. The gap between detection and decision-making is where automated attacks get the upper hand. 

Going back to our example of industrial settings to show how critical this can be, a ransomware attack that disables plant monitoring systems can not only stop revenue-generating operations for weeks but also expose the organisation to fines under critical infrastructure regulations. Where every hour of downtime carries a high cost, delay is untenable. Choosing controlled isolation at the precise moment can prevent far more severe disruption to facilities, systems or production infrastructure. 

Because isolation controls sit outside the digital domain malware operates within, they can’t be disabled or tampered with from a compromised environment. When security teams rely only on digital defences, they’re forced to fight on the attacker’s terms. In contrast, physical isolation lets defenders dictate an attack’s boundaries; even if malicious parties bypass software controls, the infrastructure itself becomes the final barrier. 

From an attacker’s perspective, the path they want to exploit is no longer available.  

Implementation without disruption 

Adopting physical isolation doesn’t mean ripping out and replacing your entire infrastructure. Start with the systems that are most exposed and most critical to operations. Isolation controls can be phased in gradually, allowing you to tackle the segments with the highest risk and value first and build momentum from there. Then you can expand across the wider organisation. Over time, this creates a strong structural containment layer, dramatically reducing the possibility of enterprise-wide breaches.  

As the technology is introduced, teams define clear procedures and decision-making processes, so that cutting connectivity becomes a deliberate risk-management choice rather than a last-minute reaction.
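The phased rollout and the documented break-glass procedure described in this section, as an added example that is not Goldilock's code and does not appear in the article. The segment names, scores, adjacency map and phase size are constructed; the risk score (exposure times criticality) and the rule that an isolation needs a recorded trigger and approver are assumptions chosen to make the ordering and the decision explicit. The blast-radius walk shows, on the constructed topology, how a physical break on one segment stops lateral movement from reaching the rest.

```python
"""Model of a phased physical-isolation rollout and a break-glass decision log.

Added illustration only: segment names, scores and the adjacency map are
constructed, and the scoring and approval rules are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Link(Enum):
    CONNECTED = "connected"
    ISOLATED = "isolated"


@dataclass
class Segment:
    name: str
    exposure: int          # 1-5: how reachable from IT, cloud or the internet
    criticality: int       # 1-5: operational and safety impact if compromised
    link: Link = Link.CONNECTED

    @property
    def risk(self) -> int:
        # Assumed score: exposure x criticality, used only to order the rollout
        return self.exposure * self.criticality


def rollout_phases(segments, phase_size=2):
    """Rank segments by risk (highest first, name as tie-break) and chunk them
    into rollout phases, so the most exposed and most critical get a physical
    break first and the programme expands outward from there."""
    ranked = sorted(segments, key=lambda s: (-s.risk, s.name))
    return [[s.name for s in ranked[i:i + phase_size]]
            for i in range(0, len(ranked), phase_size)]


class IsolationError(Exception):
    pass


@dataclass
class IsolationController:
    """Every state change is recorded with who triggered and approved it, so a
    disconnect is a documented risk decision rather than an ad-hoc reaction."""
    segments: dict
    audit: list = field(default_factory=list)

    def isolate(self, name, trigger, approved_by):
        if not trigger or not approved_by:
            raise IsolationError("isolation needs a recorded trigger and approver")
        seg = self.segments[name]
        seg.link = Link.ISOLATED
        self.audit.append(("isolate", name, trigger, approved_by))
        return seg.link

    def reconnect(self, name, cleared_by):
        # Reconnection is the riskier direction: require incident-response sign-off
        if not cleared_by:
            raise IsolationError("reconnect needs incident-response clearance")
        seg = self.segments[name]
        seg.link = Link.CONNECTED
        self.audit.append(("reconnect", name, cleared_by))
        return seg.link

    def blast_radius(self, start, adjacency):
        """Segments a compromise in `start` could still reach, walking only
        through links that are physically connected (breadth-first search)."""
        if self.segments[start].link is not Link.CONNECTED:
            return set()
        seen, frontier = set(), [start]
        while frontier:
            cur = frontier.pop()
            for nxt in adjacency.get(cur, []):
                if nxt == start or nxt in seen:
                    continue
                if self.segments[nxt].link is Link.CONNECTED:
                    seen.add(nxt)
                    frontier.append(nxt)
        return seen


def build_segments():
    """Constructed inventory: backup vault stays physically offline by default."""
    return [
        Segment("it-office", exposure=5, criticality=2),
        Segment("historian", exposure=4, criticality=4),
        Segment("plc-line-1", exposure=2, criticality=5),
        Segment("backup-vault", exposure=1, criticality=5, link=Link.ISOLATED),
    ]


def build_adjacency():
    """Constructed topology: the historian sits between IT and the plant."""
    return {
        "it-office": ["historian"],
        "historian": ["it-office", "plc-line-1", "backup-vault"],
        "plc-line-1": ["historian"],
        "backup-vault": ["historian"],
    }


if __name__ == "__main__":
    segs = build_segments()
    print("rollout phases:", rollout_phases(segs))
    ctl = IsolationController({s.name: s for s in segs})
    adj = build_adjacency()
    print("before cut:", ctl.blast_radius("it-office", adj))
    ctl.isolate("historian", trigger="suspected intrusion", approved_by="ot-duty-manager")
    print("after cut:", ctl.blast_radius("it-office", adj))
```

Run as a script, it prints the two-phase order, then shows the reachable set from the IT segment shrinking to nothing once the historian link is cut.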

Anticipating the next wave of industrial threats 

As attacks evolve and grow more autonomous, exploiting human behaviour and process gaps as much as code-level weaknesses, software defences on their own are no longer enough. The global average cost of a breach today is $4.44 million. When downtime hits operational and financial performance, escalation becomes existential.

Physical network isolation and segmentation in the form of network firebreaks gives organisations something software alone can’t: control. It enables them to determine how far compromise can travel, even if digital defences fail. Instead of reacting within the attacker’s chosen environment, they pre-emptively define the limits of exposure.  

The ability to connect and disconnect provides a safeguard that still works when digital tools are compromised. For industrial organisations, this is transitioning from enhancement to necessity. As attacks grow more automated, the organisations that can cut exposure in seconds will be the ones that avoid devastating shutdowns. 
