Cybersecurity in wartime:
when resilience becomes a variable shaped by external factors
Source: Gartner report “War in the Middle East: An Emerging Cybersecurity Playbook for Geopolitical Conflict”, 16 March 2026
There is one thing geopolitical conflicts do with remarkable precision: they eliminate ambiguity.
They do not necessarily introduce new vulnerabilities, nor fundamentally change the nature of threats, but they place pressure on everything that had been working up to that point — or appeared to be working — forcing organisations to confront a question: what happens when the operating conditions for which our security was designed are suddenly no longer adequate?
The war in the Middle East sits precisely within this context, because it makes it clear that cyber exposure is independent of geography, and that digital dependencies — cloud, vendors, shared infrastructures — can turn a regional event into a global issue.
Resilience, when misinterpreted
For years, the concept of resilience has been associated with redundancy, distribution and operational continuity, often embodied in the promise of the cloud as an environment that is inherently more stable and flexible.
What emerges in an active conflict scenario is something different. When a portion of cloud infrastructure becomes unavailable — for example, because it is located in an affected area such as AWS regions in the UAE and Bahrain — workloads must be moved elsewhere quickly. However, alternatives are neither infinite nor always available, and above all they are constrained by regulatory requirements that often prevent data and services from being transferred beyond defined regulatory boundaries.
In this context, resilience does not disappear, but it ceases to be an attribute guaranteed by architecture and becomes a variable shaped by external factors beyond the organisation’s control.
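To make the point concrete, here is an added example that is not from the article or the Gartner report: a small failover-region selector that shows how a regional outage combined with a data-residency policy can leave a workload with no compliant target. The region codes are real AWS identifiers; the residency groups, the workload policies and the outage set are constructed for illustration.

```python
# Added example (not from the Gartner report or the article): a failover-region
# selector showing why resilience under a regional outage is bounded by data
# residency constraints. Region codes are real AWS identifiers; the workload
# policies, the outage set and the residency groups are constructed.
from dataclasses import dataclass

# Constructed residency groups: the regions a workload may lawfully run in.
RESIDENCY_GROUPS = {
    "middle-east": {"me-central-1", "me-south-1"},      # UAE, Bahrain
    "eu": {"eu-central-1", "eu-west-1", "eu-south-1"},
    "global": {"me-central-1", "me-south-1", "eu-central-1", "eu-west-1",
               "eu-south-1", "us-east-1"},
}

@dataclass(frozen=True)
class Workload:
    name: str
    home_region: str
    residency: str   # key into RESIDENCY_GROUPS
    prefer: tuple    # ordered failover preference, constructed

def choose_failover(workload, unavailable):
    """Return the first allowed, available region, or None if policy leaves no option."""
    allowed = RESIDENCY_GROUPS[workload.residency]
    if workload.home_region not in unavailable:
        return workload.home_region          # no move needed
    for region in workload.prefer:
        if region in allowed and region not in unavailable:
            return region
    return None                              # residency-bound outage: nowhere to go

def plan(workloads, unavailable):
    """Map each workload to its target region; None flags a residency-bound outage."""
    return {w.name: choose_failover(w, unavailable) for w in workloads}

# Constructed scenario: both Gulf regions become unavailable at the same time.
OUTAGE = {"me-central-1", "me-south-1"}
WORKLOADS = [
    Workload("payments", "me-central-1", "middle-east", ("me-south-1", "eu-central-1")),
    Workload("analytics", "me-south-1", "global", ("me-central-1", "eu-west-1")),
    Workload("billing-eu", "eu-central-1", "eu", ("eu-west-1",)),
]

if __name__ == "__main__":
    for name, target in plan(WORKLOADS, OUTAGE).items():
        print(f"{name}: {target or 'NO COMPLIANT REGION AVAILABLE'}")
```

The `payments` workload is the case the text describes: a second in-region alternative exists on paper, but once both regions are down the residency policy forbids the remaining options, so the plan reports no compliant target rather than silently moving data across a regulatory boundary.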
The gap between compliance and actual capability
One of the most evident aspects is the objective gap between formally compliant postures and real operational capabilities — a gap that remains invisible under normal conditions but becomes immediately measurable under stress.
Many organisations have security programmes aligned with recognised frameworks, have successfully passed audits, and have implemented controls.
However, this does not necessarily mean those controls can withstand scenarios where, for example, entire portions of infrastructure are unavailable, decision-making timeframes shrink, and operational pressure increases.
This is where the distinction between compliance and resilience becomes clear: the former demonstrates adherence to a standard, while the latter measures the ability to function when that standard is no longer sufficient.
The illusion of being removed from the problem
Another aspect the document highlights is the perceived isolation — the idea that the lack of a direct presence in a conflict zone significantly reduces exposure.
In reality, the interconnected nature of digital infrastructures makes this distinction increasingly irrelevant, as the impact spreads through the supply chain, cloud services, shared platforms and vendors, creating cascading effects that can affect organisations that are geographically distant but technically dependent on the same ecosystems.
This marks an important shift in how the attack surface should be interpreted: it no longer aligns with what is directly controlled, but rather with the set of operational relationships on which the organisation’s operations depend.
The supply chain
Within this context, reliance on third parties emerges as one of the most critical areas of exposure, not so much due to the presence of specific vulnerabilities, but because of the combination of limited visibility, limited control maturity, and the increasing complexity of supply chains.
The fact that a significant proportion of breaches involve vendors is not an anomaly, but the direct result of a model in which organisations continuously expand their operational perimeter without maintaining equivalent control over its components.
In conflict scenarios, this dynamic is actively exploited, as indirect attacks through the supply chain make it possible to bypass more robust defences and achieve broader impact with relatively little effort.
CPS: a critical but under-governed domain
Alongside this, cyber-physical systems represent another significant area of exposure, often underestimated despite their direct impact on operations.
The issue is not limited to the level of protection, but also to the difficulty of gaining a comprehensive view of the connections, access and dependencies that characterise them, particularly in environments where layered technologies and operational requirements have, over time, led to compromises that are difficult to track.
These systems become high-priority targets during an attack precisely because they enable the disruption of critical processes with immediate and tangible effects, amplifying the impact compared to a purely IT-based attack.
Decision-making as an attack surface
A less obvious, yet equally relevant, aspect concerns how decisions are made. Technologies such as deepfakes, now amplified by GenAI, are making it possible to convincingly impersonate key figures within an organisation, such as executives or authorised decision-makers.
Today, the point of entry is no longer just a vulnerable system, but also an apparently legitimate request: a voice authorising a payment, a message confirming a transaction, a communication that appears to come from a trusted source.
When combined with the use of tools not designed for critical contexts and weak authentication mechanisms, the risk spans both technical and decision-making domains. The attack materialises when someone acts on manipulated information and, during a crisis—when decisions must be made quickly and processes tend to simplify—the scope for deception increases.
From plans to execution capability
All of this points to a central issue: cybersecurity cannot be interpreted as a set of static controls, but must be an operational capability that operates under degraded, uncertain and rapidly changing conditions.
This implies not only adopting more distributed and flexible architectures, but also the need to rigorously test the assumptions on which business continuity plans, recovery strategies and incident response models are based.
We can no longer afford to make assumptions
The assumptions that infrastructure is always available, that suppliers are reliable, that controls function as expected, and that decision-making processes cannot be manipulated are the very foundations on which many organisations have built their cybersecurity strategy. However, when these assumptions no longer hold, cybersecurity ceases to be an exercise in compliance and becomes, in effect, a matter of operational continuity.
At that point, the difference becomes clear between what was designed to function under normal conditions and what is capable of withstanding circumstances in which those normal conditions no longer exist.