First failure, lack of network segmentation between the IT and OT networks.

The attackers were able penetrate the IT portion of the facility’s network, and then move beyond that to eventually infiltrate the control and communication assets on the operational technology (OT) side of the house.

Second failure:

The facility admitted that its disaster recovery plans only included physical emergency scenarios, not cyber-related attacks.