When IT Fails, Operations Technology Suffers

▼ Summary
– State groups, criminal crews, and hybrid operators are using IT entry points like mail systems and endpoints to target industrial systems, avoiding hardened controllers.
– Manufacturing (41.5%) and transportation/shipping (27.6%) were the most targeted sectors due to their reliance on integrated systems and high disruption impact.
– State-backed groups like Sandworm and TEMP.Veles dominate OT risks, using destructive tools and targeting energy, telecom, and safety systems for strategic disruption.
– Ransomware groups like Qilin are adapting to OT environments by encrypting shared engineering resources to cause operational delays and increase leverage.
– Attackers exploit weak segmentation using techniques like PowerShell and Cobalt Strike, then shift to industrial protocols to blend malicious commands with legitimate traffic.
Modern industrial operations face a significant cybersecurity challenge: attacks on traditional IT infrastructure directly threaten critical operational technology (OT) systems. According to Trellix's recent threat intelligence, state-sponsored actors, criminal organizations, and hybrid threat groups are systematically exploiting conventional IT entry points to compromise industrial control environments. This convergence creates substantial risks for manufacturing, energy, transportation, and other vital sectors.
The manufacturing sector represented over 41% of detected incidents, while transportation and shipping accounted for nearly 28%. Utilities, energy production, and aerospace and defense organizations comprised most remaining cases. These industries prove particularly attractive targets because they rely heavily on integrated industrial systems where operational disruptions create immediate and severe consequences.
Attackers consistently bypass hardened industrial controllers, instead targeting standard business systems like email servers, perimeter gateways, and endpoint devices. These IT assets frequently sit in, or have trusted connections into, the Purdue Level 4 (enterprise) and Level 3 (site operations) zones, providing attackers with indirect pathways into sensitive industrial networks.
State-backed operations continue posing the most sophisticated OT threats, with the Sandworm group responsible for approximately one-third of documented intrusions in recent years. During the reporting period, this group concentrated on Ukrainian energy and telecommunications infrastructure, deploying Industroyer2 malware to manipulate substation operations alongside wiper tools designed to hamper recovery efforts. Their activities demonstrate a deliberate strategy to coordinate cyber attacks with physical conflict timelines.
Another persistent threat, TEMP.Veles (also known as XENOTIME), maintains its position as the most advanced adversary targeting safety instrumented systems. The group’s history includes the notorious TRITON attack framework that attempted to modify safety controller logic. Recent reconnaissance activities suggest continued interest in energy and chemical sector organizations, with particular focus on engineering workstations and safety networks that could provide strategic access for future operations.
Iranian groups APT33 and APT34 have expanded their activities beyond espionage to include destructive capabilities. Both groups target aviation, petrochemical, and government networks using credential theft, web infrastructure exploitation, and wiper deployment. This evolution indicates a shift toward coercive tactics that combine data theft with operational disruption.
Ransomware operators increasingly understand industrial dependencies and leverage this knowledge for greater impact. The Qilin group has conducted 63 confirmed attacks against industrial organizations since mid-2024, specifically targeting energy distribution and water utility providers. Their use of both Windows and Linux payloads enables broader reach within mixed IT-OT environments. Several incidents involved encryption of shared engineering resources and historian systems, creating operational delays even when industrial controllers remained unaffected.
This trend highlights how financial motives are merging with OT-aware methodologies. Ransomware groups recognize that operational disruption increases their leverage during negotiations, prompting them to adapt their tools to target systems positioned at the IT-OT boundary.
Attackers consistently exploit weak network segmentation using techniques that bridge IT and OT environments. PowerShell activity constituted the largest portion of detections, followed by Cobalt Strike frameworks. These findings indicate adversaries rarely require industrial control system-specific exploits during initial compromise phases. Instead, they rely on stolen credentials, remote access tools, and administrative shares to navigate toward engineering assets.
Once inside appropriate network segments, attackers transition to industrial protocols including Modbus, DNP3, and IEC 61850. These protocols carry no authentication of their own, so a malicious write or control command is indistinguishable on the wire from a legitimate one; defenders who lack continuous monitoring of process-level communications, and who have not baselined which hosts are permitted to issue writes rather than read polls, will not see it. Sophisticated operators then deploy specialized tools like Industroyer for power distribution systems or TRITON for safety controllers.
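The two preceding paragraphs describe a failure of segmentation (enterprise-zone hosts reaching engineering assets) followed by commands that hide inside normal industrial traffic. The following is an added example, not code from the Trellix report or the HelpNet Security article: a small Modbus/TCP inspector that parses the MBAP header and PDU, separates read polls from state-changing writes, and alerts when a write (or a remote-restart diagnostic) comes from a host that is not an authorized writer. The zone layout, IP addresses, authorized-writer set and sample frames are all constructed for the demo; a real deployment would take frames from a span port or packet capture rather than an inline list.

```python
"""Flag Modbus/TCP write requests from hosts not authorized to change process state.

Added example (not from the Trellix report or the HelpNet Security article).
Zone layout, addresses and sample frames below are constructed for the demo.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# Assumed (hypothetical) layout: Level 2/3 hosts in 10.10.3.0/24, enterprise
# (Level 4) hosts in 10.10.4.0/24. Only the EWS and the HMI may issue writes.
OT_ZONE = ipaddress.ip_network("10.10.3.0/24")
AUTHORIZED_WRITERS = {"10.10.3.10", "10.10.3.5"}   # EWS, HMI (assumed)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse MBAP header (7 bytes) + PDU. Raises ValueError on malformed frames."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(payload) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def describe_write(req: ModbusRequest) -> str:
    """Decode the target of a write so an analyst can see what was changed."""
    fc, d = req.function_code, req.data
    if fc in (5, 6) and len(d) >= 4:
        addr, value = struct.unpack(">HH", d[:4])
        return f"address {addr} value 0x{value:04X}"
    if fc in (15, 16) and len(d) >= 5:
        addr, qty, nbytes = struct.unpack(">HHB", d[:5])
        return f"start {addr} count {qty} ({nbytes} data bytes)"
    return "unparsed write payload"


def alert(severity: str, src: str, dst: str, reason: str) -> dict:
    return {"severity": severity, "src": src, "dst": dst, "reason": reason}


def evaluate(src_ip: str, dst_ip: str, payload: bytes) -> Optional[dict]:
    """Return an alert dict for a suspicious request, None for a benign one."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return alert("medium", src_ip, dst_ip, f"malformed Modbus/TCP: {exc}")
    fc = req.function_code
    if fc in WRITE_FUNCTIONS:
        if src_ip in AUTHORIZED_WRITERS:
            return None
        zone = "OT zone" if ipaddress.ip_address(src_ip) in OT_ZONE else "outside OT zone"
        return alert("high", src_ip, dst_ip,
                     f"{WRITE_FUNCTIONS[fc]} (FC {fc}) from unauthorized host "
                     f"({zone}): {describe_write(req)}")
    if fc == 8:  # Diagnostics; sub-function 1 forces a restart of communications
        sub = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else None
        if sub == 1 and src_ip not in AUTHORIZED_WRITERS:
            return alert("high", src_ip, dst_ip, "Diagnostics restart (FC 8 sub 1)")
        return None
    if fc in READ_FUNCTIONS or fc == 43:  # reads and device identification
        return None
    return alert("low", src_ip, dst_ip, f"unexpected function code {fc}")


def mbap(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Build an MBAP header around a PDU (used only to construct sample frames)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample flows: (src, dst, payload). The PLC is 10.10.3.50.
SAMPLE_FLOWS = [
    ("10.10.3.5", "10.10.3.50", mbap(1, b"\x03" + struct.pack(">HH", 0, 10))),    # HMI poll
    ("10.10.3.10", "10.10.3.50", mbap(1, b"\x06" + struct.pack(">HH", 40, 1200))),  # EWS setpoint
    ("10.10.4.25", "10.10.3.50", mbap(1, b"\x10" + struct.pack(">HHB", 40, 2, 4) + b"\0\0\0\0")),  # L4 host write
    ("10.10.3.99", "10.10.3.50", mbap(1, b"\x05" + struct.pack(">HH", 3, 0xFF00))),  # unknown OT host
    ("10.10.4.25", "10.10.3.50", mbap(1, b"\x08" + struct.pack(">HH", 1, 0))),      # L4 host restart
    ("10.10.3.5", "10.10.3.50", struct.pack(">HHHB", 1, 7, 6, 1) + b"\x03\0\0\0\x0a"),  # bad proto id
]


def run(flows=SAMPLE_FLOWS) -> list:
    """Evaluate each flow and return only the alerts, in input order."""
    return [a for a in (evaluate(*f) for f in flows) if a]


if __name__ == "__main__":
    for a in run():
        print(a["severity"].upper(), a["src"], "->", a["dst"], a["reason"])
```

Of the six constructed flows, the HMI poll and the engineering-workstation setpoint write pass; the two writes and the restart diagnostic from non-authorized hosts, and the frame with a bad protocol id, are raised. The useful property is that the allowlist is per source host and per function class, which is exactly the distinction a flat "Modbus allowed through the firewall" rule does not make.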
Vulnerability data reinforces the focus on boundary systems between enterprise and industrial networks. Ongoing exploitation targets Cisco ASA and FTD devices, including attacks that modified device firmware. Critical vulnerabilities in SAP NetWeaver and other manufacturing operations software created direct pivot points into factory workflows.
Recent disclosures affecting Rockwell ControlLogix and GuardLogix platforms enable remote code execution or can force controllers into failed states. Attacks targeting these devices pose immediate availability and safety risks. The average patch deployment timeline exceeds 180 days in OT networks because firmware updates require scheduled downtime, leaving vulnerable services exposed long after fixes become available. Until a maintenance window arrives, restricting which hosts can reach a controller's programming and management interfaces is the usual compensating control.
John Fokker, Vice President of Threat Intelligence Strategy at Trellix, emphasized that “regular training sessions educating employees about emerging threats, phishing attempts, and proper handling of sensitive information can substantially reduce risks. Additionally, involving staff in security best practices and readiness testing helps build a resilient organizational culture.”
(Source: HelpNet Security)