Cybersecurity Risks in Industrial Control Systems: Real-World Lessons from the Field
Industrial control systems (ICS) and operational technology (OT) environments are often perceived as tightly secured, but real-world incidents reveal hidden vulnerabilities, misconfigurations, and overlooked risks. Security experts shared firsthand accounts of high-stakes threats, compliance failures, and critical gaps in OT security, highlighting the disconnect between policy and practice.
State-Sponsored Threats and Persistent Access
During an incident response in the Middle East, Fortinet’s FortiGuard team uncovered an Iranian-linked advanced persistent threat (APT) actor attempting to infiltrate an organization’s OT network. The attacker repeatedly bypassed containment efforts by deploying new malware and exploiting an undocumented "n-day" vulnerability, maintaining persistent access even after cleanup attempts. While the OT network was not fully compromised, the incident underscored the sophistication of state-sponsored threats targeting critical infrastructure.
The Cost of IT Tools in OT Environments
At a power generation plant, a compliance-driven vulnerability scan conducted despite warnings triggered a catastrophic shutdown of two turbines. The scan, mandated by leadership, disrupted operations within minutes, resulting in the cybersecurity team’s expulsion from the site for years. The incident demonstrated the dangers of applying IT security tools to OT systems without proper safeguards.
Shadow IT and Forgotten Systems
A federal engineering agency’s "isolated" Solaris servers, running mission-critical field control systems, were discovered to be accessible from corporate workstations and even the public internet using default credentials. The systems, unpatched for years, had been left unmonitored after the original developer retired and the maintenance contract lapsed. The discovery revealed how physical isolation becomes meaningless when network segmentation fails, and how forgotten systems pose severe risks.
Digital Transformation and OT Security Gaps
A pharmaceutical company undergoing digital transformation uncovered extensive shadow IT and SaaS risks, including unmanaged Windows XP machines, open USB ports on labeling equipment, and disconnected but vulnerable networks. A breach at a peer company traced to a foreign cyberattack prompted a 48-hour remediation effort to secure systems while complying with Computer Systems Validation (CSV) requirements, which can take months to complete. The incident highlighted the challenges of balancing security with regulatory constraints in highly regulated industries.
Firewalls Failing to Segment OT Networks
A manufacturing company’s multimillion-dollar firewall deployment failed to block unauthorized access to thousands of OT devices across its network. A security assessment that gave deep visibility into proprietary industrial protocol traffic exposed how the misconfigured firewalls had left critical systems reachable. The findings enabled the company to refine its segmentation policies without disrupting operations.
Hidden Assets and DNS-Based Exfiltration
A Nozomi Networks sensor at a manufacturing facility detected suspicious DNS traffic from a Windows machine, initially dismissed as noise. Further analysis revealed malware using DNS tunneling for command-and-control communication and data exfiltration. The incident exposed gaps in OT visibility and reinforced the need for continuous monitoring, even in legacy environments.
Lateral Movement Risks in Manufacturing
A global manufacturer assumed its IT and OT networks were segmented until a risk assessment revealed extensive interconnections and open pathways for lateral movement. Without disrupting production, the team enforced behavior-based policies to restrict unnecessary traffic, reducing exposure while maintaining operational continuity.
Key Takeaways
These incidents reveal recurring themes in OT security:
- Assumptions vs. Reality: "Isolated" systems are often reachable, and segmentation is frequently ineffective.
- Tool Misapplication: IT security practices can disrupt OT operations if not adapted for industrial environments.
- Legacy Risks: Unpatched, end-of-life systems remain a persistent threat.
- Visibility Gaps: Passive monitoring often misses critical assets, while active discovery uncovers hidden risks.
- Human Factors: Shadow IT, forgotten systems, and compliance pressures create blind spots.
The stories underscore that OT security requires tailored approaches balancing risk mitigation with operational resilience, and verifying security measures rather than assuming them.
Source: https://www.securityweek.com/real-world-ics-security-tales-from-the-trenches/
Unnamed Firm LLC cybersecurity rating report: https://www.rankiteo.com/company/unnamedfirm
{
  "id": "UNN1779280574",
  "linkid": "unnamedfirm",
  "type": "Cyber Attack",
  "date": "9/2001",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {"industry": "Industrial", "location": "Middle East", "name": "Unnamed Middle East organization", "type": "Critical Infrastructure"},
    {"industry": "Energy", "name": "Power generation plant", "type": "Utility"},
    {"industry": "Engineering", "name": "Federal engineering agency", "type": "Government"},
    {"industry": "Pharmaceutical", "name": "Pharmaceutical company", "type": "Private"},
    {"industry": "Manufacturing", "name": "Manufacturing company", "type": "Private"},
    {"industry": "Manufacturing", "name": "Global manufacturer", "type": "Private"}
  ],
  "attack_vector": ["Exploiting n-day vulnerability", "Vulnerability scan", "Default credentials", "DNS tunneling", "Unmanaged systems"],
  "data_breach": {
    "data_exfiltration": ["DNS tunneling"],
    "sensitivity_of_data": ["High"],
    "type_of_data_compromised": ["Proprietary industrial protocols", "Mission-critical field control data"]
  },
  "description": "Industrial control systems (ICS) and operational technology (OT) environments face hidden vulnerabilities, misconfigurations, and overlooked risks. This document highlights real-world incidents involving state-sponsored threats, compliance failures, and critical gaps in OT security.",
  "impact": {
    "data_compromised": ["Proprietary industrial protocols", "Mission-critical field control data", "DNS-tunneled data"],
    "downtime": ["Catastrophic shutdown of two turbines"],
    "operational_impact": ["Disrupted operations", "Expulsion of cybersecurity team", "Production disruption"],
    "systems_affected": ["OT network", "Turbines", "Solaris servers", "Windows XP machines", "Labeling equipment", "OT devices"]
  },
  "lessons_learned": [
    "Assumptions vs. Reality: 'Isolated' systems are often reachable, and segmentation is frequently ineffective.",
    "Tool Misapplication: IT security practices can disrupt OT operations if not adapted for industrial environments.",
    "Legacy Risks: Unpatched, end-of-life systems remain a persistent threat.",
    "Visibility Gaps: Passive monitoring often misses critical assets, while active discovery uncovers hidden risks.",
    "Human Factors: Shadow IT, forgotten systems, and compliance pressures create blind spots."
  ],
  "motivation": ["State-sponsored espionage", "Compliance pressure", "Negligence", "Data exfiltration", "Lateral movement"],
  "post_incident_analysis": {
    "corrective_actions": ["Refined segmentation policies", "Enforced behavior-based policies", "Secured unmanaged systems", "Enhanced monitoring", "48-hour remediation effort"],
    "root_causes": ["Undocumented n-day vulnerability", "Compliance-driven vulnerability scan without safeguards", "Forgotten and unpatched Solaris servers", "Misconfigured firewalls", "Lack of network segmentation", "Shadow IT and unmanaged systems"]
  },
  "recommendations": [
    "Tailor security approaches for OT environments balancing risk mitigation with operational resilience.",
    "Verify security measures rather than assuming them.",
    "Adapt IT security tools for OT systems with proper safeguards.",
    "Enforce continuous monitoring and network segmentation.",
    "Address legacy and unmanaged systems proactively."
  ],
  "references": [{"source": "Fortinet’s FortiGuard team"}, {"source": "Nozomi Networks"}],
  "regulatory_compliance": {"regulations_violated": ["Computer Systems Validation (CSV) requirements"]},
  "response": {
    "containment_measures": ["Cleanup attempts", "48-hour remediation effort"],
    "enhanced_monitoring": ["Continuous monitoring"],
    "network_segmentation": ["Refined segmentation policies"],
    "remediation_measures": ["Enforced behavior-based policies", "Refined segmentation policies", "Secured unmanaged systems"],
    "third_party_assistance": ["Fortinet’s FortiGuard team", "Nozomi Networks"]
  },
  "threat_actor": ["Iranian-linked APT actor"],
  "title": "Cybersecurity Risks in Industrial Control Systems: Real-World Lessons from the Field",
  "type": ["APT Attack", "Compliance-Driven Disruption", "Shadow IT", "Misconfiguration", "Data Exfiltration", "Lateral Movement"],
  "vulnerability_exploited": ["Undocumented n-day vulnerability", "Unpatched Solaris servers", "Misconfigured firewalls", "Open USB ports", "Lack of network segmentation"]
}