What Is an Operational Technology Attack?
This decade’s start has rocked the OT (operational technology) cyber security landscape. OT cyber security attacks at the beginning of this decade were rare, with just seven found on the public record. Most security professionals can recite the big ones without hesitation: Stuxnet, Triton, and Industroyer. But since 2020, it is much harder for anyone to keep track of them all. Our ongoing research shows that we are approaching one hundred publicly known cyber security incidents with physical consequences for operations.
The following infographic reflects what we believe are the top ten most impactful attacks to operations. These attacks are chosen qualitatively, weighting the transformational value of the incident for the OT cyber security space.
Why These Operational Technology Attacks Are So Significant
To create this top 10 list, we dissected the OT and ICS cyber attacks on the record by evaluating the cause, the effect, and the sophistication of each one. The distinguishing trait shared by all is that they caused (or attempted to cause) physical consequences. This fact transforms how the impact of an OT cyber attack must be assessed. To illustrate with a metaphor: the cyber attackers of the past were merely attempting to steal our wallet, but now they may also try to punch us in the face. In other words, the effects of the attack can be felt in our daily life. For example, the global ransomware attack on JBS Foods in May 2021 disrupted meat production in North America and Australia. This negatively affected the supply and price of meat, as well as farmers with livestock operations.
Some of the attacks listed did not directly target operations, but they stopped operations as a result. This was the case at Supeo in Denmark, where trains were indirectly brought to a standstill. This incident is important, despite the short period of operational downtime, because it shows the fragility of a critical network that relies on IT dependencies for its daily functions.
Beyond Disruption: Physical Damage and Public Safety Threats
Most of the attacks were ransomware that for some reason or another affected operations. In other words, most of the reported attacks on OT can be labeled as unintended cyber-sabotage. But there were instances of deliberate sabotage, both attempted and successful. This is the case of the actions of Predatory Sparrow, a hacktivist group which has attacked critical infrastructure in Iran. These attacks include controlling and changing rail signage, and causing a fire in the Khuzestan Steel manufacturing plant. The latter attack was captured live on plant CCTV cameras, and the footage was exfiltrated and posted to Twitter by the Predatory Sparrow hacktivists. In 2022, a widely reported incident was the unsuccessful attempt to poison the water at Oldsmar’s treatment plant by abusing a shared TeamViewer password. In this case an operator watched the attack unfold in real time and was able to take corrective action to prevent serious consequences to the public.
Supply Chain Vulnerabilities in Operational Technology
Arguably, the SolarWinds attack did not cause any OT disruptions worth mentioning, and none on the public record. But all OT professionals worry about the implications of the attack because it is a prime example of the risk in blindly trusting software supply chains. In this attack, the SolarWinds Orion product was trojanized by an unknown actor. Orion is commonly used by IT managed service providers (MSPs), which collectively serve more than 30,000 companies. According to press reports, the backdoor was inserted and delivered to 18,000 companies as part of a routine update. This is a classic software supply chain attack, and most OT security vendors and OT security programs are unable to detect it. Not long ago, OT systems were mostly immune due to strong segmentation practices, but the increased connectivity between IT and OT networks permits a nightmare scenario where several network infrastructures can be affected at the same time.
Most Impactful Operational Technology Attacks: Technical Analysis
We already talked about the attack on the Khuzestan Steel manufacturing plant, which stands out due to the sophistication of the payload. That is also the case for the Industroyer2 malware attack, deployed during the current conflict between Russia and Ukraine. While the attack failed to take the Ukrainian transmission grid offline, its modular framework, based on the older Industroyer malware variant, features a sophisticated payload able to communicate with intelligent electronic devices (IEDs) using standard electrical ICS protocols such as DNP3 and IEC 61850.
But the one attack that has impacted policy and practices, and even had political repercussions (it directly involved the president of the United States over gas shortages), was the Colonial Pipeline ransomware attack. The company shut down the pipeline for five days, out of an “abundance of caution,” to ensure the malware did not spread from their IT-hosted billing system into their OT network. The attack was widely covered by the media, showing drivers across America facing long lineups at the pump caused by fears of a nationwide gas shortage. For that reason, we place it as the number one cyber security OT incident in this list.
How Operational Technology Attacks Work
Unlike traditional IT breaches that aim to steal data or ransom files, operational technology (OT) attacks target physical processes—with the intent to disrupt, degrade, or destroy real-world infrastructure. These attacks are often more complex, requiring knowledge of industrial protocols, equipment behavior, and safety systems. Understanding the typical steps attackers take can help organizations better defend their environments.
Attack Vectors and Entry Points
Most OT attacks begin in the IT environment, where attackers can find a foothold using familiar techniques:
- Phishing emails that compromise credentials
- Exploiting remote access vulnerabilities (e.g., RDP, VPN)
- Compromised third-party vendors or software supply chains
- Physical access to plant systems or portable media (USB drives)
From there, attackers look for paths into the OT network. This is often possible due to weak segmentation between IT and OT environments, flat OT networks, or poorly secured interfaces like engineering workstations and HMIs.
Lateral Movement in OT Networks
Once inside, attackers move laterally across the network—searching for high-value targets like:
- PLCs (Programmable Logic Controllers)
- SCADA systems
- Engineering stations and historians
- Safety Instrumented Systems (SIS)
This lateral movement often relies on:
- Credential harvesting and privilege escalation
- Exploiting industrial protocols (e.g., Modbus, DNP3) that lack encryption or authentication
- Living-off-the-land tactics, using legitimate tools and credentials to avoid detection
Unlike in IT, attackers may spend weeks or even months exploring an OT environment, learning how it works before deploying a payload.
Payload Deployment and Execution
The final stage is payload deployment, where the attacker takes action to cause disruption or damage. This might include:
- Modifying PLC logic to alter physical processes (e.g., changing pump speeds, disabling alarms)
- Triggering shutdowns or equipment malfunctions
- Overwriting firmware or wiping data on OT devices
- Disabling safety systems to increase the impact of a future attack (as seen in the Triton/Trisis malware)
What makes OT attacks especially dangerous is that they often target safety and reliability, rather than data. This can result in production losses, equipment damage, environmental harm, or even threats to human life.
Detecting and Preventing Operational Technology Attacks
Operational technology (OT) environments are often slow to detect threats due to outdated systems, limited visibility, and the misconception that “air-gapping” is still enough. In reality, early detection and proactive prevention are critical to stopping attacks before they escalate into physical damage or downtime. This section explores how organizations can recognize warning signs, monitor their networks effectively, and respond quickly when incidents occur.
Early Warning Signs
While many OT attacks are stealthy, they often leave behind subtle traces. Recognizing these early can make all the difference:
- Unusual device behavior (e.g., unexpected configuration changes or reboots)
- Unauthorized access attempts from new or unrecognized hosts
- Communication with unfamiliar IP addresses or unexpected outbound traffic
- Changes in PLC code or HMI logic without proper change control
- Repeated login failures or unusual activity during off-hours
- Alarms or alerts being disabled or modified
In OT, these signs may not trigger traditional IT alerts—so context-aware detection is crucial.
Network Monitoring Best Practices
Effective OT monitoring requires tools and processes tailored to industrial environments. Key best practices include:
- Passive monitoring: Use network taps or span ports to observe traffic without disrupting operations.
- Protocol-aware analysis: Deploy tools that understand ICS protocols like Modbus, DNP3, OPC UA, and EtherNet/IP.
- Baselining normal behavior: OT networks are often deterministic. Anomaly detection works best when “normal” traffic patterns are clearly defined.
- Zone-based visibility: Monitor network traffic between IT and OT, as well as within OT zones (e.g., Level 1 to Level 2 per Purdue Model).
- Integration with SOC/SIEM tools: Bridge IT/OT visibility gaps by feeding OT alerts into centralized security operations.
OT-native monitoring platforms like Nozomi Networks, Claroty, and Dragos offer these capabilities out of the box.
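As an added example (not code from the original article or from any of the platforms named above), the following Python script shows the protocol-aware baselining described in this section on constructed Modbus/TCP traffic: it parses the MBAP header and function code of each request, learns which (source, destination, unit, function code) combinations are normal during a known-good window, and then flags the early warning signs listed earlier, namely requests from an unrecognized host and write commands that were never baselined. All addresses and frames are constructed sample data.

```python
import struct

# Modbus function codes that change controller state (coil/register writes, diagnostics)
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}

def parse_modbus_tcp(payload):
    """Parse the MBAP header and function code of one Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("short Modbus/TCP frame")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        raise ValueError("invalid MBAP header")
    return {"tid": tid, "unit": unit, "fc": payload[7], "data": payload[8:]}

def frame(tid, unit, fc, data):  # build a request frame; used only for sample traffic
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def build_baseline(flows):
    """Learn the (src, dst, unit, function code) tuples seen in a known-good window."""
    return {(src, dst, f["unit"], f["fc"])
            for src, dst, f in ((s, d, parse_modbus_tcp(p)) for s, d, p in flows)}

def detect(flows, baseline):
    """Flag every flow that deviates from the learned baseline, most severe reason first."""
    known_hosts = {src for src, _, _, _ in baseline}
    alerts = []
    for src, dst, payload in flows:
        f = parse_modbus_tcp(payload)
        if (src, dst, f["unit"], f["fc"]) in baseline:
            continue
        if src not in known_hosts:
            reason = "unrecognized host"
        elif f["fc"] in WRITE_FCS:
            reason = "new write command"
        else:
            reason = "new function code"
        alerts.append(f"{reason}: {src} -> {dst} unit {f['unit']} fc 0x{f['fc']:02x}")
    return alerts

# Constructed sample: during baselining, only the HMI (10.1.1.10) polls holding registers.
BASELINE_FLOWS = [("10.1.1.10", "10.1.2.5", frame(1, 1, 0x03, b"\x00\x00\x00\x0a")),
                  ("10.1.1.10", "10.1.2.5", frame(2, 1, 0x03, b"\x00\x00\x00\x0a"))]
# Constructed live window: the same poll, an unbaselined register write from the HMI, a poll from an unknown host.
LIVE_FLOWS = [("10.1.1.10", "10.1.2.5", frame(3, 1, 0x03, b"\x00\x00\x00\x0a")),
              ("10.1.1.10", "10.1.2.5", frame(4, 1, 0x06, b"\x00\x10\x00\xff")),
              ("10.1.1.99", "10.1.2.5", frame(5, 1, 0x03, b"\x00\x00\x00\x0a"))]

def run_demo():
    return detect(LIVE_FLOWS, build_baseline(BASELINE_FLOWS))
```

In a real deployment the baseline window would come from a span port or tap capture, and the alerts would be forwarded to the SOC/SIEM as described above.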
Incident Response for OT Environments
Responding to incidents in OT is fundamentally different from IT. The priority is safety and uptime, not just data recovery.
Key OT-specific IR practices:
- Predefined roles and protocols: Establish who does what during an incident—from control room operators to IT responders.
- Isolation, not shutdown: Whenever possible, contain infected systems without halting critical processes.
- Backup and restoration plans for devices like PLCs and HMIs, not just servers.
- Tested playbooks that reflect real-world OT constraints (e.g., regulatory reporting, vendor coordination).
- Coordination between IT and OT teams to avoid conflicting actions during high-pressure scenarios.
Proactive tabletop exercises and incident simulations are essential for OT environments, helping teams prepare without risking actual operations.
Future Threat Landscape for Operational Technology
As industrial systems become more connected, digitized, and data-driven, the threat landscape for operational technology (OT) continues to evolve. Cybercriminals, nation-state actors, and hacktivists are all increasingly targeting industrial infrastructure—not just for financial gain, but to create real-world disruption. Understanding what’s next in OT cyber threats is essential for building resilient defenses that stand the test of time.
Emerging Attack Techniques
The future of OT cyberattacks will be marked by more precision, automation, and stealth, often blending IT and OT tactics. Key trends to watch include:
- AI-Assisted Intrusions: Adversaries are beginning to use AI to automate reconnaissance, generate more convincing phishing lures, and identify the most valuable targets within hybrid IT/OT environments.
- Living-Off-the-Land in OT: Threat actors are adapting IT “living-off-the-land” tactics, using built-in tools and native protocols, to hide in plain sight within OT networks. This makes attacks harder to detect and allows them to persist longer.
- Cross-Protocol Attacks: As convergence increases, attackers are exploring how to exploit interactions between IT and OT protocols, e.g., leveraging vulnerable web servers or databases to indirectly manipulate PLCs or sensors.
- Firmware and Hardware-Level Attacks: Sophisticated campaigns increasingly focus on firmware implants or supply chain compromises at the device level, threats that traditional software-based defenses may never see.
- Attacks on Edge and IIoT Devices: With industrial environments pushing data processing to the edge, IIoT devices are becoming high-value targets. Many of these endpoints are deployed without proper hardening or visibility.
As attackers get smarter and industrial systems get more connected, the lines between cyber and physical threats will blur further—leading to more coordinated, multi-stage attacks that are harder to detect and stop.
Critical Infrastructure Vulnerabilities
Despite increasing awareness, critical infrastructure sectors remain highly vulnerable due to a combination of legacy technology, low patchability, and regulatory pressure to maintain uptime above all else.
Some of the top vulnerabilities include:
- Aging Systems with Insecure Protocols: Many control systems were never designed with cybersecurity in mind. Protocols like Modbus and DNP3 still lack encryption and authentication in many deployments.
- Insufficient Network Segmentation: Flat networks and weak separation between corporate and operational zones make it easy for attackers to move laterally once inside.
- Over-Reliance on Remote Access: While necessary for modern operations, poorly secured remote access points remain one of the most exploited vectors in OT cyberattacks.
- Limited Visibility and Monitoring: Many organizations still lack real-time visibility into their OT environments, leaving them blind to abnormal activity or silent threats.
- Workforce and Skills Gap: The shortage of professionals who understand both cybersecurity and industrial operations leaves many systems under-secured or misconfigured.
As national infrastructure becomes increasingly digital, the consequences of inaction grow more severe—ranging from power outages and transportation disruptions to risks to public safety and economic stability.
Final Thoughts
The OT threat landscape is changing fast. While industrial organizations have historically been slow to adapt, the time for action is now. The attackers are evolving. So must the defenders.
To stay ahead, critical infrastructure operators must:
- Embrace modern, hardware-enforced security architectures
- Invest in OT-specific monitoring and detection tools
- Foster strong collaboration between IT and OT teams
- Regularly assess and harden systems, before attackers do it for them
By understanding the threats on the horizon and addressing today’s vulnerabilities, organizations can protect not just their networks—but the real-world processes and people that depend on them.