What are OT & SCADA Attacks?
Operational Technology (OT) and SCADA attacks target the industrial systems that control essential processes in energy, manufacturing, utilities and other critical infrastructure. These environments are designed for stability and safety, and the equipment that runs them is built to operate continuously and predictably.
As organizations integrate more connected capabilities such as remote monitoring, predictive maintenance and Industrial IoT, OT environments are becoming more closely linked with IT networks. This shift delivers operational and efficiency benefits, but it also expands the potential attack surface that adversaries may try to exploit.
OT refers to the technologies that monitor and control physical processes. This includes systems such as Programmable Logic Controllers (PLCs), sensors, Human-Machine Interfaces and Distributed Control Systems.
SCADA (Supervisory Control and Data Acquisition) is a system architecture used to manage these processes locally or across remote sites through centralized visibility and control.
Unlike traditional IT systems, where the primary impact of a cyberattack is usually limited to data, disruptions in OT environments can affect physical operations, equipment availability and safety. This difference reflects the core mission of OT: maintaining continuous, safe operation of industrial processes. Modern attackers understand this operational dependency and increasingly target the interfaces and connected systems around OT, rather than the controllers themselves.
Key Terminology
- ICS (Industrial Control Systems): An umbrella term for the various control systems and instrumentation used in industrial production.
- SCADA (Supervisory Control and Data Acquisition): A system architecture used to control industrial processes locally or at remote locations. SCADA systems gather real-time data from sensors to monitor equipment and conditions.
- PLC (Programmable Logic Controller): Ruggedized industrial computers that control manufacturing processes, such as assembly lines or robotic devices.
- HMI (Human-Machine Interface): The dashboard or screen that operators use to communicate with the machine, review data, and issue commands.
- DCS (Distributed Control Systems): Control systems used in continuous processes like oil refining or power generation, where control elements are distributed throughout the system rather than centralized.
The Connectivity Challenge
Historically, OT networks were protected by an "air gap" (physical isolation from the internet). Today, the demand for real-time analytics, predictive maintenance, and remote vendor support has eroded that isolation.
These environments were engineered for deterministic, real-time operation, long equipment lifecycles and high availability. Their design priorities differ from IT, which creates unique security considerations.
- Pivot Attacks: Direct access to control equipment is uncommon, so attackers typically compromise the corporate IT network first and then move laterally through the "DMZ" to reach the plant floor.
- The Visibility Gap: SANS data indicates that while detection times are improving, many organizations still lack deep visibility into their OT traffic and would benefit from monitoring tools tailored to industrial protocols.
- Shared Responsibility: The challenge is often cultural. IT teams prioritize patching, while OT teams prioritize stability. Security succeeds only when these goals are aligned, ensuring security measures do not cause the downtime they are meant to prevent.
Common Attack Vectors
1. Industrial Ransomware
Ransomware groups now understand that downtime costs millions. They target the Windows-based supervisory layer (HMIs and Historians). Even if the PLCs are untouched, supervisory systems may lose visibility into the process, prompting a controlled and safe shutdown.
2. Living-off-the-Land (LotL)
Attackers abuse legitimate tools already present in the environment. They may use PowerShell or standard industrial protocols (like Modbus or DNP3) to send malicious commands. Because this looks like valid traffic, it often bypasses traditional firewalls.
3. Supply Chain & Vendor Access
Many machines require remote maintenance from the original equipment manufacturer (OEM). Attackers target these trusted third-party connections to bypass the perimeter.
4. Protocol Exploitation
Many industrial protocols were designed decades ago without encryption or authentication. If an attacker gains network access, they can often "speak" directly to controllers without needing a password.
Impact: Safety & Uptime
In the corporate office, a cyberattack is a data problem. In the plant, it is a physical problem.
- Physical Safety: Incorrect commands can disable safety shutoffs, over-pressurize valves, or overheat equipment. This puts human lives and the environment at risk.
- Operational Downtime: In continuous process industries (like oil and gas), an emergency shutdown is not just a pause. It can take weeks to safely restart, costing millions in lost production.
- Equipment Damage: Cyberattacks can physically destroy hardware. Rapidly cycling a breaker or ignoring torque limits can "brick" custom machinery that takes months to replace.
The ICS Attack Lifecycle
Defenders must understand how adversaries operate in these unique environments.
- Reconnaissance: Attackers look for engineering schematics, vendor documentation, or internet-facing devices to understand the process.
- Initial Access: Gaining a foothold in the IT network via phishing or VPN exploitation.
- Lateral Movement: Moving from the IT network to the OT network, often hunting for "jump servers" or dual-homed workstations.
- Process Discovery: Once inside, attackers map the OT network to identify which HMI controls which pump. They learn the process logic to understand how to cause disruption.
- Execution: The payload is delivered. This could be a ransomware locker on the HMI or a specific "stop" command sent to a critical controller.
Detection in Sensitive Networks
Standard IT detection methods can be dangerous in OT. Active scanning (pinging every device) can overload older controllers and cause them to crash.
- Passive Monitoring: The standard for OT is passive listening. Security tools mirror traffic (via SPAN ports) to analyze industrial protocols without interacting with the devices directly.
- Anomaly Detection: Instead of looking for "bad" files, OT security looks for "abnormal" behavior. If a workstation that usually only reads data suddenly tries to write code to a PLC, that is an alert.
- Identity is Critical: With more remote access, verifying who is logging in is essential. SANS reports high adoption of MFA, which is a positive step for securing remote vendor access.
Defense-in-Depth Strategies
We cannot simply "patch everything" in OT. Downtime windows are rare, and patches must be certified by vendors. Defense requires a layered approach.
- Network Segmentation: Strictly separate the IT network from the OT network (following the Purdue Model). Ensure a compromise in email servers cannot reach the production line.
- Virtual Patching: If you cannot patch a legacy Windows HMI, place it behind an Intrusion Prevention System (IPS) that detects and blocks exploits targeting its specific vulnerabilities.
- Secure Remote Access: Eliminate "always-on" VPNs. Use secure access gateways that require MFA and record sessions for all remote maintenance.
- Asset Inventory: Automated, passive tools should track firmware versions and asset details so you know exactly what you are defending.
Acronis Cyber Protect is designed to support the reality of industrial environments, where high availability is the primary goal and legacy systems are common.
- Support for Legacy Systems: These systems have long operational lifecycles and remain critical to production, even when original software support has ended. We support backup and security for legacy OS versions (like Windows XP) often found in long-lifecycle industrial equipment.
- Non-IT Recovery: The people on the plant floor know the process best. Acronis "One-Click Recovery" empowers operators to restore a corrupted HMI to a working state in minutes, without needing to wait for IT support to arrive.
- Fail-Safe Patching: When you do have a maintenance window, patching is risky. Acronis automatically creates a system backup before applying any patch. If the patch causes instability, the system automatically reverts to the working state, ensuring uptime.
- Air-Gap Support: For high-security zones, Acronis updates can be delivered via secure, physical media, ensuring protection without exposing the network to the internet.
- Minimal Performance Impact: Our single-agent architecture is lightweight, designed not to interfere with the real-time performance requirements of control systems.
Frequently Asked Questions
What makes OT and SCADA systems different from regular IT systems in terms of cybersecurity?
The difference is in priority and consequence:
- IT (Information Technology): Focuses on Confidentiality, Integrity, Availability (CIA). The primary risk is data theft or business interruption.
- OT (Operational Technology): Focuses on Availability, Integrity, Confidentiality (AIC). The primary risks are physical safety (human lives, environment) and operational downtime. Security controls must support continuous, safe operation of the physical process.
Why can't legacy OT assets simply be patched or upgraded like IT workstations?
For legacy OT assets, like Programmable Logic Controllers (PLCs) and old HMIs, patching follows a controlled process because updates must be validated for safety and compatibility, and downtime windows are limited.
- Vendor Certification: Patches must be rigorously tested and certified by the Original Equipment Manufacturer (OEM) to ensure they do not cause instability or disrupt the real-time process.
- Downtime Windows: OT systems often run 24/7. Maintenance windows for patching are rare and planned weeks or months in advance.
- Hardware and Firmware Compatibility: These systems were built for durability and long-term operation. However, their hardware and firmware may not be compatible with modern patching processes or scanning tools.
How do attackers typically gain access to OT or SCADA environments?
Attackers rarely hack a controller directly from the internet. They normally pivot from within the IT environment:
- Initial Access: They compromise the less-secure corporate IT network (e.g., via phishing or a vulnerable VPN).
- Lateral Movement: They then hunt for "jump servers," dual-homed workstations, or weakly configured firewalls in the Demilitarized Zone (DMZ) to move laterally from the IT network onto the plant floor network.
Are air gaps and network isolation still effective defenses for OT?
The traditional "air gap" (physical isolation) has largely been eroded due to business demands for:
- Real-time analytics and data sharing with the corporate network.
- Predictive maintenance.
- Remote vendor and OEM support.
While a true air gap is rare, Network Segmentation (layered isolation following the Purdue Model) remains an absolutely essential defense to prevent lateral movement from the IT network to the OT environment.
What are best practices for remote access to critical infrastructure and vendor connections?
Best practices focus on secure, auditable, and temporary access:
- Eliminate "Always-On" VPNs: Access should not be continuous.
- Secure Access Gateways: Use a solution that acts as a secure jump box.
- Multi-Factor Authentication (MFA): Require MFA for all remote logins.
- Session Recording: Record all remote maintenance sessions for auditing and forensic purposes.
How should organizations segment networks to prevent lateral movement from IT to OT?
Organizations should implement a Defense-in-Depth strategy based on the Purdue Model, which involves:
- Strict Segregation: Using a robust firewall to strictly separate the corporate IT network (Level 4/5) from the Demilitarized Zone (DMZ).
- One-Way Flow: Using technologies like data diodes in some high-security zones to enforce one-way traffic, allowing data to flow from the plant floor up to the corporate network, but not the reverse.
What are the most important security controls for legacy systems that cannot be patched?
For systems with long operational lifecycles that cannot run modern security tooling, focus on compensating controls:
- Virtual Patching: Place the legacy asset behind an Intrusion Prevention System (IPS) that detects and blocks exploits targeting its known vulnerabilities.
- Network Segmentation: Isolate the system on its own protected network segment.
- Passive Monitoring: Use passive network analysis to detect any abnormal behavior directed at the legacy system.
- Reliable Backup: Implement a system (like Acronis's support for legacy OS) to quickly restore a working image of the system after a compromise.
How can you monitor sensitive networks without risking downtime or crashes?
The standard for safe OT monitoring is Passive Monitoring:
- SPAN Ports: Security tools mirror network traffic (via SPAN ports) to "listen" to industrial protocols without ever interacting with or sending packets to the control devices.
- Anomaly Detection: Monitoring tools look for "abnormal" behavior (e.g., a sudden attempt to write code to a PLC) rather than using traffic-heavy signature scanning.
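As an added illustration of the passive baselining described here and in the Detection section (a host that normally only reads suddenly writing to a PLC), not code from the original page or any Acronis product: a minimal Modbus/TCP monitor that learns function codes per source host from mirrored traffic and alerts on write-class requests from a host whose baseline was read-only, or from a host never seen during learning. The host addresses and frames are constructed sample data.

```python
import struct
from collections import defaultdict

# Modbus write-class function codes: they change coils/registers on the controller.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("malformed MBAP header")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Construct a Modbus/TCP request; used here only to make offline sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

class PassiveModbusMonitor:
    """Learn which function codes each source uses from mirrored traffic, then
    alert on writes from read-only hosts and on hosts never seen before."""
    def __init__(self):
        self.baseline = defaultdict(set)  # src ip -> function codes observed
        self.learning = True
    def observe(self, src: str, frame: bytes):
        fc = parse_modbus_tcp(frame)["function"]
        if self.learning:
            self.baseline[src].add(fc)
            return None
        if src not in self.baseline:
            return f"ALERT {src}: unknown host issuing Modbus fc={fc}"
        if fc in WRITE_FUNCTIONS and self.baseline[src].isdisjoint(WRITE_FUNCTIONS):
            return f"ALERT {src}: {WRITE_FUNCTIONS[fc]} from host with read-only baseline"
        return None

def run_demo() -> list:
    """Replay constructed traffic: learn from an HMI and a workstation, then probe."""
    mon = PassiveModbusMonitor()
    read_regs = build_frame(1, 1, 3, b"\x00\x00\x00\x0a")  # read 10 holding registers
    write_regs = build_frame(2, 1, 16, b"\x00\x10\x00\x01\x02\x00\x01")  # write 1 register
    mon.observe("10.0.1.20", read_regs)   # HMI baseline: reads only
    mon.observe("10.0.1.30", write_regs)  # engineering workstation: writes are normal
    mon.learning = False
    probes = [("10.0.1.30", write_regs),                                 # expected, no alert
              ("10.0.1.20", build_frame(3, 1, 6, b"\x00\x10\x00\x00")),  # HMI writes: alert
              ("10.0.9.99", read_regs)]                                  # unknown host: alert
    return [a for src, f in probes if (a := mon.observe(src, f))]
```

In a real deployment the frames would come from a SPAN-port capture and the baseline would be reviewed by the engineering team before switching out of learning mode; the monitor never sends anything to the controllers.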
How can companies recover quickly after an OT cyberattack disrupts operations?
Fast recovery is key to minimizing expensive downtime:
- Operator Empowerment: Provide operators with "one-click recovery" solutions to restore compromised HMIs and workstations to a working state immediately, without waiting for the IT team to arrive.
- Air-Gapped Backup: Store backups of critical system images on secure, isolated media to prevent ransomware from reaching the recovery data.
- Pre-Patch Backup: Automatically create a full system backup before applying any patch or update, allowing for a rapid, fail-safe rollback if the patch causes instability.
What incident response plans are recommended for OT and SCADA attacks?
OT Incident Response Plans must be different from IT plans, prioritizing process containment and physical safety:
- Safety First: Immediately assess and ensure human and environmental safety.
- Process Containment: Isolate the compromised OT segment or device, but only if it does not cause a more dangerous emergency shutdown.
- Controlled Shutdown: If necessary, execute a manual, safe, and orderly process shutdown, which is preferable to an uncontrolled emergency stop.
- Forensics & Recovery: Use passive monitoring data for forensics, then restore operational stability using pre-tested system backups.
Are there notable examples of real-world cyberattacks on industrial systems, and what were their lessons?
Yes, several attacks highlight the unique risks of OT:
- Stuxnet (2010): The first known digital weapon to physically destroy industrial equipment (uranium centrifuges). Lesson: Targeted physical destruction is possible.
- BlackEnergy (2015): Targeted Ukraine's power grid, successfully causing a widespread power outage. Lesson: The compromise of the IT network can lead directly to physical disruption of critical infrastructure.
- Colonial Pipeline Ransomware (2021): A ransomware attack on the IT side of the business led to the precautionary shutdown of the operational pipeline. Lesson: The convergence risk is real; IT compromise forces OT shutdown.