Attacks on Industrial Environments Doubled in 2025, Report Warns

Industrial Control Systems Face Escalating Cyber Threats as Attacks on IT/OT Environments Nearly Doubled in 2025

Severity: HIGH
Published: January 16, 2026
Updated: February 2, 2026
7m read
Topics: Industrial Control Systems, Cyberattack, Threat Intelligence

Related Entities

Products & Tech: Human-Machine Interface (HMI), SCADA, Virtual Network Computing (VNC), Point-of-Sale (PoS)

Full Report (as first published)

Executive Summary

A report from Cyble Research & Intelligence Labs (CRIL) highlights a significant and dangerous trend: cyberattacks targeting Industrial Control Systems (ICS) and Operational Technology (OT) environments nearly doubled in 2025. The convergence of IT and OT has expanded the attack surface and attracted both financially motivated ransomware groups and politically motivated hacktivists. The report predicts that in 2026 attackers will increasingly target internet-exposed SCADA and Human-Machine Interface (HMI) systems directly. This poses a direct threat to the stability of critical infrastructure and to large-scale public events such as the 2026 Winter Olympics, where disruption of vendor systems could be used for extortion.


Threat Overview

The underlying problem is the erosion of the traditional air gap between IT and OT networks. As industrial processes are connected for remote monitoring and efficiency, they are also exposed to threats from the internet. An attacker who gains a foothold in a corporate IT network can more easily pivot into the OT network, where they can potentially manipulate or disrupt physical processes.

Cyble's report identified several key trends:

  • Increased Ransomware Attacks: Ransomware groups are no longer just targeting IT data; they are actively targeting OT systems, knowing that any disruption to physical operations creates immense pressure to pay a ransom.
  • Exploitation of Exposed Assets: A large number of HMI, SCADA, and VNC systems are directly exposed to the internet with weak or default credentials, providing an easy entry point for attackers.
  • Hacktivism: Politically motivated groups are increasingly targeting critical infrastructure to make a statement or cause disruption, with less emphasis on financial gain.

This trend is particularly concerning for events like the Winter Olympics, which rely on a complex ecosystem of third-party vendors for everything from ticketing to facility management. A successful attack on one of these vendors could disrupt the event and be used to extort the vendor or the event organizers.


Technical Analysis

Attacks on ICS/OT environments often follow this pattern:

  1. Initial Access: Attackers typically gain initial access through the less-secure IT network via phishing (T1566 Phishing), or by scanning the internet for OT devices such as HMIs that are exposed with default passwords (T1190 Exploit Public-Facing Application; in ATT&CK for ICS this is T0883 Internet Accessible Device combined with T0812 Default Credentials).

  2. Discovery & Lateral Movement: Once in the IT network, attackers search for connections to the OT network. They move laterally from IT to OT, often exploiting trust relationships and a lack of segmentation (T1021 Remote Services; ICS T0886 Remote Services or T0866 Exploitation of Remote Services). Inside the OT network they passively sniff industrial protocols such as Modbus or DNP3 and actively poll devices to identify critical controllers (T0842 Network Sniffing, T0846 Remote System Discovery).

  3. Impact: The ultimate goal is to affect the physical process. This can be achieved by sending malicious commands to Programmable Logic Controllers (PLCs) (T0855 Unauthorized Command Message, resulting in T0831 Manipulation of Control) or by deploying ransomware on HMIs and engineering workstations, rendering them inoperable (T1486 Data Encrypted for Impact).

MITRE ATT&CK for ICS Mapping

Tactic                     Technique ID   Technique Name
Initial Access             T0883          Internet Accessible Device
Initial Access             T0886          Remote Services
Discovery                  T0846          Remote System Discovery
Discovery                  T0842          Network Sniffing
Lateral Movement           T0812          Default Credentials
Lateral Movement           T0866          Exploitation of Remote Services
Command and Control        T0884          Connection Proxy
Inhibit Response Function  T0814          Denial of Service
Impair Process Control     T0855          Unauthorized Command Message
Impact                     T0831          Manipulation of Control

Impact Assessment

Cyberattacks on ICS/OT environments can have devastating real-world consequences:

  • Physical Disruption: Attacks can lead to the shutdown of power plants, contamination of water supplies, or halting of manufacturing lines, causing physical damage and economic loss.
  • Safety Risks: Manipulation of industrial processes can create unsafe conditions, leading to equipment damage, environmental incidents, or even injury and loss of life.
  • National Security Threat: The widespread disruption of critical infrastructure sectors like energy, water, and transportation is a major national security concern.
  • Supply Chain Disruption: An attack on a single key manufacturing facility can have ripple effects throughout the global supply chain.

Cyber Observables for Detection

Detecting threats in OT networks requires specialized monitoring:

Type                     Value              Description
network_traffic_pattern  IT-to-OT traffic   Any unauthorized or unexpected traffic crossing the boundary from the IT network into the OT network.
protocol                 Modbus, DNP3, S7   Industrial protocol traffic carrying unauthorized commands, such as writes to PLC registers from a source that is not a known master.
log_source               HMI/SCADA logs     Logins from new or unauthorized user accounts, or changes to control logic.
port                     5900/tcp           Unexpected VNC traffic (default port 5900) towards an HMI, which can indicate an attempted remote takeover.
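The protocol row above and step 2 and 3 of the Technical Analysis both come down to the same check: decode the Modbus/TCP function code and ask whether the source is allowed to issue it. The following is an added example, not code from the article or from Cyble: it parses the public Modbus/TCP frame layout (7-byte MBAP header followed by the PDU) and raises an alert for writes or device-identification requests from hosts outside an assumed allowlist. The host addresses, allowlist and sample frames are constructed for illustration.

```python
"""Decode Modbus/TCP requests and flag control writes from unapproved masters.

Added example, not code from the Cyble report or the article. The frame
layout follows the public Modbus/TCP specification (7-byte MBAP header
followed by the PDU). The host addresses, allowlist and sample frames are
constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Function codes that change state on the target device (coils, registers).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
# Codes commonly used to fingerprint controllers during discovery.
RECON_FUNCTIONS = {17: "Report Server ID", 43: "Read Device Identification"}

# Assumed allowlist of hosts permitted to talk to controllers at all.
APPROVED_MASTERS = {"10.20.1.10"}       # SCADA/historian server in the DMZ
APPROVED_ENGINEERING = {"10.20.1.50"}   # engineering workstation
APPROVED = APPROVED_MASTERS | APPROVED_ENGINEERING


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: Optional[int]
    quantity: Optional[int]


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the MBAP header and the leading PDU fields of a request.

    Raises ValueError for anything that is not a well-formed Modbus/TCP
    request so that junk on TCP/502 is reported instead of silently ignored.
    """
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = payload[7]
    if function & 0x80:
        raise ValueError("exception response seen where a request was expected")
    start = quantity = None
    # Data-access requests start with a 16-bit address and a 16-bit count.
    if function in (1, 2, 3, 4, 15, 16, 23) and len(payload) >= 12:
        start, quantity = struct.unpack(">HH", payload[8:12])
    elif function in (5, 6) and len(payload) >= 12:
        start = struct.unpack(">H", payload[8:10])[0]   # the value follows
        quantity = 1
    return ModbusRequest(tid, unit, function, start, quantity)


def classify(src_ip: str, req: ModbusRequest) -> Tuple[str, str]:
    """Return (severity, reason) for one request; 'info' means expected."""
    approved = src_ip in APPROVED
    if req.function in WRITE_FUNCTIONS:
        name = WRITE_FUNCTIONS[req.function]
        if approved:
            return "info", f"{name} from approved master {src_ip}"
        return "high", (f"{name} to unit {req.unit_id} address {req.start_address} "
                        f"from unapproved host {src_ip}")
    if req.function in RECON_FUNCTIONS:
        name = RECON_FUNCTIONS[req.function]
        return ("info" if approved else "medium",
                f"{name} from {'approved' if approved else 'unapproved'} host {src_ip}")
    if req.function in READ_FUNCTIONS:
        name = READ_FUNCTIONS[req.function]
        if approved:
            return "info", f"{name} from approved master {src_ip}"
        return "medium", f"{name} from unapproved host {src_ip} (possible discovery)"
    return "medium", f"unexpected function code {req.function} from {src_ip}"


def triage(frames: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str]]:
    """Run every (src_ip, dst_ip, payload) through the parser and return alerts."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append(("medium", f"malformed Modbus from {src} to {dst}: {err}"))
            continue
        severity, reason = classify(src, req)
        if severity != "info":
            alerts.append((severity, reason))
    return alerts


# Constructed frames: (source host, destination PLC, raw TCP payload on port 502).
SAMPLE_FRAMES = [
    ("10.20.1.10", "10.20.5.7", bytes.fromhex("00010000000601030000000A")),  # SCADA reads 10 registers: normal
    ("10.10.3.44", "10.20.5.7", bytes.fromhex("00020000000601030000000A")),  # IT host reads registers: discovery
    ("10.10.3.44", "10.20.5.7", bytes.fromhex("000300000005012B0E0100")),    # IT host FC 43 device identification
    ("10.10.3.44", "10.20.5.7", bytes.fromhex("000400000006010600100000")),  # IT host writes register 0x0010: high
    ("10.20.1.50", "10.20.5.7", bytes.fromhex("00050000000B0110000000020400010002")),  # engineering ws write: expected
    ("10.10.3.44", "10.20.5.7", bytes.fromhex("00060001000601030000000A")),  # wrong protocol id: malformed
]

if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_FRAMES):
        print(f"[{severity}] {reason}")
```

The allowlist is deliberately per-source rather than per-function: an engineering workstation legitimately writes PLC logic, so the useful signal is a write from anywhere else, not the write itself. A passive OT monitoring product does the same thing with a learned baseline in place of the hard-coded sets.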

Detection & Response

  • OT Network Visibility (D3-NTA): Deploy a specialized OT security monitoring solution that can passively analyze industrial network traffic. These tools understand protocols like Modbus and DNP3 and can use Network Traffic Analysis to baseline normal operations and alert on anomalies, such as unauthorized PLC programming commands or a new device appearing on the network.
  • IT/OT Boundary Monitoring: Heavily instrument the IT/OT boundary. All traffic crossing this boundary should be logged and inspected. Alert on any new connections or protocols.
  • Incident Response Plan: Develop a specific IR plan for OT incidents. This plan must include engineers and plant operators, as response actions could have physical safety implications. The plan should include steps for safely isolating affected systems and returning to manual control if necessary.
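The boundary-monitoring and baselining bullets above, together with the IT-to-OT and port 5900 observables, can be implemented as one pass over exported flow records. The following is an added example, not code from the article or from any vendor product: it assigns each address to an IT, DMZ or OT zone, permits only the conduits a DMZ design would allow, and alerts on anything else crossing a boundary, on VNC towards an OT asset, and on OT-range addresses absent from the asset baseline. The zone ranges, conduit list, baseline and flow records are constructed; in practice they come from the firewall or NetFlow export and the asset inventory.

```python
"""Flag IT/OT boundary violations, VNC into OT and unbaselined OT devices.

Added example, not from the article or any vendor product. The zone ranges,
the permitted conduits, the baseline and the flow records are constructed.
"""
import ipaddress
from collections import namedtuple
from typing import Dict, Iterable, List, Set, Tuple

ZONES: Dict[str, ipaddress.IPv4Network] = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),   # corporate users and servers
    "DMZ": ipaddress.ip_network("10.20.1.0/24"),   # historian, jump host
    "OT":  ipaddress.ip_network("10.20.5.0/24"),   # PLCs, HMIs, engineering ws
}

# Conduits the DMZ design permits: (source zone, destination zone, port).
# Any other flow that crosses a zone boundary violates the segmentation policy.
ALLOWED_CONDUITS: Set[Tuple[str, str, int]] = {
    ("IT",  "DMZ", 443),    # corporate users read the historian web front-end
    ("DMZ", "OT",  502),    # historian polls PLCs over Modbus/TCP
    ("DMZ", "OT",  20000),  # historian polls RTUs over DNP3
}
VNC_PORTS = {5900, 5901}

Flow = namedtuple("Flow", "src dst dport")


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside known ranges is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def analyse(flows: Iterable[Flow], baseline_ot_devices: Set[str]) -> List[Tuple[str, str]]:
    """Return (category, message) alerts for a batch of flow records.

    Categories: 'boundary' (cross-zone flow outside the permitted conduits),
    'vnc' (VNC towards an OT asset) and 'new_device' (OT-range address that is
    not in the asset baseline, reported once per address).
    """
    alerts: List[Tuple[str, str]] = []
    reported_new: Set[str] = set()
    for flow in flows:
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if src_zone != dst_zone and (src_zone, dst_zone, flow.dport) not in ALLOWED_CONDUITS:
            alerts.append(("boundary", f"{src_zone}->{dst_zone} {flow.src} -> "
                                       f"{flow.dst}:{flow.dport} is not a permitted conduit"))
        if dst_zone == "OT" and flow.dport in VNC_PORTS:
            alerts.append(("vnc", f"VNC towards OT asset {flow.dst} from {flow.src} ({src_zone})"))
        for ip, zone in ((flow.src, src_zone), (flow.dst, dst_zone)):
            if zone == "OT" and ip not in baseline_ot_devices and ip not in reported_new:
                reported_new.add(ip)
                alerts.append(("new_device", f"OT address {ip} is not in the asset baseline"))
    return alerts


def summarize(alerts: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count alerts per category, e.g. for a dashboard tile."""
    counts: Dict[str, int] = {}
    for category, _ in alerts:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed: OT assets observed during the baselining window.
BASELINE_OT_DEVICES = {"10.20.5.7", "10.20.5.20"}

# Constructed flow records (source, destination, destination port).
SAMPLE_FLOWS = [
    Flow("10.10.2.15", "10.20.1.10", 443),    # user -> historian web: permitted
    Flow("10.20.1.10", "10.20.5.7", 502),     # historian -> PLC Modbus: permitted
    Flow("10.10.2.15", "10.20.5.7", 502),     # IT host straight to a PLC: violation
    Flow("10.10.3.44", "10.20.5.20", 5900),   # IT host VNC to an HMI: violation and vnc
    Flow("10.20.5.99", "10.20.5.7", 502),     # unknown OT-range host polling a PLC: new device
    Flow("10.20.5.7", "203.0.113.9", 443),    # PLC talking to the internet: violation
]

if __name__ == "__main__":
    for category, message in analyse(SAMPLE_FLOWS, BASELINE_OT_DEVICES):
        print(f"[{category}] {message}")
```

Note that the last sample flow is caught by the same rule as the first violation: a PLC reaching an external address is an OT-to-EXTERNAL crossing with no permitted conduit, which is exactly the outbound C2 or proxy traffic the mapping table attributes to T0884.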

Mitigation

Securing ICS environments requires a combination of traditional IT security practices and OT-specific controls.

  1. Network Segmentation (M0930): The most critical defense is robust network segmentation. The OT network must be strictly isolated from the IT network and the internet. A properly configured DMZ should mediate any required communication between the two environments.

  2. Remove Exposed Assets: Do not expose HMIs, PLCs, or other OT devices directly to the internet. Use a secure remote access solution, such as a VPN with MFA, for any required external access.

  3. Vulnerability Management (M0916 Vulnerability Scanning, M0951 Update Software): While patching is harder in OT environments, a risk-based vulnerability management program is essential. Identify and prioritize patching for critical vulnerabilities, especially on systems that bridge the IT/OT divide.

  4. User Account Management (M0918): Apply the principle of least privilege. Do not use shared or default passwords on OT devices. Ensure engineers and operators have only the access they need to perform their roles.

Timeline of Events

January 16, 2026: This article was published.

Article Updates

February 2, 2026

A Forescout report reveals an 84% surge in attacks on OT protocols; 71% of the exploited vulnerabilities it observed were not in the CISA KEV catalog, which complicates defense.

D3FEND Defensive Countermeasures

The most fundamental and effective defense for OT environments is robust Network Isolation (D3-NI). The OT network, which controls physical processes, must be strictly separated from the corporate IT network. This is achieved with a DMZ (Demilitarized Zone) architecture and firewalls at the boundary. All traffic between IT and OT must pass through this DMZ and be subject to strict inspection and access control. Direct connections from the internet to any OT device should be forbidden. This segmentation ensures that a compromise of the IT network does not automatically grant an attacker access to the OT environment, containing the threat and preventing physical disruption.

To detect threats that have bypassed perimeter defenses, organizations need deep visibility into the OT network itself. This is achieved by deploying a passive OT network monitoring solution that performs Network Traffic Analysis (D3-NTA). These tools understand industrial protocols (e.g., Modbus, DNP3, S7) and baseline normal communication patterns. They can then alert on anomalous or malicious activity, such as an unauthorized workstation attempting to program a PLC, a device communicating with a known-malicious IP, or the use of function codes that could shut down a process. This provides early warning of an intrusion and lets operators respond before a physical impact occurs.

Platform Hardening (D3-PH) is critical for reducing the attack surface of OT devices. First, change all default passwords on HMIs, PLCs, and network devices. Second, disable unused ports and services on these devices. Third, remove or secure any internet-exposed HMIs or SCADA systems immediately: external access should be possible only through an MFA-protected VPN that terminates outside the OT network (in the IT network or, better, the IT/OT DMZ), with separately controlled access from there into the OT environment. Hardening these devices makes it significantly harder for attackers to gain an initial foothold or move laterally within the OT network.

Sources & References (as first published)

Cyber Threat Actors Ramp Up Attacks on Industrial Environments. Infosecurity Magazine (infosecurity-magazine.com), January 15, 2026.
Cyber Threats Loom Over 2026 Winter Olympics. Dark Reading (darkreading.com), January 15, 2026.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

ICS, OT Security, SCADA, HMI, Critical Infrastructure, Ransomware, Cyble
