Attacks on SCADA systems: analysis of water treatment plant hacks and a detection playbook for OT networks

Depov

In January 2024 the hacktivist group CARR (Cyber Army of Russia Reborn), which Mandiant in April 2024 linked to APT44/Sandworm, got into the water control systems of Muleshoe, Texas, less than 40 miles from Cannon Air Force Base, which hosts a US Air Force special operations command. The attackers reconfigured control parameters and caused a water tower to overflow. The same method hit the neighboring towns of Abernathy, Hale Center and Lockney, and the group published video of its interaction with the HMI panels. No zero-day, no custom exploit: they simply came in over VNC with default credentials.



According to Informzashita, in the first half of 2025 the number of attacks on SCADA systems grew by 27% compared to the same period of the previous year. The sharpest growth was in the energy sector (+38%) and in the chemical and petrochemical industries (+17%).



Kill chain of attacks on water treatment plants: from reconnaissance to process manipulation
Attacks on the SCADA systems of water treatment plants follow a logic that maps onto MITRE ATT&CK. Each stage has a specific vector and a specific detection focus for the SOC.



Initial Access: how attackers get into the OT network
Three vectors recorded in real incidents:



Default accounts (T1078.001, Initial Access / Persistence / Privilege Escalation). According to the EPA, more than 70% of the water systems inspected since September 2023 violate the cybersecurity requirements of the Safe Drinking Water Act: unchanged default passwords, no MFA, no least privilege. When an HMI sits behind a default password and is reachable over VNC, the attacker does not need an exploit. This is how CARR got into the Muleshoe system.



Detection: monitor successful authentications to HMI/SCADA servers from atypical IP addresses. Alert on the use of default accounts: admin/admin, administrator/password and the vendor-specific defaults of Siemens, Schneider Electric and Rockwell.



External Remote Services (T1133, Initial Access / Persistence). VNC, RDP, TeamViewer: the standard kit for remote access by process engineers. People's Cyber Army and Z-Pentest have deliberately scanned VNC servers, proprietary water-management software and firewalls for vulnerabilities. In the incident at the water treatment plant in Oldsmar (Florida, February 2021), according to the initial statement of the Pinellas County Sheriff, an unknown person connected to the operator's HMI via TeamViewer and began changing settings in front of the duty operator: the sodium hydroxide concentration was raised from the normal ~100 ppm to 11,100 ppm. The operator noticed the cursor moving and rolled the changes back. Later, in 2023, a Cyber Florida report called the external intrusion into question, leaning towards operator error.



(Worth noting: Oldsmar is one of the most controversial cases in the history of OT incidents. The sheriff said one thing, the investigation showed another. But the very fact that an operator could watch the cursor move across the screen is the reality of many water treatment plants with TeamViewer exposed.)



Detection: baseline the authorized remote-access sessions: IP ranges, time windows, duration. A VNC/RDP connection from outside the allowlist is an alert with critical priority.



Exploit Public-Facing Application (T1190, Initial Access). PLC web interfaces, HMI panels with HTTP access, MQTT brokers without authentication. A Shodan query for port:502 (Modbus TCP) returns thousands of devices. Siemens S7-1200/1500 PLCs ship with a built-in web server; the attacker obtains configuration data before any authentication.



Detection: monitor external connections to industrial protocol ports: 502 (Modbus TCP), 102 (S7comm), 44818 (EtherNet/IP), 20000 (DNP3). Correlation rule: if the source IP is not in the internal OT subnet and the destination port is in this list, it is an incident.



Discovery and Impact: what happens after intrusion
Once inside, the attacker scans the subnet for PLCs and HMIs: Network Service Discovery (T1046). In an OT network this is more noticeable than in IT: industrial devices do not tolerate intensive scanning, and normal Modbus traffic is predictable and cyclical.



Next comes impact:



Transmitted Data Manipulation (T1565.002, Impact). The attacker sends write commands to the PLC registers. In Modbus terms these are function codes FC5 (Write Single Coil), FC6 (Write Single Register), FC15 (Write Multiple Coils) and FC16 (Write Multiple Registers). Through writes, the setpoints of the process change: reagent concentration, pressure, flow.



Service Stop (T1489, Impact). Forced shutdown of processes, from stopping pumping stations to disabling whole systems. At the Arkansas City Water Treatment Facility (September 2024) the facility switched to manual control, although according to the city authorities the water supply was formally never interrupted.



Data Destruction (T1485, Impact). Wiper attacks on SCADA servers and historian databases. In August 2021, at a wastewater treatment facility in Maine, ZuCaNo ransomware was deployed through remote access to a SCADA computer, according to CISA advisory AA21-287A.



APT groups targeting ICS: SCADA APT attacks in detail
Russian affiliates. Sandworm (Military Unit 74455, GTsST of the GRU). CARR is a Sandworm-linked group that acts more crudely and takes more risk. According to Mandiant, CARR is a hacktivist persona that Sandworm uses for deniable operations. Results of the attacks: reconfiguration of control parameters and changing of administrative passwords to lock out legitimate operators.



Iranian affiliates. CyberAv3ngers is a group affiliated with the IRGC (Islamic Revolutionary Guard Corps). It targets Israeli-made PLCs (Unitronics): "Every equipment 'made in Israel' is CyberAv3ngers legal target." Beyond opportunistic attacks, the group uses custom IOCONTROL malware to get into water systems and gas stations.



Chinese affiliates. Volt Typhoon: pre-positioning. In early 2024 it emerged that the group had maintained access to critical infrastructure for at least five years. Tactics: living off the land, a minimum of its own tools, a maximum of built-in utilities. BlackTech attacks the firewalls of remote offices to get into large networks and escalates until it has full administrative control.



Here is what stands out: CARR and CyberAv3ngers use primitive methods, default passwords and exposed VNC. Volt Typhoon sat in infrastructure for five years using only standard OS utilities. Two poles: noisy hacktivism and quiet pre-positioning. Detecting the first is trivial (if there is any monitoring at all). Detecting the second is a different job.



How OT threats differ from IT: industrial cybersecurity at the protocol level
This section is for those who come from IT security and try to apply the usual approaches in an OT environment. Spoiler: most of them don't work.



Industrial protocols such as Modbus and DNP3 have no built-in authentication. Modbus, designed in 1979, and its TCP encapsulation provide neither authentication nor encryption. Any device that can form a well-formed TCP segment to port 502 with a valid function code is treated by the PLC as a legitimate master. FC6 (Write Single Register) changes a process setting with no password, no token and no logging at the protocol level. DNP3 Secure Authentication (SA) exists but is deployed only at isolated sites. A significant part of the communication at the field-device level runs over serial/analog (non-IP) interfaces, RS-485 and 4-20 mA current loops, which standard network monitoring does not cover at all.



Put simply, Modbus is a protocol from an era when nobody was thinking about network attacks. It trusts everyone. Always.



Patching cannot be done the usual way. A PLC that controls water chlorination is not rebooted on a schedule; stopping the process is a real threat to human health. Patch management in OT: test the update on a test bench → a service window once a quarter or less often → update with a manual rollback ready. Many SCADA servers still run Windows XP/7/Server 2008, for which patches are no longer available.



The baseline has a different scale. In IT, baseline network traffic is thousands of different connections every minute. In OT, baseline Modbus traffic between master and slave is predictable down to the specific function code and register address. A normal cycle: every 500 ms the master sends FC3 (Read Holding Registers) for registers 0x0000-0x000F. The appearance of FC16 (Write Multiple Registers) from a new IP is an anomaly. But detecting it requires DPI at the industrial-protocol level, not standard NetFlow.
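To make the port-correlation rule from the Initial Access section and the FC3/FC16 baseline above concrete, here is an added Python example (not from the original post) that decodes the MBAP header of Modbus TCP requests and scores them against a hypothetical OT subnet and master/slave baseline; the IPs, the baseline table and all frames are constructed.

```python
import struct
from ipaddress import ip_address, ip_network

OT_NET = ip_network("10.20.0.0/24")                 # hypothetical OT subnet
ICS_PORTS = {502, 102, 44818, 20000}                # Modbus TCP, S7comm, EtherNet/IP, DNP3
WRITE_FCS = {5, 6, 15, 16}                          # coil/register write function codes
# Constructed baseline: (master, slave) -> allowed function codes, polled register window
BASELINE = {("10.20.0.10", "10.20.0.50"): ({3}, range(0x0000, 0x0010))}

def mb_frame(unit: int, fc: int, *words: int) -> bytes:
    """Build a constructed Modbus TCP request: MBAP header + PDU of 16-bit fields."""
    pdu = struct.pack(">B", fc) + b"".join(struct.pack(">H", w) for w in words)
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu

def parse_modbus(payload: bytes) -> dict:
    """Decode the MBAP header, function code and starting address of a request."""
    _tid, pid, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if pid != 0 or length != len(payload) - 6:
        raise ValueError("malformed Modbus TCP frame")
    addr = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return {"unit": unit, "fc": fc, "addr": addr}

def check_packet(src: str, dst: str, dport: int, payload: bytes) -> list:
    """Return the alerts one request raises against the subnet and baseline rules."""
    alerts = []
    if dport in ICS_PORTS and ip_address(src) not in OT_NET:
        alerts.append(f"CRITICAL external source {src} -> {dst}:{dport}")
    if dport != 502:
        return alerts                                # only Modbus is decoded here
    req = parse_modbus(payload)
    fcs, regs = BASELINE.get((src, dst), (set(), range(0)))
    if req["fc"] in WRITE_FCS and req["fc"] not in fcs:
        alerts.append(f"HIGH unbaselined write FC{req['fc']} {src} -> {dst} reg {req['addr']}")
    elif req["fc"] not in fcs:
        alerts.append(f"MEDIUM unbaselined FC{req['fc']} {src} -> {dst}")
    elif req["addr"] is not None and req["addr"] not in regs:
        alerts.append(f"MEDIUM FC{req['fc']} outside baselined register window: {req['addr']}")
    return alerts

def demo() -> dict:
    """Four constructed requests against the baseline; returns {case: alerts}."""
    master, slave, ext = "10.20.0.10", "10.20.0.50", "203.0.113.5"
    write = mb_frame(1, 6, 0x0004, 0x2B5C)          # FC6 Write Single Register
    return {"baseline_read": check_packet(master, slave, 502, mb_frame(1, 3, 0x0000, 0x0010)),
            "read_outside_window": check_packet(master, slave, 502, mb_frame(1, 3, 0x0100, 0x0002)),
            "master_writes": check_packet(master, slave, 502, write),
            "external_write": check_packet(ext, slave, 502, write)}
```

The same write from the baselined master and from an external host produce different alert sets, which is the point of keeping the baseline per (master, slave) pair rather than per function code alone.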



And here is the paradox: the predictability of OT traffic is at once a weakness (a legitimate request is easy to forge) and a strength (any deviation is visible, if anyone is looking).



IDS/IPS in the OT segment runs in passive mode only. Active traffic blocking in an industrial network can cause an emergency process stop. Suricata/Snort in OT is deployed on a SPAN port in IDS mode, not IPS. In IT, inline blocking is the norm; in OT it is a direct route to an accident.



Insider threat: compromised engineering workstations in OT
According to Informzashita, in a number of cases Russian enterprises recorded actions by internal violators causing multimillion-dollar damage.



The engineering workstation is a Windows machine with PLC programming software: TIA Portal for Siemens, Studio 5000 for Rockwell, EcoStruxure for Schneider Electric. It has legitimate access to the registers, and downloading programs to the PLC is its normal function. Compromising it via phishing or an infected USB drive gives the attacker full access to the process without having to bypass network segmentation.



This is the most unpleasant vector. The engineering workstation is by definition a trusted host; it is supposed to write to PLC registers. Distinguishing a legitimate program download from a malicious one at the network level is impossible without context.



Detection: monitor program downloads to the PLC. Every download is recorded: who, when, from which host, which project was loaded. If TIA Portal initiates a program download at 2:00 am from an engineering workstation that normally works from 8:00 to 18:00, that is an alert.
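The three detections described so far (default-account use, remote-access sessions from outside the allowlist, off-hours program downloads from the engineering workstation) as one added Python example, not from the original post; the hosts, IPs, baseline and log lines are constructed, and the key=value log layout is a hypothetical one.

```python
import re
from datetime import datetime, time

KV = re.compile(r"(\w+)=(\S+)")
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest"}    # vendor-neutral defaults
# Constructed baseline per host: allowed remote sources and the hours in which activity is normal
BASELINE = {
    "EWS-01": {"sources": set(), "window": (time(8, 0), time(18, 0))},          # engineering workstation
    "HMI-02": {"sources": {"10.30.5.12"}, "window": (time(7, 0), time(20, 0))},  # reachable via jump host only
}
# Constructed log lines in the shape '<ISO timestamp> key=value ...'
SAMPLE_LOG = """\
2025-03-04T02:13:44 host=EWS-01 user=eng1 action=plc_download target=PLC-CHLOR-1 project=chlor_v12
2025-03-04T10:21:00 host=EWS-01 user=eng1 action=plc_download target=PLC-CHLOR-1 project=chlor_v13
2025-03-04T09:00:02 host=HMI-02 user=oper3 action=remote_login src=10.30.5.12 proto=rdp
2025-03-04T11:05:12 host=HMI-02 user=admin action=remote_login src=198.51.100.7 proto=vnc"""

def parse_line(line: str) -> dict:
    """Split off the timestamp, then collect key=value pairs; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    event = dict(KV.findall(rest))
    event["ts"] = datetime.fromisoformat(ts)
    return event

def evaluate(event: dict) -> list:
    """Apply three rules: default account used, remote login from an unlisted source,
    PLC program download outside the host's baselined hours."""
    host, alerts = event.get("host"), []
    base = BASELINE.get(host)
    if base is None:
        return [f"HIGH unknown host {host}"]           # not in the asset inventory
    start, end = base["window"]
    if event.get("user", "").lower() in DEFAULT_ACCOUNTS:
        alerts.append(f"HIGH default account '{event['user']}' used on {host}")
    if event.get("action") == "remote_login" and event.get("src") not in base["sources"]:
        alerts.append(f"CRITICAL remote login to {host} from unlisted source {event.get('src')}")
    if event.get("action") == "plc_download" and not start <= event["ts"].time() <= end:
        alerts.append(f"HIGH PLC program download from {host} at {event['ts']:%H:%M}, "
                      f"baseline hours {start:%H:%M}-{end:%H:%M}")
    return alerts

def run(log: str = SAMPLE_LOG) -> dict:
    """Return {line_no: alerts} for every log line that raised at least one alert."""
    hits = {}
    for n, line in enumerate(log.splitlines(), 1):
        alerts = evaluate(parse_line(line))
        if alerts:
            hits[n] = alerts
    return hits
```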



The second scenario is an operator with legitimate HMI access. Countermeasure: two-factor authorization of critical operations (setpoint changes, PLC program downloads) at the SCADA-server level, not only at the network-access level. According to Darktrace, insider threats bypass many standard protective measures because they operate within legitimate privileges.

Baseline: what to capture in the first week
When deploying monitoring, the first task is a baseline of normal traffic:



A list of all IPs in the OT subnets and their roles: PLC, HMI, SCADA server, historian, engineering workstation
Normal communication pairs: which master polls which slave, at what frequency, with which function codes
Time windows of regular write operations (FC5/6/15/16), usually only by manual operator action or automatic control adjustments
Normal remote-access sessions: source, destination, time, duration
This baseline is the foundation of all detection rules. Without it, OT monitoring will drown in false positives. In practice a week is the minimum; at facilities with seasonal modes (water treatment, heat supply) a full baseline takes a quarter to assemble.



Hardening checklist for the critical information infrastructure (CII) operator
A ready list of actions mapped to NIST CSF v2.0:



Inventory of OT assets (ID.AM-01). A complete list of PLCs, HMIs, SCADA servers, switches and remote-access points. Include serial interfaces: Modbus RTU over RS-485 is no less critical than Modbus TCP.
Change all default accounts (PR.AA-01). Go through the inventory: for each device, check the vendor documentation for default credentials and replace them.
IT/OT segmentation according to the Purdue Model. A DMZ (Level 3.5) between the corporate network (Levels 4-5) and the process network (Levels 0-3). Through the DMZ, only data replication and remote access via a jump host with MFA. Direct IT-to-OT connections are prohibited.
Disable unused services on PLCs. Built-in web server: disable if not required. SNMP v1/v2c: replace with v3 or deactivate. FTP/Telnet: replace with SFTP/SSH.
Passive monitoring of OT traffic (DE.AE-01). SPAN port on the OT-segment switch → IDS with industrial-protocol support. Tools: Suricata with rules for Modbus/S7comm/DNP3; specialized solutions: Claroty, Dragos Platform, Nozomi Networks.
Two-factor authorization of critical operations. Changing setpoints, downloading programs to the PLC, changing the network configuration: only with confirmation and logging.
Offline backups of PLC configurations and SCADA projects. Store them in isolation and test restoration quarterly.
Manual control procedure (RC.CO-01). If SCADA is unavailable, operators must be able to run the process manually. Regular drills on switching to manual mode.
Audit of all remote-access points. VPN concentrators, TeamViewer/AnyDesk, cellular modems at remote substations: in the inventory, under monitoring, from allowlisted sources only.
Risk and Resilience Assessments. The EPA found that many operators had not even performed the mandatory RRA and Emergency Response Plans. In the Russian context, the analogous requirements are those of 187-FZ on the security of CII.
The cost of delay is concrete: according to IBM Cost of a Data Breach 2024, the average cost of a data breach in the industrial sector was $5.56 million, up 18% from 2023, the largest increase of all industries studied.



Four years of OT infrastructure audits show one pattern: the main vector of attacks on SCADA systems is not zero-days and not sophisticated APT tooling. It is default passwords, exposed VNC and the absence of segmentation. CARR and CyberAv3ngers use nothing technically complex; they exploit what the operators left open. Sandworm delegates the dirty work to CARR while itself pre-positioning for large-scale scenarios. Volt Typhoon sits in infrastructure for five years and is discovered by chance.



The most uncomfortable truth: most water treatment plants have no one permanently responsible for the cybersecurity of the OT segment. According to CISA, only 20% of water systems in the United States have implemented basic protection measures. In Russia, 187-FZ imposes the obligations, but formal compliance and real security are different things, as anyone who has audited a CII facility knows.