Introduction
The theoretical risks of ICS attacks became an undeniable reality through a series of high-profile incidents that demonstrated the devastating potential of cyber-physical attacks. These case studies are not historical curiosities—they are blueprints that adversaries continue to refine and that defenders must study to understand what AI-driven detection systems need to catch.
Each attack reveals different aspects of the ICS security challenge: the sophistication of nation-state operations, the vulnerability of critical infrastructure to unsophisticated attacks, and the cascading economic impacts of OT disruption.
Ukraine Power Grid Attacks
In December 2015, attackers attributed to the Russian military intelligence agency (GRU) compromised three Ukrainian power distribution companies, causing power outages for approximately 230,000 customers. The attackers used spear-phishing emails with BlackEnergy malware to gain initial access to IT networks, then pivoted through VPN connections into the OT environment over a period of six months.
The 2016 follow-up attack on Kyiv's power grid used a more sophisticated approach. The Industroyer/CrashOverride malware was purpose-built to communicate directly with power grid equipment using ICS protocols (IEC 101, IEC 104, IEC 61850, OPC DA). This was only the second known malware after Stuxnet designed specifically to interact with industrial equipment.
Key Lesson: The Ukraine attacks demonstrated that air-gapping is an illusion when VPN connections, vendor access, and IT/OT convergence create pathways between networks. AI-powered behavioral monitoring could have detected the six-month reconnaissance period and the anomalous ICS protocol commands during the actual attack.
Oldsmar Water Treatment Attack
In February 2021, an attacker remotely accessed the SCADA system of the Oldsmar, Florida water treatment plant through TeamViewer and attempted to increase sodium hydroxide (lye) levels from 100 parts per million to 11,100 parts per million—a 111-fold increase that could have poisoned the water supply of approximately 15,000 residents.
The attack was detected by a plant operator who noticed the mouse cursor moving on the HMI screen and saw the sodium hydroxide level being changed. The operator immediately reversed the change. While this incident was unsophisticated—exploiting shared TeamViewer credentials on an internet-facing system—it highlighted the terrifying simplicity of attacking unprotected water infrastructure.
- Attack Vector: Remote desktop software (TeamViewer) with shared credentials, directly accessible from the internet
- Detection Method: Visual observation by an alert operator—no automated detection was in place
- Root Causes: Shared passwords, no multi-factor authentication, no network segmentation, outdated Windows 7 systems
- AI Opportunity: ML-based process anomaly detection would have flagged a 111x change in chemical dosing as extreme deviation from baseline
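The process anomaly check described in the AI Opportunity bullet, as an added example written for this page (not code from the original article or from the Oldsmar utility): each HMI setpoint write is scored against a baseline learned from historical values and against a hard process limit. The tag name, timestamps, history values and the 200 ppm limit are constructed assumptions.

```python
"""Process-variable anomaly check over HMI setpoint writes (added example).
Constructed data mirrors the Oldsmar sequence: a sodium hydroxide dosing
setpoint that normally sits near 100 ppm is written to 11,100 ppm. Each write
is tested against a learned baseline and a hard process limit; the limit is
an assumed engineering figure for this example, not one from the incident."""
from dataclasses import dataclass
from statistics import median

@dataclass
class SetpointWrite:
    timestamp: str   # ISO-8601 text, constructed
    tag: str         # HMI tag name, constructed
    value: float     # requested setpoint in ppm

def baseline(history):
    """Median and median absolute deviation (MAD) of historical setpoints;
    MAD is used so a few earlier outliers cannot inflate the scale."""
    med = median(history)
    mad = median(abs(v - med) for v in history) or 1.0  # never divide by zero
    return med, mad

def check_write(write, med, mad, hard_limit, z_threshold=5.0):
    """Return the reasons a write is anomalous (empty list if normal)."""
    reasons = []
    z = 0.6745 * (write.value - med) / mad   # MAD-based robust z-score
    if abs(z) > z_threshold:
        reasons.append(f"deviation z={z:.1f} from baseline {med:.0f} ppm")
    if write.value > hard_limit:  # physical limit, independent of statistics
        reasons.append(f"exceeds hard limit {hard_limit:.0f} ppm")
    return reasons

def detect(history, writes, hard_limit):
    """Pair each anomalous write with its reasons; normal writes are dropped."""
    med, mad = baseline(history)
    checked = ((w, check_write(w, med, mad, hard_limit)) for w in writes)
    return [(w, reasons) for w, reasons in checked if reasons]

# Constructed history of normal setpoints and two incoming writes to score.
HISTORY = [98.0, 101.0, 100.0, 99.5, 100.5, 102.0, 99.0, 100.0, 101.5, 98.5]
WRITES = [
    SetpointWrite("2021-02-05T08:00:00", "NaOH_Setpoint_ppm", 101.0),
    SetpointWrite("2021-02-05T13:30:00", "NaOH_Setpoint_ppm", 11100.0),
]
HARD_LIMIT_PPM = 200.0   # assumed engineering limit for this example

if __name__ == "__main__":
    for w, reasons in detect(HISTORY, WRITES, HARD_LIMIT_PPM):
        print(w.timestamp, w.tag, w.value, "; ".join(reasons))
```

The hard limit fires even if an attacker has slowly poisoned the statistical baseline beforehand, which is why the two checks are kept independent.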
Colonial Pipeline Incident
In May 2021, the DarkSide ransomware group compromised Colonial Pipeline, which operates the largest fuel pipeline system in the United States, transporting 2.5 million barrels per day across 5,500 miles. The company preemptively shut down pipeline operations for six days, causing fuel shortages, panic buying, and emergency declarations across the southeastern United States.
Critically, the ransomware only affected the IT billing systems—OT systems were not directly compromised. Colonial shut down operations because it could not bill customers and feared the ransomware might spread to OT networks. This highlights a key lesson: IT/OT interdependencies mean that an IT compromise can cause OT shutdowns even without directly attacking operational systems.
- Initial Access: Compromised VPN password (no MFA) found in a dark web credentials dump
- Impact: Six-day shutdown of 45% of US East Coast fuel supply, $4.4 million ransom paid (partially recovered by FBI)
- Cascade Effect: Fuel shortages at 11,000+ gas stations, flight disruptions, emergency government waivers for fuel transport
- Lesson: IT/OT segmentation and billing systems decoupled from pipeline operations could have prevented the operational shutdown
These three incidents collectively illustrate that ICS attacks are not theoretical—they cause real-world physical consequences. AI-driven security monitoring, proper network segmentation, and strong authentication are essential safeguards that could have detected or prevented each of these attacks.