Since IBM X-Force published its report, “Security Attacks on Industrial Control Systems,” last year, we have observed a startling increase in the number of attacks against these systems.

Attacks Against Industrial Control Systems Increasing

According to IBM Managed Security Services (MSS) data, attacks targeting industrial control systems (ICS) increased over 110 percent in 2016 over last year’s numbers, as of Nov. 30.

Specifically, the spike in ICS traffic was related to SCADA brute-force attacks, which use automation to guess default or weak passwords. Once broken, attackers can remotely monitor or control connected SCADA devices.

In January 2016, GitHub released a penetration testing solution that contained a brute-force tool that can be used against Modbus, a serial communication protocol. The public release and subsequent use of this tool by various unknown actors likely led to the rise in malicious activity against ICS in the past 12 months.

U.S.-based actors accounted for the majority of ICS attacks in 2016. This was not surprising, since the U.S. has the largest presence of internet-connected ICS systems in the world.


The U.S. was also the largest target of ICS-based attacks in 2016, primarily because, once again, it has a larger ICS presence than any other country at this time.


Notable Recent ICS Attacks

ICS attacks, like other types of cyberthreats, have been increasing in scale and sophistication over the past few years. The rise is linked with the growing connectivity of industrial systems. Let’s review a few high-profile cases reported over the last year from different parts of the world:

ICS Malware Targets European Energy Company

The SFG malware, discovered in June 2016 on the networks of a European energy company, created a backdoor on targeted industrial control systems. The backdoor delivered a payload that was “used to extract data from or potentially shut down the energy grid,” according to security researchers at SentinelOne Labs, as reported by The Register.

The Windows-based SFG malware is designed to bypass traditional antivirus software and firewalls. It contains all the hallmarks of a nation-state attack, likely of Eastern European origin.

New York Dam Attack

In March 2016, the U.S. Justice Department claimed that Iran had attacked U.S. infrastructure by infiltrating the industrial controls of a dam in Rye Brook, New York. The attackers compromised the dam’s command-and-control (C&C) system in 2013 using a cellular modem.

This is troubling because it represents one of the first major efforts of a foreign government entity to commandeer U.S. infrastructure. Although the attack happened in 2013, it wasn’t reported or attributed until 2016.

Ukrainian Power Outage

In December 2015, a power company located in western Ukraine suffered a power outage that impacted a large area that included the regional capital of Ivano-Frankivsk, Reuters reported. Investigatiors discovered that cybercriminals had faciliated the outage by using BlackEnergy malware to exploit the macros in Microsoft Excel documents. The bug was planted into the company’s network using spear phishing emails.

These three attacks succeeded primarily due to the lack of situational awareness by both the employees and management of the firms in question. This is not surprising, given the increase of automation and internet connectivity within the industrial world.

Mitigating Risk to ICS

Government and private institutions around the world are starting to focus on mitigating risk to ICS. Cybercriminals are developing new threats on a daily basis that can, and eventually will, result in catastrophic utility outages.

The threat to ICS permeates across a nation’s entire economy and infrastructure. Organizations across all verticals must take full responsibility for protecting their own assets and consumers. There should be no exceptions, since the best way to keep adversaries out of an ICS is to implement simple safeguards, best practices and risk management solutions. You can download ICS-specific resources from government entities like the National Institute of Standards and Technology (NIST), which also offers network protection advice for connected things in the industrial realms.

For more information on protecting ICS from rising threats while continuing to enable technological advancements, read IBM X-Force’s research report, “Security Attacks on Industrial Control Systems.” The report looks at the history of ICS, the susceptibility of these systems to certain attacks and ways to defend those systems.

More from Energy & Utility

Today’s Biggest Threats Against the Energy Grid

2 min read - Without the U.S. energy grid, life as we know it simply grinds to a halt. Businesses can’t serve customers. Homes don’t have power. Traffic lights no longer work. We depend on the grid operating reliably each and every day for business and personal tasks. That makes it even more crucial to defend our energy grid from modern threats. Physical Threats to the Energy Grid Since day one, the grid has been vulnerable from a physical perspective. Storms knocking the grid…

2 min read

2022 Industry Threat Recap: Energy

3 min read - In 2022, 10.7% of observed cyberattacks targeted the energy industry, according to the X-Force Threat Intelligence Index 2023. This puts energy in fourth place overall — the same as the year prior and behind manufacturing, finance and insurance and professional and business services. The report notes that this reduction in total cyberattacks may be partly tied to pushback from highly public breaches in 2021, such as the Colonial Pipeline attack. Despite the overall drop in threats, however, the industry remains…

3 min read

X-Force 2022 Insights: An Expanding OT Threat Landscape

9 min read - This post was written with contributions from Dave McMillen. So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape is expanding dramatically and OT asset owners and operators, all of whom understand the need to keep critical infrastructures running safely, need to be aware…

9 min read

One Year After the Colonial Pipeline Attack, Regulation Is Still a Problem

3 min read - The Colonial Pipeline cyberattack is still causing ripples. Some of these federal mandates may mark major changes for operational technology (OT) cybersecurity. The privately held Colonial Pipeline company, which provides nearly half of the fuel used by the East Coast — gasoline, heating oil, jet fuel and fuel for the military totaling around 100 million gallons a day — was hit by a double-extortion ransomware attack by a DarkSide group in May of 2021.  In reaction, the company shut down…

3 min read