The 7 Most Common ICS Attack Vectors Targeting North American Critical Infrastructure
Industrial control system attacks are not random. Adversaries targeting North American critical infrastructure are methodical. They research their targets, identify the weakest entry point, and move through the environment deliberately - often dwelling in a network for weeks or months before triggering an operational impact.
Understanding which attack vectors are actually being used against facilities like yours is not an academic exercise. It is the most direct input into prioritizing your OT security investments. You do not need to defend against every possible threat equally. You need to close the pathways that are actively being exploited against your sector.
This post covers the seven attack vectors that appear most consistently in ICS/OT incident data across North American critical infrastructure in 2024 and 2025. For each one, we describe how it works in an OT environment, which sectors are most exposed, and the specific controls that prevent, detect, and contain it.
Ransomware attacks on industrial organizations increased 87% in 2024, with 1,693 documented incidents targeting OT environments globally. Manufacturing, energy, and oil and gas were the three most targeted sectors. In the majority of confirmed cases, the initial access vector was either a phishing email to an IT/OT-connected user or exploitation of an unpatched remote access pathway. Source: Dragos 2025 OT/ICS Cybersecurity Year in Review
The 7 ICS Attack Vectors at a Glance
| # | Attack Vector | Primary Entry Point | Most Affected Sectors |
|---|---|---|---|
| 1 | Spear-Phishing Targeting IT/OT Bridge Personnel | Corporate email to OT-connected workstations | All sectors - manufacturing, energy, utilities |
| 2 | Uncontrolled Remote Access and VPN Exploitation | Persistent vendor VPN, RDP, and unmanaged jump servers | Manufacturing, oil and gas, water/wastewater |
| 3 | Supply Chain Compromise via Third-Party Software and Firmware | OEM updates, integrator laptops, software patches | All sectors - highest consequence in energy and defense |
| 4 | IT/OT Convergence - Lateral Movement from the Corporate Network | Flat or weakly segmented IT/OT boundary | Manufacturing, utilities, critical infrastructure |
| 5 | Exposed HMI and SCADA Interfaces on the Public Internet | Directly internet-accessible ICS devices | Water/wastewater, oil and gas, small utilities |
| 6 | USB and Removable Media in Air-Gapped OT Environments | Contractor or engineer-introduced removable media | Nuclear, defense, high-security manufacturing |
| 7 | Insider Threats - Accidental and Malicious | Privileged access by current or former personnel | All sectors - most common in large facilities |
None of these vectors is novel. They have appeared in OT incident investigations repeatedly across sectors and geographies. What changes year over year is the sophistication with which they are combined. A 2024 ransomware campaign against a North American manufacturer used spear-phishing to gain IT access, lateral movement through a weak IT/OT boundary, and remote access credentials harvested from a compromised engineering workstation to deliver the ransomware payload directly to OT historian and SCADA servers.
The sections below cover each vector in detail.
Attack Vector 1: Spear-Phishing Targeting IT/OT Bridge Personnel
Phishing remains the most common initial access vector in OT incidents - not because it is technically sophisticated, but because it is reliable. In OT environments, the most valuable phishing targets are not IT administrators. They are the engineers, operators, and supervisors whose workstations have access to both corporate IT systems and OT control networks.
A spear-phishing email targeting a process engineer at a chemical plant is more dangerous than one targeting a corporate IT user, because the process engineer's workstation may have direct connectivity to Level 2 HMIs and engineering software. Compromising that workstation does not require any subsequent lateral movement to reach OT assets.
How it works in OT:
- Adversary researches the target facility: LinkedIn, company websites, and conference presentations frequently reveal the names, roles, and technology vendors used by OT personnel.
- Spear-phish delivered to IT/OT bridge user: Email contains a credential harvesting link or a malicious attachment that installs a remote access tool on the target workstation.
- Adversary assesses OT connectivity from compromised workstation: What OT systems can this workstation reach? What credentials are stored? What engineering software is installed?
- Lateral movement or direct OT access: Depending on network segmentation, the adversary either moves directly to OT or pivots through additional IT systems to reach it.
Priority controls:
- Application whitelisting on OT-connected workstations: Prevents malicious executable payloads from running, regardless of how they arrived.
- Network segmentation enforcement: Even if the workstation is compromised, enforced IT/OT segmentation limits what the adversary can reach from it.
- Security awareness training specific to OT roles: Generic phishing training is not sufficient. OT-connected personnel need training on the specific social engineering tactics used against targets in the industrial sector.
Attack Vector 2: Uncontrolled Remote Access and VPN Exploitation
Remote access is the attack vector that OT security assessments most consistently identify across every sector. The problem is structural: over the past decade, industrial organizations have expanded remote access to OT environments to support operational efficiency, including vendor maintenance, remote monitoring, and engineering support. The security controls applied to that access have not kept pace.
In a typical manufacturing or utility environment, vendor VPN connections have been active for years without regular review. Some connect to vendors who are no longer engaged. Others provide access to the entire OT network segment rather than to the specific assets the vendor needs access to. Credentials are often shared among vendor staff and have not been rotated in years.
How it works in OT:
- Adversary targets vendor or contractor with OT remote access: Vendors are softer targets than asset owners - smaller organizations with less security maturity but with direct access to high-value OT environments.
- VPN credentials are harvested through phishing or credential stuffing: Reused passwords and the absence of MFA make credential compromise straightforward.
- Adversary connects to OT network via legitimate remote access pathway: Because the connection uses valid credentials through an authorized pathway, it does not trigger perimeter-based detection.
- Adversary operates within the OT network at the access level of the compromised credential: Overly broad remote access permissions mean the adversary can reach far more of the OT environment than the legitimate vendor ever needs.
Priority controls:
- Secure access gateway with MFA: Every remote session must authenticate through a gateway that enforces MFA. No persistent VPN connections.
- Just-in-time access provisioning: Vendor access is activated for a specific time window and purpose, and automatically revoked when the session ends.
- Session recording: All remote sessions involving OT assets are recorded. This is both a deterrent and a forensic resource.
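The just-in-time and off-hours checks described above can be automated against the gateway's session log. This is an added example, not Arista Cyber code; the log line format and the JIT grant table are assumptions constructed for the example, and the sample sessions are constructed too.

```python
"""Audit OT remote-access session logs against just-in-time (JIT) vendor grants.

Added example (not Arista Cyber code). Assumes a gateway that logs one line per
session and a JIT grant table maintained by the OT security team; both the
log format and the grant schema are assumptions constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Grant:
    account: str        # vendor account approved for the window
    assets: frozenset   # OT assets the grant is scoped to
    start: datetime
    end: datetime
    ticket: str         # work order that justifies the access


# Constructed JIT grant: vendor "acme-svc" may reach PLC-12 for a 4-hour window.
GRANTS = [
    Grant("acme-svc", frozenset({"PLC-12"}),
          datetime(2025, 3, 4, 9, 0), datetime(2025, 3, 4, 13, 0), "WO-4471"),
]

# Constructed gateway log: "<timestamp> account=<a> asset=<target> mfa=<yes|no>"
SESSION_LOG = """\
2025-03-04T10:15:00 account=acme-svc asset=PLC-12 mfa=yes
2025-03-04T10:40:00 account=acme-svc asset=HIST-01 mfa=yes
2025-03-04T23:05:00 account=acme-svc asset=PLC-12 mfa=yes
2025-03-05T08:00:00 account=legacy-vpn asset=SCADA-02 mfa=no
"""


def parse_session(line):
    """Parse one gateway log line into a dict; the format is an assumption."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    return rec


def evaluate(session, grants=GRANTS):
    """Return a list of findings for one session (empty if compliant)."""
    findings = []
    if session["mfa"] != "yes":
        findings.append("no MFA")
    # A grant covers the session only if account, asset and time all match.
    matching = [g for g in grants
                if g.account == session["account"]
                and g.start <= session["time"] <= g.end]
    if not matching:
        findings.append("no active JIT grant")
    elif not any(session["asset"] in g.assets for g in matching):
        findings.append("asset outside grant scope")
    return findings


def audit(log=SESSION_LOG, grants=GRANTS):
    """Map each non-compliant session line to its findings."""
    results = {}
    for line in log.splitlines():
        findings = evaluate(parse_session(line), grants)
        if findings:
            results[line] = findings
    return results


if __name__ == "__main__":
    for line, findings in audit().items():
        print(f"{line}  ->  {', '.join(findings)}")
```

Every session that has no grant, touches an asset outside the grant, or skipped MFA is reported; the compliant first session produces nothing.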
Attack Vector 3: Supply Chain Compromise via Third-Party Software and Firmware
Supply chain attacks against OT environments exploit a fundamental trust relationship: that software and firmware delivered by authorized vendors is safe to install. When an adversary compromises an OT vendor's software supply chain, every customer who applies the compromised update becomes a target.
The SolarWinds compromise in 2020 demonstrated the IT side of this vector at scale. In OT environments, the equivalent risk comes through SCADA software updates, PLC firmware packages, and engineering tool updates distributed by ICS vendors. The 2022 Industroyer2 malware, used against Ukrainian energy infrastructure, was delivered through legitimate-looking update packages targeting specific ICS equipment.
How it works in OT:
- Adversary compromises the build or distribution process of an OT software or firmware vendor: The malicious payload is embedded in a legitimate, digitally signed update package.
- Asset owner applies the update through normal patch management processes: The compromise enters the OT environment as an authorized action.
- Payload executes and establishes persistence within the OT environment: Because it arrived via a trusted update mechanism, it is not flagged by signature-based detection tools.
Priority controls:
- Isolated update staging environment: All OT software and firmware updates are applied to a staging environment first, where behavioral monitoring can observe the update before it reaches production systems.
- File integrity monitoring on OT servers and engineering workstations: Detects unexpected file modifications or new executables that do not match authorized baseline configurations.
- Vendor security assessment requirements: CIP-013 for NERC CIP entities and IEC 62443-2-4 for all OT operators require documented supply chain security assessments. Contractually require vendors to notify you of security incidents affecting products you operate.
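The file integrity monitoring control above, as an added example that is not Arista Cyber code: it records a SHA-256 baseline of an application directory and, after an update, reports modified, new, and missing files, calling out new executables separately. The directory layout, file names and the `demo()` scenario are constructed for the example.

```python
"""File integrity check for an OT server or engineering workstation.

Added example (not Arista Cyber code). Hashes every file under a directory,
compares against a stored baseline, and reports modified, new and missing
files, flagging new executables separately. Paths are assumptions.
"""
import hashlib
import json
import os
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".ps1", ".bat")


def sha256_of(path):
    """Stream the file so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_of(full)
    return result


def save_baseline(root, baseline_path):
    """Write the authorized baseline; in practice store it off the monitored host."""
    with open(baseline_path, "w") as f:
        json.dump(snapshot(root), f, indent=2, sort_keys=True)


def compare(root, baseline_path):
    """Return findings: modified, new, new_executables, missing (sorted lists)."""
    with open(baseline_path) as f:
        baseline = json.load(f)
    current = snapshot(root)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    new = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    new_exec = [p for p in new if p.lower().endswith(EXECUTABLE_SUFFIXES)]
    return {"modified": modified, "new": new,
            "new_executables": new_exec, "missing": missing}


def demo():
    """Constructed scenario: baseline, then a changed binary and a dropped script."""
    with tempfile.TemporaryDirectory() as tmpdir:
        app = os.path.join(tmpdir, "scada")
        os.makedirs(app)
        with open(os.path.join(app, "hmi.exe"), "wb") as f:
            f.write(b"original build")
        with open(os.path.join(app, "config.ini"), "w") as f:
            f.write("poll=500\n")
        baseline = os.path.join(tmpdir, "baseline.json")
        save_baseline(app, baseline)
        # Simulated post-update state: binary replaced, unexpected script appears
        with open(os.path.join(app, "hmi.exe"), "wb") as f:
            f.write(b"modified build")
        with open(os.path.join(app, "update.ps1"), "w") as f:
            f.write("# unexpected\n")
        return compare(app, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```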
Attack Vector 4: IT/OT Convergence and Lateral Movement from the Corporate Network
The Colonial Pipeline incident in 2021 illustrated this vector more clearly than any security report could. The operator did not shut down the pipeline because OT systems were directly compromised. They shut it down because the IT network was compromised, and they lacked confidence in the integrity of the IT/OT boundary. That uncertainty - not a confirmed OT compromise - disrupted the US East Coast fuel supply for six days.
IT/OT lateral movement exploits the connections that exist between corporate IT networks and OT operational networks. In most industrial facilities, these connections are more extensive than the official network architecture suggests. Historians pulling data from OT systems, patch distribution servers pushing updates to OT endpoints, and shared Active Directory domains are all pathways from IT to OT that an adversary on the IT network can exploit.
Priority controls:
- Enforced Industrial DMZ at the IT/OT boundary: All data flows between IT and OT are brokered through a DMZ. No direct connections between IT endpoints and OT systems.
- OT-native network monitoring: Detection at the IT/OT boundary and within the OT network identifies lateral movement attempts before they reach critical control systems.
- Separate Active Directory domains or OT identity infrastructure: Shared AD means a compromise of domain administrator credentials in IT may provide access to OT-connected systems. A separate OT identity infrastructure eliminates this pathway.
Attack Vector 5: Exposed HMI and SCADA Interfaces on the Public Internet
This is the most preventable attack vector on this list and the one that continues to generate incidents that should not happen. Industrial control system devices - HMIs, SCADA servers, engineering workstations, and PLCs - that are directly accessible via the public internet are a persistent problem across North American critical infrastructure.
Shodan and similar search engines continuously index internet-accessible ICS devices. The devices found include water treatment plant HMIs, building management systems, pipeline monitoring interfaces, and generation control panels. Many have default credentials. Some have known, unpatched vulnerabilities. Access to these devices requires no sophistication - only a Shodan search and a browser.
How to identify your exposure:
- Conduct an external attack surface scan: Before assuming your OT assets are not internet-accessible, verify it. IT network changes, cloud connectivity additions, and vendor-installed remote monitoring equipment frequently add internet-facing exposure without the security team's knowledge.
- Audit firewall ingress and egress rules: Overly permissive inbound firewall rules are the most common cause of inadvertent internet exposure of OT assets.
- Check your third-party vendor connections: Vendors providing remote monitoring services sometimes install their own network equipment, which creates internet-facing access points outside the asset owner's firewall perimeter.
RISK: If your HMI or SCADA interface is accessible on the public internet with default or weak credentials, it is not a matter of if, but when it will be accessed by unauthorized parties. It already has been. Shodan bots continuously scan the entire IPv4 address space. Exposure time before the first unauthorized access attempt is measured in hours, not days.
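The firewall rule audit from the checklist above, as an added example that is not Arista Cyber code: it reads a text export of inbound rules and flags any allow rule whose source is outside the organization's internal ranges and whose destination port is a common ICS protocol or remote-access service. The rule export format, the internal ranges and the sample rules are constructed assumptions; the port numbers are the standard defaults for each protocol.

```python
"""Flag firewall ingress rules that expose ICS protocols to the internet.

Added example (not Arista Cyber code). Parses a simple text export of inbound
rules (format constructed for this example) and reports allow rules whose
source is not an internal range and whose destination port is an ICS/OT
protocol or remote-access service. Port numbers are the standard defaults.
"""
import ipaddress

# Destination ports that should never be reachable directly from the internet.
ICS_PORTS = {
    502: "Modbus/TCP", 102: "Siemens S7 / ISO-TSAP", 20000: "DNP3",
    44818: "EtherNet/IP", 2404: "IEC 60870-5-104", 4840: "OPC UA",
    47808: "BACnet/IP", 3389: "RDP", 5900: "VNC", 23: "Telnet",
}

# Ranges treated as internal (assumption: the site uses RFC 1918 space only).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule export: "<id> <action> <src_cidr> <dst_cidr> <proto>/<port>"
RULES = """\
10 allow 0.0.0.0/0 10.20.0.5/32 tcp/502
20 allow 203.0.113.0/24 10.20.0.0/24 tcp/3389
30 allow 10.1.0.0/16 10.20.0.0/24 tcp/502
40 allow 0.0.0.0/0 10.20.0.9/32 tcp/443
50 deny 0.0.0.0/0 10.20.0.0/24 any
60 allow 0.0.0.0/0 10.20.0.7/32 udp/47808
"""


def parse_rule(line):
    """Split one rule line; 'any' as the service yields port None."""
    rule_id, action, src, dst, service = line.split()
    proto, _, port = service.partition("/")
    return {
        "id": int(rule_id), "action": action,
        "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
        "proto": proto, "port": int(port) if port else None,
    }


def source_is_internet(net):
    """True unless the source range sits entirely inside an internal range."""
    return not any(net.subnet_of(internal) for internal in INTERNAL)


def find_exposures(rules_text=RULES):
    """Return [(rule_id, protocol_name, dst)] for allow rules exposing ICS ports."""
    findings = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r["action"] != "allow" or not source_is_internet(r["src"]):
            continue
        if r["port"] in ICS_PORTS:
            findings.append((r["id"], ICS_PORTS[r["port"]], str(r["dst"])))
    return findings


if __name__ == "__main__":
    for rule_id, name, dst in find_exposures():
        print(f"rule {rule_id}: {name} reachable from the internet on {dst}")
```

Rule 40 (HTTPS) is deliberately not reported: the check is scoped to ICS and remote-access ports, so a real audit would review the remaining internet-facing allow rules by hand.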
Attack Vector 6: USB and Removable Media in Air-Gapped OT Environments
Air-gapping - physically isolating OT networks from all external connectivity - is the most comprehensive network security control available to industrial operators. It is also an incomplete control if removable media is not managed with equal rigor. The most sophisticated ICS malware families ever deployed, including Stuxnet (2010) and Triton (2017), used removable media as part of their delivery or operational mechanism.
In modern industrial environments, air gaps are less common than they appear. True air-gapping is expensive and operationally constraining. But even in facilities with network connectivity, removable media remains a significant vector because it bypasses network-based perimeter controls entirely. A USB drive inserted into a Level 2 engineering workstation delivers its payload directly into the OT environment, regardless of firewall rules.
Priority controls:
- USB port lockdown on OT endpoints: Group policy or endpoint management enforces that only authorized, registered media can be connected to OT-networked systems.
- Dedicated media scanning station: All removable media brought into the OT environment, including vendor laptops and USB drives, are scanned at a dedicated malware analysis station before use.
- Written procedures for removable media: Personnel must understand that the USB drive they brought from home, or the drive a vendor handed them in the parking lot, cannot be inserted into an OT system.
Attack Vector 7: Insider Threats - Accidental and Malicious
Insider threats in OT environments take two forms, each requiring different controls. Accidental insider threats - the OT engineer who connects a personal laptop to the control network to run a diagnostic tool, the operator who disables a security control temporarily to resolve a production issue and forgets to re-enable it - are far more common than malicious insider activity. Malicious insider threats are less frequent but typically carry higher consequences because insiders have legitimate access and knowledge of the environment that external adversaries must spend significant time and effort to acquire.
Accidental insider threats:
- Root cause: Personnel prioritizing operational continuity over security procedures, often because security controls are perceived as obstacles to their work.
- Control approach: Security controls designed with operational workflows in mind are more consistently followed than those that add significant friction. A secure process for connecting approved diagnostic equipment is more effective than a blanket ban that gets routinely bypassed.
Malicious insider threats:
- Root cause: Disgruntled current or former employees, compromised credentials used by external actors who impersonate legitimate users, or deliberate sabotage.
- Control approach: Least-privilege access controls, privileged access management for OT systems, rigorous off-boarding procedures that immediately revoke all access, and behavioral monitoring that flags access patterns outside normal operational activity.
Prevention, Detection, and Response Controls Matrix
The table below maps each attack vector to the specific controls that prevent it, detect it, and contain it when prevention fails. Use this as a gap analysis tool against your current OT security program.
| Attack Vector | Prevention Control | Detection Control | Response Action |
|---|---|---|---|
| Spear-phishing to OT-connected users | Security awareness training, email filtering, and application whitelisting on OT-connected workstations | EDR on IT endpoints, anomaly detection at IT/OT boundary, SIEM alerting | Isolate the affected endpoint, review OT access logs, and verify no lateral movement to OT |
| Uncontrolled remote access | Secure access gateway with MFA, session recording, time-limited access, no persistent VPN | Session monitoring, anomaly detection for off-hours or unusual remote activity | Terminate session, revoke access, forensic review of the session recording |
| Supply chain compromise | Vendor security assessments, firmware verification, isolated update staging environment | File integrity monitoring, OT network anomaly detection post-update | Isolate affected systems, engage vendor, compare against known-good baseline |
| IT/OT lateral movement | Enforced IT/OT segmentation, Industrial DMZ, documented conduit rules | OT-native network monitoring at Level 3, IT/OT boundary traffic analysis | Isolate OT network segment, activate incident response plan, preserve evidence |
| Exposed internet-facing ICS | Remove direct internet access, deploy a firewall or a data diode at the perimeter | External attack surface monitoring, inbound connection alerting | Immediately restrict access, assess what was exposed, and conduct a forensic review |
| USB and removable media | USB port lockdown policy, removable media scanning station, and written procedures | Endpoint DLP, USB device logging, anomaly detection for new device connections | Confiscate media, forensic analysis, and assess the scope of potential compromise |
| Insider threat | Least-privilege access, privileged access management, and off-boarding process review | User behavior analytics, access pattern monitoring, OT session recording | Revoke access immediately, preserve audit logs, engage HR and legal |
Two observations from this matrix are worth noting. First, OT-native network monitoring appears as a detection control against five of the seven attack vectors. It is the single highest-leverage detection capability in an OT environment and the most common gap in facilities that have not made OT-specific security investments. Second, every attack vector has a response action that requires a pre-existing OT incident response plan. Improvising a response to an active ICS incident is not a viable option when the alternative is halting production.
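The behavioral-baseline form of OT-native network monitoring that the matrix leans on (and that the FAQ below credits with collapsing the attacker's timeline), as an added example that is not Arista Cyber code: it learns which hosts talk to which OT assets over which protocols during a baseline window and flags later flows that introduce a new talker, a new protocol to a known asset, or a write from a host that only ever read. The flow record format and all sample flows are constructed for the example.

```python
"""Behavioral baseline for OT network flows.

Added example (not Arista Cyber code). Learns (source, destination, port)
conversations from a baseline window and flags live flows that deviate.
Flow records are constructed; the record format is an assumption.
"""
from collections import defaultdict

# Constructed baseline flows: "<src> <dst> <port> <function>"
BASELINE = """\
10.20.1.10 10.20.2.5 502 read_holding_registers
10.20.1.10 10.20.2.6 502 read_holding_registers
10.20.1.11 10.20.2.5 102 s7_read
10.20.1.20 10.20.2.5 502 write_single_register
"""

# Constructed live flows to evaluate against the baseline
LIVE = """\
10.20.1.10 10.20.2.5 502 read_holding_registers
10.20.1.11 10.20.2.5 102 s7_read
10.20.3.40 10.20.2.5 502 read_holding_registers
10.20.1.10 10.20.2.5 502 write_single_register
10.20.1.10 10.20.2.5 44818 cip_read
"""

WRITE_FUNCTIONS = {"write_single_register", "write_multiple_registers",
                   "s7_write", "cip_write"}


def parse_flows(text):
    return [tuple(line.split()) for line in text.splitlines()]


class FlowBaseline:
    def __init__(self, flows):
        self.pairs = set()                  # (src, dst, port) seen in baseline
        self.talkers = defaultdict(set)     # dst -> hosts that talked to it
        self.writers = defaultdict(set)     # dst -> hosts that wrote to it
        for src, dst, port, func in flows:
            self.pairs.add((src, dst, port))
            self.talkers[dst].add(src)
            if func in WRITE_FUNCTIONS:
                self.writers[dst].add(src)

    def classify(self, flow):
        """Return a reason string for an anomalous flow, or None if baseline."""
        src, dst, port, func = flow
        if src not in self.talkers[dst]:
            return "new host talking to asset"
        if (src, dst, port) not in self.pairs:
            return "known host using new protocol/port"
        if func in WRITE_FUNCTIONS and src not in self.writers[dst]:
            return "write from host that only read in baseline"
        return None


def detect(baseline_text=BASELINE, live_text=LIVE):
    """Return [(flow, reason)] for every live flow that deviates from baseline."""
    model = FlowBaseline(parse_flows(baseline_text))
    alerts = []
    for flow in parse_flows(live_text):
        reason = model.classify(flow)
        if reason:
            alerts.append((flow, reason))
    return alerts


if __name__ == "__main__":
    for flow, reason in detect():
        print(f"{' '.join(flow):50s} {reason}")
```

The ordering of the checks matters: a brand-new host is reported as such even if it happens to use a baseline protocol, and the write check only runs once the host and port are already known.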
BOTTOM LINE: The attack vectors described in this post are not theoretical. They appear repeatedly in ICS incident investigations across North American manufacturing, energy, utilities, and oil and gas. None of them requires the sophistication of a nation-state to execute. All of them have documented, implementable controls. The gap between knowing what the attack vectors are and having the controls in place to address them is exactly where Arista Cyber works.
About Arista Cyber
Arista Cyber provides OT/ICS security assessments, network monitoring deployment, secure remote access implementation, and incident response planning for industrial organizations across North America and Europe. Our work starts with understanding the specific attack vectors your sector faces and the operational constraints that shape how controls must be implemented.
Frequently Asked Questions - ICS Attack Vectors and OT Threat Intelligence
Which ICS attack vector is most common in North America right now?
Based on incident data from 2024 and 2025, remote access exploitation and phishing to IT/OT bridge personnel are the two most frequently observed initial access vectors in North American OT incidents. Both are consistently present in ransomware campaigns targeting manufacturing and energy sector organizations. Remote access exploitation is particularly prevalent because the fix - replacing persistent VPN access with a managed secure access gateway - requires a defined program and organizational change management, not just a technology purchase.
Does a true air-gapped OT network eliminate ICS attack vectors?
It eliminates network-based attack vectors, but not all of them. Air-gapped OT environments remain vulnerable to removable media attacks, insider threats, and supply chain compromises that arrive via authorized software and firmware updates. Stuxnet - the most sophisticated ICS malware ever documented - was specifically designed to operate in air-gapped environments through USB propagation. Air-gapping is a strong control, but not a complete security program.
What is MITRE ATT&CK for ICS, and how does it relate to the attack vectors in this post?
MITRE ATT&CK for ICS is a knowledge base of adversary tactics, techniques, and procedures (TTPs) specific to industrial control system environments. It maps how adversaries move through ICS environments from initial access through impact. The seven attack vectors in this post correspond to the Initial Access and Lateral Movement tactic categories in ATT&CK for ICS. The framework is useful for structured threat modeling, red team exercise planning, and detection engineering. It is freely available at attack.mitre.org/matrices/ics.
How quickly can an adversary move from initial IT access to OT impact?
In well-documented cases, adversaries with IT access to an industrial organization have gained access to OT control systems within 24 to 48 hours when IT/OT segmentation is weak. In the 2024 Dragos threat activity analysis, several threat groups demonstrated the capability to move from initial access to Stage 2 of the ICS Cyber Kill Chain - meaning they had achieved the capability to cause physical process impact - within days of initial compromise. Dwell time before impact ranges from hours in opportunistic ransomware campaigns to months in nation-state espionage operations. The detection control that collapses this timeline is OT-native network monitoring that establishes behavioral baselines and alerts on deviations in real time.