Trellix-2025年运营技术(OT)威胁报告 OPERATIONAL TECHNOLOGY THREAT REPORT_第1页
Trellix-2025年运营技术(OT)威胁报告 OPERATIONAL TECHNOLOGY THREAT REPORT_第2页
Trellix-2025年运营技术(OT)威胁报告 OPERATIONAL TECHNOLOGY THREAT REPORT_第3页
Trellix-2025年运营技术(OT)威胁报告 OPERATIONAL TECHNOLOGY THREAT REPORT_第4页
Trellix-2025年运营技术(OT)威胁报告 OPERATIONAL TECHNOLOGY THREAT REPORT_第5页
已阅读5页,还剩16页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

OPERATIONALTECHNOLOGY

THREATREPORT

November2025

Presentedby

2OperationalTechnologyThreatReport,October2025

EXECUTIVESUMMARY

FromApril1toSeptember30,2025,operational

technology(OT)andindustrialcontrolsystems(ICS)

facedunprecedentedthreatsfromsophisticated

adversaries.Trellixtelemetrydetected272,512OT/ICS-relatedthreatsacross572uniquecustomers,while333ransomwareattacksspecificallytargetedcriticalinfrastructuresectors.

Thethreatlandscaperevealscoordinatedcampaignsbystate-sponsoredactorsandransomwaregroups,withthemanufacturing,transportationandshipping,utilities,andenergy/oilandgassectorsbearingthe

highestrisk.NotablethreatactorsincludeSandwormTeam,Qilinransomware,andspecializedgroupslikeTEMP.Velestargetingsafetysystems.

3OperationalTechnologyThreatReport,October2025

OTTHREATLANDSCAPEOVERVIEW

TheglobalOTthreatenvironmenthasintensifiedsignificantly,

drivenbygeopoliticaltensionsandtheincreasingdigitizationofindustrialsystems.State-sponsoredactorsfromRussia,Iran,andNorthKoreahave

expandedtheirtargetingofcriticalinfrastructure,whileransomwaregroupshavedevelopedspecializedcapabilitiesforOTenvironments.

Manufacturingemergedastheprimarytarget,representing41.5%ofall

detections.Thisconcentrationreflectsthesector’scriticalroleinglobal

supplychainsandofteninadequateOTsecuritymeasures.Transportationandshippingrankedsecondindetectionswith27.6%,andtheutilities,

ThisbreakdownrepresentsthreatsdetectedprimarilywithinIT

energy/oilandgas,andaerospaceanddefenseindustriesaccountedforacombined21.5%ofdetections.

PRIMARYOT/ICSINDUSTRYTARGETS(APRIL1–SEPTEMBER30,2025)

ManufacturingIndustrial

Transportation&ShippingProcessManufacturing

UtilitiesAutomotive

Energy/Oil&GasOther

Aerospace&Defense

OT/ICSIndustrySectors

41.5%

27.6%

8.9%

7.0%

5.6%

2.4%

2.2%

1.3%

3.5%

01020304050

PercentageofDetections

infrastructureoforganizationsoperatinginOT/ICSindustries,ratherthandetectionsfromOTenvironmentsthemselves.Thesedetectionsacrossemail(55.6%),networkperimeter(25.4%),andendpoint(18.5%)environmentsprovidecriticalvisibilityintothreatstargetingindustrialsectors,asITcompromiseoftenservesastheprimaryentrypointforattacksthatcanimpactconnectedOTsystems.

4OperationalTechnologyThreatReport,October2025

Geopoliticalfactorssignificantlyinfluencedtargetingpatterns.Russian-

linkedgroupsfocusedonUkrainianenergyinfrastructure,whileIranian

actorsconcentratedonregionalpetrochemicalfacilities.Theongoing

conflictinUkrainehasacceleratedtheweaponizationofcybercapabilitiesagainstindustrialsystems.

THREATACTORACTIVITY

SandwormTeam(Russia,GRUUnit74455)

Profile

SandwormTeam,alsoknownasBlackEnergy,VoodooBear,orIronViking,

remainsoneofthemostaggressiveandcapablestate-sponsoredthreatactorstargetingOTenvironments.OperatedbyRussia’sGRUMainCenterforSpecialTechnologies(GTsST,Unit74455),Sandwormhasspecializedincyber-physicaldisruptionaspartofRussia’shybridwarfarestrategy.

ActivityandTactics

Between2022and2025,Sandwormdominatedindustrialthreattelemetry,

responsiblefornearlyathirdofobservedOT-relatedintrusions.TheycontinuedsystematiccampaignsagainstUkrainianenergy,telecommunications,and

governmentnetworks,deployingIndustroyer2todisruptpowersubstations,andmultipledestructivewipers—CaddyWiper,NikoWiper,andORCSHRED—toerasesystemdataandimpederestorationefforts.Theiroperationsoften

coincidewithkineticmilitaryactions,suggestingcoordinationbetweencyberandconventionalwarfare.

ImpactandOutlook

Sandworm’scampaignshavedemonstratedarepeatable,modularattackmodelfortargetingICSes,positioningthemasthebenchmarkfornation-state-levelOTthreats.Thegroup’spersistentevolutionofwiperfamilies

andexploitationofbothITandOTprotocolsindicatesongoingR&D

investment.Theiractivityreinforcestheneedforresilience-baseddefense,rapidsystemrestoration,offlinebackups,andout-of-bandcommunicationinconflict-proneregions.

TEMP.Veles/XENOTIME(Russia-linked,SafetySystemsFocus)

Profile

TEMP.Veles,alsotrackedasXENOTIME,isanelite,possiblyRussian-linkedactorbehindtheTRITON(alsoknownasTRISISorHatMan)malware.Theyspecializeincompromisingsafetyinstrumentedsystems(SIS),specificallytheTriconexcontrollersusedtopreventcatastrophicfailuresinindustrialplants.

ActivityandTactics

Theirhallmarkintrusion,againstaSaudiArabianpetrochemicalfacilityin

2017,aimedtoreprogramsafetycontrollerstocausephysicaldamageorlossoflife.Sincethen,TEMP.Veleshasbeenobservedconductingreconnaissanceandpersistenceoperationsinenergyandchemicalfacilitiesworldwide.Theyexploitengineeringworkstationsandsystemintegrators’credentialstomovelaterallyintoOTenvironments.TheiroperationsinvolvemultistageintrusionsblendingITexploitationwithOTprotocolmanipulation,demonstratingdeepprocessunderstanding.

5OperationalTechnologyThreatReport,October2025

ImpactandOutlook

TEMP.Veles/XENOTIMEremainsthemosttechnicallyadvancedOT

adversaryknown,beingtheonlyactortodirectlyattempttosubvertsafetysystems.Theirongoingreconnaissanceactivitysuggestsintenttomaintaincontingencyaccessforpotentialfuturesabotage.Fordefenders,thisgroupunderscorestheimportanceofmonitoringsafetynetworksseparately,

auditingSISfirmwareintegrity,andisolatingengineeringworkstationswithstrictchangecontrol.

QilinRansomwareGroup(Cybercriminal,OT-targetingAffiliateNetwork)

Profile

Qilin(alsoknownasAgenda)representsthenewgenerationofransomware-as-a-service(RaaS)operationsexplicitlyextendingintoindustrial

environments.Whilefinanciallymotivated,theiroperationsincreasinglyexhibitknowledgeofindustrialdependencies,particularlyinenergydistributionandwatertreatmentsectors.

ActivityandTactics

Frommid-2024through2025,Qilinledallransomwareactivityagainst

industrialentities,with63confirmedattacks,includingagainstUganda

ElectricityTransmissionCompanyandseveralwaterutilitiesacrossEurope

andAsia.Theyoftendeploydual-usepayloadscapableofdisruptingbothIT

andOTnetworksbyencryptingsharedengineeringresources,configurationservers,andhistoriansystems.Qilin’suseofAgendaransomwarevariantswithWindowsandLinuxpayloadsallowscross-platformexecutionwithinmixed

environments.RecentlyQilinhasclaimedresponsibilityfortheattackagainsttheAsahibreweryinJapan.

ImpactandOutlook

QilinexemplifiestheblurringofcriminalandOT-focusedthreats,leveraging

ransomwareasbothextortionanddisruptiontools.Theirsuccessunderscoreshowransomwareoperatorsarelearningtoexploitavailability-sensitive

environmentsformaximumleverage.Continuedcross-sectorcollaborationandsharedtelemetrybetweenITSOCsandOTdefendersareessentialtocountertheirexpandingreach.

APT33andAPT34(Iran,OilandGasEspionageandSabotage)

Profile

APT33(Elfin)andAPT34(OilRig)areIranianstate-linkedgroupsactivesince

themid-2010s,bothheavilyfocusedontheenergysectorandregionalrivalsintheGulf.Initiallyknownforcyberespionageandcredentialharvesting,bothgroupshavegraduallyadopteddestructivecomponentsintheiroperations.

ActivityandTactics

APT33hastargetedaviation,petrochemical,andmanufacturingnetworks

toexfiltrateintellectualpropertyandcredentialsforfollow-onaccess.APT34maintainspersistentfootholdsinenergyandgovernmentenvironments

throughphishingandexploitationofweb-facinginfrastructure.Inlater

campaigns,bothgroupsdeployedShamoonandZeroClearewiperstocausedatalossanddowntime.Theirtoolingsuggestsincreasingmaturityand

partialconvergenceintradecraft,withsharedinfrastructureandoverlappingobjectives.MoredetailsontheIraniancybercapabilitiescanbefoundinourpublicresearch.

6OperationalTechnologyThreatReport,October2025

ImpactandOutlook

Iranianoperationshaveevolvedfromopportunisticespionagetostrategiccybercoercion,oftentimedwithgeopoliticaltensions.Thedual-usenatureoftheircampaigns—espionagefollowedbydestruction—makesthem

particularlychallengingtodefendagainst.Enhancedidentitymanagement,networksegmentation,andendpointtelemetryinOTDMZsremaincriticalmitigationlayersfororganizationsintheenergysector.

RecentCampaigns(2025Focus)

•PathWiper(Ukraine,June2025):Adestructivecampaign

targetingUkrainianenergyoperators,possiblylinkedto

Sandworm,designedtomimicransomwarewhilepermanentlyerasingdata.ItreinforcesRussia’scontinueduseofpseudo-

ransomwaretomaskpoliticallymotivatedsabotage.

•BlueLocker(Pakistan,2025):Ransomwareincidentsaffecting

Pakistan’soilandgascompanies.Theoperatorsblendedcriminalandgeopoliticalmotives,leveragingaccessthroughlocalvendorsandexposingthefragilityofthird-partyOTserviceecosystems.

•StaticTundra(Global,2025):AcampaignexploitingunpatchedCiscoIOSvulnerabilitiestogainaccesstotelecommunicationsandmanufacturingnetworks.Believedtobeanadvanced

persistentactorusingcompromisednetworkequipmentasstagingpointsforlateralmovementintoOTsegments.

StrategicContext

From2020to2025,theOTthreatlandscapeshiftedfromisolated,state-

linkeddisruptionstoaconvergedecosystemofstateandcriminalactorswithoverlappingmethodsandtargets.StategroupssuchasSandwormTeam

andTEMP.Velespursuestrategicdisruption,whilehybridandransomware

groupslikeQilinexploitthesamepathwaysforprofit.Therecurringthemes—compromisedremoteaccess,supplychainabuse,anddestructivemalwaredisguisedasransomware—highlighttheurgencyofintegratingthreat

intelligence,OTnetworkvisibility,andsupplieraccountabilityintocriticalinfrastructuredefensemodels.

7OperationalTechnologyThreatReport,October2025

TACTICS,TECHNIQUES,PROCEDURES(TTPS)

ThemostprevalentattacktechniquestargettheIT-to-OTboundary,exploitinginsufficientnetworksegmentation.PowerShellemergedastheprimaryattackvector(96,061detections),followedbyCobaltStrike(85,986detections)for

post-exploitationactivities.

MITREATT&CKforICSMapping

•T1046–NetworkServiceScanning:Industrialprotocoldiscovery

•T1021.002–SMB/WindowsAdminShares:Lateralmovementtoengineeringworkstations

•T1078–ValidAccounts:Compromisedengineeringcredentials

•T1485–DataDestruction:Processdataandsafetysystemtargeting

•T1489–ServiceStop:Safetysystemmanipulation

IT-to-OTpivotingoccursthroughcompromisedengineeringworkstations,

sharedcredentials,andexploitationofremote-accesssolutions.Attackers

leveragelegitimateindustrialprotocols(Modbus,DNP3,IEC61850)toblendmaliciouscommandswithnormaloperations,makingdetectionchallenging.

AdvancedgroupsdeployspecializedtoolslikeIndustroyerfordirectcontrol

ofelectricitysubstationswitchesandTRITONforsafetysystemmanipulation.ThesecapabilitiesrepresentasignificantescalationfromtraditionalIT-focusedattackstooperationscapableofcausingphysicaldamage.

VULNERABILITYANDEXPOSUREINSIGHTS

Legacyindustrialprotocolsremaintheprimaryattacksurface,withModbus,DNP3,andproprietarySCADAprotocolslackinginherentsecurityfeatures.

Human-machineinterfaces(HMIs)andengineeringworkstationsfrequentlyserveaspivotpointsduetodualIT/OTnetworkconnectivity.Toframethe

operationalhierarchy,thisreportreferencestheISA-95/PurdueModel,

whereLevel4/3encompassesEnterpriseandManufacturingOperations

Management(MES)systems,Level2includesSupervisoryControl(HMIsandSCADA),andLevel1/0coversthephysicalcontrollersandsensors(PLCs).

Programmablelogiccontrollers(PLCs)faceincreasingtargeting,particularlySchneiderElectricTriconexsystems(TRITONattacks)andSiemenscontrollers.Remote-accesssolutions,includingVPNsandremotedesktopprotocols,

provideinitialaccessvectorswhenimproperlysecured.

Vendorresponsetimesvarysignificantly,withcriticalOTvulnerabilitiesoftenrequiringextendedpatchingcyclesduetooperationalconstraints.

TheaveragetimefromvulnerabilitydisclosuretopatchdeploymentinOTenvironmentsexceeds180days,comparedto30daysfortraditional

ITsystems.

8OperationalTechnologyThreatReport,October2025

ThemostsignificanttrenddefiningthecurrentOTthreatlandscapeisthe

strategicfocusontheIT/OTboundary.Threatactors,recognizingtheinherentdifficultiesandhighvisibilityrisksofdirectlytargetinglow-levelcontrollers,

areinsteadprioritizingthecompromiseofLevel3andLevel4systemsthatbridgethenetworks.

TheseboundarydevicesandindustrialsoftwareplatformsofferaneasierandmorescalableentrypointthroughcommonIT-likevulnerabilities(suchasRCEinremote-accesstoolsandenterpriseapplications)butyieldhighlykineticOToutcomes—namely,theabilitytomanipulateproductiondata,disablesafetycontrols,orforcewidespreaddisruptionacrossthecontrolplane.Thisdynamicmeansthatperimeterdefenseisnowmorecriticalthaneverformaintainingoperationalintegrity.

ThespecificCVEexamplesdetailedbelowareintendednotasanexhaustivelist,butratherasrepresentativecasesofthehigh-impactvulnerabilities

disclosedandactivelyexploitedduringtheQ2andQ32025period.Theseinstancescollectivelyillustratetheshiftingfocusofmodernthreatactorstowardstrategicpivotpointswithintheindustrialecosystem.

1.ExploitationinPerimeterandRemote-accessDevices

Criticalnetworkinfrastructuredevices—whicharefrequentlyusedtosegmentorprovideremoteaccessintoOTnetworks—wereunderconstantattack.

Exploitingtheseflawsprovidesunauthenticated,root-levelaccesstotheinternalnetwork.

•CiscoASA/FTDZero-DayCampaign(CVE-2025-20333&CVE-2025-

20362):Astate-sponsoredthreatactor,linkedtothe“ArcaneDoor”

activity,activelyexploitedachainofzero-dayvulnerabilitiesinCisco

ASAandFirepowerThreatDefense(FTD)devicesinQ32025.This

campaignprovidedunauthenticatedaccessandremotecodeexecution(RCE)onthefirewallsthemselves,withattackersevenmodifyingthe

devices’firmware(ROMMON)forpersistenceacrossreboots.

OTRiskConnection:Thesedevicesformthenetworkboundary;

compromisingthemmeanstheprimarysegmentationdefenseiscompletelynullified,grantingtheattackerunfetteredaccesstoOTnetworksegmentsforlateralmovementandreconnaissance.Thistranslatesdirectlytolossofnetworkdefense.

•Erlang/OTPSSHRCE(CVE-2025-32433):Thisflaw(CVSS10.0)in

theErlangSSHlibrary—foundinmanynetworkingcomponentsandOT

appliances—allowedanunauthenticatedremoteattackertoexecutecode.ExploitationattemptswereobservedinQ22025targetingexposedports.

OTRiskConnection:ManyhardenedLinux-basedcontrolservers,data

historians,andcommunicationgatewaysinOTenvironmentsrelyon

Erlang/OTPformanagementinterfaces.AnunauthenticatedRCEonthesesystemsprovidesahigh-privilegefootholdinsidethecontrolnetwork,

leadingtopotentiallossofview(tamperingwithhistoriandata)oranimmediatepivotpoint.

9OperationalTechnologyThreatReport,October2025

2.CompromiseofIT-integratedIndustrialSoftware

Vulnerabilitiesinsoftwarethatlinksbusinesssystems(ERP)to

manufacturingprocesses(MES)serveashigh-privilegepivotpointsintothecoreOTenvironment.

•SAPNetWeaverRCEChain(CVE-2025-31324&CVE-2025-42999):ThispairofcriticalvulnerabilitiesinSAPNetWeaver’sVisualComposerwasactivelyexploitedbymultipleransomwareandespionagegroups

(includingQilinandBianLian)throughoutQ22025.

OTRiskConnection:SAPNetWeaveristheprimarysourceforproductionscheduling,billofmaterials(BOM),andqualitycontroldatafeddirectly

intomanufacturingexecutionsystems(MES).Compromisingthisplatformallowsactorstosubtlypoisonordisruptthecoreproductiondata,

potentiallycausingbatcherrors,qualityfailures,orunexpectedoperationalhalts(lossofintegrityandcontrol).

•DassaultDELMIAAprisoRCE(CVE-2025-5086):ThiscriticalRCEflawintheDELMIAAprisoManufacturingOperationsManagement(MOM)

softwarewasaddedtotheCISAKEVcataloginQ32025duetoconfirmedexploitationinthewild.

OTRiskConnection:AsanMES/MOMplatform,Aprisoorchestratestheentirefactoryfloor,trackingassets,labor,andprocessflow.RCEon

thisservermeansanattackergainscontroloverthesystemthatdrivestheindustrialworkflow,leadingtolossofvisibility(spoofingproduction

reports)andthepotentialtoissuemaliciouscommandstocontrolsystems(lossofcontrol).

3.High-riskDirectOTDeviceDisclosures

Thesecriticalflawstargetthecontrollersthemselves,representingthe

inherentriskinvendorproductlinesandthelong-termthreatofunpatchableOTinfrastructure.

•RockwellControlLogixRCE(CVE-2025-7353):AcriticalvulnerabilityinControlLogixEthernetmodulesallowsanunauthenticatedattackerto

gainRCEbyleveraginganunintendedweb-baseddebuggerendpoint.OTRiskConnection:TheEthernetmoduleisthecommunicationsspineofthePLCchassis.GainingRCEheremeansanattackercantamperwithorhaltcommunicationstotheprocessor,facilitatingtheinjection

ofmaliciouslogicordisablingsafetyfunctionalitywithouttheneedforengineeringcredentials.

•RockwellDoSFlaws(CVE-2025-24478&CVE-2025-9166):Multiplehigh-severityflawsthatallowanunauthenticated,remoteattackertotriggeramajornon-recoverablefault(MNRF)oradenialofservice(DoS)conditiononGuardLogixandControlLogixPLCs.

OTRiskConnection:Thisdirectlycompromisesavailability,forcingthe

controllerintoafailedstatethatrequiresaphysicalpowercycletoresolve.Incontinuousprocessenvironments,thisleadstoimmediate,

unscheduledproductionshutdown,materialspoilage,andsignificanteconomicimpact.

10OperationalTechnologyThreatReport,October2025

•ABBASPECTAuthenticationBypass(CVE-2025-53187):Acritical

(CVSS9.8)flawinABBASPECTsystemsthatpermitsanunauthenticatedattackertobypasssecurityandgainadministrativecontrol.

OTRiskConnection:ASPECTisabuildingmanagementsystem(BMS)orcontrolmanagementsystem(CMS).Compromisegrantscontrolover

physicalfacilityinfrastructure(HVAC,ventilation,powermanagement).

Thiscontrolcanbeleveragedforsafetyrisk(e.g.,manipulatingair

pressureinacleanroom)ortofacilitatephysicalintrusionbyunlockingaccesscontrols.

KeyTakeaways

•Zero-TrustVendorAccess:Treatallexternalconnections—includingthosefromlong-termintegratorsorOEMs—asuntrusted.Enforcegranular,time-boundcredentialsandsessionmonitoringforallremotemaintenance.

•SoftwareAssuranceandSBOMVisibility:Requirevendorstoprovide

softwarebillsofmaterials(SBOMs),validatedigitalsignatures,andmonitorfortamperedoroutdatedcomponentsinupdates.

•VendorAccountability:Embedcybersecurityclausesintosupplier

contracts,mandatingsecureupdatepractices,vulnerabilitydisclosure,

andimmediatereportingofincidentsthatcouldaffectOTenvironments.

•NetworkSegmentationandContinuousMonitoring:Ensuresupplier-facinggatewaysareisolatedfromproductionnetworks,andmaintainvisibilityoveroutboundtrafficthatcouldsignalunauthorizeddata

exchangeorcommandactivity.

•SharedThreatIntelligence:Participateinsector-specificinformation

sharing(e.g.,ISACs/ISAOs)toquicklyidentifysupplychaincompromisesimpactingindustrialpeersorupstreamproviders.

HISTORICALCASESTUDIES

1)2024–CyberAv3ngersTargetUnitronicsPLCs(WaterandOtherSectors,U.S.)

Betweenlate2023and2024,anIran-linkedgroupknownasCyberAv3ngers

exploitedinternet-exposedUnitronicsPLCsinthewaterandwastewater

sectorandothersmallindustrialenvironments.AttackersdefacedHMIscreenswithpoliticalmessagesandoccasionallymodifiedPLClogic,highlightingtherisksofdefaultcredentialsanddirectinternetexposure.SeveralU.S.utilities

wereaffected,promptingnationwideCISAandWaterISACadvisories.

Lessonslearned:Eliminatedirectinternetaccesstocontroldevices,change

vendor-defaultpasswords,enforcenetworksegmentationandVPNgatewaysformaintenanceaccess,andcontinuouslymonitorforunauthorizedlogicorconfigurationchanges.

11OperationalTechnologyThreatReport,October2025

2)2022–Industroyer2AttemptonEnergyInfrastructure(Ukraine)

InApril2022,Russia’sSandwormTeamdeployedIndustroyer2,asuccessortothe2016grid-attackingmalware,againstUkrainianhigh-voltage

substations.SwiftdefensiveactionbyCERT-UAandESETpreventeda

blackout.Themalware’smodulardesignanduseofnativeOTprotocols

(IEC-104)demonstratedthatstateactorsretainoffensivecapabilitytodirectlymanipulatephysicalprocesses.

Lessonslearned:Energyoperatorsmusthardensubstationnetworkswithstrictallow-lists,secureserialinterfaces,andactiveprotocolinspection.Jointincident-responseexerciseswithOEMsandnationalCSIRTsremainessentialforrapidcontainmentandrestoration.

3)2021–ColonialPipelineRansomwareIncident(U.S.)

InMay2021,theDarkSideransomwareoperationhitColonialPipeline’s

corporateITsystems,promptingapreemptiveshutdownofOToperationstopreventlateralspread.Thefive-dayoutagedisrupted45percentofEastCoastfuelsupplyandtriggeredafederalemergencydeclaration.ThoughtheOT

networkwasnotdirectlyencrypted,interdependenciesbetweenbusinessandoperationsfunctionsmaderecoverycomplex.

Lessonslearned:BuildresilientinterfacesbetweenITandOT,rehearsemanualoperationsandrestartplans,andensureincidentresponsecanisolateIT

systemswithouthaltingsafeplantfunction.

4)2021–OldsmarWaterUtilityIntrusion(Florida,U.S.)

InFebruary2021,anunknownactoraccessedtheOldsmarwatertreatmentplant’sSCADAHMIviaTeamViewerandbrieflychangedchemicaldosagesettingstounsafelevels.Anoperatornoticedandreversedthechange,

preventingharm.Whilenodamageoccurred,theincidentexposedweakremote-accesscontrolscommoninsmallutilities.

Lessonslearned:Limitremote-controlsoftware,requiremultifactorauthentication,logHMIactivity,andconfigureprocessalarmsforout-of-profilesetpoints.

5)2020–NaturalGasCompressionFacilityRansomware(U.S.)

Inearly2020,ransomwaredisruptedaU.S.naturalgascompressionfacility’scontrolandcommunicationassets,causingatwo-dayshutdownandsupplychaindelays.TheattackspreadfromITintoOTduetoinsufficientnetwork

segmentationandsharedcredentials.

Lessonslearned:ImplementrobustIT/OTsegmentation,regularbackups

forengineeringworkstationsandcontrollerconfigs,andcomprehensiveOTincident-responsedrills.

12OperationalTechnologyThreatReport,October2025

Sectorcontextandtakeaways(2020–2025)

Overthepastfiveyears,attacksonoperationaltechnologyhaveevolvedfromaccidentalITspillovertodeliberatetargetingofcriticalinfrastructurebybothcriminalandstate-sponsoredactors.Energyandwatersectorshavebornethebrunt,withthemesofransomware-drivendisruption,remote-accessabuse,

andsupply-chainweaknesses.

TheUkraineandCyberAv3ngerscasesunderscoreatrendtowardhybrid

warfareandgeopoliticalmessagingthroughcyber-physicaleffects.For

defenders,theimperativesareclear:builddefensibleOTar

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

评论

0/150

提交评论