
Blog written by Connor Gadbois and Marcia Gadbois
Cybersecurity threats are becoming increasingly sophisticated and pervasive in today’s rapidly evolving digital landscape. For asset owners and operators of critical infrastructure, staying ahead of emerging threats and technological advancements is not just a priority—it is a fundamental responsibility.
Gartner projects a 15% increase in cybersecurity spending in 2025, growing from USD 183.9 billion to USD 212 billion. Security services are expected to experience the highest growth, followed by security software, with network security ranking as the third fastest-growing segment. Additionally, Gartner predicts that by 2027, 17% of all cyberattacks and data breaches will involve generative AI. Meanwhile, ABI Research forecasts that the operational technology (OT) cybersecurity market will expand from USD 12.75 billion in 2023 to approximately USD 21.6 billion by 2028, reflecting a Compound Annual Growth Rate (CAGR) of 9.2%.
“Every industrial sector imaginable is embracing some level of digitization and the principles of Industry 4.0. As a result, the potential for cyber threats has increased, driving the demand for robust cybersecurity measures. This market has significant room for growth, as there remains a vast opportunity to expand smart industries,” says Michael Amiri, Senior Industrial Cybersecurity Analyst at ABI Research.
With this in mind, we have identified common cybersecurity threats and best practices to mitigate them. Our goal is to continue this series by highlighting five common threats every couple of weeks until we have covered the 50 most prevalent cybersecurity risks. We hope you find this blog series valuable and look forward to your thoughts and feedback.

The Growing Threat of Phishing in Industrial Automation
Phishing remains one of the most widespread cyber threats, with an estimated 3.4 billion malicious emails sent daily—representing nearly 1.2% of all email traffic. These attacks exploit fraudulent emails, text messages (smishing), phone calls, or websites to manipulate individuals into revealing sensitive information, downloading malware, or compromising their devices.
As a form of social engineering, phishing often involves cybercriminals impersonating trusted entities, such as IT teams, industrial vendors, or government agencies, to deceive victims. Their primary goal is to steal SCADA/HMI login credentials, personally identifiable information, or financial data, potentially leading to operational disruption, data breaches, or unauthorized access to critical automation systems.
Advanced Phishing Attacks Targeting Industrial Systems
Phishing attacks have become more sophisticated, with cybercriminals employing AI-driven deception tactics and leveraging legitimate cloud-based services like SharePoint, OneDrive, and Dropbox to bypass traditional security measures. A Microsoft report highlighted a sharp increase in phishing campaigns using these platforms to steal credentials and infiltrate enterprise networks.
StrelaStealer: A Case Study in Industrial Phishing
In 2024, the StrelaStealer phishing campaign targeted over 100 organizations across the U.S. and Europe, including manufacturing. Attackers sent phishing emails with malicious ZIP attachments, deploying the StrelaStealer malware, which was designed to harvest login credentials from Microsoft Outlook and Mozilla Thunderbird.
Additionally, IBM X-Force identified an ongoing Hive0145 campaign spreading StrelaStealer malware throughout Spain, Germany, and Ukraine. These phishing emails appeared as legitimate invoice notifications and were sent using stolen email credentials, making them highly convincing and difficult to detect.
The Rise of Smishing Attacks in Industrial Environments
The FBI has issued warnings regarding the growing threat of smishing, a combination of SMS (text messaging) and phishing, targeting iPhone and Android users. Smishing attacks often impersonate banks, logistics companies, or government agencies, tricking recipients into clicking malicious links or providing login credentials.
A report from Palo Alto Networks’ Unit 42 research division revealed that cybercriminals have registered over 10,000 domains to carry out text-based phishing scams. Many of these attacks take advantage of Google’s open redirects, directing victims to phishing websites disguised as local businesses or industrial service providers to steal sensitive information.

Impact of Phishing & Smishing on Industrial Automation & SCADA Systems
Phishing and smishing attacks pose significant risks to HMI/SCADA platforms like ADISRA SmartView, potentially compromising critical infrastructure and disrupting operations. Cybercriminals targeting industrial environments may use these tactics to:
– Steal SCADA login credentials by impersonating IT teams or system administrators.
– Deploy malware via malicious links, leading to keyloggers or remote access trojans that can hijack HMI/SCADA applications.
– Exploit phishing scams to gain unauthorized access and manipulate control settings in manufacturing, energy, and water treatment facilities.
– Target system integrators, vendors, or third-party providers in supply chain attacks, creating backdoor access to HMI/SCADA installations.
Mitigation Strategies for ADISRA SmartView & Industrial Users
To defend against these threats, organizations using HMI/SCADA software like ADISRA SmartView must implement a multi-layered cybersecurity strategy:
1) Security Awareness Training – Educate SCADA operators and engineers to recognize phishing and smishing attempts, emphasizing the dangers of malicious links and fake login pages.
2) Multi-Factor Authentication (MFA) – Enforce MFA for ADISRA SmartView logins to mitigate credential theft risks.
3) Email & SMS Security Tools – Deploy advanced filtering solutions to block phishing emails and smishing messages before they reach users.
4) Access Control Policies – Restrict administrative privileges and enforce strict access controls to prevent unauthorized system modifications.
5) Software Updates & Patch Management – Regularly update ADISRA SmartView software and other industrial control systems to patch vulnerabilities that attackers might exploit.
By fostering a cyber-aware culture, leveraging advanced security tools, and implementing best practices, ADISRA SmartView users can protect their SCADA environments from evolving phishing and smishing threats.
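The "Email & SMS Security Tools" step above relies on filtering rules that score the indicators this section describes: a Reply-To domain that differs from the sender, a display name that impersonates a trusted vendor while the address domain does not match, risky archive attachments of the kind used in the StrelaStealer campaign, and open-redirect style links that carry a second URL to a different host. The script below is an added example, not ADISRA code; the trusted domains, the three sample messages and the scoring weights are constructed for illustration, and the `.test` domains are placeholders.

```python
"""Rule-based triage of inbound e-mail metadata (added example, not ADISRA code).

Sample messages, trusted domains and weights are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

TRUSTED_DOMAINS = {"example-plant.test", "example-vendor.test"}  # constructed allow-list
RISKY_EXTENSIONS = (".zip", ".iso", ".js", ".vbs", ".lnk", ".hta")
REDIRECT_KEYS = {"url", "redirect", "next", "q", "target", "u"}
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|suspended|verify|overdue|final notice)\b", re.I)
CREDENTIAL_PATHS = re.compile(r"(login|signin|sign-in|verify|password|account)", re.I)


@dataclass
class Message:
    from_header: str                 # e.g. 'IT Support <help@mail.test>'
    reply_to: str = ""
    subject: str = ""
    links: list[str] = field(default_factory=list)
    attachments: list[str] = field(default_factory=list)


def domain_of(header: str) -> str:
    """Lower-cased domain part of an RFC 5322 address header ('' if absent)."""
    _, addr = parseaddr(header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_open_redirect(link: str) -> bool:
    """True when a query parameter itself carries an absolute URL to another host."""
    outer = urlparse(link)
    for key, values in parse_qs(outer.query).items():
        if key.lower() not in REDIRECT_KEYS:
            continue
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.netloc and inner.netloc != outer.netloc:
                return True
    return False


def score_message(msg: Message) -> tuple[int, list[str]]:
    """Return (score, reasons); each matched indicator adds its weight."""
    hits: list[tuple[int, str]] = []
    from_dom = domain_of(msg.from_header)
    reply_dom = domain_of(msg.reply_to) if msg.reply_to else from_dom
    display_name = parseaddr(msg.from_header)[0].lower()

    if reply_dom and reply_dom != from_dom:
        hits.append((2, f"reply-to domain {reply_dom} differs from sender domain {from_dom}"))
    # Display name borrows a trusted organisation's name but the address domain is not trusted.
    if from_dom not in TRUSTED_DOMAINS and any(t.split(".")[0] in display_name for t in TRUSTED_DOMAINS):
        hits.append((3, f"display name impersonates a trusted sender; address domain is {from_dom}"))
    for att in msg.attachments:
        if att.lower().endswith(RISKY_EXTENSIONS):
            hits.append((3, f"risky attachment {att}"))
    for link in msg.links:
        parsed = urlparse(link)
        host = parsed.netloc.lower()
        if is_open_redirect(link):
            hits.append((3, f"open-redirect style link via {host}"))
        if host not in TRUSTED_DOMAINS and CREDENTIAL_PATHS.search(parsed.path):
            hits.append((2, f"credential-style path on untrusted host {host}"))
    if URGENCY_WORDS.search(msg.subject):
        hits.append((1, "urgency language in subject"))
    return sum(w for w, _ in hits), [r for _, r in hits]


def triage(msg: Message) -> tuple[str, int, list[str]]:
    """Map the score to a disposition: quarantine (>=5), flag for review (>=3), deliver."""
    score, reasons = score_message(msg)
    verdict = "quarantine" if score >= 5 else "flag" if score >= 3 else "deliver"
    return verdict, score, reasons


# Constructed samples: an invoice-themed lure, a redirect-based credential lure, a normal message.
SAMPLES = {
    "invoice_lure": Message(
        from_header="Example-Vendor Billing <billing@example-vendor-invoices.test>",
        reply_to="collect@mailbox-free.test",
        subject="URGENT: overdue invoice 4471",
        attachments=["invoice_4471.zip"],
    ),
    "credential_lure": Message(
        from_header="IT Support <helpdesk@support-portal.test>",
        subject="Action required: verify your SCADA password",
        links=["https://search-engine.test/url?q=https://scada-login.test/verify"],
    ),
    "normal": Message(
        from_header="Plant Maintenance <maint@example-plant.test>",
        subject="Weekly shift schedule",
        links=["https://example-plant.test/schedules/week-12"],
        attachments=["schedule.pdf"],
    ),
}

if __name__ == "__main__":
    for name, message in SAMPLES.items():
        print(name, triage(message))
```

The weights are deliberately simple so the logic is auditable; a production filter would add sender authentication results (SPF, DKIM, DMARC) and attachment detonation, but the shape of the decision, indicators combined into a disposition with recorded reasons, is the same.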
Try ADISRA SmartView: Download a free software trial on our website here.

Understanding Ransomware in Industrial Automation
Ransomware has become one of the most disruptive cybersecurity threats in industrial automation. As manufacturing plants, energy grids, water treatment facilities, and other critical infrastructure continue to digitize, cybercriminals are increasingly targeting Industrial Control Systems (ICS) and Operational Technology (OT) environments. These attacks can cripple production lines, compromise safety mechanisms, and cause significant financial and reputational damage.
What is Ransomware?
Ransomware is malicious software (malware) designed to lock access to systems, files, or networks until a ransom is paid. Cybercriminals typically spread ransomware through:
– Phishing emails
– Malicious advertisements
– Infected links
– Compromised websites
– Malicious email attachments
Once inside a system, ransomware can:
– Restrict access to computers or specific files.
– Encrypt files and folders on local drives, external storage, and networked systems, making them inaccessible.
– Spread to other systems via USB storage and services on the network.
Victims often remain unaware of an infection until they lose access to critical data or receive a ransom demand. These attacks can have devastating consequences, making strong cybersecurity measures critical for prevention and mitigation.
Recent Ransomware Attacks in Industrial Automation
The LockBit Takedown
In early 2024, law enforcement agencies severely disrupted LockBit, a notorious Ransomware-as-a-Service (RaaS) operation. The FBI seized its servers and released over 7,000 decryption keys to help victims recover their files. LockBit had attacked more than 2,500 victims across 120 countries, including 1,800 in the United States, targeting businesses, hospitals, schools, nonprofits, and law enforcement agencies.
By the time of the takedown, LockBit had extorted at least $500 million in ransom payments and caused billions in additional losses due to operational downtime, lost revenue, and incident response costs.
“No one is safe from ransomware attacks, from individuals to institutions,” said Acting Special Agent in Charge of the FBI Newark Division, Terence G. Reilly. “We will continue to work tirelessly to prevent cybercriminals from profiting off their attacks.”
The Rise of Data Extortion
Beyond traditional ransomware attacks, cybercriminals increasingly use data extortion—stealing sensitive information and threatening to release it unless a ransom is paid. It is often combined with a conventional ransom demand: attackers threaten to release more of the stolen data until the ransom is paid.
One such group, RansomHub, operates as a RaaS provider, renting its infrastructure to affiliates who execute attacks. This model enables even low-skill cybercriminals to launch sophisticated attacks.
The Financial Impact of Ransomware
A study by Illumio and the Ponemon Institute surveyed 2,547 IT and cybersecurity professionals in the U.S., U.K., Germany, France, Australia, and Japan. Their findings reveal the staggering cost of ransomware:
– 25% of critical systems affected by ransomware were down for an average of 12 hours.
– The average ransom demand was $1.2 million.
– 51% of organizations paid the ransom, but only 13% fully recovered their data.
For some companies, the impact is so severe that it leads to bankruptcy.
Case Study: Stoli Group’s Ransomware-Induced Bankruptcy
In August 2024, Stoli Group, the maker of Stoli vodka, suffered a ransomware attack that crippled its Enterprise Resource Planning (ERP) system. Forced to revert to manual operations, the company faced:
– Inability to generate financial reports for lenders
– Loan defaults and loss of financial support
– Severe operational slowdowns
– Delayed system recovery, expected only by early 2025
The attack, combined with declining demand and ongoing legal disputes, ultimately led Stoli Group to file for Chapter 11 bankruptcy on November 27, 2024.
Building a Digital Fortress: Protecting Industrial Automation Systems
While no cybersecurity strategy guarantees 100% protection, a layered security approach significantly reduces the risk.
Key Security Layers
– Perimeter Security – Firewalls and intrusion detection systems to block external threats
– Endpoint Security – Antivirus software and real-time monitoring for all connected devices
– Network Security – Segmentation and traffic monitoring to limit lateral movement of malware
– Data Security – Encryption and access controls to safeguard sensitive information
– System Hardening – Regular patching and updates to eliminate vulnerabilities
– Multi-Factor Authentication (MFA) – Prevents unauthorized access
– Managed Security Services – External monitoring and response teams for added protection
Best Practices for Ransomware Prevention
– Implement Regular Data Backups – Follow the 3-2-1 rule (three copies of data, two different media types, one stored offline) to enable rapid recovery
– Invest in Cybersecurity Tools – Firewalls, antivirus solutions, and endpoint detection & response (EDR) tools are essential.
– Train Employees on Cybersecurity Awareness – Regular phishing simulations and training reduce human errors
– Develop an Incident Response Plan – A well-prepared response minimizes downtime and losses
– Limit Access Privileges – The “least privilege” principle restricts users to only the necessary data and systems.
Ransomware remains a persistent and evolving threat in industrial automation. As attacks become more sophisticated and financially devastating, proactive cybersecurity strategies are essential. Organizations can protect critical infrastructure, prevent operational disruptions, and minimize financial losses by implementing strong defenses.
Understanding DoS and DDoS Attacks
Denial-of-Service (DoS) Attack
– A DoS attack originates from a single system or source.
– The attacker overwhelms a server, website, or network with excessive requests, exhausting resources and causing service disruptions.
– Since the attack stems from a single IP address or machine, it is easier to detect and block by identifying and filtering the malicious source.
Distributed Denial-of-Service (DDoS) Attack
– A DDoS attack is far more sophisticated and involves multiple compromised devices—often part of a large botnet.
– These compromised devices, including computers, IoT devices, and cloud servers, are remotely controlled by the attacker to flood the target with traffic.
– The attack originates from numerous locations and IP addresses, so it is more difficult to differentiate real users from bots.
While DoS attacks are more localized and straightforward to stop, DDoS attacks pose a more significant threat due to their scale, distribution, and complexity, making mitigation significantly more challenging.
The Consequences of DDoS Attacks
DDoS attacks can inflict severe damage on networks and lead to substantial financial losses. Some of the key consequences include:
– Loss of revenue: Downtime caused by a DDoS attack can be extremely costly, particularly for businesses that rely on online services.
– Reduced productivity: Employees may be unable to work if their systems are offline or degraded, especially in remote or hybrid work environments that depend on cloud-based infrastructure.
– High recovery costs: Restoring IT systems during and after an attack requires additional time, labor, and resources.
– Damage to brand reputation: Businesses that experience prolonged outages due to DDoS attacks may suffer long-term reputational harm, especially in industries where service availability is critical.
How to Identify a DDoS Attack
Managed service providers (MSPs) and IT teams should monitor for early warning signs of a potential DDoS attack, including:
– Multiple connection requests from the same IP address in rapid succession
– Unusual spikes in website traffic
– A sudden and drastic drop in website speed
– Large-scale site outages
– Large amounts of requests from IP addresses belonging to a cloud provider
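The warning signs above can be checked mechanically against a web server's access log. The script below is an added example and not ADISRA code: it scans a constructed access log in the common log format for three of the listed signs, one address connecting in rapid succession, an overall request spike against a baseline, and an unusually large share of requests from a cloud provider's address range. The baseline rate, the thresholds and the cloud prefix (TEST-NET-3 standing in for a real provider range) are assumptions for the example.

```python
"""DDoS early-warning checks over an access log (added example, not ADISRA code).

Thresholds, the baseline rate, the cloud prefix and the log itself are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

CLOUD_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # constructed stand-in for a cloud range
BASELINE_RPS = 2.0                                        # assumed normal requests per second
SPIKE_FACTOR = 5                                          # alert above 5x baseline
BURST_WINDOW = timedelta(seconds=1)
BURST_THRESHOLD = 20                                      # requests from one IP inside the window
CLOUD_SHARE_THRESHOLD = 0.25                              # normally near zero for an on-prem HMI

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> tuple[str, datetime] | None:
    """Extract (client IP, timestamp) from a common-log-format line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)


def in_cloud_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_PREFIXES)


def analyze(lines: list[str]) -> dict:
    """Return the indicators found: bursting sources, peak rate, spike flag, cloud share."""
    by_ip: dict[str, list[datetime]] = defaultdict(list)
    per_second: Counter = Counter()
    cloud_requests = total = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        total += 1
        by_ip[ip].append(ts)
        per_second[ts.replace(microsecond=0)] += 1
        if in_cloud_range(ip):
            cloud_requests += 1

    # One source issuing BURST_THRESHOLD requests inside BURST_WINDOW (sliding window).
    burst_sources = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - BURST_THRESHOLD + 1):
            if stamps[i + BURST_THRESHOLD - 1] - stamps[i] <= BURST_WINDOW:
                burst_sources.append(ip)
                break

    peak_rps = max(per_second.values(), default=0)
    cloud_share = cloud_requests / total if total else 0.0
    return {
        "burst_sources": sorted(burst_sources),
        "peak_rps": peak_rps,
        "spike": peak_rps > BASELINE_RPS * SPIKE_FACTOR,
        "cloud_share": cloud_share,
        "cloud_flag": cloud_share > CLOUD_SHARE_THRESHOLD,
        # Candidates for the IP-blocking step of an incident response plan.
        "recommended_blocks": sorted(burst_sources),
    }


def build_sample_log() -> list[str]:
    """Constructed log: 10 s of normal traffic, then a single-source burst, then a cloud-range flood."""
    base = datetime(2025, 3, 10, 14, 2, 0, tzinfo=timezone.utc)

    def line(ip: str, t: datetime, path: str) -> str:
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for s in range(10):                                   # 2 requests/s from two workstations
        for k in range(2):
            lines.append(line(f"198.51.100.{10 + k}", base + timedelta(seconds=s), "/hmi/status"))
    for _ in range(40):                                   # 40 requests in one second, one source
        lines.append(line("192.0.2.7", base + timedelta(seconds=10), "/login"))
    for i in range(30):                                   # 30 distinct addresses from the cloud range
        lines.append(line(f"203.0.113.{i + 1}", base + timedelta(seconds=11), "/"))
    return lines


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

Per-second counting is coarse but matches the resolution of most access logs; for a real deployment the baseline should come from the site's own traffic history rather than a constant, and the cloud share check is only meaningful when the application has no legitimate reason to be reached from those ranges.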
Best Practices for Preventing and Mitigating DoS and DDoS Attacks
To safeguard against DDoS attacks, organizations should implement the following cybersecurity measures:
– Migrate mission-critical applications to a separate public subnet or the cloud.
– Use a separate IP address to store public resources.
– Configure firewalls to block SYN flood attacks, which are a type of DoS attack where an attacker overwhelms a server with connection requests without completing the handshake process.
– Optimize web server configurations to withstand high-traffic attacks.
– Leverage content delivery networks (CDNs) with DDoS protection to distribute network load.
– Invest in advanced threat detection and response solutions to enable early warning and faster incident response.
– Conduct regular cybersecurity training and simulations for IT staff to prepare for DDoS incidents.
– Develop a comprehensive incident response plan, including IP blocking, rate limiting, and black hole filtering, to minimize downtime.
The Growing Threat to Industrial Automation Companies
As critical components of supply chains, industrial automation companies are becoming prime targets for cybercriminals seeking financial gain, operational disruption, or even physical damage. Denial-of-service attacks are a favored method for crippling these organizations, reinforcing the need for robust cybersecurity defenses to protect operations, data, and business continuity.
By implementing proactive security strategies, businesses can mitigate the risks associated with DDoS attacks and strengthen their resilience against evolving cyber threats.
Man-in-the-Middle (MITM) Attack: A Stealthy Cybersecurity Threat
A Man-in-the-Middle (MITM) attack is a cyberattack where an attacker secretly intercepts and manipulates communication between two parties, often without their knowledge. The attacker can eavesdrop on sensitive data, alter messages, or impersonate one of the parties to steal information or cause disruption. These attacks exploit vulnerabilities in network protocols and can be carried out through various methods, such as IP spoofing, data packet interception, or DNS manipulation.
Types of Man-in-the-Middle Attacks
MITM attacks occur when a hacker positions themselves between a user and an online entity, such as a network, website, or application, to capture sensitive data. Common MITM techniques include:
– IP Spoofing – Attackers alter an IP address to impersonate a trusted entity, tricking users into unknowingly sending data to a malicious actor.
– DNS Spoofing – Cybercriminals redirect users to a fraudulent website that mimics a legitimate one, tricking them into entering sensitive information like login credentials.
– HTTPS Spoofing – Users are misled into visiting a non-secure HTTP website instead of a legitimate HTTPS-protected site, allowing attackers to monitor and steal their data.
– Email Hijacking – Hackers gain unauthorized access to email accounts, often those of banks or financial institutions, to manipulate transactions or deceive customers into sending money to fraudulent accounts.
– Wi-Fi Eavesdropping – Attackers set up fake public Wi-Fi hotspots resembling trusted networks, allowing them to intercept users’ online activity and steal personal data.
– SSL Hijacking – Cybercriminals exploit Secure Sockets Layer (SSL) encryption by intercepting HTTPS connections and gaining access to data transfers between users and secure servers.
– Session Hijacking – Also known as browser cookie theft, this attack involves stealing a user’s session ID from web cookies to gain unauthorized access to accounts.
Rising MITM Threats and Cybersecurity Trends
– MITM attacks accounted for 19% of successful cyberattacks this year.
– MITM-compromised emails have increased by 35% since 2021.
– IIoT and smart devices are becoming primary targets for MITM attacks, exposing sensitive data across industrial and consumer applications.
Case Study: MITM Attack on Varta (2024)
In February 2024, Varta, a German battery manufacturer, suffered a significant MITM cyberattack that disrupted operations across five manufacturing plants.
Incident Details:
On February 12, 2024, attackers infiltrated Varta’s IT systems, forcing the company to shut down production and disconnect from the internet to contain the breach.
A task force was immediately formed to assess the damage and restore normal operations with support from cybersecurity experts and forensic analysts.
Varta’s emergency response plan was implemented to protect data integrity and investigate the full extent of the attack.
Key Takeaway:
The attack highlights the increasing vulnerability of industrial automation and manufacturing companies to MITM threats, demonstrating the need for proactive cybersecurity measures to protect critical infrastructure.
How to Prevent Man-in-the-Middle Attacks
Organizations and individuals can reduce the risk of MITM attacks by implementing best practices and security controls, including:
– Prioritize HTTPS connections – Verify that websites use encryption (indicated by “https://” in the URL and a padlock icon) and avoid entering credentials on non-encrypted HTTP websites.
– Avoid unsecured/public Wi-Fi – Public Wi-Fi networks can be compromised; use VPNs or mobile hotspots to ensure secure browsing.
– Implement Multi-Factor Authentication (MFA) – Even if an attacker steals login credentials, MFA requires an additional verification step, such as a hardware token or biometric authentication, preventing unauthorized access.
– Adopt Network Segmentation – Network segmentation isolates attacks and prevents lateral movement within an organization’s network.
– Encrypt Emails – Secure communication with S/MIME (Secure/Multipurpose Internet Mail Extensions) to encrypt messages and verify sender authenticity.
– Use a Certificate Management System – Automatically monitor SSL/TLS certificates to prevent hijacking caused by expired or weak certificates.
– Enforce Privileged Access Management (PAM) – Restrict access to privileged accounts, ensuring that only authorized personnel have access to critical systems and sensitive data.
Man-in-the-middle attacks pose a serious cybersecurity risk to businesses, individuals, and governments, often leading to data breaches, financial fraud, and service disruptions. As threat actors increasingly target industrial automation and IoT environments, organizations must adopt a proactive cybersecurity strategy to defend against these sophisticated attacks. Implementing encryption, authentication protocols, and zero-trust security frameworks can significantly reduce vulnerabilities and enhance cyber resilience.
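The "alter messages" and "impersonate one of the parties" risks described in this section are what message authentication defends against. The example below is added here and is not ADISRA code: an HMI-side sender and a controller-side receiver share a pre-shared key, every command carries an HMAC-SHA256 tag and a sequence number, and the receiver rejects a command whose value was changed in transit as well as a replayed copy of an earlier command. The key, the message format and the tampering step are constructed for illustration; in practice TLS with mutual authentication provides this integrity together with confidentiality.

```python
"""Authenticated control messages between an HMI and a controller (added example, not ADISRA code).

Pre-shared key and message format are constructed; a real deployment would
provision the key out of band or use mutually authenticated TLS.
"""
from __future__ import annotations

import hashlib
import hmac
import json

KEY = b"constructed-pre-shared-key-change-me"  # assumption: provisioned out of band


def canonical(msg: dict) -> bytes:
    """Deterministic JSON so sender and receiver compute the tag over identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


class Sender:
    """HMI side: attaches a monotonically increasing sequence number and an HMAC tag."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def send(self, body: dict) -> str:
        self.seq += 1
        payload = canonical({"seq": self.seq, "body": body})
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return payload.decode() + "." + tag          # wire format: <json>.<hex tag>


class Receiver:
    """Controller side: verifies the tag in constant time, then enforces sequence ordering."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def receive(self, wire: str) -> tuple[bool, str, dict | None]:
        payload, sep, tag = wire.rpartition(".")   # the hex tag contains no '.', so this is safe
        if not sep:
            return False, "malformed", None
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag", None          # altered in transit or forged without the key
        msg = json.loads(payload)
        if msg["seq"] <= self.last_seq:
            return False, "replay", None           # an old message captured and resent
        self.last_seq = msg["seq"]
        return True, "ok", msg["body"]


def demo() -> tuple[tuple, tuple, tuple]:
    """Genuine command, the same command with its setpoint altered in transit, and a replay."""
    hmi, plc = Sender(KEY), Receiver(KEY)
    wire = hmi.send({"cmd": "SET_SETPOINT", "tag": "TT-101", "value": 72.5})
    genuine = plc.receive(wire)
    # Constructed tampering: an intermediary rewrites the value but cannot recompute the tag.
    forged = plc.receive(wire.replace('"value":72.5', '"value":150.0'))
    replayed = plc.receive(wire)
    return genuine, forged, replayed


if __name__ == "__main__":
    for label, outcome in zip(("genuine", "forged", "replayed"), demo()):
        print(label, outcome)
```

The two checks are deliberately ordered: the tag is verified before the payload is parsed, so unauthenticated input never reaches the JSON parser, and the sequence number is only advanced after a valid tag, so a forged message cannot disturb the replay window.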

Conclusion
The growing sophistication of cyber threats in industrial automation underscores the urgent need for proactive security strategies. As demonstrated by the increasing prevalence of phishing, ransomware, DoS, and MITM attacks, industrial control systems and HMI/SCADA platforms like ADISRA SmartView are prime targets for cybercriminals. The consequences of these attacks extend beyond data breaches and financial losses—they threaten operational continuity, safety, and even national security.
Organizations must adopt a multi-layered cybersecurity approach that includes robust access controls, real-time threat monitoring, regular employee training, and comprehensive incident response plans. As cyber threats continue to evolve, staying informed and vigilant is the key to safeguarding critical infrastructure.
This blog is part of an ongoing series exploring the most common cybersecurity risks in industrial automation. Stay tuned as we continue to highlight emerging threats and best practices for securing your industrial operations. Let us know your thoughts, and feel free to share your experiences in the comments.
Are you ready to try ADISRA SmartView? Download ADISRA SmartView today.
ADISRA®, ADISRA’S logo, InsightView®, and KnowledgeView® are registered trademarks of ADISRA, LLC.
© 2025 ADISRA, LLC. All Rights Reserved.