Why State Actors Are Targeting Industrial Control Systems
The world’s critical systems, from power grids to water plants, are increasingly under attack. This article explores why nation-state actors are attacking industrial control systems, how they infiltrate them, and what it means for the future of global security.
By Tim Uhlott|Last updated: November 11, 2025|8 minutes read

Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks form the backbone of industrial and critical infrastructure. They regulate how electricity flows across power grids, how water is treated and distributed, how oil pipelines operate, and how factories produce essential goods.
That’s precisely why nation-state actors, from Russia, China, Iran, North Korea, and beyond, have increasingly set their sights on these systems. A state actor is an individual, group, or organization that acts on behalf of a government to advance its political, economic, military, or strategic interests. Let’s break down why ICS systems have become prime targets, how states exploit them, and what that means for global security.
Examples of Nation-State Actors Targeting Industrial and OT Systems
Volt Typhoon (China)
Linked to the People’s Republic of China, Volt Typhoon has infiltrated multiple critical infrastructure and operational technology (OT) networks across the United States. The group relies on living-off-the-land techniques, using legitimate administrative tools, to avoid detection. Investigations revealed that the attackers exploited system vulnerabilities to obtain privileged credentials, enabling them to move laterally within networks and disrupt essential services. Reports indicate that Volt Typhoon maintained stealthy access to some U.S. networks for as long as five years before discovery.
Sandworm (Russia)
The Russian state-sponsored group known as Sandworm, affiliated with the country’s military intelligence unit (GRU), was behind the 2015 cyberattack on Ukraine’s power grid. The attackers exploited vulnerabilities in the MicroSCADA control software to issue unauthorized commands to remote substations, successfully interrupting power distribution.
CyberAv3ngers (Iran)
Iran’s CyberAv3ngers, a hacking group associated with the Islamic Revolutionary Guard Corps (IRGC), has increasingly shifted its focus to industrial and infrastructure targets. The group is known for exploiting Israeli-developed Unitronics PLC/HMI devices to compromise water facilities in the United States. Earlier, in 2021, the same actors conducted revenge attacks that disabled more than 4,000 gas stations in Iran, marking one of the most disruptive cyber incidents in the country’s history.
Andariel (North Korea)
The North Korean threat actor known as Andariel has conducted global espionage campaigns aimed at organizations in the United States, the United Kingdom, and South Korea. Although primarily focused on intelligence collection for military purposes, the group’s methods resemble those used in OT attacks. Their tactics include living-off-the-land techniques and the deployment of remote access Trojans to extract sensitive data, manipulate systems, and compromise elements of critical national infrastructure.
Why State Actors Target Industrial Control Systems
Strategic Pre-Positioning
Many nation-state cyber intrusions do not result in immediate disruption or visible damage. Instead, these actors often aim to quietly establish long-term footholds within industrial control and operational networks. Once inside, they maintain persistent access, sometimes for years, without triggering alarms or altering normal operations. These dormant intrusions serve several strategic purposes. First, they enable surveillance, allowing attackers to continuously collect intelligence about system configurations, operational behaviors, and existing defenses. Second, they support preparation, as attackers can plant malware or backdoors that can be swiftly activated during times of geopolitical tension or conflict. Third, they serve as a form of deterrence, signaling to adversaries that their critical infrastructure could be disrupted or disabled if provoked. Nations could stockpile access to critical global infrastructure to build a hidden cyber arsenal.
Cyberwarfare Below the Threshold of War
Traditional military aggression often leads to open conflict and retaliation. Cyber operations, on the other hand, fall below that “threshold of war.” By infiltrating control systems, states can project power, signal capability, or prepare for future sabotage, without firing a missile. These intrusions allow them to achieve strategic objectives, testing defenses, planting backdoors, or showcasing deterrence, all while maintaining plausible deniability.
Economic and Industrial Espionage
Beyond disruption, many ICS attacks focus on stealing trade secrets and industrial designs. State-sponsored groups target manufacturing facilities, energy companies, and engineering firms to obtain proprietary technologies, everything from turbine control logic to process automation blueprints. For nations looking to accelerate industrial development or reduce dependence on foreign technology, stealing rather than inventing offers a faster, cheaper path to competitiveness.
How Nation-State Actors Penetrate ICS Environments
Exploiting IT/OT Convergence
The biggest change in the industrial landscape is the interconnection of IT and OT networks. As companies connect factory systems to corporate networks for analytics, remote monitoring, and efficiency, they inadvertently expose legacy equipment to the internet. Nation-state hackers exploit this convergence. They breach the IT network through phishing, stolen credentials, or vulnerable VPNs, then move laterally into the OT layer, where ICS assets reside. This “IT-to-OT pivot” was the playbook behind several high-profile attacks, including the Colonial Pipeline ransomware incident, where an IT breach led to an operational shutdown out of precaution.
Supply Chain Compromise
Instead of attacking the target directly, advanced threat actors often infiltrate trusted vendors, the companies that provide ICS software updates, maintenance, or monitoring services. By compromising these suppliers, attackers can silently insert malware or backdoors into software updates.
Social Engineering
Nation-state campaigns rely heavily on social engineering. Operators, engineers, and contractors often have privileged access to control systems, and they can be tricked through spear-phishing or fake maintenance requests. Even a single compromised laptop connected to an engineering workstation can provide the foothold an attacker needs to upload malicious logic or extract sensitive configurations.
Exploiting Legacy and Unpatched Systems
Industrial systems are built for longevity, not agility. Some still run on outdated firmware. Because downtime in factories and power plants is costly, organizations often delay patches, giving adversaries ample opportunity to exploit known vulnerabilities. Nation-state actors understand this operational reality and tailor their exploits to old, unsupported systems that defenders rarely monitor.
Protecting Industrial Control Systems
While nation-state threats are complex, organizations can significantly reduce risk by adopting layered defenses:
- Segmentation: Strictly separate IT and OT networks using firewalls and one-way data diodes.
- Access Control: Enforce multi-factor authentication for all remote or vendor access.
- Monitoring: Deploy OT-aware intrusion detection systems that can parse industrial protocols.
- Incident Response Planning: Conduct joint IT/OT tabletop exercises.
- Vendor Management: Audit supply chains and enforce security requirements for ICS vendors.
- Regular Assessments: Patch where possible, or use compensating controls where not.
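As an added example (not the article's own code), the Segmentation and Monitoring controls above in practice: a small Python monitor that parses Modbus/TCP, assumed here as the industrial protocol since the article names none, and flags write commands arriving from outside an assumed engineering subnet, which is what an IT-to-OT pivot looks like on the wire. The subnet, addresses and frames are all constructed for the demonstration.

```python
# Added example (not from the article): a minimal OT-aware monitor that parses
# Modbus/TCP frames (assumed protocol; the article names none) and flags write
# operations that originate outside an allow-listed engineering subnet, i.e. the
# IT-to-OT pivot the article describes. All frames and addresses are constructed.
import ipaddress
import struct

ENGINEERING_SUBNET = ipaddress.ip_network("10.20.0.0/24")  # assumed OT allow-list
# Modbus function codes that change process state: 5 write single coil,
# 6 write single register, 15/16 write multiple coils/registers,
# 22 mask write register, 23 read/write multiple registers.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus function code; raise on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def assess(src_ip: str, frame: bytes) -> str:
    """Classify one frame seen on the OT segment as OK, ALERT or MALFORMED."""
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError:
        return "MALFORMED"  # truncated or non-Modbus traffic on a PLC port is itself notable
    if pdu["function"] in WRITE_FUNCTIONS and ipaddress.ip_address(src_ip) not in ENGINEERING_SUBNET:
        return "ALERT"  # write command from a host that should never control the PLC
    return "OK"

# Constructed sample traffic: (source IP, raw Modbus/TCP frame as hex)
SAMPLES = [
    ("10.20.0.5", "0001000000060103000A0002"),      # read holding registers, engineering host
    ("10.20.0.5", "0002000000060106000100FF"),      # write single register, engineering host
    ("192.168.50.17", "0003000000060106000100FF"),  # same write, but from the corporate IT subnet
    ("192.168.50.17", "00040000"),                  # truncated frame
]

def run(samples=SAMPLES) -> list:
    """Return one verdict per sample, in order."""
    return [assess(ip, bytes.fromhex(hexframe)) for ip, hexframe in samples]

if __name__ == "__main__":
    for (ip, hexframe), verdict in zip(SAMPLES, run()):
        print(f"{verdict:9} src={ip} frame={hexframe}")
```

In a real deployment the allow-list would be fed from the asset inventory and the verdicts forwarded to the SOC; the point here is that read traffic from the engineering network passes while the identical write from the IT side is the event worth paging on.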