SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control Systems) have emerged as some of the most critical cybersecurity concerns of this era. While traditional IT systems still face threats like ransomware, the risk posed to SCADA/ICS systems goes beyond individual companies and facilities. A successful attack on a SCADA facility could impact an entire nation’s infrastructure. Imagine the consequences of a cyberattack on an electrical grid, oil pipeline, or water treatment plant — the damage would be catastrophic.
As we consider the potential of future SCADA attacks, it’s crucial to reflect on some of the most significant incidents in history. Although we can’t predict the future, examining these attacks provides insight into how SCADA hacks unfold and their devastating impact on national and regional infrastructure.
1. Stuxnet
The Stuxnet attack is perhaps the most well-known SCADA/ICS incident. This sophisticated cyberweapon targeted Siemens PLC controllers at Iran’s uranium enrichment facility in Natanz. Launched in 2009, Stuxnet was allegedly developed by the U.S. NSA with the goal of disrupting Iran's nuclear program.
The malware exploited three zero-day vulnerabilities in Microsoft Windows to infiltrate the system and tamper with the ladder logic controlling the uranium centrifuges. This caused the centrifuges to malfunction, preventing the enrichment of uranium to the desired levels. Stuxnet remains one of the most advanced SCADA attacks ever, demonstrating just how precise and harmful these attacks can be.
2. Triton/Triconex
Discovered in December 2017, the Triton/Triconex malware was identified on the industrial control systems of a Saudi petrochemical plant. What sets this malware apart is its deadly intent—it was specifically designed to cause harm to human life.
Triton targeted Schneider Electric’s safety instrumented systems (SIS), which are designed to shut down industrial facilities in emergencies. FireEye's analysis suggested that the attack likely originated from Russia’s Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM). This attack highlights the frightening reality of SCADA/ICS hacks in cyberwarfare scenarios, where millions of lives could be at risk.
3. BlackEnergy3
Originally created as a DDoS tool, BlackEnergy3 was repurposed to launch a devastating attack on Ukraine's power grid in 2014. The attackers used a vulnerability in Microsoft Office (CVE-2014-4114) to gain access to the control systems of an electrical utility.
Once inside, they compromised the Human Machine Interface (HMI) and manipulated the breakers, plunging large parts of Ukraine into darkness amid the conflict in Eastern Ukraine. The attack on Ukraine's power grid underscores the potential for SCADA malware to disrupt critical infrastructure during times of political turmoil.
4. Shamoon
Shamoon, which targeted Saudi Aramco in 2012, had a different focus from other SCADA attacks. Instead of disrupting industrial processes, Shamoon aimed to steal and wipe data, replacing it with an image of a burning U.S. flag.
Although it attempted to spread from the corporate network to the SCADA environment, strong network segmentation prevented further damage. Shamoon is widely believed to have been the work of Iranian hackers, marking another chapter in the cyber conflict between Iran and Saudi Arabia.
5. New York Dam
In 2013, Iranian hackers gained access to the SCADA controls of a small dam in New York State. Although they didn’t cause significant damage, this incident was a clear test of what vulnerabilities could be exploited. The attackers infiltrated the system through a cellular modem connected to the internet, but fortunately, the dam was under maintenance, limiting their control.
This event serves as a reminder of the dangers of keeping SCADA systems connected to the internet. Many facilities have since opted to go offline to avoid such risks.
6. Kemuri
While many SCADA/ICS breaches go unreported, one incident disclosed by Verizon in 2016 was named “Kemuri” to protect the company’s identity. Attackers managed to compromise the water treatment systems at this facility, gaining access to PLCs that controlled the chemical processes used to treat drinking water.
Although the attackers did not cause significant harm, the incident highlighted the potential dangers of cyberattacks on water treatment plants. If they had more detailed knowledge of the system, the consequences could have been disastrous.
7. CrashOverride (Industroyer)
CrashOverride, also known as Industroyer, is the first malware specifically designed to attack electrical grids, using protocols like IEC 101, IEC 104, and IEC 61820, which are common in electricity distribution.
The malware’s modules can open circuit breakers on Remote Terminal Units (RTUs) and prevent them from being closed, even manually. By de-energizing substations, CrashOverride could cause widespread power outages. It’s a chilling example of how cyberattacks could cripple national economies during wartime.
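Because the breaker operations described above travel over the same IEC 104 messages the utility's own master station uses, a defender's first step is to log every control command seen at the substation gateway and compare it with the change record. The following parser is an added example, not code from the original article or from any Industroyer analysis: it decodes the ASDU header of IEC 60870-5-104 I-format frames and raises an alert for single-command (type 45) and double-command (type 46) activations. The frames, information object addresses and common address are constructed for the example and do not come from any real installation.

```python
"""Flag IEC 60870-5-104 breaker control commands in captured APDUs.

Added example (not from the original article). Parses the APCI/ASDU header of
IEC 104 I-format frames and alerts on C_SC_NA_1 (type 45) and C_DC_NA_1
(type 46) activations, i.e. the ASDUs that open or close a breaker. All
sample frames, addresses and IOAs below are constructed for this example.
"""
import struct

START_BYTE = 0x68
# ASDU type identifiers that operate plant equipment (IEC 60870-5-101/104)
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command"}
COT_NAMES = {6: "activation", 7: "activation confirmation"}


def parse_apdu(frame: bytes):
    """Parse one APDU; return None for U/S-format frames or malformed input."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        return None
    length = frame[1]                      # bytes following the length octet
    if length != len(frame) - 2 or length < 4:
        return None
    ctrl = frame[2:6]                      # 4 control octets (APCI)
    if ctrl[0] & 0x01:                     # bit 0 set => S-format (01) or U-format (11)
        return None
    asdu = frame[6:]
    if len(asdu) < 10:                     # 6-byte ASDU header + 3-byte IOA + 1 element
        return None
    type_id, vsq, cot_lo, _cot_hi, ca = struct.unpack("<BBBBH", asdu[:6])
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)   # 3-byte little-endian IOA
    return {
        "type_id": type_id,
        "count": vsq & 0x7F,               # number of information objects
        "cot": cot_lo & 0x3F,              # low 6 bits = cause of transmission
        "common_address": ca,
        "ioa": ioa,
        "element": asdu[9],                # SCO / DCO qualifier octet
    }


def describe_command(rec):
    """Human-readable state and select/execute phase from the SCO/DCO octet."""
    if rec["type_id"] == 45:
        state = "ON" if rec["element"] & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(rec["element"] & 0x03, "INVALID")
    phase = "select" if rec["element"] & 0x80 else "execute"
    return f"{state} ({phase})"


def detect_control_commands(frames):
    """Return one alert per control-command activation or its confirmation."""
    alerts = []
    for frame in frames:
        rec = parse_apdu(frame)
        if rec is None or rec["type_id"] not in CONTROL_TYPES:
            continue                       # status reports, U/S frames, junk
        if rec["cot"] not in COT_NAMES:
            continue                       # not an operate request/confirm
        alerts.append({
            "type": CONTROL_TYPES[rec["type_id"]],
            "common_address": rec["common_address"],
            "ioa": rec["ioa"],
            "action": describe_command(rec),
            "cot": COT_NAMES[rec["cot"]],
        })
    return alerts


# Constructed sample capture: session setup, a status report, two breaker
# commands from the master side and the RTU's confirmation of the first.
SAMPLE_FRAMES = [
    bytes.fromhex("68 04 07 00 00 00"),                                  # U-format STARTDT act
    bytes.fromhex("68 0E 02 00 00 00 01 01 03 00 01 00 E9 03 00 01"),    # M_SP_NA_1 spontaneous point
    bytes.fromhex("68 0E 00 00 00 00 2D 01 06 00 01 00 E9 03 00 01"),    # C_SC_NA_1 execute ON, IOA 1001
    bytes.fromhex("68 0E 04 00 00 00 2E 01 06 00 01 00 D1 07 00 81"),    # C_DC_NA_1 select OFF, IOA 2001
    bytes.fromhex("68 0E 00 00 02 00 2D 01 07 00 01 00 E9 03 00 01"),    # activation confirmation
]

if __name__ == "__main__":
    for alert in detect_control_commands(SAMPLE_FRAMES):
        print(alert)
```

Every alert is worth recording even when it is legitimate: the value of the log is that an operator can line it up with the dispatch schedule, and a run of select/execute pairs with no matching work order is exactly the pattern an Industroyer-style module would leave behind.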
8. German Steel Mill
In 2014, a German steel mill suffered a cyberattack that initially compromised its business network before infiltrating its SCADA systems. While the attackers’ identities remain unknown, they demonstrated deep knowledge of the mill's operations, causing multiple system failures and narrowly avoiding a catastrophic disaster.
This attack, only revealed in an anonymous German government report, emphasizes how many SCADA attacks go unreported and unnoticed by the public.
9. Night Dragon
Unlike other attacks on this list, Night Dragon focused on information theft rather than operational disruption. In 2010, attackers targeted oil, energy, and petrochemical companies, stealing valuable data such as financial reports and bidding strategies.
Although relatively unsophisticated, this attack underscored the energy sector’s vulnerability to cyber threats and highlighted the potential for future, more destructive attacks targeting control systems.
Conclusion
SCADA and ICS systems are vital to any nation's economy, yet they remain highly vulnerable to cyberattacks. In future conflicts, cyberwarfare will almost certainly include attempts to disable critical infrastructure, potentially crippling entire economies. Although many SCADA attacks go unreported, the ones that are known offer a glimpse of what future cyberwarfare might look like.
Author: David Freire - Sales Representative and Editor at Black Hat
Editor: Jordan Rodgers - Lead Technologist at Black Hat