Well folks, we’re finally here—this is the final blog of our CISO’s guide to red teaming series. Where has the time gone? Over the past two months, we’ve looked at red teaming from a CISO’s perspective in several different categories. In our last installment of the series, I’m looking at red teaming in the manufacturing and industrial sectors.

Manufacturing and industrial threat landscape

Manufacturers and industrial companies (including those with OT environments, such as factories, energy/utilities, chemical plants, and other industrial control system setups) face threats that span both traditional IT and industrial control realms. Nation-state military and intelligence units are a top concern, especially for critical infrastructure and defense industrial base manufacturers. These adversaries may seek to conduct cyber-sabotage or espionage. For example, Russian and Iranian state-linked groups have been known to target electric grids, factories, and pipelines. (The Sandworm group from Russia infamously caused blackouts in Ukraine, and other groups have deployed ICS-tailored malware like Industroyer and Triton to disrupt industrial safety systems.) China-based actors (e.g., the recently cited Volt Typhoon in the context of U.S. utility intrusions) focus on long-term espionage in supply chains, implanting malware that can exfiltrate intellectual property (like proprietary manufacturing processes, formulas, or blueprints). Aside from nation-states, ransomware gangs have increasingly targeted industrial firms, recognizing that downtime in production can cost millions and force quick ransom payments. The Colonial Pipeline attack of 2021 (by a criminal group) demonstrated how even purely financially motivated hackers can cause national-level disruptions by hitting an industrial operation. Such gangs might not directly understand ICS, but by compromising corporate IT and then impacting OT (or simply encrypting corporate data crucial to operations), they exert pressure.

Corporate espionage by competitors is also a risk in manufacturing. Adversaries might steal design specs or product plans to gain a market edge. Insiders and contractors pose unique risks, since many industrial environments rely on maintenance engineers or third-party vendors who have deep access (e.g., to PLCs or HMIs on a plant floor) and often use shared credentials or outdated remote access mechanisms. Another emerging threat is hacktivists or extremist groups with environmental or political motivations targeting industrial facilities (for instance, attempting to breach a chemical plant to protest pollution). While less common, the impact of such an event could be severe (safety and environmental damage). Overall, manufacturing/OT environments are characterized by high consequences for breaches (e.g., physical safety and huge financial losses from downtime) but often legacy technology and weak security on the OT side. Many ICS devices were not built with security in mind, and the process of patching them can be slow due to uptime requirements. This makes them attractive targets if attackers can get past the typically strong physical perimeter.

Core red team objectives

In industrial settings, a CISO’s red team engagement is usually designed to bridge the gap between IT and OT security and see if an adversary can traverse from a corporate network into operational domains.

IT-to-OT pivot attacks

A classic objective is to simulate an IT-to-OT pivot attack. A red team might start on the enterprise network (maybe by compromising an employee’s Windows laptop or an OT engineer’s VPN credentials) and then attempt to move into the production network that controls machinery. This tests whether network segmentation is truly effective and whether OT-specific anomalies (like someone scanning or accessing a PLC controller) would be noticed. If successful, a red team may demonstrate how it could alter or halt an industrial process (in a safe, controlled way). For example, it might show that it could have shut down a factory line or tweaked a formula in a chemical plant. Such a finding is eye-opening, often prompting immediate action to tighten network security zones between IT and OT (e.g., deploying unidirectional gateways, better jump hosts, or strict access controls).

Intellectual property and ransomware spread

Another objective is to gain access to sensitive design and manufacturing data. This might involve targeting where proprietary data is stored (e.g., the servers that hold CAD designs, manufacturing process recipes, or SCADA configuration files). A red team will attempt to exfiltrate this intellectual property, emulating an espionage campaign. This tests data security controls and the ability of a security team to detect large or unusual data exports from industrial R&D networks. Red teams also often test ransomware propagation in an industrial scenario. For example, after gaining initial access, can they move laterally and deploy simulated ransomware on file shares or operator workstations across multiple plant locations? This checks whether an organization has proper isolation between sites and good incident response for coordinated attacks. Proper isolation is crucial because many manufacturers have distributed plants—an attacker hitting several at once could amplify impact.
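The two detection questions raised above (would an IT host touching a PLC be noticed, and would a large export from R&D be noticed) can be answered with straightforward flow-log checks. The following is an added example and not code from the original post; the zone ranges, the approved jump host, the ICS port list, the egress threshold and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed network zones for the example (not from the original post).
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")      # corporate IT
OT_ZONE = ipaddress.ip_network("10.200.0.0/16")     # plant / OT
RND_ZONE = ipaddress.ip_network("10.50.0.0/24")     # R&D file servers (CAD, recipes)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
JUMP_HOSTS = {"10.10.5.5"}                          # assumed approved IT-to-OT jump host
ICS_PORTS = {502: "Modbus/TCP", 102: "Siemens S7", 44818: "EtherNet/IP", 20000: "DNP3"}
EGRESS_THRESHOLD = 500 * 1024 * 1024                # assumed per-source daily baseline (500 MiB)

# Constructed flow records: (src, dst, dst_port, bytes_out). Not real traffic.
FLOWS = [
    ("10.10.7.42", "10.200.1.10", 502, 1200),          # IT laptop speaking Modbus to a PLC
    ("10.10.5.5", "10.200.1.10", 502, 900),            # approved jump host: expected
    ("10.10.7.42", "10.200.1.11", 102, 600),           # same laptop probing an S7 controller
    ("10.50.0.20", "203.0.113.9", 443, 700_000_000),   # CAD server pushing ~700 MB outside
    ("10.50.0.21", "203.0.113.9", 443, 2_000_000),     # small, ordinary upload
    ("10.10.8.3", "10.10.9.9", 445, 50_000),           # plain IT-to-IT SMB, ignored
]

def _is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def it_to_ot_alerts(flows):
    """Flag IT-zone sources that reach ICS protocol ports in the OT zone without going
    through the approved jump host. Returns (src, dst, protocol) tuples."""
    alerts = []
    for src, dst, dport, _ in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in IT_ZONE and d in OT_ZONE and dport in ICS_PORTS and src not in JUMP_HOSTS:
            alerts.append((src, dst, ICS_PORTS[dport]))
    return alerts

def rnd_egress_alerts(flows):
    """Sum bytes sent from the R&D zone to external destinations per source and return
    the sources whose daily total exceeds the baseline threshold."""
    totals = defaultdict(int)
    for src, dst, _, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in RND_ZONE and not _is_internal(d):
            totals[src] += nbytes
    return sorted(src for src, total in totals.items() if total > EGRESS_THRESHOLD)

if __name__ == "__main__":
    for alert in it_to_ot_alerts(FLOWS):
        print("IT->OT ICS access:", alert)
    for src in rnd_egress_alerts(FLOWS):
        print("Large R&D egress from:", src)
```

In production the same logic would read firewall or NetFlow exports and the zone definitions would come from the segmentation design, which is exactly the artifact a red team pivot tests.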

Physical intrusion and human factors

Physical and social engineering tests are very relevant to manufacturing as well. A red team may attempt a physical intrusion into a plant or data center by impersonating maintenance staff or contractors. Its goal could be to see if it can plug into an on-site network. A successful test here might show that an outsider could walk into a facility, connect a laptop to an OT network switch or engineering workstation, and inject malicious code. Although dramatic, this is not an unrealistic scenario, given documented cases of insiders and contractors inadvertently or maliciously introducing malware via a USB in critical infrastructure. The objective is to prod at those “human” and “process” layers: Are security guards and badge systems in place? Do employees challenge unknown personnel? Are there strict policies for removable media? Often, industrial organizations pride themselves on strong physical security, but a red team might discover gaps (perhaps a remote site with lower security or night shift procedures being lax).

OT-focused incident response

Finally, industrial red teaming should exercise the incident response process with an OT twist. Many incident response teams are used to IT incidents. However, handling a potential ICS compromise is another level of complexity, usually involving coordination with operations/engineering teams. A red team debrief might include a tabletop component (“How would we coordinate with plant managers if this had been real?”). The overall aim is to ascertain the effectiveness of not only technical controls like firewalls and EDR on engineering laptops but also cross-domain processes (e.g., does the SOC have visibility into OT networks? Is there an asset inventory of OT devices to know what’s critical?). Testing and improving these areas can greatly reduce the chance of a successful attack.
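Both the rogue-laptop-on-a-plant-switch scenario in the physical intrusion section and the asset inventory question above come down to the same control: reconciling what is actually connected to OT switch ports against a maintained inventory. The following is an added example and not code from the original post; the inventory, the MAC table snapshot and its format are constructed assumptions.

```python
import re

# Constructed baseline OT asset inventory: MAC -> (asset name, criticality, expected switch port).
INVENTORY = {
    "00:1c:06:aa:bb:01": ("PLC-Line1", "high", "Gi1/0/1"),
    "00:1c:06:aa:bb:02": ("HMI-Line1", "high", "Gi1/0/2"),
    "00:1c:06:aa:bb:03": ("EWS-Eng", "medium", "Gi1/0/3"),
}

# Constructed MAC address table snapshot from an OT access switch (format assumed).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
200     001c.06aa.bb01    DYNAMIC     Gi1/0/1
200     001c.06aa.bb03    DYNAMIC     Gi1/0/5
200     3c22.fb11.2233    DYNAMIC     Gi1/0/3
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)

def normalize_mac(cisco_mac):
    """Convert 'aabb.ccdd.eeff' into 'aa:bb:cc:dd:ee:ff' so it matches the inventory keys."""
    hexdigits = cisco_mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text):
    """Return {mac: port} for every data row; header and separator lines do not match."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[normalize_mac(m.group(2))] = m.group(3)
    return seen

def reconcile(inventory, observed):
    """Compare observed devices with the inventory. 'unknown' is a device the inventory
    has never seen (the rogue-laptop case), 'moved' is a known device on an unexpected
    port, and 'missing' is an inventoried device that is no longer visible, tagged with
    its criticality so responders know what to check first."""
    findings = {"unknown": [], "moved": [], "missing": []}
    for mac, port in observed.items():
        if mac not in inventory:
            findings["unknown"].append((mac, port))
        elif inventory[mac][2] != port:
            findings["moved"].append((inventory[mac][0], inventory[mac][2], port))
    for mac, (name, crit, _port) in inventory.items():
        if mac not in observed:
            findings["missing"].append((name, crit))
    return findings

if __name__ == "__main__":
    print(reconcile(INVENTORY, parse_mac_table(MAC_TABLE)))
```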

That’s a wrap! Thanks for sticking with me over the past couple of months. I’d love to chat with you more about how you could use red teaming in your organization. Sign up for a demo today.