
Cyberattack on a Production Line: Step-by-Step Scenario and OT Security Lessons

A realistic cyberattack scenario on a factory: from leaked VPN credentials through lateral movement to production shutdown. Analysis of each phase, the defensive failures behind it, and lessons for manufacturing companies.

Introduction: a scenario based on real incidents

The following scenario is a fictional but realistic reconstruction of a cyberattack on a factory producing automotive components. Every element is based on techniques and tactics observed in real incidents — attacks on Norsk Hydro, Toyota/Kojima, JBS Foods and dozens of smaller manufacturers.

The goal is not to scare, but to educate — understanding the attack kill chain allows identifying points where it can be disrupted.

Company profile: FactoryTech Ltd. — 400 employees, 3 production lines, Siemens S7-1500 systems, WinCC SCADA, MES, SAP ERP. Revenue: EUR 80M. NIS2 classification: important entity.

Day 0: Reconnaissance — the attacker gathers intelligence

A ransomware group (BlackCat/ALPHV) conducts passive reconnaissance:

  • LinkedIn: identifying automation engineers, IT admins, OT suppliers
  • OSINT: subdomain scanning, leaked credentials from historical breaches
  • Shodan/Censys: identifying internet-facing devices (open RDP ports, VPN)

Finding: A web VPN panel (Fortinet) without MFA, an old service account with a password leaked in a 2023 breach.

What could have prevented this: MFA on all remote access, dark web monitoring for credential leaks, regular access audits.

Day 1: Entry — VPN compromise

The attacker logs into the VPN using leaked credentials. No MFA allows entry. They land on the corporate network with service account privileges.

First actions:

  • Launching a Cobalt Strike beacon on an internal server
  • Active Directory scanning — identifying privileged accounts
  • Password hash extraction from memory (mimikatz/LSASS dump)

Why the SOC didn’t detect it: the session was a successful VPN login with a valid account, and everything after it came from an internal address, so it looked like ordinary remote work. There was no behavioral analytics: this service account had never logged into the VPN or enumerated Active Directory before, but nobody was baselining what each account normally does, so "first time ever" was not an alert condition.

What could have prevented this: MFA on VPN, unusual service account behavior monitoring, EDR on servers.

Days 2-5: Lateral movement in IT

The attacker escalates privileges:

  • Kerberoasting: requesting service tickets for accounts with registered SPNs (among them a service account holding Domain Admin rights) and cracking the RC4-encrypted tickets offline to recover the account password
  • Logging into additional servers: file server, backup server, historian server
  • Network topology identification — finding the 10.20.x.x network (OT) alongside the IT 10.10.x.x network
  • Identifying engineering workstations (dual-homed: 10.10.x.x and 10.20.x.x)

The attacker’s key discovery: The historian server (Siemens WinCC OA) has an interface in IT (10.10.50.10) and OT (10.20.50.10). No firewall between them.

What could have prevented this: IT/OT segmentation with firewall, DMZ for historian server, lateral movement monitoring, PAM (Privileged Access Management).
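The Kerberoasting step above leaves a very characteristic trace in the domain controller's security log, and the "lateral movement monitoring" the article calls for can start there. The following is an added example, not code from the article or from FactoryTech: it parses constructed Windows Event ID 4769 (Kerberos service ticket request) records and alerts when one requester pulls RC4-encrypted tickets (encryption type 0x17) for many distinct service accounts in a short window. Account names, hosts, addresses, the window and the threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the original article): detection logic for the
# Kerberoasting step described in Days 2-5. It looks for one requesting
# account pulling RC4-encrypted service tickets (Windows Security Event ID
# 4769, Ticket Encryption Type 0x17) for many distinct service accounts in
# a short window. All names and addresses below are constructed.

RC4_HMAC = "0x17"            # etype 23: ticket keyed with the service account's
                             # NT hash, cheap to crack offline; modern clients
                             # negotiate AES (0x12 / 0x11) instead
WINDOW = timedelta(minutes=5)
THRESHOLD = 5                # distinct roastable service accounts per requester

# Constructed 4769 records, one per line:
# timestamp,requesting account,client address,service name,encryption type
SAMPLE_4769 = """\
2024-05-03T09:12:04,j.kowalski,10.10.30.41,FS01$,0x12
2024-05-03T09:40:17,a.nowak,10.10.30.77,WEB01$,0x12
2024-05-03T02:12:04,svc_backup,10.10.20.15,svc_sql01,0x17
2024-05-03T02:12:05,svc_backup,10.10.20.15,svc_sql02,0x17
2024-05-03T02:12:05,svc_backup,10.10.20.15,svc_historian,0x17
2024-05-03T02:12:06,svc_backup,10.10.20.15,svc_wincc,0x17
2024-05-03T02:12:06,svc_backup,10.10.20.15,svc_mes,0x17
2024-05-03T02:12:07,svc_backup,10.10.20.15,adm.sqlsvc,0x17
2024-05-03T02:12:07,svc_backup,10.10.20.15,krbtgt,0x17
2024-05-03T02:12:08,svc_backup,10.10.20.15,FS01$,0x17
2024-05-03T11:05:30,svc_monitor,10.10.20.9,svc_sql01,0x17
"""


def parse_4769(text):
    """Parse the constructed CSV form into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, account, client, service, etype = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "client": client, "service": service, "etype": etype})
    return sorted(events, key=lambda e: e["time"])


def roastable(service):
    """Machine accounts (long random passwords) and krbtgt (TGT renewals)
    are not practical crack targets; skipping them keeps a noisy but
    harmless client from tripping the rule."""
    return service != "krbtgt" and not service.endswith("$")


def detect_kerberoasting(events, window=WINDOW, threshold=THRESHOLD):
    """One alert per requesting account whose RC4 ticket requests cover at
    least `threshold` distinct service accounts inside any `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["etype"] == RC4_HMAC and roastable(e["service"]):
            by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        best, start = None, 0
        for end in range(len(evs)):                     # sliding window over time
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            services = sorted({x["service"] for x in span})
            if best is None or len(services) > len(best["services"]):
                best = {"account": account, "services": services,
                        "clients": sorted({x["client"] for x in span}),
                        "first": span[0]["time"], "last": span[-1]["time"]}
        if len(best["services"]) >= threshold:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(parse_4769(SAMPLE_4769)):
        print(f"[KERBEROAST] {a['account']} from {a['clients']} requested RC4 "
              f"tickets for {len(a['services'])} accounts between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}: {a['services']}")
```

On the sample, only svc_backup fires (six roastable accounts in three seconds, with the krbtgt and machine-account requests filtered out); svc_monitor's single RC4 request stays below the threshold, which is the usual legacy-application noise. The corresponding preventive control is to move SPN-bearing accounts to AES-only Kerberos and to group-managed service accounts, after which a 0x17 ticket request is itself the anomaly.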

Day 6: The IT → OT jump

The attacker uses the dual-homed historian server as a bridge:

  1. RDP to historian server (Domain Admin account)
  2. From historian server — RDP to engineering workstation on OT network
  3. On the engineering workstation: TIA Portal with open S7-1500 projects

The attacker now has access to:

  • 3 engineering workstations controlling all lines
  • WinCC SCADA system — process visualization and control
  • 24 Siemens S7-1500 PLC controllers

The alarm that didn’t fire: Login to the engineering workstation occurred at 2:30 AM, outside engineer working hours. But nobody was monitoring login times on the OT network.

What could have prevented this: Firewall between IT and OT, jump server instead of dual-homed historian, OT station login monitoring, after-hours login alerts.
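Both missed signals so far, the service account appearing on the VPN on Day 1 and the 2:30 AM logon to an OT engineering station on Day 6, are cheap to catch once logon records from the VPN gateway and the Windows hosts land in one place. The following is an added example, not code from the article: three rules run over constructed logon records, covering a service account using remote access, an OT host logon outside engineering hours, and an OT host reached from an IT address other than the designated jump server (the control the article recommends instead of the dual-homed historian). The 10.10/16 and 10.20/16 ranges are the article's; the jump server address, the shift window and all account names are assumptions.

```python
import ipaddress
from datetime import datetime, time

# Added example (not from the original article): logon rules the article's
# SOC lacked. Rule 1 covers Day 1 (a service account authenticating through
# the VPN); rules 2 and 3 cover Day 6 (an OT host reached outside shift
# hours, and reached from an IT address that is not the jump server).
# Subnets follow the article; everything else below is assumed.

IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.20.0.0/16")
JUMP_SERVERS = {ipaddress.ip_address("10.10.250.5")}   # assumed jump host
SHIFT_START, SHIFT_END = time(6, 0), time(22, 0)       # assumed engineering hours

# Constructed records: timestamp,account,channel,source,destination
# (source/destination are host addresses; "vpn" stands for the VPN gateway)
SAMPLE_LOGONS = """\
2024-05-01T08:02:11,j.kowalski,VPN,203.0.113.45,vpn
2024-05-01T02:13:40,svc_backup,VPN,198.51.100.23,vpn
2024-05-06T02:30:15,adm.nowak,RDP,10.10.50.10,10.20.60.21
2024-05-06T14:10:02,eng.wisniewski,RDP,10.10.250.5,10.20.60.21
2024-05-06T15:20:44,eng.wisniewski,INTERACTIVE,10.20.60.21,10.20.60.21
"""


def as_ip(value):
    """Return an address object, or None for non-address fields like 'vpn'."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def parse_logons(text):
    recs = []
    for line in text.strip().splitlines():
        ts, account, channel, src, dst = line.split(",")
        recs.append({"time": datetime.fromisoformat(ts), "account": account,
                     "channel": channel, "src": src, "dst": dst})
    return sorted(recs, key=lambda r: r["time"])


def in_shift(when):
    """Weekday and inside the engineering window."""
    return when.weekday() < 5 and SHIFT_START <= when.time() < SHIFT_END


def check_logon(rec):
    findings = []
    # Rule 1: service accounts have no business on remote access.
    if rec["account"].startswith("svc_") and rec["channel"] == "VPN":
        findings.append("service account authenticated via VPN")
    dst = as_ip(rec["dst"])
    if dst is not None and dst in OT_NET:
        # Rule 2: engineering stations are used during shifts only.
        if not in_shift(rec["time"]):
            findings.append("OT host logon outside engineering hours")
        # Rule 3: IT -> OT sessions must originate from the jump server.
        src = as_ip(rec["src"])
        if src is not None and src in IT_NET and src not in JUMP_SERVERS:
            findings.append(f"OT host reached from IT address {src}, not the jump server")
    return findings


def detect_logon_anomalies(records):
    alerts = []
    for rec in records:
        findings = check_logon(rec)
        if findings:
            alerts.append({"time": rec["time"], "account": rec["account"],
                           "dst": rec["dst"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for a in detect_logon_anomalies(parse_logons(SAMPLE_LOGONS)):
        print(f"{a['time']:%Y-%m-%d %H:%M} {a['account']} -> {a['dst']}: "
              + "; ".join(a["findings"]))
```

On the sample, the Day 1 VPN logon by svc_backup raises one finding and the Day 6 RDP session from the historian's IT interface (10.10.50.10) into the engineering station raises two; the daytime session through the jump server and the local console logon on the station raise none. Rule 3 is only enforceable once a jump server exists, which is why the article lists it under segmentation rather than monitoring.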

Day 7: Data exfiltration

Before launching ransomware, the group exfiltrates data:

  • TIA Portal projects (company IP — controller programs)
  • Recipes and production parameters from MES
  • Customer data and contracts from SAP
  • Technical documentation from file server

Data transferred via encrypted tunnel to an external server. ~180 GB over 12 hours.

What could have prevented this: DLP (Data Loss Prevention), outbound traffic anomaly monitoring, restricting outbound traffic from OT network.
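Twelve hours of sustained upload from a file server, and any Internet-bound traffic at all from an address in the OT range, are both visible in flow records long before a DLP product is in place. The following is an added example, not code from the article: it runs two rules over constructed flow records (the shape a NetFlow/IPFIX exporter or a firewall log yields), alerting on any OT host that talks to a non-internal address and on any host whose hourly volume to external addresses exceeds an assumed per-host baseline. The 10.10/16 and 10.20/16 ranges are the article's; the baseline, the hosts and the external addresses are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Added example (not from the original article): outbound-volume detection
# for the Day 7 exfiltration, run over constructed flow records. Internal
# space is listed explicitly (RFC 1918) rather than via is_private(),
# because Python also treats the documentation ranges used for the
# attacker's server below as "private".

INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_NET = ipaddress.ip_network("10.20.0.0/16")
HOURLY_BASELINE = 1_000_000_000   # assumed: 1 GB per host per hour to the Internet

# Constructed flows: timestamp,src,dst,dst_port,bytes_out
SAMPLE_FLOWS = """\
2024-05-07T21:05:00,10.10.30.41,198.51.100.10,443,15000000
2024-05-07T21:40:00,10.10.30.77,198.51.100.10,443,240000000
2024-05-07T22:00:00,10.10.40.5,203.0.113.77,443,14900000000
2024-05-07T23:00:00,10.10.40.5,203.0.113.77,443,15100000000
2024-05-07T23:30:00,10.10.40.5,10.10.40.20,445,30000000000
2024-05-08T00:10:00,10.20.50.10,203.0.113.77,443,900000000
2024-05-08T01:00:00,10.10.50.10,203.0.113.77,443,15000000000
"""


def is_external(ip):
    """True for anything outside the listed internal ranges (accepts str)."""
    ip = ipaddress.ip_address(ip)
    return not any(ip in net for net in INTERNAL)


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"time": datetime.fromisoformat(ts),
                      "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def hour_bucket(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def external_totals(flows):
    """Bytes sent to external addresses, per source host (for triage)."""
    totals = defaultdict(int)
    for f in flows:
        if is_external(f["dst"]):
            totals[str(f["src"])] += f["bytes"]
    return dict(totals)


def detect_exfiltration(flows, baseline=HOURLY_BASELINE):
    alerts = []
    hourly = defaultdict(int)             # (src, hour) -> bytes to external
    for f in flows:
        if not is_external(f["dst"]):
            continue                      # the 23:30 SMB copy to sap01 is not egress
        bucket = hour_bucket(f["time"])
        if f["src"] in OT_NET:            # rule 1: OT never talks to the Internet
            alerts.append({"rule": "ot-egress", "src": str(f["src"]),
                           "dst": str(f["dst"]), "hour": bucket, "bytes": f["bytes"]})
        hourly[(str(f["src"]), bucket)] += f["bytes"]
    for (src, bucket), total in sorted(hourly.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if total > baseline:              # rule 2: per-host hourly volume baseline
            alerts.append({"rule": "volume", "src": src, "hour": bucket, "bytes": total})
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for a in detect_exfiltration(flows):
        print(f"[{a['rule']}] {a['src']} {a['hour']:%Y-%m-%d %H:00} "
              f"{a['bytes'] / 1e9:.1f} GB")
```

On the sample the file server trips the volume rule in two consecutive hours, the historian's IT interface trips it once, and the historian's OT interface (10.20.50.10) is flagged for merely reaching the Internet even though its 0.9 GB stays under the baseline. That last rule is the cheap one: an OT segment should have a default-deny egress policy, so a single matching flow is a policy violation, not a statistical question.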

Day 8 (Friday, 10:00 PM): The attack — ransomware launch

The attacker chooses Friday night — minimal staff, maximum time before detection.

On the IT network (10:00-10:30 PM):

  • Ransomware launched from Domain Controller
  • Encrypted: file server, backup server (online backups!), application servers
  • SAP ERP unavailable

On the OT network (10:30-11:00 PM):

  • Ransomware spreads through the historian server
  • Encrypted: engineering workstations, MES server, operator HMI stations
  • PLC controllers not encrypted (S7-1500 runs on its own firmware) — but the visualization and management layer is lost

Production impact (11:00 PM):

  • Operators lose process visibility — HMI screens black
  • Line 1 (injection molding): PLC continues last cycle, but without HMI the operator cannot see what is happening
  • Line 2 (assembly): robotics stops after losing MES communication
  • Line 3 (testing): quality system offline — products cannot pass tests

Shift operator at 11:15 PM sees black screens, attempts restart — system demands ransom. Calls the manager.

Days 9-11: Crisis management

Saturday morning

  • Management informed of the incident
  • Physical disconnection of the IT/OT interconnect, i.e. the historian's IT-side link (this should have happened the moment the IT compromise was confirmed, not the morning after)
  • IR (incident response) firm called in
  • Contact with the national CSIRT (NIS2 early-warning obligation: within 24 hours of becoming aware of the incident, followed by an incident notification within 72 hours)

Damage assessment

  • 3 production lines down — no HMI, MES, quality system
  • SAP ERP unavailable — unable to process orders
  • Online backups encrypted — no offline PLC configuration backups
  • Data stolen — publication threat (double extortion)

Ransom demand

  • EUR 2.5 million in Bitcoin
  • Deadline: 7 days, then data publication and doubled amount

Days 12-25: Recovery

What took the longest?

  1. Engineering workstation restoration (3 days) — Windows reinstall, TIA Portal, calibration
  2. PLC integrity verification (5 days): did the attacker modify controller programs? Without a golden-config baseline there was nothing trustworthy to compare the running blocks against, so every controller had to be checked individually
  3. MES and historian restoration (4 days) — loss of last month’s production data
  4. SAP verification (7 days) — data consistency, reconciliation with physical warehouse state
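The five days spent on PLC integrity verification are the cost of the missing golden-config baseline: with a signed manifest of the exported project, the question "what changed?" is a file comparison. The following is an added example, not code from the article or from any Siemens tool: it hashes every file of an exported controller project (the files are only hashed, never parsed, so the export format does not matter), protects the manifest with an HMAC so that an attacker who reaches the share cannot quietly rewrite the baseline too, and reports modified, added and missing files. Paths, file contents and the key are constructed; in practice the manifest and key live offline, with the "offline PLC configuration backup" the article recommends.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Added example (not from the original article): a golden-config baseline
# for an exported controller project, with an HMAC over the manifest so the
# baseline itself cannot be altered unnoticed. Paths and contents below are
# constructed stand-ins for exported PLC blocks.

MANIFEST_KEY = b"offline-baseline-key-kept-off-network"   # assumed; keep offline


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every file under root and sign the resulting manifest."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files,
            "hmac": hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()}


def manifest_intact(baseline: dict) -> bool:
    body = json.dumps(baseline["files"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["hmac"])


def verify(root: Path, baseline: dict) -> dict:
    """Diff the current export against a baseline whose signature checks out."""
    if not manifest_intact(baseline):
        raise ValueError("baseline manifest has been tampered with")
    old, new = baseline["files"], build_baseline(root)["files"]
    return {"modified": sorted(k for k in old if k in new and old[k] != new[k]),
            "added": sorted(k for k in new if k not in old),
            "missing": sorted(k for k in old if k not in new)}


def demo() -> dict:
    """Baseline a constructed project export, then change it the way a
    tampering attacker and a careless restore might, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        project = {   # constructed stand-ins for exported blocks
            "Line1/OB1.xml": b"<Block>cyclic main, calls FC10</Block>",
            "Line1/FC10.xml": b"<Block>injection cycle timing 42s</Block>",
            "Line1/HW_Config.xml": b"<Hardware>CPU 1516-3 PN/DP</Hardware>",
        }
        for rel, data in project.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_baseline(root)

        # A changed timing block, an unknown new block and a lost hardware config.
        (root / "Line1/FC10.xml").write_bytes(b"<Block>injection cycle timing 12s</Block>")
        (root / "Line1/FC99.xml").write_bytes(b"<Block>new block</Block>")
        (root / "Line1/HW_Config.xml").unlink()
        report = verify(root, baseline)

        # An attacker who edits the manifest to match the new FC10 hash is
        # caught by the HMAC, because the key never sat on the share.
        tampered = {"files": dict(baseline["files"]), "hmac": baseline["hmac"]}
        tampered["files"]["Line1/FC10.xml"] = sha256_file(root / "Line1/FC10.xml")
        report["manifest_tamper_detected"] = not manifest_intact(tampered)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest should be rebuilt as part of every approved change to a controller program, so that the "modified" list after an incident contains only what nobody signed off on. Hashing exported files verifies the engineering project, not what is physically running in the CPU; comparing the online program against the project is still a separate step in the engineering tool.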

Costs

  • Production downtime: 14 days at significant daily losses
  • Contractual penalties: delivery delays to OEM
  • IR and recovery costs: substantial
  • Lost orders: customers moved to competitors
  • NIS2 penalty (potential): for an important entity up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher
  • Total: tens of millions in losses

The company did not pay the ransom. Data was published.

Lessons and recommendations

What would have prevented the attack?

  1. MFA on VPN — the attacker would not have entered the network (cost: minimal)
  2. IT/OT segmentation with DMZ — historian server in DMZ, not dual-homed
  3. SOC with OT monitoring — detection of lateral movement and 2:30 AM login

What would have limited the damage?

  1. Offline backups of PLC configurations and golden config baseline — fast restoration
  2. OT IR plan — coordinated IT/OT disconnection without additional damage
  3. Segmentation within OT — ransomware would not have spread across all lines

What to implement now?

  1. OT security audit — understand current state
  2. Eliminate dual-homed devices — quick win
  3. MFA on all remote access — quick win
  4. Offline PLC configuration backup — quick win
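"Eliminate dual-homed devices" starts with finding them, and the historian in this scenario was dual-homed on paper as well as in practice: its two addresses were in the inventory, nobody had asked which hosts have interfaces in more than one zone. The following is an added example, not code from the article: given a per-host list of interface addresses (as collected from an asset inventory or from ipconfig / ip addr output), it assigns each address to a zone and flags every host that bridges two of them, including an address that belongs to no known zone, which is how a vendor laptop tethered to a phone shows up. The 10.10/16 and 10.20/16 ranges are the article's; the DMZ range, host names and addresses are constructed.

```python
import ipaddress

# Added example (not from the original article): inventory check for the
# "Eliminate dual-homed devices" quick win. Zones follow the article's
# IT/OT ranges; the DMZ range and every host below are constructed.

ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "OT":  ipaddress.ip_network("10.20.0.0/16"),
    "DMZ": ipaddress.ip_network("10.30.0.0/24"),   # assumed
}

# Constructed inventory: hostname,interface1;interface2;...
SAMPLE_INVENTORY = """\
historian01,10.10.50.10;10.20.50.10
eng-ws-01,10.10.70.21;10.20.60.21
fs01,10.10.40.5
hmi-line2,10.20.10.12
sap01,10.10.40.20;10.10.40.21
historian-mirror,10.30.0.10
vendor-laptop,10.20.60.99;192.168.43.1
"""


def zone_of(ip):
    """Zone name for an address, None for loopback/link-local, UNKNOWN otherwise."""
    ip = ipaddress.ip_address(ip)
    if ip.is_loopback or ip.is_link_local:
        return None                       # 127/8 and 169.254/16 lead nowhere
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"                      # e.g. a tethered hotspot or vendor modem


def parse_inventory(text):
    hosts = {}
    for line in text.strip().splitlines():
        host, ifaces = line.split(",")
        hosts[host] = ifaces.split(";")
    return hosts


def find_dual_homed(hosts):
    """Hosts whose interfaces fall into more than one zone, OT bridges first."""
    findings = []
    for host, ifaces in hosts.items():
        zones = sorted({z for z in map(zone_of, ifaces) if z})
        if len(zones) > 1:
            findings.append({"host": host, "zones": zones,
                             "bridges_ot": "OT" in zones})
    return sorted(findings, key=lambda f: not f["bridges_ot"])


if __name__ == "__main__":
    for f in find_dual_homed(parse_inventory(SAMPLE_INVENTORY)):
        flag = "OT BRIDGE" if f["bridges_ot"] else "dual-homed"
        print(f"[{flag}] {f['host']}: {', '.join(f['zones'])}")
```

On the sample, the historian and the engineering workstation are reported as IT/OT bridges, the vendor laptop as an OT/UNKNOWN bridge, while sap01 with two addresses in the same zone and the single-homed DMZ mirror are not flagged. Each flagged host becomes either a firewall-fronted single-homed system (the DMZ historian of the recommendations) or an exception with an owner and an expiry date.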

This scenario does not have to become your reality. Schedule an OT security audit — we will identify vulnerabilities before attackers do.
