
Cyberattack Scenario on Energy Infrastructure

Realistic step-by-step cyberattack scenario on an energy company. From phishing through IT/OT lateral movement to SCADA destruction — and how to prevent it.

Introduction: anatomy of an attack on energy infrastructure

The following scenario presents a realistic cyberattack on a mid-size Polish energy distribution operator. The scenario combines tactics used in real attacks — including elements of DynoWiper (December 2025), Industroyer (2016), and techniques from Sandworm and Volt Typhoon groups.

The goal is to show how each attack stage exploits typical energy infrastructure weaknesses — and at which points effective defense could stop it.

Victim: EnergiaPol S.A. — a regional distribution operator, 15 energy substations, headquarters with IT and OT systems, 500 employees.

Week 0: Reconnaissance

The attackers (an APT group linked to foreign intelligence) begin with OSINT reconnaissance. They analyze public data: automation system tenders (public procurement), employee profiles on LinkedIn (OT engineers, IT admins), conference presentations revealing SCADA systems used (Siemens WinCC) and controllers (Siemens S7-1500), network diagrams visible in social media photos from employees.

The attackers identify key individuals: Jacek K. — lead OT engineer (responsible for engineering workstations), Anna M. — Active Directory administrator, SerwisOT Ltd. — external vendor servicing controllers.

Defense point #1: Security awareness training, social media policy, limiting information in public procurement.

Week 2: Initial access — spear-phishing

The attackers send a personalized email to Jacek K., the lead OT engineer. The email appears to be from Siemens regarding a critical firmware update for S7-1500, with a crafted PDF containing an exploit. Jacek opens the attachment on his workstation connected to the corporate IT network.

The exploit installs a backdoor communicating with the C2 server through an encrypted HTTPS channel, masquerading as traffic to legitimate cloud services. The backdoor operates in memory (fileless), leaving no traces on disk.

Defense point #2: EDR on workstations, attachment sandboxing, sender verification, OT-specific anti-phishing training.

Weeks 3-4: Privilege escalation and IT lateral movement

The attackers use the backdoor on Jacek’s workstation for IT network reconnaissance. They discover the Active Directory domain and map its users and groups. They use living-off-the-land tools (PowerShell, WMI) to move through the network without triggering alarms.

They exploit an Active Directory vulnerability (Zerologon or similar) and gain Domain Admin privileges. They now have access to every system on the IT network, including servers managing VPN and jump servers to the OT network.

They steal passwords from Jacek K.’s account — including the OT VPN password that Jacek stored in his browser password manager. They identify the jump server to the OT network and the schedule of engineers’ remote sessions.

Defense point #3: AD segmentation and monitoring, PAM (Privileged Access Management), MFA for all privileged accounts, login anomaly monitoring.

Weeks 5-6: Crossing from IT to OT

The attackers wait for a regular maintenance window when Jacek logs into the OT network via VPN. Simultaneously, they initiate their own session with his credentials — in the chaos of regular maintenance work, an additional session doesn’t raise suspicion.

They cross through the industrial DMZ (which at EnergiaPol is configured too permissively — “any” rules on several ports). They gain access to an HMI engineering workstation on the Operations/Supervisory network.

From the engineering workstation, they map the OT network topology — identifying 15 substations, the SCADA server (Siemens WinCC), historian (OSIsoft PI), and S7-1500 PLC controllers at each substation.

Defense point #4: Restrictive IT/OT segmentation with protocol-level rules, VPN-to-OT connection monitoring, alerts on unusual remote sessions.
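The "alerts on unusual remote sessions" in defense point #4 can be made concrete. The attacker's trick above is to open a second OT VPN session with Jacek K.'s valid credentials while his own maintenance session is active, so a password check never fires; a rule that compares sessions per account does. The following is an added example, not code from the original article or from nFlo: the log format, account names and addresses are constructed, and the rule reports any account with two simultaneously active sessions from different client addresses while ignoring a reconnect from the same address.

```python
"""Overlapping remote-access sessions for one account from two different clients.

Added example, not code from the original article or from nFlo. Log format,
account names and client addresses are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed VPN concentrator log (the format is assumed, not a real vendor's):
# <ISO timestamp> <login|logout> user=<account> src=<client IP> session=<id>
SAMPLE_LOG = """\
2025-06-13T21:02:11 login user=jacek.k src=10.40.1.15 session=A1
2025-06-13T21:04:30 login user=anna.m src=10.40.1.22 session=B1
2025-06-13T21:06:05 login user=anna.m src=10.40.1.22 session=B2
2025-06-13T21:09:47 login user=jacek.k src=10.20.7.103 session=A2
2025-06-13T22:31:00 logout user=jacek.k src=10.40.1.15 session=A1
2025-06-13T22:40:12 logout user=anna.m src=10.40.1.22 session=B2
2025-06-13T23:55:00 logout user=jacek.k src=10.20.7.103 session=A2
"""


@dataclass
class Session:
    user: str
    src: str
    session_id: str
    start: datetime
    end: Optional[datetime] = None  # None: still open when the log was read


def parse_sessions(log_text: str) -> list:
    """Pair login/logout records by session id; a login without logout stays open."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.fromisoformat(ts)
        sid = kv["session"]
        if event == "login":
            sessions[sid] = Session(kv["user"], kv["src"], sid, when)
        elif event == "logout" and sid in sessions:
            sessions[sid].end = when
    return list(sessions.values())


def overlapping_sessions(sessions) -> list:
    """Return (user, earlier_session, later_session) for every pair of sessions of
    the same account that were active at the same time from different client
    addresses. A reconnect from the same address (anna.m above) is not reported."""
    alerts = []
    by_user = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    for user, lst in by_user.items():
        lst.sort(key=lambda s: s.start)
        for i, a in enumerate(lst):
            for b in lst[i + 1:]:
                if a.src == b.src:
                    continue
                a_end = a.end or datetime.max  # an open session counts as still active
                if b.start <= a_end:
                    alerts.append((user, a.session_id, b.session_id))
    return alerts


def detect(log_text: str = SAMPLE_LOG) -> list:
    return overlapping_sessions(parse_sessions(log_text))


if __name__ == "__main__":
    for user, first, second in detect():
        print(f"ALERT concurrent sessions for {user}: {first} and {second}")
```

Run against the constructed log, the rule reports exactly one pair, jacek.k sessions A1 and A2, which is the attacker's ride-along session. In production the same comparison belongs in the SIEM correlating the VPN concentrator and the OT jump server, with the alert routed to the on-call engineer whose name is on the session, since he is the one person who can confirm he did not open it.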

Weeks 7-8: OT reconnaissance and destruction preparation

The attackers spend two weeks in quiet OT network reconnaissance. They download configurations from PLC controllers (TIA Portal project files). They study control logic — setpoints, alarms, safety interlocks. They identify the historian server and backup system.

They prepare the payload — modified PLC projects that, when loaded, will change controller operating parameters and remove the original process safety interlocks. Simultaneously, they prepare a wiperware component to destroy the SCADA server, historian, and backups.

Defense point #5: PLC configuration change monitoring, alerts on project reads from controllers, OT traffic anomaly detection.

Zero hour: The attack

Friday, 10:00 PM — the attackers launch the attack during minimum staffing.

10:00-10:05 PM — Phase 1: Wiperware. Simultaneous wiperware execution on SCADA server, HMI stations, historian, and backup server. Overwriting partition tables, destroying bootloaders, wiping configuration backups.

10:05-10:15 PM — Phase 2: PLC manipulation. Loading modified projects onto substation PLC controllers. Changing safety setpoints, disabling process alarms, manipulating transformer operating parameters.

10:15-10:30 PM — Phase 3: Communication disruption. Overwriting OT network switch configurations. Severing communication between headquarters and substations. Operators lose visibility and control over infrastructure.

Impact: Operators see black screens — SCADA systems are down. They cannot remotely monitor or control substations. Process safety interlocks on PLC controllers are disabled — systems operate outside normal parameters. Recovery requires physical visits to each substation and manual controller reprogramming.

Response: what should happen

First hour — Detection and classification. SOC (if it exists) detects mass communication loss with OT systems. Incident classification as P1 — critical, threat to energy supply continuity. IR plan activation for OT scenario.

Hours 1-4 — Containment. Isolating IT from OT networks (if not already isolated by attackers). Physical isolation of substations from OT network. Switching to manual control at substations with personnel on-site. CSIRT notification (NIS2: 24h for initial report).

Hours 4-24 — Assessment and triage. Identifying destruction scope — which systems destroyed, which intact. Recovery prioritization — first substations powering critical infrastructure (hospitals, water utilities). Launching forensics on preserved logs.

Days 1-7 — Recovery. Restoring controller configurations from offline backups (if they exist). Verifying each controller’s firmware integrity before restart. Gradually restoring automation with continuous monitoring. Full CSIRT reporting (NIS2: 72h for detailed report).
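The first step of the response above, detecting "mass communication loss with OT systems" and classifying it as P1, is the one piece of this procedure that can be automated. The following is an added example, not code from the original article or from nFlo: it walks a constructed stream of SCADA link-status events and opens a P3 ticket for a single substation dropping off (a routine link fault) but escalates to a single P1 incident when at least three distinct substations drop within five minutes, folding the earlier single-site tickets into it. Event format, substation names, the threshold and the window are assumptions for the example.

```python
"""Triage SCADA link-loss events: single link fault vs. mass communication loss.

Added example, not code from the original article or from nFlo. The event
stream, substation names, threshold and window are constructed.
"""
from datetime import datetime, timedelta

# Constructed link-status events as a SCADA master emits them when a substation
# RTU/PLC stops answering polls. SUB-11 flaps early in the evening; the burst at
# 22:16 matches "Phase 3" of the scenario.
SAMPLE_EVENTS = [
    ("2025-06-13T21:15:00", "SUB-11", "comms_lost"),
    ("2025-06-13T21:16:40", "SUB-11", "comms_restored"),
    ("2025-06-13T22:16:05", "SUB-01", "comms_lost"),
    ("2025-06-13T22:16:09", "SUB-02", "comms_lost"),
    ("2025-06-13T22:16:12", "SUB-05", "comms_lost"),
    ("2025-06-13T22:16:30", "SUB-09", "comms_lost"),
    ("2025-06-13T22:17:02", "SUB-03", "comms_lost"),
]


def triage_comms_events(events, window=timedelta(minutes=5), mass_threshold=3) -> list:
    """Return the incidents a SOC would open, oldest first.

    Each incident is a dict with 'opened', 'priority' and 'affected'. One
    substation going silent opens a P3. When `mass_threshold` distinct
    substations go silent inside `window`, a P1 is opened, the P3 tickets from
    that window are folded into it, and every further loss inside the window is
    attached to the open P1 instead of opening new tickets.
    """
    incidents = []
    recent = []  # (timestamp, substation) losses inside the sliding window
    for ts_str, sub, status in events:
        if status != "comms_lost":
            continue
        ts = datetime.fromisoformat(ts_str)
        recent = [(t, s) for t, s in recent if ts - t <= window]
        recent.append((ts, sub))
        affected = sorted({s for _, s in recent})

        last = incidents[-1] if incidents else None
        if last and last["priority"] == "P1" and ts - last["opened"] <= window:
            last["affected"] = sorted(set(last["affected"]) | {sub})
        elif len(affected) >= mass_threshold:
            # Mass loss: replace the single-site tickets of this window with one P1.
            incidents = [i for i in incidents
                         if not (i["priority"] == "P3" and ts - i["opened"] <= window)]
            incidents.append({"opened": ts, "priority": "P1", "affected": affected})
        else:
            incidents.append({"opened": ts, "priority": "P3", "affected": [sub]})
    return incidents


def run_example() -> list:
    return triage_comms_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for inc in run_example():
        print(inc["opened"].time(), inc["priority"], ", ".join(inc["affected"]))
```

On the constructed stream this yields two incidents: a P3 for SUB-11 at 21:15, and a P1 opened at 22:16:12 covering SUB-01, SUB-02, SUB-03, SUB-05 and SUB-09. The P1 is what should trigger the OT incident response plan and start the NIS2 24-hour clock; the threshold of three out of fifteen substations is a tuning choice and should be set below the level at which a single upstream network fault could explain the loss.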

Lessons: how to prevent this scenario

IT/OT segmentation — DMZ with rigorous rules, zero direct IT↔OT connections. Every point in this scenario where attackers crossed between networks is where segmentation could have stopped them.
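The DMZ in the scenario failed because of "any" rules on several ports and, implicitly, a direct IT-to-OT path. Such rules are easy to find mechanically. The following is an added example, not code from the original article or from nFlo: it audits a constructed rule table shaped like EnergiaPol's weak policy next to a corrected one, flagging every allow rule into the OT zone whose source, destination or service is "any" and every rule that connects IT to OT without passing through the DMZ. Zone names, addresses, ports and rule names are assumptions for the example.

```python
"""Audit an IT/DMZ/OT firewall policy for the permissive rules this scenario relies on.

Added example, not code from the original article or from nFlo. Zone names,
addresses, ports and rule names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str       # host, network or "any"
    dst: str
    service: str   # e.g. "tcp/3389", or "any"
    action: str    # "allow" or "deny"


# Constructed policy resembling the scenario's DMZ: "any" rules into OT and a
# direct IT->OT exception that was once added for the historian.
WEAK_RULES = [
    Rule("it-to-dmz-jump", "IT", "DMZ", "10.40.0.0/16", "10.60.0.10", "tcp/3389", "allow"),
    Rule("dmz-to-ot-any", "DMZ", "OT", "10.60.0.10", "any", "any", "allow"),
    Rule("it-to-ot-historian", "IT", "OT", "any", "10.50.1.20", "any", "allow"),
    Rule("ot-to-dmz-historian", "OT", "DMZ", "10.50.1.20", "10.60.0.20", "tcp/5450", "allow"),
    Rule("default-deny", "any", "any", "any", "any", "any", "deny"),
]

# Corrected policy: the jump host reaches exactly one engineering workstation on one
# service, the historian pushes outward to a DMZ replica, and IT never talks to OT.
HARDENED_RULES = [
    Rule("it-to-dmz-jump", "IT", "DMZ", "10.40.0.0/16", "10.60.0.10", "tcp/3389", "allow"),
    Rule("dmz-to-ot-eng", "DMZ", "OT", "10.60.0.10", "10.50.2.10", "tcp/3389", "allow"),
    Rule("ot-to-dmz-historian", "OT", "DMZ", "10.50.1.20", "10.60.0.20", "tcp/5450", "allow"),
    Rule("default-deny", "any", "any", "any", "any", "any", "deny"),
]


def audit_rules(rules, it_zones=("IT",), ot_zones=("OT",)) -> list:
    """Return (rule name, finding) pairs for each allow rule that weakens IT/OT separation."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dst_zone not in ot_zones:
            continue  # deny rules and traffic not entering OT are out of scope here
        if r.src_zone in it_zones:
            findings.append((r.name, "direct IT->OT path bypasses the DMZ"))
        if r.src == "any":
            findings.append((r.name, "source 'any' into OT"))
        if r.dst == "any":
            findings.append((r.name, "destination 'any' into OT"))
        if r.service == "any":
            findings.append((r.name, "service 'any' into OT (no protocol-level restriction)"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(WEAK_RULES):
        print(f"{name}: {finding}")
    print("hardened policy findings:", audit_rules(HARDENED_RULES))
```

The weak policy produces five findings on two rules; the hardened one produces none. Note that the final default-deny in the weak table changes nothing, because the permissive allow rules above it match first; this is why a rule-by-rule audit, not the presence of a deny, is the check worth automating after every firewall change.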

SOC with OT monitoring — OT network traffic monitoring would have detected attacker reconnaissance, PLC configuration read attempts, and unusual connections.

Offline configuration backups — regular controller configuration copies on offline media. Without them, recovery from wiperware takes weeks instead of days.

MFA and PAM — multi-factor authentication for OT access and privileged access management would have prevented use of Jacek K.’s stolen credentials.

PLC change monitoring — alerts on any firmware or controller project change outside approved maintenance windows.
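Defense point #5 and this lesson both ask for alerts on project reads from controllers and on any program or firmware change outside an approved maintenance window. The following is an added example, not code from the original article or from nFlo: it takes the events a passive OT monitoring sensor would emit when an engineering protocol reads or writes a controller program and checks them against a change calendar and the list of approved engineering workstations. Event labels, hosts, controller names and the calendar are constructed; in Siemens terminology a "download" writes a project into the PLC and an "upload" reads it back, which is the operation the attackers used in weeks 7-8.

```python
"""Alert on PLC project and firmware traffic outside approved maintenance windows.

Added example, not code from the original article or from nFlo. Sensor labels,
addresses, controller names and the change calendar are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Sensor labels are assumed. "program_download" is PC -> PLC (writing a project),
# "program_upload" is PLC -> PC (reading the project back out).
WRITE_OPS = {"program_download", "firmware_update"}
READ_OPS = {"program_upload"}


@dataclass(frozen=True)
class MaintenanceWindow:
    start: datetime
    end: datetime
    plcs: frozenset  # controllers approved for change in this window


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    event: dict


# Constructed change calendar and approved engineering workstation.
WINDOWS = [
    MaintenanceWindow(datetime(2025, 6, 2, 9, 0), datetime(2025, 6, 2, 12, 0),
                      frozenset({"SUB-03"})),
]
ENGINEERING_HOSTS = {"10.50.2.10"}  # eng-ws-01 (assumed address)

# Constructed sensor events, oldest first. The 22:0x entries mirror "Phase 2" above.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T10:15:00", "src": "10.50.2.10", "plc": "SUB-03", "op": "program_download"},
    {"ts": "2025-06-02T10:40:00", "src": "10.50.9.44", "plc": "SUB-03", "op": "program_upload"},
    {"ts": "2025-06-10T14:02:00", "src": "10.50.2.10", "plc": "SUB-07", "op": "program_upload"},
    {"ts": "2025-06-13T22:00:00", "src": "10.50.1.5", "plc": "SUB-01", "op": "read_data"},
    {"ts": "2025-06-13T22:07:00", "src": "10.50.2.10", "plc": "SUB-01", "op": "program_download"},
    {"ts": "2025-06-13T22:08:00", "src": "10.50.9.44", "plc": "SUB-02", "op": "firmware_update"},
]


def check_plc_events(events, windows, engineering_hosts) -> list:
    """Classify engineering-protocol events; routine data polling is ignored."""
    alerts = []
    for ev in events:
        op = ev["op"]
        if op not in WRITE_OPS | READ_OPS:
            continue  # process data polling by the SCADA server
        ts = datetime.fromisoformat(ev["ts"])
        in_window = any(w.start <= ts <= w.end and ev["plc"] in w.plcs for w in windows)
        from_eng = ev["src"] in engineering_hosts
        if op in WRITE_OPS and not in_window:
            alerts.append(Alert("critical", "program/firmware change outside approved window", ev))
        elif not from_eng:
            alerts.append(Alert("high", "project traffic from a non-engineering host", ev))
        elif op in READ_OPS and not in_window:
            alerts.append(Alert("medium", "project read outside approved window", ev))
    return alerts


def run_example() -> list:
    return check_plc_events(SAMPLE_EVENTS, WINDOWS, ENGINEERING_HOSTS)


if __name__ == "__main__":
    for a in run_example():
        print(a.severity.upper(), a.event["ts"], a.event["plc"], a.reason)
```

On the constructed events the approved download to SUB-03 passes silently, the project read of SUB-03 from an unknown host is high, the read of SUB-07 from the engineering workstation outside any window is medium (the quiet reconnaissance of weeks 7-8 would look exactly like this), and both Friday-night writes are critical. The reads are the early signal: they arrive weeks before the writes, while there is still time to act.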

How nFlo protects against this scenario

OT/ICS security audits — identifies every weakness exploited in this scenario: segmentation gaps, missing OT monitoring, weak access management.

SOC as a Service — 24/7 monitoring covering IT and OT, detecting lateral movement, OT traffic anomalies, and controller manipulation attempts.

Red Team — simulating this scenario under controlled conditions, verifying defense readiness at every stage.

Incident Response — ready IR plan for OT scenarios, trained team, and recovery procedures.

Schedule a free consultation — we’ll check if your infrastructure is resilient against this attack scenario.

