Knowledge base Updated: February 5, 2026

From the CNC machine to the cloud: The 7 most common attack vectors on production floors

Imagine your factory as a fortress. You've invested in solid walls and a main gate. But have you thought about all the other hidden entrances? About the service tunnel through which maintenance workers pass? About the small window in the pantry? About the deliveries that enter without inspection? At

Today’s connected factory is a complex ecosystem in which the world of physical machines constantly intersects with the world of digital data. This convergence, while driving innovation and productivity, has simultaneously created an unprecedented number of potential avenues of entry for cybercriminals. Attackers no longer need to push through major corporate firewalls. Instead, like water, they are looking for the smallest crack, the weakest point, to penetrate the heart of operations - the operational technology (OT) network.

Understanding these avenues, called attack vectors in professional terminology, is the absolute foundation for building an effective defense strategy. Relying on one-size-fits-all security is like trying to protect a fortress that has ten gates by placing a guard at only one of them. Mature security requires taking a holistic view and securing all potential entry points, from the most obvious to those hidden and often ignored.

The purpose of this article is to shed light on the seven most common vectors used by attackers that lead to compromised production environments. We will analyze how seemingly innocuous, everyday activities - from plugging in a flash drive to opening an email to a visit from an outside service technician - can become the beginning of a catastrophic incident.


Why are attackers increasingly choosing factories as their target?

The motivation of cybercriminals is simple and brutally pragmatic: they go where the money is and where it can be made with the least risk. The industrial sector has become an ideal target for them for several reasons. First, time pressure. Every minute of factory downtime generates huge, easily quantifiable financial losses, making manufacturing companies much more willing to pay ransom quickly. Second, a lower level of maturity. Many industrial companies are just beginning their journey in the world of OT cyber security, making their defenses often weaker than in the financial or technology sectors. Third, the direct impact on the physical world. The ability to stop production or sabotage gives attackers powerful leverage in negotiations.

📚 Read the complete guide: Cloud Security / AWS: Public cloud security - AWS, Azure, best practices

How can an unsecured USB port on a CNC machine become a gateway to the entire network?

This is one of the most classic and still extremely effective attack vectors against environments that appear isolated. A CNC machine operator or maintenance technician needs to upload a new control program or update software. The simplest way to do this is to use a flash drive. However, this USB drive may have previously been used at home, in another factory or found in a parking lot. It only needs to have been plugged into an infected computer for at least a moment to become a carrier of malware. The moment it is plugged into a USB port on the machine’s HMI panel, the malware moves into the OT network, often bypassing all layers of network defense. It’s the digital equivalent of a Trojan horse, which we ourselves bring inside our fortress.

What role does phishing targeting engineers play in production attacks?

While engineers and production personnel may not be the target of typical mass phishing campaigns, they are the target of much more dangerous, personalized attacks (spear phishing). Attackers conduct reconnaissance, identifying key people in the maintenance or automation department, and then send them crafted messages that look authentic. This could be an email purporting to be from a machine manufacturer with an “urgent software update,” a fake notification from a SCADA system, or a message from a colleague asking to review a “new technical diagram.” Clicking on a link or opening an attachment in such a message can lead to the theft of credentials or the installation of malware on the computer of an engineer, who often has privileged access to the entire OT network.

Is traditional remote VPN access to SCADA systems still secure?

Providing remote access for employees and service companies is a necessity today. However, many companies still rely on traditional, simple VPN solutions that, once authenticated, give users broad access to the entire network as if they were physically sitting in the office. This approach is extremely risky. If the laptop of a remote user who connects via VPN is infected, the malware also gains full access to the internal network and can spread freely across it. Moreover, if the VPN credentials (login and password) are stolen, the attacker gains an open highway straight into the heart of our infrastructure.

Why is an outside service technician’s laptop one of the biggest hidden threats?

A third-party service technician’s or integrator’s laptop is one of the biggest, and most difficult to control, threats. It is a device over which we have no control: we don’t know its security status, whether it is regularly updated and, most importantly, which other networks it has been connected to recently. Such a laptop is a “digital traveler” that may have picked up malware from other infected plants along the way. When a service technician, acting in good faith, connects such a computer directly to our OT network to diagnose a PLC, they may inadvertently introduce a “digital plague” into the network.

Are unpatched Windows 7/XP systems still an open gateway for attackers?

Many production networks still run computers (HMI stations, SCADA servers) on operating systems that have been out of support for years, such as Windows 7, Windows XP and even older ones. From an operational perspective, “since they work, we don’t touch them.” From a security perspective, each such system is an open door. They carry hundreds of known, publicly documented, critical vulnerabilities for which the vendor no longer releases fixes, and public exploit code exists for many of them. For an attacker, finding a Windows 7 machine on the network is like finding a safe whose combination is written on a note taped to the door. Taking control of such a system is often trivial and gives the attacker an ideal beachhead for further operations inside the network.

How do attackers exploit unsecured industrial protocols such as Modbus?

Many of the fundamental protocols on which industrial automation is built (e.g. Modbus, S7, DNP3) were designed decades ago, in the “air gap” era. Their priorities were reliability, determinism and speed, not security. As a result, in their original and still most widely deployed forms they have no built-in authentication, integrity protection or encryption. They operate on the principle of full trust: any device that can send a correctly formatted command is treated as trusted. An attacker who gains access to the OT network, or to any host on it, can send forged commands (e.g., “stop the motor,” “change the setpoint”) to the PLCs, and the PLCs will execute them without any verification. Secured variants exist (Modbus/TCP Security over TLS, DNP3 Secure Authentication), but they are rarely enabled on installed equipment, so the realistic control is to limit which hosts can reach the controllers at all and to watch what they send.
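To make the “full trust” point concrete, the following Python example, added here and not code from the original article or from any PLC vendor, builds and decodes raw Modbus/TCP request frames using only the standard library. The layout follows the public Modbus/TCP specification: a 7-byte MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU (function code and data). Every byte in the hex output has a purpose, and none of them is a credential or a signature. The coil and register addresses (“motor contactor”, “recipe setpoint”) are assumptions for the demo; send such frames only to a simulator or a controller you own.

```python
import struct

# Modbus function codes used below (from the public Modbus application protocol spec)
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10

# Function codes that change controller state. A DPI monitor treats these as
# privileged even though the protocol itself makes no such distinction.
STATE_CHANGING_FCS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                      WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}


def build_request(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Wrap a PDU in the MBAP header: transaction id, protocol id (always 0),
    byte count of unit id + PDU, unit id. No field identifies or
    authenticates the sender."""
    pdu = struct.pack(">B", function_code) + data
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_coil(transaction_id: int, unit_id: int, coil: int, on: bool) -> bytes:
    """FC 05: 0xFF00 switches the coil on, 0x0000 switches it off."""
    return build_request(transaction_id, unit_id, WRITE_SINGLE_COIL,
                         struct.pack(">HH", coil, 0xFF00 if on else 0x0000))


def write_single_register(transaction_id: int, unit_id: int, register: int, value: int) -> bytes:
    """FC 06: overwrite one 16-bit holding register (e.g. a setpoint)."""
    return build_request(transaction_id, unit_id, WRITE_SINGLE_REGISTER,
                         struct.pack(">HH", register, value & 0xFFFF))


def read_holding_registers(transaction_id: int, unit_id: int, start: int, count: int) -> bytes:
    """FC 03: read `count` holding registers starting at `start`."""
    return build_request(transaction_id, unit_id, READ_HOLDING_REGISTERS,
                         struct.pack(">HH", start, count))


def parse_request(frame: bytes) -> dict:
    """Decode a Modbus/TCP request the way a passive monitor would."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fields = {"transaction_id": tid, "unit_id": uid, "function_code": fc,
              "state_changing": fc in STATE_CHANGING_FCS}
    data = frame[8:]
    if fc in (READ_HOLDING_REGISTERS, WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        # all three carry exactly two 16-bit values after the function code
        first, second = struct.unpack(">HH", data[:4])
        fields["address"] = first
        fields["count" if fc == READ_HOLDING_REGISTERS else "value"] = second
    return fields


if __name__ == "__main__":
    # Assumed mapping for the demo only: coil 0 is the motor contactor,
    # holding register 10 the recipe setpoint.
    stop_motor = write_single_coil(1, unit_id=1, coil=0, on=False)
    change_setpoint = write_single_register(2, unit_id=1, register=10, value=1500)
    for frame in (stop_motor, change_setpoint):
        print(frame.hex(" "), "->", parse_request(frame))
```

The twelve bytes that stop the motor (`00 01 00 00 00 06 01 05 00 00 00 00`) are identical whether the HMI, an engineering workstation or a laptop plugged into a spare switch port sends them; that is why the defensive work happens in the network (segmentation, allow-listing which sources may send state-changing function codes) rather than in the protocol.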

How does a PLC connected to the cloud become an attractive new target?

The deployment of the Industrial Internet of Things (IIoT) and the direct connection of machines and sensors to cloud platforms opens up huge analytical opportunities, but it also creates a whole new attack vector. Each such device becomes a border point that must be individually secured. An unsecured IIoT gateway that communicates with PLCs in an OT network on one side and a platform in a public cloud on the other can become a bridge through which attackers penetrate from the internet straight into the heart of the shop floor. Compromising the cloud platform can give hackers the ability to send malicious commands to the entire fleet of machines connected to it.

What are living-off-the-land attacks in the OT environment?

This is a sophisticated technique in which attackers, after gaining initial access to a network, operate as covertly as possible by using only tools and protocols that already legitimately exist in the environment. Instead of installing their own, easily detectable malware, they use standard administrative tools (PowerShell, remote management) and the legitimate engineering software and industrial protocols that are normally used to program the controllers in order to move around the network and accomplish their goals. Such an attack is very difficult to detect because, from the perspective of monitoring systems, the traffic looks like normal operational activity; what gives it away is usually the context (which host, at what time, to which controller) rather than the tool itself.

What does the attack chain (kill chain) on a factory look like in practice, from entry point to target?

An attack on a factory is rarely a single event. It’s a process, called a kill chain, consisting of several stages. It usually begins with reconnaissance, or gathering information about the target. This is followed by gaining initial access using one of the described vectors (such as phishing). Once inside the network, the attacker proceeds to the lateral movement phase, i.e. slow movement from system to system, in search of key resources and escalation of privileges. The ultimate goal is to achieve the mission objective, which can be data theft, sabotage or ransomware deployment.

On average, how much time does it take an attacker to take control of an OT network?

The interval between initial access and the first lateral movement (known as “breakout time”) varies widely, but in unsegmented, flat networks it is alarmingly short. After an initial foothold (e.g., a clicked phishing link), automated tooling can spread across a network and encrypt key systems within hours. In more sophisticated, targeted attacks the reconnaissance and lateral movement phase can instead last weeks or months, during which the attacker operates stealthily to learn the environment before the final strike. Either way, the defender’s window is the breakout time: containment that begins after the attacker has reached the OT segment is damage limitation, not prevention.

What logs and indicators of compromise (IoC) are worth monitoring to detect traces of an intruder as soon as possible?

Early detection is the key to limiting damage. In an OT environment, in addition to standard logs from Windows systems and firewalls, it is crucial to monitor OT-specific events. Particular attention should be paid to: unauthorized attempts to modify PLC programs (logic uploads and downloads); controller mode changes (from RUN to PROG or STOP); write commands or unusual function codes in industrial protocols, especially from hosts that have never talked to the controller before; new devices appearing on the OT network; and sudden spikes in traffic to a controller, which often indicate scanning or register enumeration. Aggregating these events in a central SIEM alongside the IT logs allows much faster detection of anomalies that may indicate an attack in progress. The baseline of “who normally talks to which PLC, with which commands” is the most valuable thing an OT monitoring system produces.
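The following Python example is added here to show the shape of such detection logic; it is not code from the original article or from any OT monitoring product. It runs four rules over a constructed sample of controller events written in an invented key=value format (an assumption for the demo; a real deployment would parse its OT IDS or PLC syslog feed): a “new talker” that is absent from the asset inventory, a RUN to PROG mode change, logic downloads and Modbus writes from hosts that are not engineering workstations, and a burst of requests from one source within a single second. The host addresses, the allow-lists and the burst threshold are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of PLC/OT-monitor events in a hypothetical key=value
# format (an assumption for this example, not a vendor format).
# 10.10.20.15 is the engineering workstation, 10.10.20.30 the HMI;
# 10.10.40.77 has never talked to this controller before.
SAMPLE_LOG = """\
2026-02-05T08:00:05Z plc=PLC-LINE3 src=10.10.20.30 event=MODBUS_READ fc=3 addr=0
2026-02-05T08:00:06Z plc=PLC-LINE3 src=10.10.20.30 event=MODBUS_READ fc=3 addr=0
2026-02-05T08:01:12Z plc=PLC-LINE3 src=10.10.40.77 event=MODBUS_READ fc=3 addr=0
2026-02-05T08:01:12Z plc=PLC-LINE3 src=10.10.40.77 event=MODBUS_READ fc=3 addr=100
2026-02-05T08:01:12Z plc=PLC-LINE3 src=10.10.40.77 event=MODBUS_READ fc=3 addr=200
2026-02-05T08:01:12Z plc=PLC-LINE3 src=10.10.40.77 event=MODBUS_READ fc=3 addr=300
2026-02-05T08:01:12Z plc=PLC-LINE3 src=10.10.40.77 event=MODBUS_READ fc=3 addr=400
2026-02-05T08:01:30Z plc=PLC-LINE3 src=10.10.40.77 event=MODE_CHANGE from=RUN to=PROG
2026-02-05T08:01:40Z plc=PLC-LINE3 src=10.10.40.77 event=PROGRAM_DOWNLOAD
2026-02-05T08:02:03Z plc=PLC-LINE3 src=10.10.40.77 event=MODBUS_WRITE fc=6 addr=10 value=1500
2026-02-05T09:15:00Z plc=PLC-LINE3 src=10.10.20.15 event=MODE_CHANGE from=RUN to=PROG
"""

# Baselines that an asset inventory would supply (assumptions for the demo).
KNOWN_HOSTS = {"10.10.20.15", "10.10.20.30"}
ENGINEERING_WORKSTATIONS = {"10.10.20.15"}
BURST_THRESHOLD = 4  # requests per source per second; HMI polling stays well below this


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP k=v k=v ...' into a record with a datetime."""
    timestamp, *pairs = line.split()
    record = {"ts": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def _alert(rule: str, severity: str, record: dict, detail: str) -> dict:
    return {"rule": rule, "severity": severity, "ts": record["ts"].isoformat(),
            "plc": record["plc"], "src": record["src"], "detail": detail}


def detect(log_text: str, known_hosts=KNOWN_HOSTS, engineering=ENGINEERING_WORKSTATIONS,
           burst_threshold: int = BURST_THRESHOLD) -> list:
    """Run the four indicator rules over the event stream and return alerts."""
    alerts, seen_new, per_second = [], set(), Counter()
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        src, event = rec["src"], rec["event"]
        authorized = src in engineering

        # 1. A source the controller has never talked to is itself an indicator (once per host).
        if src not in known_hosts and src not in seen_new:
            seen_new.add(src)
            alerts.append(_alert("new_talker", "high", rec, f"{src} not in asset inventory"))

        # 2. RUN -> PROG is always worth a look: high when the source is not an
        #    engineering workstation, medium otherwise (should match a change ticket).
        if event == "MODE_CHANGE" and rec.get("to") == "PROG":
            alerts.append(_alert("mode_change_to_prog", "medium" if authorized else "high", rec,
                                 f"controller switched {rec.get('from')} -> PROG"))
        # 3. Logic downloads and writes from anything but engineering hosts.
        elif event == "PROGRAM_DOWNLOAD" and not authorized:
            alerts.append(_alert("program_download", "high", rec, "logic download from unauthorized host"))
        elif event == "MODBUS_WRITE" and not authorized:
            alerts.append(_alert("modbus_write", "high", rec,
                                 f"fc={rec.get('fc')} addr={rec.get('addr')} value={rec.get('value')}"))

        # 4. Many requests from one source in the same second looks like register
        #    enumeration, not HMI polling. Fires once when the threshold is crossed.
        key = (src, rec["ts"])
        per_second[key] += 1
        if per_second[key] == burst_threshold + 1:
            alerts.append(_alert("request_burst", "medium", rec,
                                 f"more than {burst_threshold} requests in one second"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['severity']:6}] {a['ts']} {a['plc']} {a['rule']:20} src={a['src']} {a['detail']}")
```

On the sample this yields six alerts, all but one attributable to the unknown host 10.10.40.77. Note that the authorized workstation’s mode change at 09:15 is still reported, at lower severity: in OT, a legitimate event at an unexpected time is exactly the kind of thing a living-off-the-land attacker produces, so the rule surfaces it for correlation with the change calendar rather than silently dropping it.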

How do you do a basic self-service security check of key machines?

Even without advanced tools, you can perform a simple, basic verification. Start with an inventory: do you know which operating system version runs on each HMI, and whether it is still supported? Check whether the manufacturer’s default passwords are still in use on key systems (HMIs, PLC web interfaces, engineering workstations, remote access gateways). Use simple, free tools such as Nmap to see which network ports are open on your machines; any unnecessary open port is a potential gateway. Do this carefully: scan from inside the OT segment during a maintenance window, at a low rate (e.g. with --max-rate), using plain TCP connect scans rather than aggressive version or OS detection, because some older controllers fault or crash when probed; where even that risk is unacceptable, build the inventory from passive traffic capture instead. Such simple “hygiene” can significantly improve security.
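Turning scan output into a prioritized list is the step most teams skip. The following Python example, added here and not code from the original article, parses Nmap’s XML output (the `-oX` format, trimmed to the elements used) for two constructed shop-floor hosts and compares the open ports against what the asset register says each host should expose. Unexpected IT ports (SMB, RDP, Telnet and the like), an end-of-life operating system guess, and any industrial protocol port are reported with a severity. The addresses, hostnames, scan results and the expected-ports table are all assumptions; the `<os>` element only appears when the scan used `-O`, which is reasonable against a Windows HMI but should be avoided against the PLCs themselves.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (-oX) for two shop-floor hosts, trimmed to the elements
# used below. Addresses, names and results are invented for this example.
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.10.20.30" addrtype="ipv4"/>
    <hostnames><hostname name="HMI-LINE3" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="502"><state state="closed"/><service name="mbap"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7 SP1" accuracy="96"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.20.50" addrtype="ipv4"/>
    <hostnames><hostname name="PLC-LINE3" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="102"><state state="open"/><service name="iso-tsap"/></port>
      <port protocol="tcp" portid="502"><state state="open"/><service name="mbap"/></port>
    </ports>
  </host>
</nmaprun>
"""

# What each host is documented to expose (assumption: taken from the asset register).
EXPECTED_PORTS = {
    "10.10.20.30": {3389},      # RDP, reachable from the jump host only
    "10.10.20.50": {102, 502},  # S7comm and Modbus/TCP from the HMI/engineering VLAN
}
RISKY_IT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 135: "MS-RPC", 139: "NetBIOS",
                  445: "SMB", 3389: "RDP", 5900: "VNC"}
OT_PROTOCOL_PORTS = {102: "S7comm (ISO-TSAP)", 502: "Modbus/TCP", 20000: "DNP3",
                     44818: "EtherNet/IP", 47808: "BACnet"}
END_OF_LIFE_OS = ("Windows 2000", "Windows XP", "Windows 7",
                  "Windows Server 2003", "Windows Server 2008")


def parse_nmap_xml(xml_text: str) -> list:
    """Return one dict per host that is up: address, name, open TCP ports, OS guess."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        name_el = host.find("hostnames/hostname")
        open_ports = sorted(int(p.get("portid")) for p in host.iter("port")
                            if p.get("protocol") == "tcp" and p.find("state").get("state") == "open")
        os_el = host.find("os/osmatch")  # present only when the scan ran with -O
        hosts.append({"addr": addr,
                      "name": name_el.get("name") if name_el is not None else addr,
                      "open_ports": open_ports,
                      "os": os_el.get("name") if os_el is not None else None})
    return hosts


def triage(hosts: list, expected=EXPECTED_PORTS) -> list:
    """Compare each host against its documented exposure; return (host, severity, text)."""
    findings = []
    for h in hosts:
        allowed = expected.get(h["addr"], set())
        for port in h["open_ports"]:
            if port in OT_PROTOCOL_PORTS:
                findings.append((h["name"], "info", f"{OT_PROTOCOL_PORTS[port]} on {port}: "
                                 "unauthenticated protocol, confirm only expected hosts can reach it"))
            if port not in allowed:
                label = RISKY_IT_PORTS.get(port)
                severity = "high" if label else "medium"
                findings.append((h["name"], severity,
                                 f"unexpected open port {port}" + (f" ({label})" if label else "")))
        if h["os"] and any(tag in h["os"] for tag in END_OF_LIFE_OS):
            findings.append((h["name"], "high", f"end-of-life OS detected: {h['os']}"))
    return findings


if __name__ == "__main__":
    for name, severity, text in triage(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(f"[{severity:6}] {name}: {text}")
```

The value is in the `EXPECTED_PORTS` table: without a documented baseline every open port is “probably needed”, and with one, the HMI’s SMB and RPC ports and the PLC’s embedded web server stand out immediately. The default-password check the text mentions remains a manual step; no scanner output will tell you that.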

Summary of attack vectors

1. USB media
   Threat: malware carried in on infected flash drives.
   Key remedy: a “clean media” policy and quarantine (scanning) stations.

2. Phishing
   Threat: personalized e-mails that harvest engineers’ credentials.
   Key remedy: security awareness training and advanced mail protection.

3. Remote access
   Threat: unsecured VPN connections that give broad access to the network.
   Key remedy: MFA and least privilege, enforced through privileged access management (PAM).

4. Service technicians’ laptops
   Threat: external threats introduced on uncontrolled equipment.
   Key remedy: control procedures for third-party companies and dedicated “clean” laptops.

5. Legacy systems
   Threat: exploitation of known, unpatched vulnerabilities in Windows XP/7.
   Key remedy: network segmentation and virtual patching (IPS).

6. OT protocols
   Threat: forged, unauthorized commands sent to controllers.
   Key remedy: OT network monitoring and deep packet inspection (DPI).

7. IIoT / Cloud
   Threat: attacks on unsecured sensors and gateways connected to the Internet.
   Key remedy: dedicated segmentation and hardening of edge devices.

How does nFlo help identify and secure attack vectors in your production infrastructure?

At nFlo, we understand that effective defense starts with thinking like an attacker. Our methodology is based on proactively identifying and shutting down all potential avenues of entry into your OT network before the real criminals do. We conduct comprehensive penetration tests and architecture audits, during which our ethical hackers simulate real attack scenarios in a controlled manner, using all the vectors described above. The result of our work is not just a list of vulnerabilities, but a strategic roadmap that shows which “gates” should be strengthened first. We also help implement specific solutions that close these gates - from designing a secure architecture based on segmentation, to implementing monitoring systems, to creating secure work procedures for your employees and external partners.
