← All Updates
EDUCATIONJuly 7, 2026

5 Manufacturing Attacks Every OT Security Team Should Study

Five manufacturing cyber incidents — German Steel Mill, EKANS, Mirai, JBS, Verkada — the shared IT-to-OT pattern, and how to test detection against each one.

Manufacturing has been the most attacked industry for 5 years in a row, and attacks grew more than 50% last year alone.

This article walks through five manufacturing OT security incidents from 2014 to 2021, shows the single pattern they share, and explains how to turn each one into a detection you can actually test.

It is written for OT engineers, SOC analysts and security leads who protect production environments.

The Pattern: Attack Enters IT, Damage Lands In OT

None of the five incidents below started on the plant floor.

Every one entered through the IT side — a phishing email, an exposed account, a default password — and the damage landed in production.

In every case some form of segmentation existed on paper.

Paper stopped nothing, because nobody watched what actually crossed the boundary.

That is the core problem this article is about.

Not missing tools.

Missing verification.

The Five Incidents

German Steel Mill, 2014. A phishing email compromised the office network. Attackers pivoted into the SCADA environment and disrupted controls so that a blast furnace could not be shut down properly. The result was massive physical damage — one of the first public cases where an email destroyed heavy industrial equipment.

The catchable signal: a new client communicating with the PLC network across the IT/OT boundary.

EKANS (Snake), 2020. Ransomware written with industrial awareness. Before encrypting, it works through a kill list of ICS processes — historian services, HMI runtimes, engineering tools — so production freezes before the IT team even sees encryption start.

The catchable signal: process stop events on HMI and engineering workstations, hosts that in most plants have no endpoint logging at all.

Mirai variants, 2020. Default passwords on IIoT devices turned factory cameras and sensors into botnet nodes and pivot points. These devices lived in an ownership gap — not managed as IT assets, not treated as OT assets.

The catchable signal: new outbound connections from device VLANs.

JBS Foods, 2021. Ransomware hit the IT network of the world's largest meat producer and plants stopped on three continents. The detail worth studying: parts of OT were shut down as a precaution, because nobody could establish fast enough whether the OT side was affected.

That is a visibility failure with the same production cost as a real compromise.

Verkada, 2021. One exposed admin account gave outsiders a live view into 150,000 cameras, including factories and warehouses.

The catchable signal is almost embarrassing: an admin login from a new source. One log source, one rule.

Why Containment Takes 42 Days

Industry numbers put the average time to contain a ransomware incident in a plant at around 42 days.

Organizations with working OT visibility contain the same class of incident in about 5 days.

Same attackers, same malware families — an 8x difference.

The difference is not which vendor is installed.

It is whether the detection chain — boundary traffic, controller state events, workstation logs, alert routing — was ever exercised against a real attack before the incident.

A rule that has never fired against real traffic is a hypothesis, not a control.

From Reading To Testing

Reading incident write-ups is the start, not the goal.

Each of the five cases above maps to a concrete, testable detection: boundary crossing to the PLC network, ICS process stops, new connections from device segments, IT-to-OT cascade visibility, admin logins from new sources.

Labshock is a platform for learning and testing OT cybersecurity through hands-on labs and realistic industrial environments.

We packed these five incidents into a PDF that opens the Monitoring Manufacturing track: you read the incident, then rebuild the detection for the same attack technique against live protocol traffic in a lab — real PLCs, real network, real events in your SIEM.

Testable. Not documented.

Try It Yourself

  • Start free: github.com/zakharb/labshock — the lab runs locally with Docker, no cloud.
  • Loginward is the free starter zone; the manufacturing environments live in Netfields.
  • Get the 5-incidents PDF and the Monitoring Manufacturing track at labshocksecurity.com.
  • Questions, or want to compare detection approaches: discord.gg/bpmaQFfW76
LABSHOCK SECURITY — OT SECURITY MUST BE TESTABLE, NOT DOCUMENTED