Threat Actors Attacking ICS Computers With Malicious Scripts and Phishing Pages

Published On: September 23, 2025

The operational technology (OT) landscape, once considered an isolated bastion, is now firmly in the crosshairs of sophisticated cybercriminals. Industrial control systems (ICS) and their underlying computers, critical to everything from manufacturing to utilities, are facing an escalating barrage of attacks leveraging malicious scripts and cunning phishing pages. This isn’t just about data theft; it’s about potentially disrupting essential services and compromising physical infrastructure. As security analysts, understanding these evolving tactics is paramount to protecting the bedrock of our industrial world.

The first half of 2025 has seen a concerning shift: threat actors are increasingly abandoning traditional attack vectors in favor of web-based assaults. This strategic pivot exploits long-standing vulnerabilities within OT environments, including legacy interfaces, weak authentication protocols, and notoriously outdated software. The implications are severe, and the need for robust defense mechanisms has never been more urgent.

The Rise of Web-Based Attacks on ICS

For years, the perceived air gap and proprietary nature of ICS often gave a false sense of security. However, as OT systems become more interconnected with enterprise networks and the internet for remote access and data analytics, new doorways for attackers have opened wide. Threat actors are now exploiting these connections to deliver their payloads. The ease of crafting convincing phishing lures or injecting malicious scripts into web interfaces makes these methods highly attractive.

The reliance on legacy protocols and interfaces further exacerbates the problem. Many industrial control systems were designed in an era before pervasive cyber threats, lacking modern security features. This design choice, coupled with the difficulty and cost of patching or upgrading systems that require 24/7 uptime, creates a fertile ground for exploitation.

Common Attack Vectors and Exploited Weaknesses

Understanding the specific tactics employed by these threat actors is crucial for developing effective countermeasures. They are not simply casting a wide net; their attacks are often tailored to the unique characteristics of OT environments.

  • Malicious Scripts: Attackers embed JavaScript or other scripting languages into compromised websites or deliver them via phishing emails. When an ICS operator accesses these malicious pages, the script can execute, potentially leading to system compromise, data exfiltration, or the deployment of further malware.
  • Phishing Pages: Highly convincing fake login pages for ICS management systems, VPNs, or internal corporate portals are used to steal credentials. Once acquired, these credentials grant attackers direct access to sensitive ICS networks and systems.
  • Exploiting Legacy Interfaces: Many ICS components still rely on older web servers or administrative interfaces with known vulnerabilities. These might include unpatched Apache or IIS servers, or proprietary web interfaces with default credentials or easily guessable passwords. For instance, a common theme for vulnerabilities like CVE-2022-26377 involves web server flaws that could lead to remote code execution.
  • Weak Authentication: Multi-factor authentication (MFA) is often absent in OT environments, making traditional username/password combinations an easy target for brute-force attacks or credential stuffing, especially if those credentials have been exposed in other breaches.
  • Outdated Software: The challenge of patching OT systems means that critical security updates are often delayed or simply not applied. This leaves vulnerabilities open for exploitation, such as those found in older versions of SCADA software or operating systems. For example, unpatched versions of Windows Server or Linux distributions running ICS applications can present critical entry points, akin to the impact of unpatched vulnerabilities like CVE-2021-34484.
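The phishing-page vector above is easiest to catch on the defender's side at the web proxy: an operator submitting credentials to a host that merely resembles the real HMI, VPN or SCADA portal. The following script is an added example written for this article, not code from the original report or any vendor tool. It assumes a constructed allowlist of legitimate portal hostnames and a constructed proxy log format ("timestamp user method url status"), and it flags two lookalike patterns: hosts within a small edit distance of a legitimate host (typo-squats such as a swapped character) and hosts that embed a legitimate hostname as a prefix under a foreign registrable domain.

```python
"""Flag proxy-log requests to hosts that look like, but are not, legitimate ICS portals.

Added example: the allowlist, the log format and every hostname below are
constructed assumptions, not values from the article or from any product.
"""
from urllib.parse import urlsplit

# Hostnames operators legitimately sign in to (constructed assumption).
ALLOWED_HOSTS = {"hmi.plant.example", "vpn.plant.example", "scada.plant.example"}

# Constructed proxy log lines: "<timestamp> <user> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2025-09-23T08:01:10Z operator1 GET https://hmi.plant.example/login 200
2025-09-23T08:03:44Z operator2 POST https://hmi-plant.example/login 200
2025-09-23T08:05:02Z operator1 GET https://vpn.plant.example/ 200
2025-09-23T08:06:31Z operator3 POST https://scada.plant.example.login-verify.net/login 200
2025-09-23T08:07:12Z operator2 GET https://scada.p1ant.example/ 200
2025-09-23T08:09:59Z operator4 GET https://updates.vendor.example/ 200
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; good enough for the constructed .example names here."""
    return ".".join(host.split(".")[-2:])


def classify_host(host: str, allowed=ALLOWED_HOSTS, max_distance: int = 2):
    """Return a reason string if the host looks like an allowlisted portal, else None."""
    if host in allowed:
        return None
    for legit in sorted(allowed):  # sorted so results do not depend on set order
        # Legitimate hostname used as a prefix under someone else's domain.
        if host.startswith(legit + ".") and registrable_domain(host) != registrable_domain(legit):
            return f"embeds {legit} under foreign domain {registrable_domain(host)}"
        # Typo-squat: only a character or two away from the real hostname.
        distance = levenshtein(host, legit)
        if distance <= max_distance:
            return f"within edit distance {distance} of {legit}"
    return None


def find_lookalike_requests(log_text: str, allowed=ALLOWED_HOSTS):
    """Return (user, host, method, reason) for every request to a lookalike host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of failing the whole run
        _ts, user, method, url, _status = parts
        host = urlsplit(url).hostname or ""
        reason = classify_host(host, allowed)
        if reason:
            hits.append((user, host, method, reason))
    return hits


if __name__ == "__main__":
    for user, host, method, reason in find_lookalike_requests(SAMPLE_PROXY_LOG):
        print(f"{user} {method} {host}: {reason}")
```

A POST to a flagged host is the case worth paging on, since that is the request that carries the submitted credentials; GET hits are early warning that a lure has reached an operator. Real deployments should replace the two-label `registrable_domain` shortcut with a public-suffix list lookup so that names such as `example.co.uk` are handled correctly.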

Remediation Actions for Securing ICS Environments

Addressing these threats requires a multi-layered and strategic approach, combining technical controls with operational best practices. Here are key remediation actions:

  • Implement Robust Network Segmentation: Isolate ICS networks from enterprise IT networks wherever possible. Utilize firewalls and Intrusion Detection/Prevention Systems (IDPS) with strict rules to control traffic between segments.
  • Enforce Strong Authentication and MFA: Mandate multi-factor authentication for all remote access to ICS, as well as for administrative interfaces and critical internal systems. Implement strong password policies and regularly audit user accounts.
  • Regular Patching and Vulnerability Management: Establish a rigorous patching schedule for all OT software, operating systems, and firmware. While challenging, prioritize critical security updates. Conduct regular vulnerability assessments and penetration testing specifically targeting ICS environments.
  • Educate and Train Personnel: Industrial operators are often the first line of defense. Provide comprehensive cybersecurity awareness training, focusing on phishing recognition, safe browsing habits, and reporting suspicious activities. Phishing simulations can be highly effective.
  • Deploy Web Application Firewalls (WAFs): For internet-facing ICS web applications and human-machine interfaces (HMIs), deploy WAFs to detect and block malicious web requests, including script injection attempts and other OWASP Top 10 vulnerabilities.
  • Utilize Secure Remote Access: Replace outdated remote access methods with secure VPNs or zero-trust network access (ZTNA) solutions that incorporate strong encryption and authentication.
  • Monitor Network Traffic: Implement specialized OT-aware Network Detection and Response (NDR) solutions to monitor traffic for anomalous behavior, unauthorized connections, and indicators of compromise. Look for traffic patterns that deviate from normal industrial operations.
  • Regular Backup and Disaster Recovery: Implement comprehensive and regularly tested backup and disaster recovery plans for all critical ICS data and configurations. Ensure backups are stored securely and are isolated from the operational network.
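The segmentation and traffic-monitoring actions above come down to one question per flow: is this source zone allowed to talk to that destination zone on that protocol? The script below is an added example written for this article, not the original report's code and not a product configuration. It assumes a constructed zone map (control, supervisory, enterprise subnets), a constructed cross-zone allow policy (Modbus/TCP and EtherNet/IP from the supervisory zone into the control zone, HTTPS from the enterprise zone to a remote-access gateway in the supervisory zone) and constructed flow records in the form "timestamp src dst proto dport". Any cross-zone flow not in the policy is reported, and any connection originated by a control-zone device that leaves its zone is reported regardless of port, since PLCs have no business initiating outbound sessions.

```python
"""Zone-policy checks over constructed OT flow records.

Added example: the zone CIDRs, the allow rules and the flow log lines are
constructed assumptions, not configuration from any product or from the article.
"""
import ipaddress
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


class Alert(NamedTuple):
    flow: Flow
    reason: str


# Constructed zone map: which subnets belong to which OT/IT zone.
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/24"),      # PLCs, RTUs
    "supervisory": ipaddress.ip_network("10.20.0.0/24"),  # HMIs, engineering workstations
    "enterprise": ipaddress.ip_network("10.100.0.0/16"),  # corporate IT
}

# Constructed cross-zone allow rules: (src_zone, dst_zone, proto, dport).
# Any cross-zone flow that is not listed here is reported.
ALLOWED_CROSS_ZONE = {
    ("supervisory", "control", "tcp", 502),     # Modbus/TCP from HMI/EWS to PLCs
    ("supervisory", "control", "tcp", 44818),   # EtherNet/IP explicit messaging
    ("enterprise", "supervisory", "tcp", 443),  # remote-access gateway in the supervisory zone
}

# Constructed flow records: "<timestamp> <src> <dst> <proto> <dport>".
SAMPLE_FLOWS = """\
2025-09-23T02:00:01Z 10.20.0.5 10.10.0.7 tcp 502
2025-09-23T02:00:05Z 10.100.3.44 10.10.0.7 tcp 502
2025-09-23T02:00:09Z 10.10.0.7 203.0.113.10 tcp 443
2025-09-23T02:00:12Z 10.20.0.5 10.10.0.7 tcp 22
2025-09-23T02:00:15Z 10.10.0.7 10.10.0.8 tcp 502
2025-09-23T02:00:20Z 10.100.3.44 10.20.0.9 tcp 443
"""


def zone_of(ip: str) -> str:
    """Map an address to its zone name; anything outside the known subnets is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flows(text: str) -> list:
    """Parse the constructed flow format, skipping malformed records."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport)))
    return flows


def evaluate(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow violates the zone policy, else None."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is outside the scope of this check
    if src_zone == "control":
        # Control-zone devices should never originate connections that leave the zone.
        return f"control-zone device {flow.src} initiated a connection to {dst_zone} host {flow.dst}"
    if (src_zone, dst_zone, flow.proto, flow.dport) in ALLOWED_CROSS_ZONE:
        return None
    return f"cross-zone flow {src_zone} -> {dst_zone} on {flow.proto}/{flow.dport} is not in policy"


def analyze(text: str) -> list:
    """Run every parsed flow through the policy and collect the violations."""
    alerts = []
    for flow in parse_flows(text):
        reason = evaluate(flow)
        if reason:
            alerts.append(Alert(flow, reason))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(f"{alert.flow.ts} {alert.flow.src} -> {alert.flow.dst}: {alert.reason}")
```

The same allow set doubles as the specification for the firewall rules between segments; running it over exported flow records is a cheap way to confirm the firewall actually enforces what the policy says, and to catch an enterprise host reaching a PLC directly or a PLC calling out to the internet.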

Detection and Analysis Tools

Leveraging the right tools is essential for early detection and thorough analysis of these sophisticated attacks. Here are some categories and examples:

| Tool Category | Purpose | Examples / Considerations |
| --- | --- | --- |
| Network Detection & Response (NDR) – OT Specific | Monitors ICS network traffic for anomalies, unauthorized protocols, and known attack patterns. | Nozomi Networks Guardian, Claroty Continuous Threat Detection, Dragos Platform |
| Vulnerability Scanners | Identifies unpatched software, misconfigurations, and known vulnerabilities in ICS components and integrated IT systems. | Tenable.ot, Nessus (with OT plugins), SCADAfence Platform |
| Security Information and Event Management (SIEM) | Aggregates and analyzes security logs from various sources (firewalls, IDS, ICS components) to detect sophisticated attacks. | Splunk, IBM QRadar, Microsoft Sentinel (requiring OT-specific connectors) |
| Web Application Firewalls (WAF) | Protects internet-facing web applications from common web exploits (e.g., SQL injection, XSS) and bot attacks. | Imperva WAF, Cloudflare WAF, F5 BIG-IP ASM |
| Endpoint Detection & Response (EDR) / Antivirus | Detects and responds to malicious activity on ICS workstations and servers (where compatible and allowable). | CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint (with careful OT integration) |
| Phishing Simulation & Awareness Training | Trains employees to identify and report phishing attempts; assesses organizational susceptibility. | KnowBe4, Cofense, Proofpoint Security Awareness Training |

Conclusion

The convergence of IT and OT has undeniably brought efficiencies, but it has also opened the door to new and complex cyber threats. The increasing reliance on web-based attack vectors – malicious scripts and phishing pages – to compromise ICS computers highlights a critical vulnerability in many industrial environments. Proactive defense, stringent security controls, continuous monitoring, and robust employee training are no longer optional; they are fundamental requirements for safeguarding our critical infrastructure. The battle to secure industrial automation systems is ongoing, and vigilance, coupled with strategic implementation of security best practices, will determine our success.

For more detailed information, consult the original report: Threat Actors Attacking ICS Computers With Malicious Scripts and Phishing Pages.