Security Risks and Best Practices for Industrial and Energy OT Systems
Operational technology (OT) environments, including industrial control systems (ICS) and energy infrastructure such as solar farms, are increasingly exposed to cyber threats due to expanded connectivity and legacy protocols. Attackers are exploiting insecure-by-design protocols like Modbus, which are commonly used in solar panel systems and other industrial assets, to remotely manipulate devices and disrupt operations. Research highlights that with open ports and free tools, threat actors can quickly identify and control exposed OT assets, such as string monitoring boxes in solar farms, leading to rapid and large-scale power disruptions. The use of AI-driven automation further accelerates reconnaissance and exploitation, outpacing traditional human monitoring and response capabilities.
To mitigate these risks, security experts recommend a combination of pragmatic, low-disruption controls tailored for operations teams. These include segmenting networks, enforcing robust access controls, and integrating OT telemetry into observability stacks to improve visibility and resilience. Maintaining high data hygiene in IIoT environments is also critical, as clean and reliable telemetry reduces false positives, supports accurate predictive models, and enables faster root cause analysis. Securing programmable logic controllers (PLCs) and other critical OT components is essential not only for data protection but also for ensuring physical safety and operational continuity, as compromised devices can lead to equipment damage or safety hazards.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Alerts issued over exposed Modbus services in solar environments
Real-world alerts were issued warning about exposed Modbus services and the risks created by permissive firewall rules and insecure configurations in internet-connected solar power environments. The alerts emphasized the potential for remote, undetected manipulation of operational states.
Report details rapid manipulation risk for internet-exposed solar panel systems
A report described how attackers can use common tools such as Nmap, mbpoll, and modbus-cli to enumerate and manipulate exposed solar string monitoring boxes within minutes, potentially disrupting energy production and stressing inverters. It also highlighted weak segmentation between IT and OT and warned that AI-driven automation could accelerate attacks at scale.
Researchers observe large-scale scanning and exploitation of exposed Modbus devices
Cato Networks researchers observed large-scale reconnaissance and exploitation attempts against internet-exposed Modbus-enabled operational technology, including solar infrastructure components such as string monitoring boxes. The activity relied on exposed TCP port 502 and insecure Modbus communications rather than zero-day exploits.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
IIoT Data Hygiene: How Clean Telemetry Improves Reliability
securitysenses.com
Open sourceSecuring PLCs in OT Environments: Practical Steps for Ops Teams
securitysenses.com
Open sourceHackers Can Manipulate Internet-Based Solar Panel Systems to Execute Attacks in Minutes
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Risks and Security Imperatives for Industrial Control Systems and Critical Infrastructure Data
Industrial control systems (ICS) and critical infrastructure organizations are facing an escalating threat landscape due to the convergence of operational technology (OT) and information technology (IT), which has eroded traditional security boundaries. As ICS environments become increasingly interconnected with corporate IT networks, they are exposed to a broader array of sophisticated cyber threats, including those from nation-state actors. The consequences of a successful cyberattack on ICS can be severe, ranging from equipment failure and production halts to environmental disasters and threats to human safety. The Colonial Pipeline incident, which resulted from a single compromised password, demonstrated how a digital breach can disrupt physical operations and supply chains, affecting millions of people. In addition to direct attacks on ICS, critical infrastructure organizations must contend with the proliferation of unmonitored data across collaboration platforms such as SharePoint, Google Drive, Exchange, Gmail, Teams, Slack, and Box. This 'back-office clutter' creates a vast, largely ungoverned attack surface that is increasingly targeted by sophisticated adversaries. Sensitive documents, including CAD files, PDFs, and chat transcripts, are often left unclassified and unmonitored, making them attractive targets for cybercriminals. Security leaders have traditionally focused on patching and segmenting OT systems, but the rapid growth of data sprawl in enterprise collaboration tools now demands equal attention. The ease of spinning up new sites and channels for business operations has led to petabytes of data scattered across thousands of locations, often without adequate oversight. This situation is exacerbated by the fact that attackers can exploit these unmonitored environments to gain access to critical systems or sensitive information. The need for robust ICS cybersecurity is now a top priority, as the risks extend far beyond data loss to include operational disruption and public safety hazards. Organizations are urged to implement comprehensive monitoring, classification, and governance of both OT and IT environments to mitigate these risks. The evolving threat landscape requires a shift from traditional, static security measures to dynamic, intelligence-driven approaches that can adapt to new attack vectors. Failure to address these challenges could result in significant operational, financial, and reputational damage for industrial organizations. The integration of continuous monitoring and incident response capabilities is essential to detect and respond to threats in real time. As cyber threats continue to evolve, the security of ICS and the management of enterprise data sprawl must remain at the forefront of critical infrastructure protection strategies. The lessons from past incidents underscore the urgent need for a holistic approach to cybersecurity that encompasses both the physical and digital assets of industrial organizations.
Mar 21, 2026
OT and Smart Factory Cybersecurity Risk in Industrial Environments
Industrial and manufacturing organizations continue to face significant **operational technology (OT)** security risk as connected control systems, IoT devices, and legacy infrastructure expand the attack surface. A Siemens Energy report cited by *TechRepublic*, based on Ponemon Institute survey data, found that **77%** of respondents said an OT security compromise in the past 12 months led to loss of confidential information or operational disruption, while **52%** said a successful exploit against their industrial control systems is likely within the next year. Respondents also estimated that **41%** of OT attacks go undetected, with many organizations taking more than a month to detect incidents and an average of seven months to recover. The broader picture is that smart factories are still struggling with basic cyber resilience as modernization outpaces security controls. In an interview with *Help Net Security*, Packsize CSO Troy Rydman said unmanaged **IoT** devices, outdated legacy systems, and human-targeted attacks such as phishing and social engineering remain major weaknesses in factory environments. He also highlighted the persistent tradeoff between production uptime and security requirements, underscoring that industrial operators are still balancing business continuity with the need to reduce exposure across connected devices and older operational systems.
Apr 2, 2026
Rising OT Threat From Credential Abuse and 'Living-off-the-Plant' Techniques
Security reporting and expert commentary warn that **operational technology (OT)** environments remain highly exposed due to fragile access controls and that attacker capability is trending toward more dangerous, process-aware operations. Lessons drawn from the 2015 **Ukraine power grid** disruption emphasize that remote connectivity, vendor access, and broad VPN permissions can become the “soft underbelly” of critical infrastructure, with recurring real-world examples of disruption tied to **misused remote access and stolen credentials** (including the **Colonial Pipeline** shutdown following a compromised password). The core takeaway is that OT systems are no longer “too specialized” to be targeted, and that common enterprise intrusion paths—credential compromise and remote access abuse—continue to translate into operational impact when they bridge into industrial environments. Separately, OT-focused threat analysis highlights early signs that attackers are gaining the “process comprehension” historically missing from many intrusions into industrial systems. A forthcoming RSA Conference 2026 presentation is expected to demonstrate **“living-off-the-plant”** techniques—analogous to living-off-the-land in IT—where adversaries leverage native industrial tooling and legitimate functions inside plants to blend in and potentially manipulate physical processes. The reporting argues that “security by obscurity” (attackers’ unfamiliarity with bespoke/legacy OT) has limited the severity of many incidents so far, but that this advantage is eroding as adversaries become more comfortable operating within industrial environments, increasing the risk of more consequential OT attacks.
Mar 21, 2026