There are signals that are not “news”. They don’t explode, they don’t block airports, they don’t broadcast the usual statement with the digital skull and the ransom demand, but they are more discreet and therefore more dangerous. Over the last four years, attacks against ICS and SCADA systems have not only grown in number, but above all have changed in nature. The question is no longer how many pieces of malware are intercepted on industrial computers, but what those that get through, or those that no longer need to present themselves as traditional malware, are trying to do.
Let’s take an apparently reassuring fact. In the first quarter of 2025, Kaspersky reported malicious objects blocked on 21.9% of monitored ICS computers, a lower percentage than in the same period of 2024. Well, one might say. But it is better to avoid the old habit of mistaking the symptom for the disease. That number mainly measures the background noise: suspicious files, generic threats, more or less ordinary attempts that also cross industrial environments. It does not necessarily measure an attacker’s ability to affect physical processes.
The most worrying trend is a different one: attacks are moving lower, not lower in quality but deeper, towards the industrial logic itself. Since 2022, hostile actors have begun developing tools designed to interact with PLCs, HMIs, engineering workstations, industrial protocols, and project files. These are somewhat difficult words, I understand, but they indicate very concrete objects: the devices that control, the screens that show, the stations from which everything is configured, the languages with which the machines understand each other.
This is the qualitative leap. For years we have imagined the cyber attack as malware that enters, encrypts files, blocks the service, asks for money. Today, in the most advanced cases, the attacker wants to understand where the switches are, learn which lights to turn on to make people believe that everything is normal when in reality something else is happening: less visible malware, more knowledge of the process.
The FrostyGoop case tells it well. In 2024, this tool, targeting specific devices, was linked to an attack on Ukrainian district heating, resulting in the loss of service to hundreds of buildings. We are no longer in the abstract domain of “compromised data”, but in that of people who notice the problem not because they read a technical report, but because something that was supposed to work stopped doing so. The Internet stops being another world and becomes a hand touching the radiator.
The same thread runs through the other recent cases. In Mexico, after the IT environment of a water utility was compromised, an attacker used artificial intelligence tools, including Claude, to map the internal network and locate SCADA systems for controlling industrial devices, according to cybersecurity firm Dragos. Not full-blown sabotage, but a rapprochement.
In Poland, the cyber security agency ABW reported intrusions into the ICS systems of five water treatment plants; in some cases the attackers could have modified the operating parameters of the equipment, with risks for the continuity of the service and the water supply. Here too the language tries to reassure us. “Operating parameters” seems like a formula from a technical report. In reality, very simply, it means being able to interfere with the way a system treats water, regulates pumps and maintains an essential service. The distance between an altered setup and a dry tap can be shorter than we would like.
The case of the GNV Fantastic cruise ship brings the same problem to sea. The ferry, stopped in Sète, ended up at the center of a French investigation due to suspicions that someone wanted to allow remote access to the navigation systems. The hypothesis of effective control of the ship is not proven, and this must be said clearly. However, the case signals the fragility of the boundaries between onboard IT, operating systems and navigation. A modern ship is not just a hull, engines and bridge, but now a floating computer system.
In 2025, Dragos observed attackers not only breaking into industrial networks, but mapping control loops, actuators, gateways, HMIs and operational configurations. This is perhaps the most important sentence of all, even if it seems the least spectacular and very cryptic. Mapping a control loop means wanting to understand the cycle with which a process is measured, corrected and kept stable. Studying actuators means being interested in what produces movement. Looking at HMIs means looking at what the operator sees. We are in front of someone who learns.
In 2026, a joint report by CISA, FBI, NSA and other US security agencies reported Iranian attacks against industrial systems exposed on the Internet, involving manipulation of project files. CNN also reported actions against US energy and water sites, resulting in operational and economic disruption and damage. Once again the point is manipulation. If I alter a project file, I change the way a machine is meant to work. If I manipulate a SCADA display, I can change what a human thinks he sees. It is a subtle form of sabotage: not only affecting the machine, but also the trust between man and machine.
Ransomware remains the main accelerator of this fragility. It often arises as an IT incident, perhaps from the usual compromised access, from the usual stolen credential, from the usual perimeter defended with the heroic belief that “it doesn’t happen here anyway”. But then it spreads, blocking production, visibility and operational control. Even when it is not created to directly manipulate an industrial process, it can prevent us from seeing and governing it.
For this reason, continuing to talk about industrial cybersecurity as a question of antivirus, firewall and good intentions is a good way to arrive unprepared. We need true segmentation between systems, reliable inventories, devices not exposed unnecessarily, access control, monitoring of industrial protocols, exercises, degraded operating procedures. Above all, cultural maturity is needed: understanding that we are not protecting computers, but physical processes mediated by computers.
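As an added illustration of “monitoring of industrial protocols” (example code written for this page, not from the article or from any vendor or agency it cites), the following Python decodes Modbus/TCP requests and flags state-changing writes that come from hosts outside an allow-list. The allow-list address, the other IP addresses and the frames are all constructed for the example.

```python
import struct

# Modbus/TCP function codes that change PLC state (writes to coils/registers).
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical allow-list: only the engineering workstation may issue writes.
WRITE_ALLOWED_SOURCES = {"10.0.10.5"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and the start of the PDU of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id is not 0, so this is not Modbus/TCP")
    if length != len(frame) - 6:          # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    pdu = frame[8:]
    info = {"transaction_id": trans_id, "unit_id": unit_id, "function_code": fc}
    if fc in (5, 6) and len(pdu) >= 4:    # single write: address, value
        info["address"], info["value"] = struct.unpack(">HH", pdu[:4])
    elif fc in (15, 16) and len(pdu) >= 4:  # multi write: address, quantity
        info["address"], info["quantity"] = struct.unpack(">HH", pdu[:4])
    return info

def audit_frame(src_ip: str, frame: bytes) -> tuple:
    """Return ("ALERT", info) for a write from a non-allowed host, else ("OK", info)."""
    info = parse_modbus_tcp(frame)
    if info["function_code"] in WRITE_FUNCTION_CODES and src_ip not in WRITE_ALLOWED_SOURCES:
        return "ALERT", info
    return "OK", info

# Constructed sample traffic: a read, a write from an unexpected host,
# and a multi-register write from the engineering workstation.
SAMPLE_TRAFFIC = [
    ("10.0.10.5",  bytes.fromhex("000100000006010300000 00a".replace(" ", ""))),
    ("10.0.20.77", bytes.fromhex("00020000000601060010 00ff".replace(" ", ""))),
    ("10.0.10.5",  bytes.fromhex("00030000000b011000000002040001 0002".replace(" ", ""))),
]

def audit_samples() -> list:
    """Run the audit over SAMPLE_TRAFFIC and return only the alerts."""
    return [(src, info) for src, frame in SAMPLE_TRAFFIC
            if (result := audit_frame(src, frame))[0] == "ALERT" for info in [result[1]]]

if __name__ == "__main__":
    for src, info in audit_samples():
        print(f"ALERT {src} -> unit {info['unit_id']}: "
              f"{WRITE_FUNCTION_CODES[info['function_code']]} at address {info['address']}")
```

In a real deployment the frames would come from a network tap or a capture file rather than an inline list, and the allow-list from the asset inventory the article calls for.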
The problem, then, is that attackers are learning to speak the language of the machines, and when someone knows the language, they can not only turn them off, but also convince them to do the wrong thing at the worst time.