
2023 Threat Report

ICSSTRIVE & Waterfall Security Solutions

Copyright © 2023 Waterfall Security Solutions



Executive Summary
The Waterfall / ICSSTRIVE annual threat report documents public reports of deliberate cyber
attacks – not instrument errors or human errors and omissions – attacks that caused physical
consequences in process manufacturing, discrete manufacturing, and critical industrial
infrastructures. These attacks with physical consequences turned from a theoretical problem in
the 2010-2019 decade into a very real problem this decade. In 2022, these attacks increased
140% over the previous year and impacted over 150 industrial operations. At this rate of growth,
we expect cyber attacks to shut down 15,000 industrial sites in 2027, that is, in less than five
years.
Hacktivist attacks that deliberately cause physical consequences are increasing – 2022 saw six
such attacks, the largest of any year in history. Of the remaining attacks, the vast majority are
ransomware, and in most ransomware attacks only the IT network was impaired, not the OT
network. Nonetheless, in all ransomware attacks we track there were physical consequences,
either because physical operations relied on crippled IT systems for minute-by-minute operations,
or because ransomware victims did not trust the strength of their OT security systems and so shut
down operations “in an abundance of caution.”
Looking forward, we predict that because of the steadily increasing number of critical
infrastructure outages, governments in many jurisdictions will order critical infrastructure owners
and operators to implement dramatically stronger cybersecurity measures. Worse, we note that
natural language artificial intelligence tools such as ChatGPT have the potential to enhance cyber
attack capabilities and so materially accelerate the growth of cyber attacks with physical
consequences. On the other hand, we also observe that the new Cyber-Informed Engineering
initiative has the potential to materially improve the strength of OT security postures, even in the
face of nation-state-grade ransomware and AI-powered cyber attacks.
Finally, as an aid to interested readers and other researchers, Appendix A includes a
comprehensive list of all cyber attacks with physical consequences in the industries we track since
2010, with links to public resources describing the attacks.

Contents
Executive Summary
Introduction
  What We Track
OT Incidents with Physical Consequences in 2022
  With Physical Consequences
  Near Misses
Threat Analysis
  Attack Trends
  Threat Actors
  Hacktivism
  Criminal Ransomware
  Geography
  Industries
Key Takeaways
  Attack Sophistication
  IT Dependencies in OT
  External Dependencies
Predictions
  Use of Artificial Intelligence for Stage 2 in the ICS Cyber Kill Chain
  Enhanced Global Response and Legislation
  Emergence of Engineered Cybersecurity
Summary
Appendix A – 2010-2022 Data Set
Appendix B – Acknowledgements

Introduction
The ICSSTRIVE and Waterfall Security Solutions 2023 Threat Report documents credible public
disclosures of cyber attacks with physical consequences to operational technology (OT) in
discrete manufacturing and process industries world-wide in all of 2022. In 2022, we saw 57
attacks that met these strict criteria, an increase of more than 150% over the preceding year. Most
of these attacks were ransomware targeting IT networks but resulted nevertheless in
consequences for physical operations in the victim organizations.
This report documents these and other findings from attacks recorded in 2022. We also look at
the most important developments in cyber defenses throughout 2022. Defensive tools and
techniques are developing rapidly, and modern defenses must be deployed more widely to affect
overall trends in production outages and other physical consequences.

What We Track
This report is the result of Waterfall Security Solutions’ cooperation with ISSSource and their
ICSSTRIVE OT incident repository. This report is focused on cyber attacks with physical
consequences in:

• Discrete manufacturing: operations that combine small parts into larger manufactured
objects, such as automobiles or laptop computers,
• Process industries: industries where physical operations can be modeled as a
continuous process transforming raw materials into a more usable form, as in mining
or refining, and
• Critical industrial infrastructure: industrial operations that are essential to society and the
economy, and deserving of special protection, like transportation, power, and utilities.
We do not track cyber attacks with physical consequences in other industries, such as
telecommunications outages, canceled surgeries at hospitals, or most retail store shutdowns. We
also do not track general cyber attacks on the financial sector or governments, their agencies, or
their militaries unless they involve an element of industrial automation for physical processes. It
is not that these attacks are not important — they are. We confine our tracking and analysis to
the industries that we do, because it is these industries with which the authors are most familiar.
That said, drawing a line through any continuum involves making what may seem arbitrary
distinctions. Right or wrong, for this year we do not report on retail grocery store outages, even
though we do report on food & beverage (human consumables) manufacturing. We do, however,
report on gas station outages, because such outages are generally considered part of the
"downstream" oil & gas industry. We do report on electric power distribution outages, because
power distribution is considered critical infrastructure and a process industry, even though electric
distribution is also arguably electricity retailing. Similarly, we report on postal system outages,
because the postal system is a transportation system. While both the post and distribution utilities
are government-owned in most jurisdictions, we do not report on other government service
outages, such as tax departments, the courts of law, or financial systems.

OT Incidents with Physical Consequences in 2022


With Physical Consequences
The research team for the 2023 report found that fifty-seven (57) incidents out of 218 incidents
on the ICSSTRIVE website resulted in physical consequences and matched our inclusion criteria.
A more detailed version of this list is included as part of Appendix A.

Month (2022) | Industry | OT Incident Description
Jan | Transport | Bay & Bay Transportation — 1.5 weeks production lost while all systems taken offline and remediated
Jan | Process Mfg | CPH Chemie & Papier — Newsprint paper producer: 6 days of downtime, lost 8,400 tons in paper output
Jan | Food & Bev | KP Snacks — Production halted, delayed deliveries 2 months, and capped orders while existing stocks consumed
Jan | Oil & Gas | Mabanaft & Oiltanking — Both units declared force majeure: halted loading and unloading of fuel & bulk oil at the ports
Jan | Oil & Gas | SEA-Tank & SEA-Invest — Ops. at all ports in Europe and Africa impacted. SEA-Tank terminal in Antwerp cannot unload fuel at port
Feb | Oil & Gas | Evos — Delays in unloading fuel at three ports: Terneuzen (Netherlands), Ghent (Belgium), and Birzebbuga (Malta)
Feb | Transport | Swissport — 22 flights, cargo, and freight services delayed or canceled for 20 min
Feb | Transport | JNPCT — Diverted incoming vessels and halted in-progress loading/unloading at port
Feb | Transport | Expeditors — Operations shut down for 3+ weeks as they cannot ship freight or manage customs processing
Feb | Discrete Mfg | Caledonian Modular — Lost production was a contributing factor in the company's insolvency the following month
Feb | Discrete Mfg | Bridgestone — 10 days lost production, and workers sent home at all 23 tire plants in the Americas
Feb | Transport | Belarus Railway — Rail routing and switchgear disabled by hacktivists; trains halted in Minsk, Orsha, and Osipovichi
Feb | Discrete Mfg | Kojima Industries & Toyota — Shut down all 14 Japanese Toyota-owned vehicle plants 1 day, resulting in 10K unit production loss
Feb | Power | Rosetti Energy — Deactivated all electric vehicle charging stations between Moscow and St. Petersburg along the M-11 motorway
Mar | Food & Bev | H.P. Hood Dairy — Shut down production for 1 week; forced disposal of all dairy product, orders and deliveries canceled
Mar | Transport | Hellenic Post — 17-day nation-wide disruption to all mail, financial, and bill payment services processed through the Greek Post
Mar | Food & Bev | TAVR — Production halted and a “significant economic loss recorded”
Apr | Transport | Bulgarian State Post — 2+ week outage of 26 national postal services, including deliveries
Apr | Transport | Costa Rican Customs Service — National customs systems outage of > 1 month caused shipments to slow to a trickle
Apr | Transport | Sunwing Airlines — 5+ day outage of check-in systems delays 188 flights & strands or delays thousands of passengers
May | Discrete Mfg | AGCO — Production shutdown for 15+ days at the start of planting season, sent workers home
May | Transport | SpiceJet — 5+ hour outage where planes are grounded or delayed
May | Discrete Mfg | Foxconn Baja California — Operations affected by disrupting production for 2 weeks, then forced production capacity adjustment
May | Discrete Mfg | CMC Electronics — Disrupted operations at a key supplier of avionics to Canada's Department of National Defence
Jun | Transport | Yodel — Millions of customers face parcel delivery delays
Jun | Food & Bev | Apetito / Wiltshire Food Farms — 5-day halt to food deliveries destined for vulnerable Meals-on-Wheels customers
Jun | Discrete Mfg | Macmillan Publishers — Unable to ship orders, with several months of delivery backlogs reported at regional warehouses
Jun | Metals & Min | Khuzestan Steel Co. — Equipment damage due to fire and production halted
Jun | Process Mfg | Knauf — 3+ weeks production shutdown; existing orders delayed, and all new orders cancelled
Jul | Discrete Mfg | Eglo — Shut down production, order processing and shipping for 12 days
Jul | Discrete Mfg | Semikron — Production halted and not fully restored for months after the incident
Aug | Transport | Ontario Cannabis — 5-day province-wide halt to delivery & distribution of the government-controlled cannabis supply
Aug | Discrete Mfg | Bombardier (BRP) — 1 week production shutdown, and halts all sales orders and fulfillment
Aug | Transport | Apex Capital / TCS Fuel — 1-week impact to small trucking businesses relying on TCS Fuels for refilling trucks and paying operators
Sep | Transport | Novosibirsk TMS — 2+ days traffic chaos, due to traffic scheduling system being disabled then damaged to hamper restoration
Sep | Transport | Yandex Taxi — 3+ hours traffic chaos in Moscow, caused by attack that dispatched all Yandex Taxi's cars to the same location
Sep | Food & Bev | Läderach — 67-day interruption to production, logistics and administration
Sep | Power | Electricity Company of Ghana — 5+ days of power outages for pre-paid commercial and residential customers
Oct | Food & Bev | HiPP — Production shut down for days, and 1000 employees sent home
Oct | Discrete Mfg | Stimme Mediengruppe — Printing operations shut down and employees sent home; also impacted other regional publishing partners
Oct | Metals & Min | Aurubis — Production and delivery halted, and employees sent home at the Buffalo, NY plant
Oct | Transport | Danish Rails — Trains shut down for several hours at state-owned and largest rail operator
Oct | Process Mfg | Cartonnerie Gondardennes — Shut down prod. for 3 days and workers sent home until systems decrypted
Nov | Transport | Jeppesen — Jeppesen's flight planning tools shut down, causing multiple airline carriers to suffer flight delays
Nov | Discrete Mfg | Uponor — Shut down production and deliveries for 1 week, then reduced capacity for 2+ weeks
Nov | Discrete Mfg | PGT Innovations — Impacted manufacturing at 2 plants and contributed to $12m quarterly revenue loss
Nov | Food & Bev | Maple Leaf Foods — Disrupted ops. and services at multiple sites
Nov | Transport | Taxis Coop Québec — 2.5 hours dispatch system outage in the early morning hours
Nov | Discrete Mfg | EMA — 6+ day production line outage, and employees sent home
Nov | Transport | Communauto — 1-day ops. outage to ride-sharing services
Nov | Discrete Mfg | Prophete — 3–4-week operational shutdown with interruption of invoicing and delivery services caused company insolvency
Nov | Food & Bev | Cobolux — 1 day production loss; estimated €400K - €500K in damages and restoration costs
Dec | Discrete Mfg | UNOX — 2-day production shutdown
Dec | Food & Bev | Fruttagel — 4+ day production shutdown
Dec | Water | Empresas Públicas de Medellín (EPM) — Water distribution outage for 28k pre-paid customers; company had water trucked in
Dec | Discrete Mfg | Technolit — Operations shut down and employees sent home
Dec | Metals & Min | CMCC — 5 days pre-emptive shutdown, followed by 4 days of reduced production

Some of the year's highest-profile and most noteworthy incidents include:

• Outages at widely known businesses, including fourteen of Toyota's automobile
manufacturing plants, twenty-three of Bridgestone Tire's plants, and outages at Maple Leaf
Foods and Macmillan Publishers,
• Flight delays for tens of thousands of air travelers in four separate attacks,
• Physical operations impacted in four attacks on metals and mining, with one of the attacks
resulting in a fire and material equipment damage,
• Malfunctions of loading and unloading of cargo containers, fuel, and bulk oil for half a dozen
seaports on three continents, and
• Contributing to the insolvency of two victim organizations.
While none of these incidents made front page news the way we saw with the Colonial Pipeline
incident in 2021, 2022 did see these high-profile critical infrastructure sites impacted with physical
consequences.

Near Misses
While the core focus of the Threat Report is physically consequential OT cyber incidents, there
were several near misses that are worth examining for deeper insights into the nature of threats
to critical industrial infrastructure. We define near misses as cyber attacks that had the potential
for physical consequences if the circumstances of the attack had been slightly different. Six
noteworthy near misses that met our criteria were:

Month (2022) | Industry | Near Miss Description
Feb | Food & Bev | Seliatino Agrohub — Hacktivists tried to spoil 40K tons of frozen meat products in the Moscow region by changing temperature setpoints from -24 to +30 °C, but the attack was detected by operations, settings put back, and networks disconnected
Apr | Power | Seven Indian State Load Despatch Centres (SLDCs) — An 8-month-long, Chinese state-sponsored attack on Indian load despatch centres in the Ladakh region ultimately fails, amid an ongoing border dispute between the two nuclear powers
Apr | Power | Anonymous Electric Utility — ESET and CERT-UA determined with high confidence that Unit 74455 of Russia's GRU (a.k.a. Sandworm) targeted high-voltage substations in Ukraine with Industroyer2 malware, but the attack was detected and stopped while in progress
Jul | Power | DTEK’s Kryvorizka Power Plant — A combined kinetic and cyber attack on Ukraine’s grid, where both Russian missile strikes and an attempted cyber attack by threat group XakNet on the plant’s OT network ultimately fail to destabilize the grid
Aug | Water | South Staffs Water & Thames Water — Cl0p ransomware gang breaches IT & OT systems at South Staffs Water in the UK, but in a strange mix-up attempts to double-extort Thames Water, elsewhere in the country. Neither water utility suffers OT consequences
Oct | Transport | Secretariat of Infrastructure, Communications and Transportation (SICT) — Cyber attack shuts down IT systems at Mexico’s agency that licenses commercial truck operators, threatening to impair international trade and halt operations for truckers with expiring permits. An emergency decree extending all permits and papers to December 31st, and the subsequent lack of media reports on the issue, suggest the issue was resolved by the New Year

These incidents were noteworthy because:

• Five of the six attacks intended to damage industries such as the power grid, international
transport and trade, and the food supply and were ideologically or politically motivated, not
just financially motivated,
• Three of the six were nation-state attacks on the power grid between adversaries with
sizable militaries and in two cases nuclear weapons capabilities,
• One attack, on an unnamed Ukrainian electric utility, deployed a sophisticated new malware
called Industroyer2, that was subsequently well documented and studied by industrial cyber
security experts, and
• All these attacks targeted critical infrastructure, which means they sought to sabotage
operations or endeavors essential to the well-being of societies and economies.
The April 8th, 2022, Industroyer2 attack on an undisclosed electric utility company in Ukraine
deserves some elaboration. While the attack was detected and stopped before physical
operations were impacted, the circumstances were major news. This is because the threat actors
were credibly identified as the Sandworm group (Unit 74455 of Russia's GRU) by experts at
Slovakia’s ESET and Ukraine's Computer Emergency Response Team (CERT-UA).
In this nation-state attack, Sandworm attempted to cause a blackout in Ukraine by deploying
new malware, an evolution of the Industroyer (aka CrashOverride) malware deployed by the
same threat group against Ukraine's grid in December 2016. Industroyer2 is highly configurable
and can be recompiled for each new victim and environment. Because this malware contains no
mechanism useful for targeted ransomware, but is instead specifically tailored to target ICS power
grid infrastructure, this incident stood out in a year where ransomware dominated.
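The Seliatino Agrohub near miss above was caught because operators noticed a freezer setpoint jump from -24 to +30 °C. The monitor below is added here as an illustration of how that kind of observation can be automated; it is not code from the report or from any of the organizations it names. Each setpoint write taken from a historian or OPC server log is checked against the tag's engineering limits, against the largest step a legitimate operator action would make, and against an allow-list of hosts permitted to write the tag. The tag names, limits, host names and sample write records are all constructed for the example.

```python
"""Rule-based monitor for PLC setpoint writes.

Added example, not from the Waterfall/ICSSTRIVE report. Tag names, engineering
limits, host names and the sample write records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class SetpointWrite:
    ts: str        # ISO-8601 time of the write as logged by the historian / OPC server
    asset: str     # physical asset the tag belongs to
    tag: str       # PLC tag that was written
    old: float     # value before the write
    new: float     # value after the write
    source: str    # host that issued the write


@dataclass(frozen=True)
class TagPolicy:
    lo: float              # engineering low limit for a legitimate setpoint
    hi: float              # engineering high limit
    max_step: float        # largest single change expected from one operator action
    writers: frozenset     # hosts allowed to write this tag (HMI, engineering workstation)


# Constructed policy for a cold-storage freezer: a sane setpoint is between -30 and -15 °C,
# operators adjust it a degree or two at a time, and only two hosts may write it.
POLICY: dict[str, TagPolicy] = {
    "FRZ01.SP_TEMP": TagPolicy(lo=-30.0, hi=-15.0, max_step=3.0,
                               writers=frozenset({"hmi-01", "eng-ws-02"})),
}


def check_write(w: SetpointWrite, policy: dict[str, TagPolicy]) -> list[str]:
    """Return the rule violations for one write; an empty list means the write looks routine."""
    p = policy.get(w.tag)
    if p is None:
        # A write to a tag nobody has a policy for is itself worth a look.
        return [f"UNKNOWN_TAG {w.tag} written from {w.source}"]
    findings: list[str] = []
    if not (p.lo <= w.new <= p.hi):
        findings.append(f"OUT_OF_LIMITS {w.tag}={w.new} (allowed {p.lo}..{p.hi})")
    if abs(w.new - w.old) > p.max_step:
        findings.append(f"LARGE_STEP {w.tag} {w.old}->{w.new} (max step {p.max_step})")
    if w.source not in p.writers:
        findings.append(f"UNEXPECTED_WRITER {w.source} wrote {w.tag}")
    return findings


def scan(writes: Iterable[SetpointWrite],
         policy: dict[str, TagPolicy] = POLICY) -> list[tuple[SetpointWrite, list[str]]]:
    """Run every write through check_write and keep only the ones with findings."""
    return [(w, f) for w in writes if (f := check_write(w, policy))]


# Constructed sample: two routine operator adjustments, then a write resembling the attack,
# then a write to a tag with no policy.
SAMPLE = [
    SetpointWrite("2022-02-11T06:00:00Z", "freezer-1", "FRZ01.SP_TEMP", -24.0, -23.0, "hmi-01"),
    SetpointWrite("2022-02-11T06:05:00Z", "freezer-1", "FRZ01.SP_TEMP", -23.0, -24.0, "hmi-01"),
    SetpointWrite("2022-02-11T06:07:13Z", "freezer-1", "FRZ01.SP_TEMP", -24.0, 30.0, "vpn-gw-01"),
    SetpointWrite("2022-02-11T06:07:20Z", "freezer-2", "FRZ02.SP_TEMP", -24.0, -24.0, "hmi-01"),
]

if __name__ == "__main__":
    for w, findings in scan(SAMPLE):
        print(w.ts, w.tag, *findings, sep=" | ")
```

The three rules are deliberately independent: the attack write trips all of them at once, but a single finding (a plausible value written from an unexpected host, say) is still worth an alert, because the limits and step size only catch attackers who do not bother to look like an operator.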

Threat Analysis
Attack Trends
Figure (1) shows 2022’s attack numbers in the context of attacks meeting the same criteria from
2010 onwards. The graph shows that in the decade from 2010-2019, such attacks were a largely
theoretical problem. In that decade, there were many reported attacks on industrial operations,
but almost all were cyber-espionage attacks that stole information, not cyber-sabotage attacks
that impaired operations. Governments were concerned that espionage attacks demonstrated
material weaknesses in industrial defenses, but owners and operators were by and large less
concerned about becoming a target or suffering any material impact to their operations.
This changed in the current decade. Since 2020, public reports of cyber attacks with physical
consequences in our focused industries have more than doubled annually. This is exponential
growth. The number of impacted sites is growing at roughly the same rate; more than 150 sites
were impacted this year. However, there are larger variations in the number of impacted sites
from year to year than in the number of attacks impacting those sites. At the current rate, the
number of attacks and the number of affected sites are increasing roughly ten-fold every 2.5
years. If this trend continues, we can expect a 100-fold increase in attacks and impacted sites in
2027 vs 2022.

Figure (1): Consequential Cyber Attacks
This is arguably a “state change” in the global cyber threat environment. Given the trend since
the beginning of the decade, it appears very unlikely that we will ever return to a year like 2013
where there was no cyber attack with physical consequences, or 2018 where there was only the
one such attack.

Threat Actors
While public reports of these attacks generally contain few details about the perpetrators,
figure (2) illustrates what we do know about the threat actors. In 16% of 2022’s attacks (9 of
57), the nature of the threat actor was not identified or reported in the public record; what was
reported was only that a cyber attack caused outages or consequences, and to whom. Another
74% of the attacks (42) were ransomware and the remaining 11% (6) were by hacktivists. None
of these incidents with physical consequences showed clear evidence of material state
sponsorship.

Figure (2): Attack Type

Hacktivism
2022 was the year that attacks by hacktivists became consequential to physical operations,
comprising over 1 in every 10 attacks (11%). Contrast this with 2021, where there was only a
single incident of hacktivists causing physical consequences to an industrial target: the attack on
Iran Rails. None of 2022’s hacktivist attacks had a financial demand attached. Rather, each
hacktivist group had a political or ideological agenda and in every case set out to disrupt critical
infrastructure or services.
All six hacktivist incidents fall into two on-going conflicts: one incident reflects the conflict between
Iran and Israel, and the others were part of the Russo-Ukrainian conflict. Of the total, four attacks
disrupted transportation industry operations (rails, public transportation, or taxi services), one
targeted a steel mill and caused a fire and equipment damage, and the last targeted EV charging
stations belonging to a power utility. While there were additional reports of attacks on Russia
and Belarus by the hacktivist group Team One Fist, the only information available on these attacks
was reports from the attackers themselves. If credible corroborating reports become available, a
future threat report will update the attack list to include these incidents.

Criminal Ransomware
In 2022, 42 ransomware attacks were identified with physical consequences in discrete
manufacturing, process industries and industrial critical infrastructure. That is nearly as many as
the 47 such attacks in all previous study years combined (2010-2021). Of the known ransomware
attacks in 2022, 17 (40%) are attributed to a known ransomware type or group. Attribution by the
numbers was (6) by BlackCat or ALPHV; (2) each by Conti, Lockbit, Hive, and Black Basta; and
(1) each to Black Byte, RansomEXX, and LV.
Most ransomware attacks in this report caused operational shutdowns not deliberately, but
because either IT systems that were essential to continued operation of OT systems were crippled
by the attack, or because the victim organization chose to shut down operations to prevent the
spread of ransomware to those systems in “an abundance of caution.”
Note that in the last decade, only two (2) cases on record did not have a public attribution of the
threat actor. A general trend through last year was that more victims are choosing not to disclose
information or details about the cyber attack they suffered. In some cases, these incidents were
only disclosed by third parties with first-hand knowledge of the attack. Given that two companies
each cited one of these attacks as a factor in their insolvency, and that ransomware gangs
increasingly employ double or triple extortion techniques, it makes sense that organizations are
being more tight-lipped. Victims' motivations to avoid public disclosure include refusing to give
criminals the upper hand in any possible ransom negotiations and protecting themselves from
legal and regulatory consequences.

Geography
Figure (3) is one perspective on the geographic distribution of victim sites. Attributing a geography
to each of these cyber attacks is problematic, because so many victims had multiple affected sites
in multiple geographies and jurisdictions. Appendix A attributes a geography to each incident as
follows:

• If sites in only one country were affected, we list that country.
• If sites in many countries were affected, we list the country of the victim's head office.

While numerous public reports detail widespread IT-style cyber attacks on Ukrainian targets, no
such attacks in 2022 had physical OT consequences that qualify for this threat report. It is
important, however, to recall the two near-miss attacks on Ukraine's power grid. This may indicate
that the cyber landscape mirrors the situation on the battlefield, with Ukrainian defenses
successfully countering OT cyber attacks, disabling and uncovering OT malware such as
Industroyer2 before it reached its intended targets.

Figure (3): Geographical Distribution in 2022

Conversely, Russia and its allies experienced multiple attacks with physical consequences in
2022. Besides the March 24th ransomware attack on TAVR, most of these attacks were politically
motivated rather than financially driven, and are identified as hacktivist attacks in this report.

Industries
Figure (5) illustrates the year's industry breakdown. Transportation, discrete manufacturing, and
food & beverage are 2022’s top three victim industries, the same as the previous year. One
possible reason for this distribution is that “discrete manufacturing” is in fact not one industry but
many, and market research suggests that there are at least as many discrete manufacturing sites
on the planet as the sum of all critical industrial infrastructure and process manufacturing sites. It
is therefore perhaps not surprising that this collection of industries suffers a comparable fraction
of outages due to cyber attacks. We will look at finer differentiation of this sector in future reports.

Figure (5): Breakdown by Industry Distribution
Another factor contributing to industry targeting may be IT/OT interdependencies. In the
transportation industry, IT systems are often essential to minute-by-minute operations, because it
is the IT systems that track packages, containers, and contents. In a large fraction of ransomware
attacks, IT networks are the first networks compromised, and the first networks whose contents
and systems are encrypted and impaired. Thus, industries whose physical operations and OT
automation systems are heavily dependent on IT systems are more likely to suffer physical
consequences when ransomware enters their IT networks.
Note: we look deeper at IT / OT interdependencies later in the report.

Key Takeaways
Attack Sophistication
When we observe cyber attacks with physical consequences more than doubling annually, it is
no surprise that authorities all over the world are issuing new guidance and even new regulations.
In last year's Waterfall / ICSSTRIVE threat report, we observed that the most sophisticated
ransomware groups were using attack tools and techniques that less than 5 years ago were being
used exclusively by nation-state threat actors. This year’s US National Cybersecurity Strategy
document confirms this conclusion:

    Once available only to a small number of well-resourced countries, offensive
    hacking tools and services, including foreign commercial spyware, are now
    widely accessible. These tools and services empower countries that
    previously lacked the ability to harm U.S. interests in cyberspace and enable a
    growing threat from organized criminal syndicates.

Therefore, at least some of what we see nation states doing to each other today, we should expect
ransomware criminal groups to be doing to anyone with money within less than five years. In
addition, as nation-state-grade attacks in the hands of ransomware criminals target an ever-
widening swath of industrial operations, the US national strategy recommends that we must
change how we think about cybersecurity, concluding:

    A single person’s momentary lapse in judgment, use of an outdated password,
    or errant click on a suspicious link should not have national security
    consequences. Our collective cyber resilience cannot rely on the constant
    vigilance of our smallest organizations and individual citizens.

This recommendation captures the need for increased security, for new perspectives on security
and for new approaches to implementing cybersecurity measures.

IT Dependencies in OT
When we see transportation systems failing because ransomware attacks impair IT networks, it
is no surprise that the TSA is targeting IT/OT interdependencies explicitly in its new directives.
TSA Security Directive 2021-02C is the latest directive for pipelines and is very similar to the new
TSA Security Directive 1580/82-2022-01 that applies to rail systems. The approach to
cybersecurity that the TSA created in response to the Colonial Pipeline attack seems to be turning
into the template for directives the TSA is issuing to other industries.
Both directives include strong language for the IT/OT interface and for IT/OT dependencies. Both
TSA directives start by defining network and system criticality in terms of the worst-case
consequences of cyber compromise. The directives then require specific security measures at
the IT/OT criticality boundary. Worst-case consequences of compromise on OT networks tend to
be physical – production downtime, equipment damage or worse. Worst-case consequences on
IT networks tend to be business consequences – clean-up costs, the theft of proprietary data and
Personally Identifiable Information (PII) leakage lawsuits. At the connection between these two
networks with very different kinds of consequences, the TSA requires very specific security
measures:
• OT networks must continue operating at “necessary capacity,” even when IT networks are
compromised,
• Owners and operators must eliminate all OT dependencies on IT services and if they
cannot, must document residual dependencies and compensating measures to the TSA,
• Owners and operators must eliminate all OT to IT domain trust relationships, and if they
cannot, must develop policies to manage the risks due to those dangerous trusts, and
• OT networks must be designed so that they can be isolated from IT networks during incident
response procedures.
In discussing these directives with industry stakeholders throughout the last 12 months, it has
become clear that it can be very difficult to eliminate all OT dependencies on IT systems. However,
we cannot simply ignore any dependencies that must remain. Instead, we must recognize that IT
systems that are essential to continued physical operations are in fact reliability-critical
components. These reliability-critical systems may be hosted on the IT network instead of the OT
network but must be managed and secured as if they were OT systems. For example:

• If a pipeline depends on a custody transfer and billing system in IT: modify our customer
contracts so that if we must declare force majeure, custody transfer billing enters an
“approximation” mode. The OT system caches all billing-relevant data in a historian or other
repository until the billing system recovers and can reconcile accounts.
• If a passenger rail system depends on customers having access to a ticketing system, then
host the entire ticketing system on a virtual machine, keep a known-good copy of the VM
stored where attackers cannot reach it, and log ticket purchase transactions to write-once
media. Then if the IT network fails, we can promptly restore the ticketing system and replay
the transaction logs to restore functionality.
• If a factory needs new production orders and specifications to execute against when the
current production run is complete, then keep a queue of 7-10 days of such orders stored in
the OT system in case the IT system is compromised.
Note: if quick recovery of an IT system is essential, such as in the ticketing example above, we
must also eliminate dependencies that the reliability-critical IT system may have on other external
systems. For example, we should remove critical systems from management by the main Active
Directory system, so that if the main IT AD system is impaired, then the critical ticketing system
can come up and function correctly even without the rest of the IT network functioning.
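The ticketing pattern above (journal every purchase to write-once media, keep a known-good snapshot out of reach, restore and replay after the IT network fails) as an added illustration, not code from the report or from any rail operator; the record format, the hash-chained journal standing in for write-once media, and the sample passengers are all constructed:

```python
"""Added example (not from the Waterfall/ICSSTRIVE report): a reliability-critical
ticketing service whose purchases are journaled to a write-once log so that, after
the IT network is lost, a known-good snapshot can be restored and the journal replayed.
Record format, journal design and sample data are constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class TicketState:
    """In-memory state of the hypothetical ticketing system."""
    sold: dict = field(default_factory=dict)   # ticket_id -> passenger
    seats_left: int = 100


class WriteOnceJournal:
    """Append-only, hash-chained journal standing in for write-once media.
    Each entry commits to the previous digest, so an altered or dropped
    entry is detected during replay instead of silently corrupting state."""

    def __init__(self):
        self._entries = []

    def append(self, record: dict) -> None:
        prev = self._entries[-1]["digest"] if self._entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self._entries.append({"prev": prev, "body": body, "digest": digest})

    def entries(self) -> list:
        return list(self._entries)


def apply(state: TicketState, record: dict) -> None:
    """Apply one purchase. Idempotent on ticket_id, so replaying entries that
    were already captured in the snapshot does not double-sell a seat."""
    if record["ticket_id"] in state.sold:
        return
    if state.seats_left <= 0:
        raise RuntimeError("oversold")
    state.sold[record["ticket_id"]] = record["passenger"]
    state.seats_left -= 1


def sell(state: TicketState, journal: WriteOnceJournal,
         ticket_id: str, passenger: str) -> None:
    record = {"ticket_id": ticket_id, "passenger": passenger}
    journal.append(record)   # journal first, so the sale survives a crash
    apply(state, record)


def snapshot(state: TicketState) -> str:
    """Known-good copy, kept where an attacker on the IT network cannot reach it."""
    return json.dumps({"sold": state.sold, "seats_left": state.seats_left})


def restore(snapshot_json: str, journal: WriteOnceJournal) -> TicketState:
    """Rebuild from the snapshot, then replay the whole journal, verifying the chain."""
    data = json.loads(snapshot_json)
    state = TicketState(sold=dict(data["sold"]), seats_left=data["seats_left"])
    prev = "0" * 64
    for e in journal.entries():
        expect = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
        if e["prev"] != prev or e["digest"] != expect:
            raise ValueError("journal integrity failure at " + e["digest"][:8])
        apply(state, json.loads(e["body"]))
        prev = e["digest"]
    return state


def demo() -> TicketState:
    """Two sales, a snapshot, one more sale, then loss of the live VM and recovery."""
    state, journal = TicketState(), WriteOnceJournal()
    sell(state, journal, "T1", "alice")
    sell(state, journal, "T2", "bob")
    saved = snapshot(state)               # periodic known-good copy
    sell(state, journal, "T3", "carol")   # sale made after the snapshot
    return restore(saved, journal)        # replay recovers T3 without re-selling T1, T2


if __name__ == "__main__":
    print(demo())
```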

External Dependencies
2022 saw 14 Toyota plants shut down because Kojima Industries, a Toyota supplier, was shut
down by a ransomware attack. News reports indicated that the Toyota plants shut down because:

• Just-in-time manufacturing meant that Toyota had no inventory of Kojima’s parts and so
Toyota factories had no choice but to stop production for lack of those parts, and
• Just-in-time coordination software at Toyota and throughout the Toyota supply chain had
connections to the compromised Kojima network and systems, so Toyota and most of the
connected manufacturers shut down in “an abundance of caution” while they were inspected
for copies of the ransomware.
A more general lesson therefore is about dependencies on external systems and suppliers. If a
supplier cannot deliver goods or services essential to physical operations at a manufacturer or
other industrial operation, then the affected operation must shut down. And if a supplier or cloud
services provider with connections into a manufacturer is compromised, then again that
manufacturer and in fact every industrial operation with connections to that compromised provider
risks an “abundance of caution” shutdown. Whether a client of the compromised supplier or
service shuts down depends of course on the strength of cybersecurity at each client.
Predictions
Use of Artificial Intelligence for Stage 2 in the ICS Cyber Kill Chain
In November 2022, ChatGPT was released, and since then artificial intelligence tools have
become mainstream. Simultaneously, other tools based on Large Language Models (LLMs) have
emerged, targeting various activities. It is expected that attackers will incorporate these tools into
their offensive arsenals. We also predict that these tools will be used to create OT malware for
Stage 2 of the ICS kill chain – the payload – to achieve physical consequences.
Creating OT payloads that are able to bring about consequences more serious than a shutdown
of physical operations is challenging. To date, such payloads have been crafted exclusively by
nation-state actors able to hire personnel with deep engineering expertise. Moreover, many OT
environments differ significantly across industries and even across sites within the same
organization. This means that even engineering-sophisticated attackers may spend months
studying a specific environment to launch an effective attack. Malware with payloads targeting OT
systems is rare, and only STUXNET, HAVEX, BlackEnergy, Industroyer, CrashOverride, TRISIS,
and PipeDream are known examples.
The emergence of AI tools that offer in depth knowledge on various subjects increases the risk
that AI could potentially create these payloads on demand, creating payloads for Stage 2 that
involve more intricate actions which could result in nation-state grade physical consequences.

Enhanced Global Response and Legislation

The predictable reaction for a government when the safety of its citizens is involved is to enact
legislation to reduce the impact of the threat. As discussed earlier, the US TSA issued new
regulations for the nation’s most important pipelines less than two months after the Colonial
Pipeline outage. With consequential cyber attacks increasing ten-fold every 2.5 years, it is
inevitable that there will be additional attacks causing outages of high-profile critical
infrastructures throughout the next half decade. Owners and operators should expect
governments in many jurisdictions to issue new cybersecurity regulations because of this trend,
as those governments become aware of the state change in the threat environment.
We are already seeing governments expressing a need for change. The first pillar of the Biden-
Harris National Cybersecurity Strategy for example, is to defend critical infrastructure and
essential services from attacks, while the new NIS2 legislation in Europe is an effort intended to
harmonize cybersecurity policies for all European nations.
We expect the impact of these initiatives on OT cybersecurity programs to include:

• An increased focus on segmenting critical OT systems from IT networks to prevent
consequences based on IT dependencies and “abundance of caution” shutdowns,
• New legislation requiring more transparency when reporting attacks and their resultant
consequences – NIS2 already requires that an early warning must be issued within 24
hours, followed by an incident notification within 72 hours, and a complete incident report
within one month, and
• Wider collaboration, both at the state and international levels, with the creation of new
organizations to oversee the response to global attacks, such as the newly established
European Cyber Crisis Liaison Organization Network (EU-CyCLONe).
We expect the future of cybersecurity regulation for OT networks in at least critical industrial
infrastructure to focus on preventing outages and recovering more quickly from outages, rather
than protecting information.

Emergence of Engineered Cybersecurity

The publication of the US Department of Energy’s Cyber-Informed Engineering (CIE) Strategy
was another highlight of 2022. That strategy recognizes that, in a world where very sophisticated
and consequential cyber attacks are becoming the norm, and attacks with physical consequences
are more than doubling annually, the engineering profession has powerful tools available to
address physical risks due to cyber attacks. For example:

• Safety engineering: spring-loaded, over-pressure valves and other mechanical safeties can
make over-pressure explosions and other safety consequences physically impossible –
eliminating those consequences as cyber risks.
• Digital protection: digital circuits with gate arrays and ASICs but no CPUs can carry out
complex equipment-protection and other functions, and the function of these digital circuits
cannot be subverted by a cyber attack.
• Network engineering: monitor-only IIoT networks can protect against compromised cloud
systems, and unidirectional gateway technology can protect against any external
compromise penetrating to a protected system: this class of protection can enable
monitoring of industrial systems, without introducing risks of cyber-sabotage to those
systems.
All these approaches are unique to the engineering profession – where is an over-pressure valve
in the NIST Cybersecurity Framework for example? Or in the IEC 62443 standards? And unlike
conventional IT-grade protections, the CIE approach yields defenses that are engineering-grade
and can be empirically modeled to work predictably and consistently for decades, even when
under attack, and even as the attacks evolve into the future.
Summary
In short, key take-aways from the 2022 data set and analysis include:

• Industrial cybersecurity has transformed from a mostly theoretical problem last decade to a
very real and rapidly growing problem this decade,
• Cyber attacks with physical consequences in the industries we track are increasing
exponentially – if this rate of growth persists, we will see at least 4,500 incidents per year,
affecting over 15,000 industrial sites by the end of 2027,
• Most of these attacks are ransomware, but hacktivists are increasing their activities,
• The transportation industry suffered the greatest number of attacks this year, with many of
those attacks involving OT dependencies on IT systems,
• The US TSA has issued new directives for rails that mirror their 2021 pipeline directives, and
many of the measures in these directives directly target IT/OT connections and IT/OT
interdependencies,
• Large language-model-based tools, such as ChatGPT, have the potential to significantly
enhance the capabilities of attackers in orchestrating cyber attacks with physical
consequences,
• We should expect new regulations and legislation in many jurisdictions as cyber attacks
increasingly impact national security and the daily lives of citizens, and
• The new CIE strategy shows promise for developing an engineering body of knowledge for
designing out cyber risk to physical operations and public safety.
The industrial security threat environment suffered a significant transformation after 2020 –
attacks with physical consequences are now increasing exponentially. The US administration has
already reacted to the first symptoms of this transformation by modifying their defensive
strategies. Other authorities world-wide will have no choice but to follow suit in the years ahead.
Appendix A – 2010-2022 Data Set

The following is a detailed listing of all cyber attacks with physical consequences in our tracked industries in the public record, from the beginning
of 2010 to 2022’s year end. Estimates of the number of sites affected, and impact costs are lower bounds where we report the lowest reasonable
numbers that are supported by public reports of the incident.

Threat OT / Physical
Date Victim Region Industry Sites Cost Incident Summary References
Actor Consequences
2010 Stuxnet Iran Process Mfg. Nation State 1 Destroyed 1000 centrifuges at Plant was infected by the Stuxnet worm in a targeted https://en.wikipedia.org/
07-15 Natanz attack designed to disrupt Iran's nuclear enrichment wiki/Stuxnet
program
2012 Iran's main oil export terminals Iran Oil & Gas Nation State 6 Shutdown 6 terminals 6 terminals ops. affected by Flame malware. News bbc.com/news/world- iranprimer.usip.org/blog/
04-22 outlets confirm outage, despite Iran downplaying the middle-east-59062907 2021/nov/02/israel-iran-
attack's effects cyber-war-gas-station-
attack
2012 Unknown Power Plant USA Power Unknown 1 Delayed turbine restart (thus 10 plant PCs were infected by Mariposa malware us-
10-? power generation) by 3 weeks variant, transmitted through a USB stick. Occurred cert.gov/sites/default/file
during scheduled shutdown for maintenance s/Monitors/ICS-
CERT_Monitor_Oct-
Dec2012.pdf
2014 German steel mill Germany Metals & Unknown 1 Caused "massive damage" to Sophisticated attack using spear phishing and ICS bbc.com/news/technolo
12-22 Mining plant equipment knowledge to disable the control system, causing an gy-30575104
uncontrolled shutdown of the blast furnace
2015 Prykarpattyaoblenergo, Ukraine Power Nation State 32 Power outage lasts up to 6 hours First publicly known attack on a power grid occurs en.wikipedia.org/wiki/20 arstechnica.com/inform
12-13 Chernivtsioblenergo, and affecting 230K people when threat actor Sandworm deploys BlackEnergy 3 15_Ukraine_power_grid ation-
Kyivoblenergo malware into the utility's network _hack technology/2016/01/first
-known-hacker-caused-
power-outage-signals-
troubling-escalation
2016 Pivnichna substation, Kyiv Ukraine Power Nation State 1 Power outage for 20% of Kyiv for Sandworm suspected in deploying Industroyer (also: en.wikipedia.org/wiki/20 arstechnica.com/inform
12-17 over 1 hour CrashOverride) malware, by exploiting a vulnerability 16_Kyiv_cyberattack ation-
in Siemens SIPROTEC relays technology/2017/06/cra
sh-override-malware-
may-sabotage-electric-
grids-but-its-no-stuxnet
2017 Renault-Nissan France, Discrete Mfg. Ransomware 5 Shutdown plants in Douai, WannaCry ransomware, spread by the ExternalBlue industrialcybersecurityp
05-12 Slovenia, Sandouville, Slovenia, Pitesti, and exploit, hit 5 plants for 1 day ulse.com/facilities/throw
Romania, Chennai for 1 day back-attack-wannacry-
India ransomware-takes-
renault-nissan-plants-
offline
2017 AP Moller-Maersk / Gateway India Transportation Ransomware 1 Shutdown operations at the JNPT JNPT's GTI container terminal depends on Maersk's timesofindia.indiatimes.
06-27 Terminals India (GTI) GTI Terminal systems located in the Hague, which fell victim to a com/india/indias-largest-
Petya ransomware attack container-port-jnpt-hit-
by-
ransomware/articleshow
/59346704.cms
2017 Countless Global All Nation State 1 $10B Outages throughout many NotPetya malware, created by Russian actors wired.com/story/notpety
06-27 industries: one incident, countless targeting Ukraine, spreads indiscriminately through a-cyberattack-ukraine-
victims networks using the EternalBlue exploit, permanently russia-code-crashed-
encrypting data the-world
2017 Unknown Petrochemical Plant Saudi Arabia Oil & Gas Nation State 1 Shutdown one plant, twice Triton malware employed to infect and reprogram theguardian.com/techno
08-? Triconex safety systems. This triggered an automatic logy/2017/dec/15/triton-
shutdown, alerting operations. Occurred twice hackers-malware-
attack-safety-systems-
energy-plant
2017 AW North Carolina USA Discrete Mfg. Ransomware 1 $1M Shutdown ops. for 4 hours, and Just-in-time transmission component supplier to industrialcybersecurityp apnews.com/article/nc-
08-16 caused a ripple delay effect in the Toyota, Honda and others is hit by ransomware that ulse.com/threats- state-wire-north-
auto supply chain slipped through firewall and AV software defenses vulnerabilities/throwbac america-us-news-ap-
k-attack-aw-north- top-news-north-carolina-
carolina-attack-shows- e316bd63f21a4fd181b3f
dangers-of- b4a8dd7a5ba
ransomware-and-just-in-
time-manufacturing
18 / 26

Threat OT / Physical
Date Victim Region Industry Sites Cost Incident Summary References
Actor Consequences
2018 Taiwan Semiconductor Taiwan Discrete Mfg. Ransomware 3 $255M Shutdown operations at Tainan, WannaCry ransomware caused the outage. Supplier itpro.com/security/3162
08-03 Manufacturing Co (TSMC) Hsinchu, and Taichung; Lost 3% in installed software on some machines accidentally 9/tsmc-cyber-attack-
quarterly revenue infected with the malware, without running AV was-apparently-caused-
by-wannacry
2019 Unknown gas pipeline USA Oil & Gas Ransomware 1 Shutdown pipeline for 2 days Attackers used spear phishing to gain initial access to securityweek.com/opera
?-? the IT network, then pivoted into the OT network due tions-us-natural-gas-
to poor segmentation. Then, they planted ransomware facilities-disrupted-
ransomware-attack
2019 Norsk Hydro Norway Metals & Ransomware 170 $71M Halted production at 170 sheet Infected by the LockerGoga ransomware, initially news.microsoft.com/sou
03-18 Mining aluminum plants spread at Norsky Hydro through phishing emails on rce/features/digital-
the IT network transformation/hackers-
hit-norsk-hydro-
ransomware-company-
responded-transparency
2019 City Power Johannesburg South Africa Power Ransomware 1 Power outage for 250k customers Ransomware encrypts the IT system, preventing twitter.com/CityPowerJh bbc.com/news/technolo
07-26 and delayed restoration customers on pre-paid plans from purchasing b/status/115427777795 gy-49125853
electricity, and hampering line crews’ efforts to restore 0093313
localized blackouts
2019 Pilz Germany Discrete Mfg. Ransomware 1 Shutdown systems, reverted to Slowdown due to impaired order tracking, due to drivesncontrols.com/ne
10-13 manual ops., and slowed BitPaymer ransomware attack ws/fullstory.php/aid/619
production for 1 week 1/Pilz_is_recovering_fro
m_a__91major_92_rans
omware_attack.html
2019 RavnAir Alaska USA Transportation Ransomware 1 Canceled Dash-8-100 flights for 24 Canceled Dash-8 flights because a cyber attack theregister.com/2020/01
12-20 hours caused outage of the Dash-8 maintenance system /02/ravnair_ransomware
and its backup, which is required for flight _dhc_dash_8
2020 Picanol Belgium, Discrete Mfg. Ransomware 3 €1M Shutdown manufacturing plants for Picanol is a manufacturer of weaving machines, and picanolgroup.com/en/inv
01-13 Romania, 1 weeks, and sent workers home their manufacturing plants are heavily automated. estors/press-
China Financial impact amounts paid for external experts releases/press-release-
cyber-attack-update-
january-31-2020
2020 Toll Group Australia Transportation Ransomware 1 Shutdown systems and reverted to Australian-based global logistics company suffered a zdnet.com/article/deliver zdnet.com/article/toll-
01-31 manual ops. targeted ransomware attack, and shutdown ies-stranded-across- group-shuts-down-it-
automation in an abundance of caution australia-as-toll- systems-in-response-to-
confirms-ransomware- cybersecurity-incident
attack
2020 Miltenyi Biotech Germany Discrete Mfg. Ransomware 28 Impaired global order processing Mount Locker ransomware impacted manufacturer bleepingcomputer.com/
02-02 for 2 weeks and distributor of biotechnology & COVID-19 news/security/biotech-
products. 150 GB data was exfiltrated and 1GB research-firm-miltenyi-
leaked publicly biotec-hit-by-
ransomware-data-
leaked
2020 KHS Bicycles USA Discrete Mfg. Ransomware 1 Delayed shipments for 2 days Could not process B2B orders and ship bikes bicycleretailer.com/indu
02-24 following a ransomware attack over the weekend stry-
news/2020/02/25/khs-
bicycles-systems-
hacked-distributor-halts-
shipments#.YG3-
wC1h3ox
2020 EVRAZ manufacturing USA & Discrete Mfg. Ransomware 2 Shutdown operations at several After an attack on IT systems, production was halted cbc.ca/news/canada/sa globalnews.ca/news/66
03-04 Canada plants, and sent 900+ workers at least two sites in Canada. IT systems depend on skatchewan/evraz- 40313/evraz-regina-
home for 3+ days OT and "necessary to ensure standards and regina-shut-down- cyberattack-layoffs
traceability" ransomware-attack-
1.5487017
2020 Shahid Rajaee port Iran Transportation Nation State 1 Halted port terminal, abruptly and Sophisticated attack by Israel and retaliation for Iran's timesofisrael.com/6- timesofisrael.com/cyber-
05-09 inexplicably attacks on Israeli water systems in April, which were facilities-said-hit-in- attacks-again-hit-
caught and defeated in real-time irans-cyberattack-on- israels-water-system-
israels-water-system-in- shutting-agricultural-
april pumps
2020 Fisher & Paykel Appliances New Zealand Discrete Mfg. Ransomware 1 Shutdown appliance Victim of the Netfilim ransomware group. They stuff.co.nz/business/121
06-04 manufacturing and distribution refused to pay and suffered a large data leak 849569/appliance-
ops. repairer-in-the-dark-
after-ransomware-
attack-on-fp-appliances
2020 Honda Japan, Discrete Mfg. Ransomware 4 Shutdown global plant Victim of EKANS ("Snake") ransomware that spread icsstrive.com/incident/h telegraph.co.uk/technol
06-09 Turkey, UK, manufacturing ops. for 4 days and to at least 4 plants. The malware spread from IT onda-manufacturing- ogy/2020/06/09/hondas-
USA delayed vehicle shipments servers to the control network suggesting poor attack global-factories-brought-
network segmentation standstill-cyber-attack
2020 Lion Australia Food & Ransomware 45 Shutdown brewery operations for Hit by two separate REvil ransomware attacks weeks zdnet.com/article/lion- smh.com.au/technology/
06-09 Beverage 2+ weeks apart, during the early months of the Covid-19 warns-of-beer- cyber-crisis-deepens-at-
pandemic shortages-following- lion-as-second-attack-
ransomware-attack bites-beer-giant-
20200618-p5540c.html
19 / 26

Threat OT / Physical
Date Victim Region Industry Sites Cost Incident Summary References
Actor Consequences
2020 X-FAB Germany, Discrete Mfg. Ransomware 6 Shutdown all plants: down 2 X-FAB is a leading MEMS analog/mixed-signal chip businesswire.com/news/
07-05 France, weeks at 5 sites, and 1 week for fab and fell victim to a Maze ransomware attack home/20200705005045/
Malaysia, another en/X-FAB-Affected-by-
USA Cyber-Attack
2020 Tower Semiconductor Israel Discrete Mfg. Ransomware 2 Shutdown "several" plants Tower Semi manufactures integrated circuits, and has cisomag.com/tower-
09-06 2 plants in Israel, 2 in the USA, and 3 in Japan. semiconductor-
Further details were not made public cyberattack
2020 Bluescope Steel Australia Discrete Mfg. Ransomware 2 Shutdown production, and Ransomware infection was first detected in their USA- abc.net.au/news/2020-
09-15 reverted to manual operations for based subsidiary, but the attack eventually impacted 05-15/bluescope-steel-
some processes global production ops. cyber-attack-shut-down-
kembla-
ransomware/12251316
2020 IPG Photonics USA Discrete Mfg. Ransomware 2 Shutdown global parts The Oxford, MA based industrial, medical, and military icsstrive.com/editorials/r bleepingcomputer.com/
10-17 manufacturing and shipping laser manufacturer was hit by RansomExx malware ansomware-hits-ma- news/security/leading-
laser-maker us-laser-developer-ipg-
photonics-hit-with-
ransomware/
2020 Société de transport de Canada Transportation Ransomware 1 $2M Shutdown on-call, door to door, Montreal's transit service was hit by RansomExx cbc.ca/news/canada/mo stm.info/en/press/news/
10-19 Montréal (STM) paratransit services for nearly a ransomware, and they refused to pay the $2.8 mil ntreal/stm-refused-to- 2020/the-stm-
week demanded pay-2-8-million- completes-cyber-attack-
ransomware-attack- investigation
1.5782838
2020 Steelcase USA Discrete Mfg. Ransomware 1 $60M Shutdown all plants for 2 weeks; Office furniture maker the victim of a Ryuk bleepingcomputer.com/ mibiz.com/sections/man
10-22 delayed $60m in shipments to the ransomware attack that shutdown global order news/security/steelcase ufacturing/cyberattack-
4th quarter management, manufacturing, and distribution systems -furniture-giant-hit-by- delays-60-million-in-
ryuk-ransomware-attack shipments-for-
steelcase-as-pandemic-
continues-to-batter-
office-furniture-orders
2020 Dr Reddy's Laboratories India, UK, Discrete Mfg. Ransomware 5 Shutdown production at 5 plants A week after agreeing to produce the Sputnik V businessinsider.in/india/ thehindu.com/business/I
10-22 Brazil, and stocks fell 3% Covid-19 vaccine for final trials, Dr Reddy's was news/dr-reddys-shares- ndustry/oct-22-data-
Russia, USA subject to a ransomware attack fell-over-3-the-drug- breach-involved-a-
maker-isolated-all-data- ransomware-attack-dr-
service-centers-after-a- reddys/article32962438.
cyber- ece
attack/articleshow/7880
6238.cms
2020 Stelco Canada Discrete Mfg. Unknown 1 Shutdown steel production, The company has reported the incident to law insurancebusinessmag.
10-25 temporarily enforcement and did not give further details. com/ca/news/cyber/stel
co-reveals-information-
systems-were-
subjected-to-a-criminal-
attack-237287.aspx
2020 Symrise Germany Discrete Mfg. Ransomware 1 Shutdown production out of The flavor and fragrance manufacturer was hit by a bleepingcomputer.com/ handelsblatt.com/untern
12-13 abundance of caution Cl0p ransomware attack news/security/flavors- ehmen/industrie/mdax-
designer-symrise-halts- konzern-hacker-legen-
production-after-clop- symrise-lahm-warum-
ransomware-attack der-fall-besonders-
schwerwiegend-
ist/26718680.html
2020 Forward Air USA Transportation Ransomware 1 Shutdown operations and delayed Hades ransomware gang attack impacted both IT and freightwaves.com/news/ freightwaves.com/news/
12-15 shipments for a week OT systems leading to delivery delays which may news-alert-forward-air- news-alert-forward-airs-
impact financial results reveals-ransomware- systems-coming-back-
attack-warns-of- online
revenue-hit
2021 Westrock USA Discrete Mfg. Ransomware 1 Forced manual ops, reduced After the packaging manufacturer was hit by ir.westrock.com/press-
01-23 production by 85K tons, and ransomware, they shutdown systems in an releases/press-release-
delayed shipments abundance of caution, which impacted production and details/2021/WestRock-
shipment volumes Provides-Update-on-
Ransomware-Incident-
8dfde2fca/default.aspx
2021 Palfinger AG Europe, N. & Discrete Mfg. Ransomware 31 Lost nearly 2 weeks crane The world's largest crane manufacturer. All global bitdefender.com.au/blog
01-26 S. America, production at all plants plants were affected. /hotforsecurity/worlds-
Asia largest-crane-maker-
suffers-global-cyber-
attack-operations-at-a-
halt
2021 Beneteau SA France Discrete Mfg. Ransomware 2 Shutdown for 3-4 weeks at several Boat manufacturer hit by ransomware, impacting OT. boatindustry.com/news/
02-18 plants Production shutdown or delayed at "several sites". 36934/beneteau-2021-
Wiped out 2021 growth, according to CEO. growth-almost-
evaporated-in-cyber-
attack
20 / 26

Threat OT / Physical
Date Victim Region Industry Sites Cost Incident Summary References
Actor Consequences
2021 Molson Coors USA, Food & Ransomware 13 $120M Disrupted brewery production and Took all systems offline to contain the spread. By end bleepingcomputer.com/ securityweek.com/mols
03-11 Canada, UK Beverage shipments, delaying 120-$140m in of the month was still dealing with delays and news/security/molson- on-coors-cyberattack-
earnings disruptions coors-brewing- storms-could-cost-
operations-disrupted-by- company-140-million
cyberattack
2021 Sierra Wireless Canada Discrete Mfg. Ransomware 1 Halted production at all IoT, cellular, and wireless device manufacturer with isssource.com/sierra-
03-20 manufacturing sites an unknown number of manufacturing sites wireless-hit-by-
ransomware-attack
2021 Asteelflash Group SA France Discrete Mfg. Ransomware 20 Shutdown multiple printed circuit A leading Electronics Manufacturing Services (EMS) icsstrive.com/incident/re
03-25 board plants company suffered a REvil ransomware attack vil-ransomware-shut-
down-multiple-plants-at-
asteelflash
2021 JBI Bike USA Transportation Ransomware 11 Delayed shipments for 7+ days A wholesale bicycle and parts distributor, with 11 bicycleretailer.com/indu
04-01 warehouses, where only some were back up a week stry-
after the attack news/2021/04/07/jbi-
back-online-limited-
capacity-after-
ransomware-
attack#.ZBip3PbMKdY
2021 Bakkier Logistiek Netherlands Transportation Ransomware 1 Disrupted new orders, delayed Caused shortages of packaged cheese at retail icsstrive.com/incident/ra
04-04 shipments to retail outlets for 5 nsomware-attack-at-
days bakker-logistiek-caused-
cheese-shortage-in-
dutch-supermarkets
2021 Colonial Pipeline USA Oil & Gas Ransomware 1 $4.4M Shutdown pipeline for 6 days and DarkSide ransomware behind attack on the largest icsstrive.com/incident/co
05-07 paid a $4.4M ransom gasoline pipeline in USA, triggering widespread lonial-pipeline-ops-shut-
gasoline shortages in US Northeast down-after-
ransomware-attack
2021 Ardagh Group UK Process Mfg. Ransomware 1 $34M Slowed production and delayed Metal and glass beverage packaging facilities isssource.com/eu-
05-20 shipments remained operational, but some processes reverted to packaging-maker-hit-by-
manual operation causing shipment delays cyberattack
2021 JBS SA Australia, Food & Ransomware 5 Several large meatpacking plants Plants in Nebraska, Colorado, Texas, Brooks, and cbc.ca/news/business/jb
05-30 Canada, Beverage shut down and sent workers home Australia canceled production shifts s-meat-cyberattack-
USA 1.6048942
2021 Iran Rails Iran Transportation Hacktivist 1 Impaired service by Targeted by the Predatory Sparrow group, infected nytimes.com/2021/08/1 theguardian.com/world/
07-09 reprogramming signs and wiping with wiper malware, and reprogrammed rail signage 4/world/middleeast/iran- 2021/jul/11/cyber-
computers causing “unprecedented chaos” trains-cyberattack.html attack-hits-irans-
transport-ministry-and-
railways
2021 Transnet South Africa Transportation Ransomware 4 Declared Force Majeure and Transnet said ports at Durban, Ngqura, Port Elizabeth reuters.com/article/us-
07-22 halted operations for 7 days and Cape Town were affected transnet-cyber-
idUSKBN2EZ0RQ
| Date | Victim | Region | Industry | Threat Actor | Sites | Cost | OT / Physical Consequences | Incident Summary | References |
|---|---|---|---|---|---|---|---|---|---|
| 2021-09-17 | New Cooperative | USA | Agriculture | Ransomware | 1 | | Delayed grain receipts & shipments, & shutdown fertigation optimization system | BlackMatter ransomware attack impacted grain transactions during harvest season. Systems were pre-emptively shut down to stop the spread. | icsstrive.com/incident/ia-ag-cooperative-hit-in-ransomware-attack |
| 2021-09-19 | Crystal Valley Cooperative | USA | Agriculture | Ransomware | 1 | | Shutdown for 4 days and reverted to manual ops. | During harvest season, were unable to mix fertilizer or fulfil livestock feed orders, and switched to manual ops for receiving grain by issuing paper receipts. | icsstrive.com/incident/ransomware-attack-forces-agricultural-grain-firm-in-minnesota-to-take-systems-offline |
| 2021-09-21 | Weir Group | UK | Discrete Mfg. | Ransomware | 1 | £20M | Disrupted manufacturing, engineering, and shipping | When the attack was detected, "systems promptly responded by shutting down core operations." Loss projected at £20-30m. | icsstrive.com/incident/weir-group-ransomware-incident |
| 2021-10-09 | Ferrara | USA | Food & Beverage | Ransomware | 2 | | Shutdown operations and delayed shipments for more than two weeks | Candymaker suffered production shutdowns prior to Halloween, but had only resumed production in "select facilities" two weeks later. | cyberscoop.com/candy-corn-hack-halloween; manufacturing.net/home/news/13165782/ferrero-to-acquire-ferrara-candy-company |
| 2021-10-22 | Schreiber Foods | USA, Europe, S. America | Food & Beverage | Ransomware | 30 | | Shutdown production and delivery for 5 days, and disrupted dairy supply chain | Large cheese and yogurt manufacturer could not receive, produce, or ship dairy product due to an attack on their plants and distribution centers. | cyberscoop.com/schreiber-foods-cyber-event-ransomware-agriculture-food; wisfarmer.com/story/news/2021/10/26/schreiber-foods-hit-cyberattack-plants-closed/8558252002 |
| 2021-11-? | Madix Inc | USA | Discrete Mfg. | Ransomware | 2 | | Shutdown production, sent employees home | Manufacture of store fixtures halted at both Goodwater and Eclectic plants. | newsbreak.com/news/2435633463049-ransomware-attack-at-alabama-manufacturing-plants-send-hundreds-of-employees-home-with-no-specified-date-of-return |
| Date | Victim | Region | Industry | Threat Actor | Sites | Cost | OT / Physical Consequences | Incident Summary | References |
|---|---|---|---|---|---|---|---|---|---|
| 2021-11-07 | Diamond Comic Book Distributors | USA | Transportation | Ransomware | 1 | | Delayed retail shipments by 2-4 days, twice | Diamond is a top distributor for Marvel, Dark Horse, and Image comics. Scheduled orders were temporarily halted after a ransomware attack prevented delivery. | icsstrive.com/incident/ransomware-attack-at-the-diamond-comic-distributors-disrupts-retailer-shipments |
| 2021-11-08 | Estrella Damm Brewery | Spain | Food & Beverage | Ransomware | 2 | | Shutdown production for 5 days at all breweries (impacted bottling) | Had this occurred in the summer, consequences would have been more severe as stocks only last 3 days. | icsstrive.com/incident/barcelonas-damm-brewery-ransomware-attack |
| 2021-12-21 | Nortura | Norway | Food & Beverage | Ransomware | 2 | | Production halted at several sites for more than a week | Shutdown meat processing plants after a ransomware attack, with one report of animals destined for slaughter being diverted to competitors. | icsstrive.com/incident/norwegian-food-producer-hit-in-cyberattack; web.archive.org/web/20220701083242/norwaytoday.info/news/slaughter-pigs-sent-to-a-competitor-after-the-data-attack-on-nortura |
| 2021-12-28 | Amedia | Norway | Discrete Mfg. | Unknown | 1 | | Shutdown printing presses for 1.5 days | Norway's largest local news publisher was forced to shut down their presses after an unspecified cyber attack. | icsstrive.com/incident/norway-media-company-amedia-hit-in-cyberattack |
| 2022-01-01 | Bay & Bay Transportation | USA | Transportation | Ransomware | 1 | | Lost 1.5 weeks of production | Hit by Conti ransomware, and systems taken offline and remediated. | freightwaves.com/news/minnesota-trucking-company-hit-in-2nd-ransomware-attack; icsstrive.com/incident/mn-trucking-and-logistics-company-hit-by-ransomware-attack-again |
| 2022-01-07 | CPH Chemie & Papier Holding | Switzerland, Germany | Process Mfg. | Ransomware | 1 | | 6 days of downtime; lost 8,400 tons in paper output | Newsprint, packaging, and lightweight coated paper (LWC) producer in Perlen and Müllheim was forced into a controlled shutdown after a cyber attack. | euwid-paper.com/news/markets/cph-to-restart-operations-in-perlen-and-muellheim-by-tomorrow; icsstrive.com/incident/hackers-paralyze-only-newsprinting-facility-in-switzerland |
| 2022-01-28 | Kenyon Produce (KP) Snacks | UK | Food & Beverage | Ransomware | 1 | | Halted production, delayed deliveries for 2 months, & capped orders | Hit by Conti ransomware, the snack maker "cannot safely process orders or dispatch goods." Orders will be capped while existing stocks are consumed. | foodprocessing.com/industrynews/2022/hackers-cripple-kp-snacks; isssource.com/ransomware-attack-at-uk-snack-provider |
| 2022-01-29 | Marquard & Bahls subsidiaries Mabanaft & Oiltanking | Germany | Transportation | Ransomware | 11 | | Declared force majeure, halted operations for 2 weeks | BlackCat (ALPHV) ransomware halted loading and unloading of fuel and bulk oil at port, and had a minor impact on automotive fuel distribution in Germany. | bbc.com/news/technology-60215252; icsstrive.com/incident/german-oil-tank-farm-shut-down |
| 2022-01-30 | SEA-Tank & SEA-Invest Group | Belgium, Africa | Transportation | Ransomware | 24 | | Halted operations at all European and African ports | Every SEA-Tank or SEA-Invest port terminal in Europe and Africa could not unload fuel due to a reported BlackCat (ALPHV) ransomware attack. | isssource.com/oil-terminals-in-europe-suffer-cyberattack; icsstrive.com/incident/oil-terminals-in-europe-suffer-cyberattack |
| 2022-02-02 | Evos Group | Malta, Belgium, Netherlands | Transportation | Unknown | 3 | | Delayed unloading fuel at 3 ports: Terneuzen, Ghent, and Birzebbuga | Cyber attack delayed loading and unloading of fuel and bulk oil at port for the storage logistics company. The Malta operation was just recently acquired from Oiltanking. | insurancejournal.com/news/international/2022/02/03/652169.htm; icsstrive.com/incident/malta-oil-terminal-run-by-evos-one-of-several-european-facilities-hit-by-a-cyberattack |
| 2022-02-03 | Swissport | Switzerland | Transportation | Ransomware | 1 | | Delayed 22 flights, cargo, and freight services for 20 min | BlackCat (ALPHV) ransomware attack forced Swissport to revert to manual ops and backup procedures. | icsstrive.com/incident/ransomware-attack-at-swiss-airport-services-firm; spiegel.de/netzwelt/web/swissport-hackerangriff-stoert-zeitweise-flugbetrieb-in-der-schweiz-a-44285ac8-ad73-42ea-b751-91559c2ff4c8 |
| 2022-02-21 | Jawaharlal Nehru Port Container Terminal (JNPCT) | India | Transportation | Ransomware | 1 | | Diverted incoming vessels and halted in-progress loading/unloading at port | Management Information System (MIS) knocked out by ransomware at JNPCT, one of five marine facilities at the Nhava Sheva container gateway. | theloadstar.com/ransomware-attack-hits-nhava-sheva-container-terminal; icsstrive.com/incident/ransomware-attack-cripples-indian-port-container-terminal-jncpt |
| 2022-02-22 | Expeditors | USA | Transportation | Ransomware | 1 | $60M | Shutdown operations for 3+ weeks | Could not ship freight or manage customs processing, thereby halting ops. The financial cost to restore systems and in lost business was significant. | bleepingcomputer.com/news/security/expeditors-shuts-down-global-operations-after-likely-ransomware-attack; icsstrive.com/incident/expeditors-intl-hit-by-ransomware-attack |
| 2022-02-24 | Caledonian Modular | UK | Discrete Mfg. | Ransomware | 1 | | Shutdown manufacturing ops. | Modular building manufacturer's lost production output due to the attack was a major factor in the company's March insolvency. | theconstructionindex.co.uk/news/view/jrl-buys-caledonian-modular-out-of-administration; icsstrive.com/incident/cyberattack-significantly-reduced-caledonian-modulars-operating-capability/ |
| 2022-02-27 | Bridgestone | N. & S. America | Discrete Mfg. | Ransomware | 23 | | 10 days lost production, and workers sent home, at all 23 plants in the Americas | Lockbit ransomware prompted the shutdown of all tire plants in the western hemisphere, in an abundance of caution, to begin recovery. | icsstrive.com/incident/tire-manufacturer-bridgestone-hit-in-ransomware-attack |
| 2022-02-28 | Belarus Railway | Belarus | Transportation | Hacktivist | 1 | | Halted trains in Minsk, Orsha, and Osipovichi | The Belarusian "Cyber Partisans" encrypted and disabled routing and switching devices, stranding trains at stations, to slow Russian troops transiting to the Ukrainian front. | bqprime.com/amp/technology/belarus-hackers-allegedly-disrupted-trains-to-thwart-russia |
| Date | Victim | Region | Industry | Threat Actor | Sites | Cost | OT / Physical Consequences | Incident Summary | References |
|---|---|---|---|---|---|---|---|---|---|
| 2022-02-28 | Kojima Industries, Toyota, Hino, & Daihatsu | Japan | Discrete Mfg. | Ransomware | 14 | | Shutdown all Japanese auto and truck plants for 1 day, and lost production of 10K units | When 3rd party supplier Kojima was hit by ransomware, Toyota chose to shut down all their Japanese plants in an abundance of caution. | isssource.com/toyota-halts-production-after-cyberattack-on-supplier |
| 2022-02-28 | Rosetti Energy | Russia | Power | Hacktivist | 2 | | Deactivated all EV charging stations between Moscow and St. Petersburg | Hacktivists remotely disabled all electric vehicle charging stations along the M-11 motorway, and reprogrammed displays to show messages criticizing President Putin. | icsstrive.com/incident/russian-electric-vehicle-chargers-hacked-on-m11-highway-as-political-protest |
| 2022-03-11 | H.P. Hood Dairy LLC | USA | Food & Beverage | Unknown | 13 | | Shutdown production 1 week, disposed all dairy product, canceled orders & deliveries | Cyber attack prompted taking Hood's 13 plants offline in an abundance of caution; the plants could not receive materials to manufacture dairy products. | boston.com/news/local-news/2022/03/18/most-hood-plants-up-and-running-after-cyber-event; icsstrive.com/incident/dairy-plant-operations-offline-no-milk-at-schools-in-new-england |
| 2022-03-20 | ELTA (Hellenic Post) | Greece | Transportation | Ransomware | 1 | | Disrupted postal services for 17 days, nationally | Unpatched vulnerability led to reverse shell & ransomware deployment, disrupting all mail, financial, and bill payment services processed through the Greek Post. | therecord.media/greeces-national-postal-service-restoring-systems-after-ransomware-attack; icsstrive.com/incident/ransomware-attack-halts-public-postal-services-in-greece |
| 2022-03-24 | TAVR Corporate Group | Russia | Food & Beverage | Ransomware | 1 | | Shutdown production and recorded a "significant economic loss" | TAVR makes 50K tons of meat and sausage in Rostov-on-Don, close to the Ukraine border. A rep assessed the event as "meticulously planned and significant sabotage". | icsstrive.com/incident/operational-impact-after-cyberattack-at-tavr-food-processing-group-in-russia |
| 2022-04-16 | Bulgarian State Post Office | Bulgaria | Transportation | Ransomware | 1 | | 2+ week outage of 26 national postal services, including deliveries | Russian-originated ransomware attack on the Bulgarian Post, where attackers moved laterally into all IT and OT systems, affecting all 26 offered services. | euractiv.com/section/politics/short_news/russian-style-hackers-ruin-bulgarian-post-office; icsstrive.com/incident/complete-state-postal-system-outage-in-bulgaria |
| 2022-04-17 | Costa Rican Customs Service | Costa Rica | Transportation | Ransomware | 1 | | Slowed shipments for > 1 month, and shutdown Customs' systems | Small part of a massive Conti and Hive ransomware attack on Costa Rica's government, causing container freight shipments to slow to a trickle at the port of Limón. | fas.usda.gov/data/costa-rica-costa-rica-customs-delays-affect-imports; icsstrive.com/incident/costa-rica-declares-national-emergency-in-response-to-ransomware-attack |
| 2022-04-18 | Sunwing Airlines | Canada | Transportation | Unknown | 1 | | Shutdown check-in systems, delay or cancel 188 flights | Discount holiday carrier's passengers stranded during the busy Easter long weekend, where "a system that is running all the time, which never fails, was hacked". | infosecurity-magazine.com/news/cyberattackers-hit-sunwing-airlines; icsstrive.com/incident/check-in-systems-offline-for-days-at-sunwing-airlines |
| 2022-05-05 | AGCO | USA & Europe | Discrete Mfg. | Ransomware | 1 | | Shutdown majority of production for 15+ days, and sent workers home | Attack on major tractor and equipment manufacturer occurred at the start of planting season, during peak global demand for new equipment and parts from dealers. | theregister.com/2022/05/09/farm_machinery_giant_agco_hit; icsstrive.com/incident/ransomware-attack-at-agco |
| 2022-05-25 | SpiceJet | India | Transportation | Ransomware | 1 | | Grounded or delayed planes for 5+ hours | "Attempted ransomware" attack on SpiceJet caused major delays for air travellers, with a cascading effect on future flight schedules. | icsstrive.com/incident/spicejets-low-cost-airline-in-india-systems-and-operations-impacted-by-ransomware-attack |
| 2022-05-31 | Foxconn Baja California | Mexico | Discrete Mfg. | Ransomware | 1 | | Disrupted production for 2 weeks, & forced production capacity adjustment | Lockbit gang ransomed the plant in Tijuana, which supplies most of California's brand-labeled consumer electronics. 2nd time in 2 years this plant was hit by ransomware. | therecord.media/foxconn-mexico-factory-operations-gradually-returning-to-normal-after-ransomware-attack; isssource.com/foxconn-recovering-from-ransomware-attack-again |
| 2022-05-31 | CMC Electronics | Canada | Discrete Mfg. | Ransomware | 1 | | Disrupted and delayed ops. | BlackCat (ALPHV) ransomware encrypted systems and "disrupted operations" at a key supplier of avionics to Canada's Department of National Defense. | itworldcanada.com/article/canadian-military-provider-suffered-ransom-attack-says-news-report/487654; icsstrive.com/incident/alphv-ransomware-gang-attacks-canadian-defense-contractor |
| 2022-06-22 | Yodel | UK | Transportation | Unknown | 1 | | Delayed parcel delivery for millions of customers | Suspected but unconfirmed ransomware attack shut down critical operations, including delivery tracking, for millions awaiting home delivery of goods and services. | bleepingcomputer.com/news/security/yodel-parcel-company-confirms-cyberattack-is-disrupting-delivery; icsstrive.com/incident/millions-of-yodel-customers-in-uk-face-parcel-delivery-delays |
| 2022-06-25 | Apetito (parent of Wiltshire Food Farms) | UK | Food & Beverage | Ransomware | 1 | | 5-day halt to food deliveries, and rebuilt systems | Hive ransomware hit a Meals-on-wheels provider serving institutions and the vulnerable. Apetito reverted to manual procedures, and a complete system rebuild was needed to restore ops. | icsstrive.com/incident/apetitos-security-systems-breached-in-sophisticated-cyberattack |
| 2022-06-25 | Macmillan Publishers | UK, USA | Discrete Mfg. | Ransomware | 2 | | Halted orders & shipments; backlogged regional warehouses for months | Ransomware attack on a major publisher closed offices in NYC and London, disrupting order processing, and causing months of delivery backlogs at regional warehouses. | icsstrive.com/incident/cyberattack-forces-macmillan-publishers-to-take-operations-offline-and-close-physical-offices |
| Date | Victim | Region | Industry | Threat Actor | Sites | Cost | OT / Physical Consequences | Incident Summary | References |
|---|---|---|---|---|---|---|---|---|---|
| 2022-06-27 | Khuzestan Steel (KSC), Mobarakeh Steel (MSC), & Hormozgan Steel (HOSCO) | Iran | Metals & Mining | Hacktivist | 1 | | Damaged equipment and halted production at the KSC plant. | Predatory Sparrow group claimed responsibility, set the KSC plant on fire, and posted CCTV of the incident on Twitter. Any potential damages to MSC and HOSCO remain unconfirmed. | timesofisrael.com/large-cyberattack-on-iranian-industrial-sector-targets-three-steel-plants; icsstrive.com/incident/khuzestan-steel-hit-in-cyber-attack-production-halts |
| 2022-06-29 | Knauf | UK | Process Mfg. | Ransomware | 2 | | Shutdown production for 3+ weeks; delayed existing and canceled all new orders | After a BlackBasta ransomware attack, Knauf pre-emptively shut down to facilitate recovery and forensics, and operated both plants manually. | techmonitor.ai/technology/cybersecurity/knauf-cyberattack-blackbasta-ransomware; icsstrive.com/incident/largest-building-material-producer-attacked-by-black-basta |
| 2022-07-18 | Eglo | Austria | Discrete Mfg. | Ransomware | 1 | | Shutdown production, order processing and shipping for 12 days | Lighting manufacturer's CEO confirmed the ransomware attack, but noted that no ransom note had been received by the time they began recovery. | diepresse.com/6167688/tiroler-leuchtenhersteller-eglo-von-cyber-angriff-getroffen; icsstrive.com/incident/hackers-paralyzed-computer-system-at-austrian-light-manufacturer-eglo |
| 2022-07-29 | Semikron-Danfoss | Germany | Discrete Mfg. | Ransomware | 8 | | Shutdown production for months | A power-electronics semiconductor maker for ICS, EVs and wind turbines suffered an LV ransomware attack, and was not fully restored months after the incident. | bleepingcomputer.com/news/security/semiconductor-manufacturer-semikron-hit-by-lv-ransomware-attack; icsstrive.com/incident/semikron-holding-production-after-cyber-attack |
| 2022-08-05 | Ontario Cannabis Retail Corporation (OCS) | Canada | Transportation | Unknown | 1 | | Halted delivery & distribution province-wide for 5 days | Through the OCS crown corporation, the provincial government of Ontario controls and regulates the supply of cannabis to all retail stores. | cbc.ca/news/canada/toronto/ontario-cannabis-store-1.6549657; icsstrive.com/incident/us-supply-chain-cyberattack-affects-ontario-cannabis-retail-corporation-ocs-deliveries |
| 2022-08-08 | Bombardier Recreational Products (BRP) | Austria, Canada, Finland, USA | Discrete Mfg. | Ransomware | 4 | | Shutdown production and halted order fulfillment for 1 week | RansomExx gang published all files (30 GB) exfiltrated from BRP after they refused to pay the ransom. The malware infection was traced to a service provider. | bleepingcomputer.com/news/security/ransomexx-claims-ransomware-attack-on-sea-doo-ski-doo-maker; icsstrive.com/incident/brp-suspends-operations-following-ransomware-attack |
| 2022-08-13 | Apex Capital / TCS Fuel | USA | Transportation | Ransomware | 1 | | Shutdown ops. for 1 week | BlackByte ransomware on TCS Fuel impacted small-business truckers, who were unable to fuel their trucks or access funds to pay their owner-operators. | icsstrive.com/incident/system-outage-at-apex-capital-affects-medium-and-small-size-trucking-companies |
| 2022-09-02 | Novosibirsk City Transport Traffic Management System | Russia | Transportation | Hacktivist | 1 | | Shutdown and disrupted public transportation for 2+ days | Pro-Ukrainian activists Team OneFist caused traffic chaos by halting and damaging the public transit scheduling system and signage, so as to prevent quick recovery. | ibtimes.com/russians-novosibirsk-forced-pound-pavements-team-onefist-paralyzes-traffic-exclusive-3611628; icsstrive.com/incident/novosibirsk-transportation-system-attacked-by-pro-ukranian-hacker-group |
| 2022-09-03 | Yandex Taxi | Russia | Transportation | Hacktivist | 1 | | Disrupted Moscow traffic for 3+ hours | Hacktivists caused traffic chaos in an attack that simultaneously dispatched all Yandex Taxi cars to the same location, resulting in a massive traffic jam. | icsstrive.com/incident/chaos-in-moscow-traffic-caused-by-yandex-taxis-software-hack; theverge.com/2022/9/3/23335694/hackers-traffic-jam-russia-moscow-ride-hailing-app-yandex-taxi |
| 2022-09-05 | Läderach | Switzerland | Food & Beverage | Ransomware | 1 | | Halted production, logistics and administration for 67 days | A ransomware attack on the chocolate maker caused a long-term outage and impacted logistics. After Läderach refused to pay the ransom, all data was leaked. | icsstrive.com/incident/operations-impacted-at-swiss-chocolate-manufacturer-laderach |
| 2022-09-26 | Electricity Company of Ghana (ECG) | Ghana | Power | Ransomware | 1 | | 5+ days of power outages for pre-paid customers | A ransomware attack disabled ECG's billing system and the IT network, leaving commercial and residential customers in the dark and unable to purchase power. | icsstrive.com/incident/ransomware-attack-at-electric-company-of-ghana-left-customers-without-power-for-days |
| 2022-10-05 | HiPP | Germany | Food & Beverage | Unknown | 1 | | Production shutdown for days, and 1000 employees sent home | Pfaffenhofen, Bavaria based baby food manufacturer, which sells worldwide, was hit by an attack which shut down both IT and OT systems. | csoonline.com/de/a/hipp-gehackt,3674208; icsstrive.com/incident/ot-systems-impacted-by-cyberattack-at-hipp-a-german-baby-food-manufacturer |
| 2022-10-14 | Heilbronner Stimme & Stimme Mediengruppe | Germany | Discrete Mfg. | Ransomware | 1 | | Shutdown operations and sent employees home; impacted regional partners | Printing presses halted after a ransomware attack, stopping distribution of the Heilbronner Stimme and other regional publications printed under contract. | bleepingcomputer.com/news/security/ransomware-attack-halts-circulation-of-some-german-newspapers; icsstrive.com/incident/ransomware-attack-cripples-printing-systems-at-german-newspaper |
| 2022-10-28 | Aurubis AG | Germany, USA | Metals & Mining | Unknown | 1 | | Production and delivery halted, and employees sent home, in Buffalo, NY | Europe's largest copper smelter admitted to isolating from the internet and operating manually, but local news in Buffalo reported their copper wire plant was shut down. | hackread.com/copper-producer-aurubis-cyberattack; icsstrive.com/incident/worlds-largest-copper-smelter-largely-maintains-operations-after-cyberattack |
| 2022-10-29 | Danish Rails (DSB) / Supeo | Denmark | Transportation | Ransomware | 1 | | Shutdown train service for several hours | Denmark's largest rail operator halted due to a cyber attack on 3rd party Supeo, who were unable to offer their critical, real-time safety data to train drivers. | isssource.com/trains-halted-in-denmark-after-cyberattack |
| Date | Victim | Region | Industry | Threat Actor | Sites | Cost | OT / Physical Consequences | Incident Summary | References |
|---|---|---|---|---|---|---|---|---|---|
| 2022-10-31 | Cartonnerie Gondardennes | France | Process Mfg. | Ransomware | 1 | | Shutdown production for 3 days, and workers sent home | This cardboard maker avoided paying a ransom as systems were decrypted by a local journalist and cyber expert, Damien Bancal. | lavoixdunord.fr/1250765/article/2022-11-07/le-piratage-cartonnerie-gondardennes-decrypte-par-damien-bancal-journaliste; icsstrive.com/incident/hackers-shut-down-production-at-cartonnerie-gondardennes-in-france |
| 2022-11-02 | Jeppesen, a Boeing subsidiary | Global | Transportation | Ransomware | 1 | | Delayed flights at multiple airlines & impacted flight planning for 14 days | Ransomware shut down 6 Electronic Flight Bag (EFB) apps & services provided by Jeppesen, increasing pilots' workloads in flight planning and navigation. | icsstrive.com/incident/cyberattack-attack-at-boeing-subsidiary-causes-widespread-flight-disruptions; ops.group/blog/jeppesen-ransomware-attack-update |
| 2022-11-05 | Uponor Oyj | Finland | Discrete Mfg. | Ransomware | 1 | | Shutdown production for 1 week, then reduced capacity for 2+ weeks | The manufacturer of HVAC, plumbing, and infrastructure products shut down all OT systems as a precaution, and restoration took weeks. | icsstrive.com/incident/operational-shutdown-at-uponor-intelligent-plumbing-climate-solutions |
| 2022-11-05 | PGT Innovations | USA | Discrete Mfg. | Ransomware | 2 | $12M | Impacted production at 2 plants, and contributed to a $12m loss | A ransomware attack impacted 2 window and door manufacturing plants in Florida, and contributed to a $12m quarterly revenue loss. | icsstrive.com/incident/ransomware-attack-at-window-and-door-manufacturer-pgt-innovations |
| 2022-11-06 | Maple Leaf Foods | Canada | Food & Beverage | Ransomware | 1 | | Disrupted operations and services at multiple sites | BlackBasta listed Maple Leaf as one of its victims on the dark web, but Maple Leaf released little else about the attack other than the impact to ops. | just-food.com/news/canadas-maple-leaf-foods-hit-by-cyberattack; icsstrive.com/incident/system-outage-at-maple-leaf-food-manufacturer-in-canada |
| 2022-11-17 | Taxis Coop Québec | Canada | Transportation | Ransomware | 1 | | Shutdown taxi dispatch system for 2.5 hours in the early morning | Ransomware breached Taxi Coop Quebec's ride hailing back-end systems, so staff pre-emptively shut down all servers and began recovery. | ici.radio-canada.ca/nouvelle/1933690/taxi-coop-quebec-cyberattaque-informatique; icsstrive.com/incident/taxi-ride-hailing-service-in-quebec-hacked |
| 2022-11-17 | Europea Microfusioni Aerospaziali (EMA) | Italy | Discrete Mfg. | Ransomware | 1 | | Shutdown production line for 6+ days, and sent employees home | EMA, a precision investment casting leader, was hit by ransomware and production lines were shut down. 40 techs and specialists were sent in to assist. | icsstrive.com/incident/cyberattack-shuts-down-operations-at-precision-casting-foundry-europea-microfusioni-aerospaziali |
| 2022-11-21 | Communauto | Canada | Transportation | Unknown | 1 | | Shutdown ride-sharing operations & services for 1 day | A cyber attack prevented users from starting or ending a ride, during an existing industry shortage of vehicles, frustrating users struggling to reserve a car. | icsstrive.com/incident/cyberattack-hits-communauto-operations-already-struggling-with-frustrated-customers |
| 2022-11-25 | Prophete / VSF Fahrradmanufaktur, Rabeneick and Kreidler | Germany | Discrete Mfg. | Ransomware | 1 | | Shutdown operations for 3+ weeks and led to insolvency | Ransomware attack meant that parts did not arrive, and bicycles were not fully assembled and delivered. Additional shareholder injections could not be secured, triggering bankruptcy. | icsstrive.com/incident/downtime-caused-by-cyberattack-final-straw-for-german-bicycle-manufacturer |
| 2022-11-25 | Cobolux | Luxembourg | Food & Beverage | Ransomware | 1 | €400K | 1 day production loss; estimated €400K - €500K in damages and restoration costs | Ransomware attack made it impossible to continue operating, because meat products could not be labeled, a regulatory and food safety requirement. | icsstrive.com/incident/production-halted-at-meat-processing-factory-in-luxembourg |
| 2022-12-10 | UNOX | Italy | Discrete Mfg. | Unknown | 1 | | Shutdown production for 2 days | Hit by a cyber attack, the company activated emergency procedures, suspended production as a safety measure, and initiated "appropriate checks". | icsstrive.com/incident/italian-oven-manufacturer-suspends-production-after-cyberattack |
| 2022-12-11 | Fruttagel | Italy | Food & Beverage | Ransomware | 1 | | Shutdown production for 4+ days | A BlackCat (ALPHV) ransomware attack on Fruttagel halted production and prevented customer deliveries. The ransom went unpaid, so BlackCat leaked all 720GB of exfiltrated data. | icsstrive.com/incident/production-outage-after-massive-ransomware-attack-at-italian-fruttagel |
| 2022-12-13 | Empresas Públicas de Medellín (EPM) | Colombia | Water | Ransomware | 1 | | Trucked in water for 28k customers on pre-paid service plans | A BlackCat (ALPHV) ransomware attack shut off water for 28K customers unable to pre-pay for service, due to an OT dependence on IT and billing systems. | isssource.com/ransomware-attack-at-colombian-utility |
| 2022-12-22 | Technolit GmbH, in Grossenlüder | Germany | Discrete Mfg. | Unknown | 1 | | Shutdown operations and sent employees home | A German manufacturer and distributor of welding supplies and products was shut down by an unknown cyber attack. | icsstrive.com/incident/cyberattack-at-technolit-gmbh-employees-sent-home |
| 2022-12-27 | Copper Mountain Mining Corporation (CMCC) | Canada | Metals & Mining | Ransomware | 1 | | Shutdown operations for 5 days (pre-emptive), then reduced production for 4 days | CMCC shut down mining ops out of an abundance of caution, after an attack possibly enabled by passwords leaked on the dark web weeks earlier. | isssource.com/copper-miner-hit-in-ransomware-attack |
Appendix B – Acknowledgements
Waterfall Security Solutions and ICSSTRIVE would like to recognize and thank the many people who contributed materially to this report:
Andrew Ginter
VP Industrial Security | Waterfall Security Solutions
Gregory Hale
Editor & Founder | Industrial Safety and Security Source
Rees Machtemes
Director of Industrial Security | Waterfall Security Solutions
Monique Walhof
Consultant | Industrial Safety & Security Source
Jesus Molina
Director of Industrial Security | Waterfall Security Solutions
Courtney Schneider
Cyber Policy Research Manager | Waterfall Security Solutions
We would also like to thank the many news outlets who report on cybersecurity, and the incident repositories we specifically searched for public incident disclosures and other information, including:
https://icsstrive.com
https://konbriefing.com/en-topics/cyberattacks.html
https://cybersecurityventures.com/intrusion-daily-cyber-threat-alert
https://cybersecurityventures.com/ransomware-report
https://cloudian.com/ransomware-attack-list-and-alerts
https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents
https://www.itgovernance.co.uk/blog/category/monthly-data-breaches-and-cyber-attacks
https://securityaffairs.co/wordpress/category/ics-scada
https://spin.ai/resources/ransomware-tracker/