Malware is software that runs unauthorized operations on a target system. In OT environments, the relevant taxonomy is not the IT split between viruses, worms, and trojans — it is the short list of known ICS-specific malware families and the class of IT malware that reaches OT through convergence paths.
ICS-specific malware — the reference cases
Four families define what purpose-built OT malware looks like:
Stuxnet (2010). Targeted Siemens Step 7 PLC programming software and the controllers running Iranian uranium-enrichment centrifuges. Exploited four zero-day vulnerabilities and used stolen code-signing certificates. Modified PLC logic to damage equipment while reporting normal operation to monitoring systems. First public evidence that malware could produce physical destruction.
Industroyer / CrashOverride (2016). Attacked the Ukrainian power grid. Included native protocol modules for IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA. Opened substation breakers using the grid's own protocols, not exploits. Designed to operate after initial delivery with no operator interaction.
TRITON / TRISIS (2017). Targeted Schneider Triconex Safety Instrumented Systems at a Saudi petrochemical plant. Attempted to reprogram safety controllers whose sole function is to prevent catastrophic failure. The first known malware to target safety systems specifically — a cyber attack with the potential to cause loss of life.
PIPEDREAM / INCONTROLLER (2022). A toolkit rather than a single binary. Targets Schneider Modicon and OMRON Sysmac PLCs plus Open Platform Communications (OPC) UA servers. CISA attributed it to state actors. Demonstrates modular, multi-vendor OT tooling built for scale.
Why OT is structurally exposed
Three properties make OT different from IT:
- No endpoint agents. PLCs, RTUs, HMIs, and safety controllers cannot run CrowdStrike, SentinelOne, or Defender. Endpoint detection is not an option on the asset itself. Detection moves to the network layer or does not exist.
- Trust inside the zone. Flat OT segments assume hosts inside the zone are trustworthy. A compromised engineering workstation can reach every PLC on the segment because nothing separates them.
- Protocols without authentication. Modbus, DNP3, and older IEC 61850 implementations have no concept of authenticated senders. A device on the wire is a trusted device.
IT malware that reaches OT
Most OT incidents begin with IT malware — ransomware, info-stealers, RATs — that traverses the IT/OT boundary through a shared historian, a jump server, a remote-access VPN, or a dual-homed engineering workstation. The Colonial Pipeline shutdown (DarkSide ransomware, 2021) was not OT malware; it was IT ransomware that caused the operator to shut down OT as a precaution. The Norsk Hydro incident (LockerGoga ransomware, 2019) hit IT systems that OT operators relied on for production scheduling.
What actually mitigates OT malware
Two patterns repeatedly reduce OT malware impact across documented incidents:
- Network-layer segmentation with identity enforcement. A compromised host cannot pivot to targets it is not authorized to reach.
- Protocol-aware inspection. Traffic patterns that signal reconnaissance or write-operation abuse produce detectable events even when the host itself is invisible to endpoint tooling.
Endpoint antivirus, patch management, and user training are still necessary — but on OT assets, the enforcement moves to the network.
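As an added illustration of the two patterns above (it is not Access Gate's code or part of the original entry), the following Python parses Modbus/TCP request frames from a constructed traffic sample and raises alerts for write function codes from hosts outside a hypothetical zone allowlist, and for a single source probing many unit IDs. The IP addresses, the allowlist, and the sample frames are all assumptions constructed for the example.

```python
import struct

# Modbus function codes that change controller state (reads are 1-4; 23 is read/write).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# Hypothetical zone policy, constructed for this example: (source, PLC) pairs allowed to write.
# Modbus has no sender authentication, so this is what the network layer must enforce.
WRITE_ALLOWLIST = {("10.1.0.10", "10.1.0.50")}  # engineering workstation -> PLC 1

def parse_modbus_tcp(payload: bytes):
    """Parse the 7-byte MBAP header and function code of one Modbus/TCP request."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None  # not a well-formed Modbus/TCP frame
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}

def inspect(flows, sweep_threshold=3):
    """Alert on writes outside the allowlist and on one source probing many unit IDs."""
    alerts, units_seen = [], {}
    for src, dst, payload in flows:
        req = parse_modbus_tcp(payload)
        if req is None:
            continue
        if req["function"] in WRITE_FUNCTIONS and (src, dst) not in WRITE_ALLOWLIST:
            alerts.append(("unauthorized_write", src, dst, req["function"]))
        units_seen.setdefault((src, dst), set()).add(req["unit"])
    for (src, dst), units in units_seen.items():
        if len(units) >= sweep_threshold:
            alerts.append(("unit_id_sweep", src, dst, len(units)))
    return alerts

def frame(unit, fc, data=b"", tid=1):
    """Build a Modbus/TCP request frame (constructed sample traffic, not a capture)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: an HMI read, an authorized engineering write, then a rogue
# host writing registers and sweeping unit IDs with Read Device Identification (0x2B).
SAMPLE_FLOWS = [
    ("10.1.0.20", "10.1.0.50", frame(1, 3, b"\x00\x00\x00\x0a")),
    ("10.1.0.10", "10.1.0.50", frame(1, 6, b"\x00\x10\x00\x01")),
    ("10.1.0.77", "10.1.0.50", frame(1, 16, b"\x00\x10\x00\x01\x02\xff\xff")),
] + [("10.1.0.77", "10.1.0.51", frame(u, 0x2B, b"\x0e\x01\x00")) for u in (1, 2, 3)]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_FLOWS):
        print(alert)
```

The HMI read and the engineering workstation's write produce no alert; the rogue host's register write and its unit-ID sweep each produce one, even though no endpoint agent is present on the PLC.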
Related terms
- Ransomware
- Industrial Control Systems Security
- OT/IT Convergence
- Cybersecurity Incident (OT)
- Protocol Filtering (OT)
Access Gate connection
Access Gate enforces identity-based segmentation and protocol-aware filtering at the OT network layer — providing detection and containment for assets that cannot host endpoint agents. See OT Network Visibility.

