DDoS Attacks on Industrial Infrastructure - Threats and Protection
DDoS attacks on OT/ICS systems - vectors, incidents (Killnet, NoName057), critical infrastructure protection, and NIS2 requirements.
Jozef Sulwinski 
On December 9, 2025, CISA, the FBI, and the NSA - together with partners from Europe and Asia - issued an urgent advisory: pro-Russian hacktivist groups - Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16 - were conducting coordinated DDoS attacks on SCADA and HMI systems of critical infrastructure in the water, energy, and food sectors. In some cases, DDoS attacks served as a smokescreen for actual intrusions into OT networks.
This is no longer a theoretical threat from textbooks. Attacks on the availability of industrial systems have become a tool of geopolitics, and a lack of preparedness can cost not only data but the continuity of physical production processes.
What are DoS and DDoS attacks in the OT context
A DoS (Denial of Service) attack disrupts the availability of a system, service, or network. DDoS (Distributed Denial of Service) is its distributed variant, where traffic is generated from multiple sources simultaneously. In IT environments, these attacks are disruptive but rarely threaten physical safety. In OT environments, the situation is different.
Industrial automation systems rely on continuous, deterministic communication. A PLC controller that loses connectivity with an operator station for a few seconds may trigger an emergency process shutdown. In an energy system, loss of SCADA visibility at substations means the inability to remotely switch circuits. In a wastewater treatment plant, a communication interruption with pH sensors results in an uncontrolled discharge.
Three categories of availability attacks in OT
| Category | Mechanism | Example in an industrial environment |
|---|---|---|
| Volumetric | Saturation of communication bandwidth | Flood on the WAN interface connecting SCADA to substations |
| Protocol | Exhaustion of session resources on network devices | SYN flood on a zone firewall, saturation of a managed switch connection table |
| Application | Overloading the logical layer of a service | Flood of Modbus TCP queries to a PLC controller (port 502), excessive OPC UA requests |
| Physical / RF | Disruption of wireless communication | Jamming of WirelessHART networks, disruption of LTE for remote RTUs |
WARNING
Industrial protocols such as Modbus RTU/TCP have no built-in authentication or encryption. Every packet that reaches a PLC controller on port 502 will be processed - there is no mechanism for rejecting unauthorized requests at the protocol level. This is a fundamental difference compared to IT protocols.
Incidents - from theory to real losses
NERC 2019 - first confirmed DoS on the energy grid
On March 5, 2019, attackers exploited a vulnerability in the web interface of firewalls at electrical substations in the US. Cyclic device restarts caused communication interruptions between field devices and the control center. The problem took over 8 hours to resolve. NERC (North American Electric Reliability Corporation) published a report confirming that this was the first documented cyber incident affecting the availability of American energy infrastructure.
FrostyGoop 2024 - Modbus as a weapon
In January 2024, the FrostyGoop malware sent crafted Modbus TCP commands to district heating controllers in Lviv. The result: over 600 residential buildings lost heating in sub-zero temperatures. The attack did not require sophisticated exploits - it was enough to reach an unsecured port 502 and send valid protocol commands. We discuss the broader context of this conflict in our article on the impact of the Russia-Ukraine war on cybercrime.
NoName057(16) - DDoS factory at industrial scale
The group NoName057(16), active since March 2022, operates the DDoSia platform, which enables volunteers to jointly generate DDoS attacks on targets designated by the group’s operators. Between June 2024 and July 2025, the group attacked an average of 50 unique hosts per day, with a record of 91 targets in a single day. Victims included airports (Taoyuan, Songshan), public transport systems, energy providers, and government institutions in 14 NATO countries.
In July 2025, Operation Eastwood (coordinated by Eurojust) led to the takedown of the botnet and the issuance of 7 arrest warrants. The group, however, rebuilt its infrastructure within weeks and resumed attacks.
Z-Pentest - hacktivism enters OT
The Z-Pentest group, formed in September 2024 from members of CARR and NoName057(16), specializes in intrusions into OT systems. Combined with simultaneous DDoS attacks on the victim’s network, the group exploits unsecured VNC connections to gain access to SCADA controllers and HMI in the water and energy sectors.
DDoS by the numbers - the scale of the problem
DDoS attacks blocked by Cloudflare in 2025
record DDoS attack in Q4 2025
NoName057(16) DDoS attacks on NATO countries since 2022
year-over-year increase in DDoS attacks in Q1 2025
Sources: Cloudflare DDoS Threat Report Q1-Q4 2025, Eurojust
The Cloudflare data covers all sectors, but the trend is unequivocal - the scale and frequency of DDoS attacks are growing exponentially. In industrial environments, a much smaller attack is sufficient to cause serious disruptions. A PLC controller managing a chemical process does not need terabits of traffic to stop responding - a few hundred packets per second directed at port 502 is enough.
Why OT is particularly vulnerable to DoS attacks
Industrial environments have characteristics that make them more sensitive to availability attacks than typical IT infrastructure:
-
Communication determinism - protocols such as Modbus, PROFINET, and EtherNet/IP require predictable response times. Even a small delay (on the order of milliseconds) can cause a timeout and an emergency process shutdown.
-
Lack of defensive mechanisms in protocols - most industrial protocols were developed in the 1980s and 1990s, when physical network isolation was assumed. They have no rate-limiting, authentication, or encryption.
-
Long device lifecycle - PLC controllers and RTUs operate for 15-25 years. Many of them do not support TLS, lack sufficient memory for IDS, and cannot be patched without stopping the process.
-
Availability is priority number 1 - in IT, we talk about the CIA triad (Confidentiality, Integrity, Availability). In OT, the order is reversed: AIC. Process availability is more important than data confidentiality, because its loss can endanger human lives.
-
Lack of communication redundancy - many facilities have a single communication channel between SCADA and field devices. A DDoS attack on that channel means loss of visibility over the process.
DoS attack scenarios on industrial infrastructure
Scenario 1: Volumetric attack on the WAN channel
An attacker directs DDoS traffic at the WAN link connecting the control center to remote substations or pump stations. Effect: operators lose SCADA visibility, but processes at substations operate in autonomous mode. Risk emerges when manual intervention is needed - the operator cannot remotely switch circuits.
Scenario 2: Industrial protocol flood
An attacker sends floods of Modbus TCP requests (function code 0x03 - Read Holding Registers) to a PLC controller. The controller attempts to process every request, neglecting actual communication with sensors and actuators. The watchdog timer detects a lack of response and forces an emergency shutdown.
Scenario 3: DDoS as a smokescreen
Groups such as Z-Pentest launch DDoS attacks on the victim’s corporate network, engaging the SOC team, while another part of the operation exploits unsecured VNC connections to modify process parameters in the SCADA system.
Scenario 4: Wireless communication disruption
In installations using WirelessHART or LTE communication (e.g., remote RTUs on pipelines), an attacker can use RF jamming to prevent the transmission of measurement data. Loss of signal from pressure sensors on a gas pipeline can force a section shutdown.
Protecting OT infrastructure from DDoS attacks
Standard DDoS protection methods (scrubbing centers, CDN, rate-limiting on WAF) primarily address IT infrastructure and web applications. The OT environment requires a different approach that accounts for the specifics of industrial protocols and the priority of process availability.
Checklist - 12 steps to protect OT against availability attacks
- Network segmentation - establishing zones and conduits in accordance with IEC 62443. A detailed segmentation guide can be found in our article on OT network segmentation
- Exposure reduction - no OT device should be directly accessible from the Internet. This applies particularly to Modbus (502), EtherNet/IP (44818), OPC UA (4840) ports, and VNC interfaces
- Dedicated zone firewalls - firewalls at the IT/OT boundary with rules permitting only known protocols and addresses. Deep Packet Inspection (DPI) for industrial protocols
- Redundant communication channels - backup links (e.g., LTE as a backup for WAN links) with automatic failover. Different protocols and transmission media for critical connections
- Rate-limiting at the OT network level - limiting the number of packets per second allowed on PLC controller and RTU interfaces
- Passive monitoring - OT-dedicated IDS systems (e.g., Tenable OT Security) monitoring network traffic anomalies without interfering with the process
- Firmware updates - regular patching of firewalls and network devices in the DMZ. For OT devices that cannot be patched - compensating network controls
- Configuration hardening - disabling unused ports and services on network devices, changing default passwords, disabling web interfaces on field devices
- Business continuity plan - operational procedures in case of SCADA communication loss, including manual operation mode and alternative communication channels
- Resilience testing - regular exercises simulating loss of OT system availability. Verification that operators can switch to local control
- VNC/RDP separation - remote access to OT systems exclusively through a dedicated jump host zone with MFA, never directly from the internet. More on secure remote access in our ICS remote access guide
- ISP cooperation - agreeing with the link provider on upstream DDoS filtering mechanisms (blackholing, scrubbing) for control center IP addresses
TIP
Before investing in DDoS protection tools, check the fundamentals: are OT devices visible from the internet? Tools like Shodan and Censys regularly index open Modbus and VNC ports on public IP addresses. Inventory and elimination of unnecessary exposure is the cheapest and most effective first step.
NIS2 and DDoS resilience
The NIS2 Directive, in effect since October 17, 2024, imposes cybersecurity risk management obligations on essential and important entities (including energy, transport, water, manufacturing) that directly relate to DDoS resilience:
| NIS2 Requirement | Relationship to DDoS protection |
|---|---|
| Art. 21.2(a) - risk analysis and security policies | Risk assessment of availability attacks on OT systems |
| Art. 21.2(b) - incident handling | DDoS attack response procedures, escalation, communication |
| Art. 21.2(c) - business continuity and crisis management | Action plan for SCADA communication loss, manual mode |
| Art. 21.2(d) - supply chain security | Verification of telecommunications provider resilience |
| Art. 23 - incident reporting | Early warning within 24h, notification within 72h, report within 1 month |
Organizations that fail to implement adequate measures to protect against availability attacks face administrative fines (up to EUR 10 million or 2% of annual turnover for essential entities).
NOTE
NIS2 does not mandate specific technologies - it requires proportionate risk management measures. For a facility with a single WAN link to its SCADA system, an appropriate measure may be a redundant LTE link. For a large energy grid operator - a dedicated scrubbing service from the link provider.
Summary
Availability attacks on OT systems are no longer the domain of advanced APT groups. Hacktivist groups such as NoName057(16) and Z-Pentest have proven that simple methods - DDoS combined with exploitation of unsecured VNC interfaces and industrial protocols - are sufficient to disrupt the operation of critical infrastructure. The scale of DDoS attacks is growing (47.1 million attacks in 2025 according to Cloudflare), and with it the risk for industrial system operators.
Protection starts with the fundamentals: OT network segmentation, elimination of direct internet access, redundant communication channels, and tested business continuity procedures. The NIS2 Directive formalizes these requirements, but implementation should stem from a genuine risk assessment, not from fear of penalties.
SEQRED helps critical infrastructure operators assess the resilience of OT systems to attacks, segment networks in accordance with IEC 62443, and build security architectures that account for availability attack scenarios.
Sources:
- CISA Advisory AA25-343A - Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure
- Cloudflare DDoS Threat Report Q1 2025
- Cloudflare DDoS Threat Report Q4 2025
- Eurojust - Hacktivist group responsible for cyberattacks on critical infrastructure in Europe taken down
- Sekoia - NoName057(16) DDoSia project: 2024 updates and behavioural shifts
- Cyble - Hacktivists Escalate Critical Infrastructure Attacks In 2025
- NERC - Risks Posed by Firewall Firmware Vulnerabilities
- ScienceDirect - Assessing the impact of Modbus/TCP protocol attacks on critical infrastructure
- NIS2 Directive - official text