OT/ICS Cyberattacks on Indian Manufacturing: 10 Real Incidents & How to Defend Your Shopfloor
In 2025, Dragos tracked 119 ransomware groups targeting industrial organisations — up 49% from 80 groups in 2024. Manufacturing remains the #1 victim sector globally, with 75% of OT ransomware incidents causing partial shutdown and 25% causing full plant stoppage. For Indian manufacturers riding the Make in India wave, OT digitisation is accelerating — but security is not keeping pace. This post examines 10 real-world OT/ICS attacks, maps attacker techniques to the MITRE ATT&CK for ICS framework, and lays out a practical defence blueprint using Fortinet’s OT security stack.
70% of Indian industrial firms lack adequate OT security (Gartner 2024). 60% of Indian manufacturers use IIoT devices, yet only 25% have robust OT security controls (IDC 2024). CERT-In now mandates 6-hour incident reporting for OT/ICS attacks and requires annual audits that explicitly cover OT environments.
Why Indian Manufacturers Are Now Prime Targets
India’s manufacturing sector contributes 17% to GDP and is undergoing rapid OT digitisation through Make in India, Smart Cities Mission, and Industry 4.0 adoption. This creates an expanding attack surface: legacy PLCs connected to modern IIoT sensors, flat OT networks with no segmentation, and remote access VPNs added during COVID that were never decommissioned.
The India OT security market is projected to reach USD 1 billion by 2025, yet investment trails the threat curve. OT cyberattacks in India have risen 30%+ in recent years. The Kudankulam nuclear plant was targeted by North Korea’s Lazarus Group in 2019, power grids in North and West India have faced confirmed state-sponsored intrusions, and Polycab India (the country’s largest cable manufacturer) suffered a ransomware attack causing ₹20 crore in operational losses.
The regulatory landscape is tightening. CERT-In’s 2025 guidelines mandate that auditor assessments explicitly cover OT/ICS environments, that cyber incidents affecting OT be reported within 6 hours, and that audits be conducted annually, with re-audits after major infrastructure changes.
10 Real OT/ICS Attacks Every Plant Manager Must Know
1. TRITON/TRISIS — Safety Systems Under Attack (2017)
A Russian state-backed group (TsNIIKhM) deployed the first-ever malware targeting safety instrumented systems (SIS) at a Saudi petrochemical plant. The malware reprogrammed Schneider Electric Triconex controllers — the last line of defence against explosions and toxic releases. The plant auto-shutdown prevented catastrophe. The FBI warns the threat remains active against 18,000+ Triconex-equipped plants worldwide, including facilities in India.
2. Colonial Pipeline — IT Breach Cascading to OT (2021)
DarkSide ransomware compromised a VPN account with no MFA, encrypted IT systems, and Colonial proactively shut down OT pipeline operations for 5 days. Fuel shortages across the US Southeast. $4.4M ransom paid. The attack demonstrated that you don’t need to hack OT directly — an IT breach with poor IT/OT segmentation is enough to halt operations.
3. FrostyGoop — Modbus Protocol Exploitation (January 2024)
Russia-linked attackers used Windows malware to send malicious Modbus TCP commands directly to heating controllers in Lviv, Ukraine. 600+ apartment buildings lost heating for 48 hours during winter. This was the first confirmed attack using native ICS protocols (Modbus) to directly manipulate physical processes — no PLC-specific malware needed, just protocol knowledge.
4. Electrum/Sandworm — NATO Energy Infrastructure (December 2025)
The Sandworm lineage struck ~30 wind farms, solar installations, and a CHP plant in Poland — the first attack on NATO energy infrastructure. Attackers exploited internet-facing devices with default credentials, deployed wiper malware on HMIs, and corrupted OT device firmware. This attack demonstrated that renewable energy infrastructure is now a military target.
5. CyberAv3ngers — Default PLC Credentials (November 2023)
Iranian IRGC-affiliated hackers compromised 75+ Unitronics PLCs across US water utilities, energy, food/beverage, and healthcare sectors — simply by using default credentials. At Aliquippa, PA, they defaced HMI screens with anti-Israel messages. The attack was trivially simple yet affected critical infrastructure across multiple states.
6. Volt Typhoon — Silent Pre-Positioning (2023–2025)
China’s Volt Typhoon maintained covert access inside US electric utilities for ~300 days using living-off-the-land techniques — leveraging legitimate admin tools to avoid detection. They compromised cellular gateways and pivoted to engineering workstations. No destructive action was taken; the purpose was pre-positioning for future conflict. India, with its border tensions, faces an analogous threat.
7. Clorox Manufacturing — Social Engineering to Shopfloor (August 2023)
Scattered Spider social-engineered a service desk into resetting passwords, then moved laterally from IT into Clorox’s operational backbone. Manufacturing was disrupted for months. Direct costs: $49M. Total losses including lost revenue: $380M. The lesson: OT security starts at the help desk.
8. Industroyer2 — ICS Protocol Weaponisation (April 2022)
Sandworm (GRU Unit 74455) deployed Industroyer2 targeting Ukrainian high-voltage substations using IEC 104 and IEC 61850 protocols, combined with CaddyWiper for data destruction. CERT-UA detected and neutralised the attack before grid disruption. The attack showed continued Russian capability evolution in weaponising ICS-specific protocols.
9. Kudankulam Nuclear Power Plant, India (October 2019)
North Korea’s Lazarus Group deployed DTrack malware on the administrative network of India’s Kudankulam Nuclear Power Plant in Tamil Nadu. While no OT systems were compromised, the attack confirmed that India’s critical infrastructure is actively targeted by nation-state actors. The administrative network contained sensitive operational data that could inform future, more targeted attacks.
10. Polycab India — Manufacturing Ransomware (2023)
India’s largest cable manufacturer, Polycab India Ltd, suffered a ransomware attack that encrypted internal files and disrupted operations, causing ₹20 crore (~$2.4M) in operational losses. The attack started with an infected employee workstation and moved laterally through flat network architecture — a scenario replicated across thousands of Indian manufacturing SMEs.
How Attackers Get In: MITRE ATT&CK for ICS
The MITRE ATT&CK for ICS framework catalogues 12 tactics and 83 techniques observed in real OT attacks. The attacks above map to three critical phases:
INITIAL ACCESS
- T0812 — Default Credentials (CyberAv3ngers, Electrum)
- T0886 — Remote Services / VPN (Colonial Pipeline, Volt Typhoon)
- T0822 — External Remote Services (Electrum via internet-facing devices)
LATERAL MOVEMENT & EXECUTION
- T0842 — Network Sniffing (Volt Typhoon, Kudankulam)
- T0839 — Module Firmware Modification (TRITON)
- T0855 — Unauthorized Command Messages (FrostyGoop, Industroyer2)
IMPACT
- T0880 — Loss of Safety (TRITON)
- T0826 — Loss of Availability (Electrum, Colonial)
- T0831 — Manipulation of Control (FrostyGoop)
- T0809 — Data Destruction (Industroyer2 + CaddyWiper)
The pattern is consistent: attackers exploit weak initial access (default passwords, unpatched VPNs), pivot from IT to OT through flat networks, and then either encrypt for ransom or manipulate physical processes. Less than 10% of OT networks worldwide have any security monitoring — 90% of asset owners cannot detect the techniques used in the Ukraine grid attacks.
India’s OT Threat Landscape: What CERT-In and the Data Say
India’s industrial cybersecurity market is valued at USD 620M in 2024, projected to reach USD 1,070M by 2033 (CAGR 6.2%). But investment is reactive, not proactive. Key regulatory developments:
- CERT-In 6-hour reporting: All OT/ICS cyber incidents must be reported within 6 hours of detection
- OT in audit scope: Auditor assessments now explicitly cover OT/ICS environments (2025 guidelines)
- Annual audits: Required with re-audits after major infrastructure changes, including OT system upgrades
- Smart City OT: Building management systems, traffic controllers, and utility SCADA in Smart Cities Mission cities are emerging attack surfaces
The confirmed attacks on Kudankulam, Indian power grids, and Polycab demonstrate that India is not a theoretical target — it is an active one. With Make in India connecting more factories to the internet, the attack surface grows monthly.
Building an OT Incident Response Playbook
OT incident response is fundamentally different from IT. The #1 principle: safety first, always. Operations teams must have authority to isolate compromised systems without waiting for IT approval. A chemical plant cannot wait for a change advisory board to approve shutting down a compromised PLC.
Based on NIST SP 800-82 Rev. 3 and IEC 62443, a practical OT incident response playbook includes:
- Preparation: Asset inventory, Purdue Model mapping, network segmentation verification, safety system isolation testing
- Detection: OT-specific monitoring (FortiNDR for anomalous ICS protocol traffic), deception (FortiDeceptor honeypots simulating PLCs/HMIs)
- Containment: Pre-defined isolation procedures per Purdue zone; operations staff authorised to disconnect OT segments; IT/OT DMZ firewall rules (FortiGate Rugged)
- Eradication: Firmware integrity verification on PLCs/RTUs; golden image restoration; credential rotation across all OT accounts
- Recovery: Pre-Startup Safety Review (PSSR) before restarting processes; staged reconnection zone by zone; continuous monitoring for re-infection
- Lessons Learned: CERT-In 6-hour report submission; MITRE ATT&CK for ICS mapping of observed techniques; playbook updates; annual tabletop exercises
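As an added illustration of what the Detection step above means in practice for FrostyGoop-style Modbus manipulation (this is not code from the post, from Ogma or from Fortinet): a small Modbus/TCP frame parser that flags write function codes from hosts outside an assumed engineering-workstation allowlist, and flags malformed frames that a sensor should never see on a healthy OT segment. The IP addresses, the allowlist and the sample frames are constructed for the example.

```python
"""Flag unauthorised Modbus/TCP write commands in captured frames (added example).

Constructed sample traffic; the allowlist and host addresses are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change process state (reads are 0x01-0x04).
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
                   0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers"}

# Assumed allowlist: only these SCADA/engineering hosts may write to controllers.
AUTHORISED_WRITERS = {"10.20.0.5", "10.20.0.6"}

@dataclass
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function: int
    start_addr: Optional[int]

def parse_mbap(src, dst, payload):
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU); raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("short frame")
    _txn, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"non-Modbus protocol id {proto}")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError(f"length field {length} != {len(payload) - 6}")
    function = payload[7]
    start = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return ModbusRequest(src, dst, unit, function, start)

def detect_unauthorised_writes(frames):
    """Return alert strings for writes from non-allowlisted hosts and for malformed frames."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_mbap(src, dst, payload)
        except ValueError as err:
            alerts.append(f"MALFORMED {src}->{dst}: {err}")
            continue
        if req.function in WRITE_FUNCTIONS and req.src not in AUTHORISED_WRITERS:
            alerts.append(f"UNAUTHORISED WRITE {req.src}->{req.dst} unit {req.unit_id}: "
                          f"{WRITE_FUNCTIONS[req.function]} at address {req.start_addr}")
    return alerts

# Constructed capture: SCADA read, authorised write, write from a stray Windows host, truncated frame.
SAMPLE_FRAMES = [
    ("10.20.0.5", "10.30.1.10", bytes.fromhex("000100000006" "01" "03" "0000" "000a")),
    ("10.20.0.6", "10.30.1.10", bytes.fromhex("000200000006" "01" "06" "0010" "0050")),
    ("10.10.5.77", "10.30.1.10", bytes.fromhex("000300000006" "01" "06" "0010" "0000")),
    ("10.10.5.77", "10.30.1.10", bytes.fromhex("000400000006" "01" "03")),
]

if __name__ == "__main__":
    for alert in detect_unauthorised_writes(SAMPLE_FRAMES):
        print(alert)
```

Running it produces one UNAUTHORISED WRITE alert for the stray host and one MALFORMED alert for the truncated frame, while the authorised write and the read pass silently.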
Patch management in OT follows IEC 62443-2-3: risk-based, staged, and coordinated with operations. You cannot patch a running blast furnace — patches are tested in staging, scheduled during maintenance windows, and rolled back if safety tests fail.
Fortinet OT Security: From Shopfloor to SOC
Each attack vector above has a specific Fortinet countermeasure. Here is how the stack maps to real threats:
5-Step OT Security Roadmap for Indian Manufacturers
How Ogma Can Help
As a Fortinet authorized partner and cybersecurity services firm, Ogma combines deep OT security expertise with hands-on Fortinet deployment experience across Indian manufacturing and critical infrastructure:
- OT Security Assessment: Purdue Model gap analysis, asset discovery, vulnerability scanning with our 1,000-scan VA platform
- Fortinet OT Deployment: FortiGate Rugged, FortiNDR, FortiDeceptor, FortiSIEM design and implementation
- Breach & Attack Simulation: 256 attack simulations testing your OT defences against real-world TTPs
- Threat Intelligence: 4.1M+ active IOCs from our MISP-based TI platform, correlated with OT threat feeds
- CERT-In Compliance: Audit preparation, incident response playbook development, 6-hour reporting process setup
Secure Your Shopfloor Before Attackers Do
Get a free OT security consultation from Ogma’s NSE7-certified engineers.