Cryptomining malware on industrial networks presents a unique threat. Unlike malware designed for espionage or destruction, miners run continuously, consuming computational resources and power. This creates immediate operational degradation—slower systems, higher cooling costs, equipment wear. The financial incentive also attracts less sophisticated attackers, meaning detection opportunities are higher than with advanced threats.
We have observed cryptominers on plant networks at three major manufacturing facilities in the Pacific Northwest over the past two years. In each case, the infection had persisted for several months before discovery. The impact included accelerated hardware failure, reduced production throughput, and inflated power consumption that triggered facility-wide investigations before the underlying cause was identified.
How Miners Persist Undetected
Cryptominers establish persistence through compromised credentials, unpatched systems, or the same supply chain routes other threats use. What distinguishes them is their low profile. Unlike ransomware, miners do not announce their presence. They consume resources gradually and throttle back or go dormant during peak production hours so they never trigger the alarms that operations teams would notice.
Some miners specifically target GPU-equipped engineering workstations and graphics-enabled HMI systems, where mining can run alongside legitimate work without obvious performance degradation.
Detection and Investigation Methods
- Power consumption monitoring: Baseline facility power by hour of day and day of week. Persistent increases that operations cannot explain are a strong indicator of mining activity.
- CPU and GPU utilization: Monitor sustained high CPU or GPU usage on systems that should be idle or lightly loaded during off-shift hours.
- Network traffic analysis: Miners must communicate with mining pools. Look for persistent outbound connections to unusual destinations, especially on non-standard ports.
- Process enumeration: Run process audits on all systems, searching for known miner process names or CPU-intensive processes running with anomalous privileges.
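As an added example (not the practice's own tooling), the Python below combines the CPU-utilization and network-traffic checks from the list above and runs them over constructed telemetry. The off-shift window, the set of expected egress ports and the thresholds are assumptions to tune per facility.

```python
"""Flag hosts showing two indicators at once: sustained off-shift CPU load
and repeated outbound connections to non-standard ports (constructed data)."""
from collections import defaultdict
from datetime import datetime

OFF_SHIFT_START, OFF_SHIFT_END = 22, 6   # assumption: plant runs 06:00-22:00
STANDARD_PORTS = {53, 80, 443}            # assumption: expected egress ports

def is_off_shift(ts):
    return ts.hour >= OFF_SHIFT_START or ts.hour < OFF_SHIFT_END

def sustained_off_shift_load(samples, threshold=80.0, min_fraction=0.9, min_samples=4):
    """samples: (host, iso_timestamp, cpu_percent). Returns hosts whose off-shift
    samples were almost all above threshold: a steady load, not a single burst."""
    per_host = defaultdict(list)
    for host, ts, cpu in samples:
        if is_off_shift(datetime.fromisoformat(ts)):
            per_host[host].append(cpu >= threshold)
    return {h for h, hits in per_host.items()
            if len(hits) >= min_samples and sum(hits) / len(hits) >= min_fraction}

def persistent_nonstandard_egress(conns, min_connections=3):
    """conns: (host, dst_ip, dst_port). Returns {host: {(dst, port), ...}} for
    repeated outbound connections to the same non-standard destination."""
    counts = defaultdict(int)
    for host, dst, port in conns:
        if port not in STANDARD_PORTS:
            counts[(host, dst, port)] += 1
    flagged = defaultdict(set)
    for (host, dst, port), n in counts.items():
        if n >= min_connections:
            flagged[host].add((dst, port))
    return dict(flagged)

def suspect_hosts(samples, conns):
    """Hosts matching both indicators: the first candidates for a process audit."""
    egress = persistent_nonstandard_egress(conns)
    return {h: egress[h] for h in sustained_off_shift_load(samples) if h in egress}

# Constructed sample telemetry: hourly CPU polls overnight plus flow records.
NIGHT = (22, 23, 0, 1, 2, 3, 4, 5)
CPU_SAMPLES = (
    [("eng-ws-07", f"2024-03-04T{h:02d}:00:00", 93.0) for h in NIGHT]
    + [("hmi-line2", f"2024-03-04T{h:02d}:00:00", 12.0) for h in NIGHT]
    + [("eng-ws-07", "2024-03-04T10:00:00", 40.0), ("hmi-line2", "2024-03-04T10:00:00", 95.0)]
)
FLOWS = ([("eng-ws-07", "203.0.113.25", 3333)] * 5 + [("eng-ws-07", "192.0.2.10", 443)] * 8
         + [("hmi-line2", "192.0.2.10", 443)] * 6 + [("hmi-line2", "203.0.113.9", 8080)])

if __name__ == "__main__":
    for host, dests in suspect_hosts(CPU_SAMPLES, FLOWS).items():
        print(f"{host}: sustained off-shift load and persistent egress to {sorted(dests)}")
```

The daytime 95% sample on hmi-line2 is ignored on purpose: a busy HMI during a shift is normal, while a workstation pinned at 93% all night is not.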
Incident Response and Prevention
Cryptomining infections require the same response rigor as any malware incident. Assume the attacker has deeper access than the miner alone suggests. Rotate credentials, scan systems comprehensively, and implement controls to prevent reinfection. If you'd like to discuss cryptomining detection or incident response for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.