Initial access is the bottleneck in attacking industrial facilities. We analyzed confirmed breaches from 2025 and found that the attack vector distribution has shifted. Email phishing and compromised credentials still dominate, but USB-borne attacks and supply chain compromise are growing rapidly, suggesting attackers are finding traditional IT defenses increasingly difficult to penetrate.
Of the forty-seven confirmed incidents we reviewed, thirty-two percent originated from spear-phishing to engineering or operations staff. Twenty-three percent came through compromised integrator or vendor access. Seventeen percent involved USB devices found on-site or delivered by threat actors. The remaining twenty-eight percent included firmware backdoors, misconfigured remote access, and compromised OEM software.
Email Remains the Primary Vector
Phishing attacks targeting industrial organizations now regularly use fabricated maintenance alerts, equipment serial numbers, and facility-specific details. Attackers conduct reconnaissance before sending emails, making the messages difficult to distinguish from legitimate vendor communications. We have observed attackers using real company names and impersonating actual vendors, so that recipients who try to verify legitimacy often do so through channels the attacker has also compromised.
These attacks are no longer purely credential theft. Many include weaponized documents or malicious links designed to drop lightweight reconnaissance tools that establish persistence before escalating to credential harvesting.
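As an added illustration of the detection side (this is not code from the article or from the Cascadia practice), the following Python rule set scores inbound mail for the vendor-impersonation traits described above: a display name that claims an approved vendor from an unapproved sending domain, a lookalike domain, links leading off the vendor's domain, macro or executable attachments, and maintenance or urgency pretext language. The approved-vendor directory, domains, thresholds and sample messages are all constructed assumptions.

```python
"""Triage rules for vendor-impersonation mail aimed at engineering and operations staff.
Added example, not code from the article: it assumes the site keeps an approved-vendor
directory (display-name keyword -> sending domains) and that From, link hosts and
attachment names have already been parsed out of the message. All vendors, domains
and messages below are constructed."""
from dataclasses import dataclass, field
import re

# Hypothetical approved-vendor directory kept by the site (constructed).
APPROVED_VENDORS = {
    "northwind automation": {"northwind-automation.example"},
    "contoso drives": {"contoso-drives.example", "support.contoso-drives.example"},
}
APPROVED_DOMAINS = {d for domains in APPROVED_VENDORS.values() for d in domains}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".hta", ".iso", ".lnk", ".scr", ".docm", ".xlsm")
PRETEXT = re.compile(r"\b(urgent|immediately|maintenance alert|firmware|serial)\b")


@dataclass
class Message:
    from_name: str
    from_addr: str
    subject: str
    body: str = ""
    link_hosts: list = field(default_factory=list)
    attachments: list = field(default_factory=list)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _is_approved(host: str) -> bool:
    # Exact approved domain or a subdomain of one.
    return any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS)


def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, used to catch one- or two-character lookalike domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike_of(host: str):
    """Return the approved domain that `host` imitates, or None."""
    if _is_approved(host):
        return None
    for good in APPROVED_DOMAINS:
        brand = good.split(".")[-2]  # registrable label; assumes a one-label public suffix
        if _edit_distance(host, good) <= 2 or brand in host:
            return good
    return None


def score_message(msg: Message):
    score, reasons = 0, []
    sender = _domain(msg.from_addr)
    name = msg.from_name.lower()
    for vendor, domains in APPROVED_VENDORS.items():
        if vendor in name and not any(sender == d or sender.endswith("." + d) for d in domains):
            score += 40
            reasons.append(f"display name claims '{vendor}' but sender domain is {sender}")
    imitated = _lookalike_of(sender)
    if imitated:
        score += 30
        reasons.append(f"sender domain {sender} resembles approved domain {imitated}")
    foreign = [h for h in msg.link_hosts
               if h != sender and not h.endswith("." + sender) and not _is_approved(h)]
    if foreign:
        score += min(15 * len(foreign), 30)
        reasons.append("links lead outside sender and approved domains: " + ", ".join(foreign))
    risky = [a for a in msg.attachments if a.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        score += 25
        reasons.append("executable or macro-enabled attachment: " + ", ".join(risky))
    if PRETEXT.search((msg.subject + " " + msg.body).lower()):
        score += 10
        reasons.append("maintenance or urgency pretext language")
    return score, reasons


def triage(msg: Message):
    """Map the score to a mail-flow decision: hold for out-of-band verification, flag, or deliver."""
    score, reasons = score_message(msg)
    verdict = "hold" if score >= 50 else "flag" if score >= 25 else "deliver"
    return verdict, score, reasons


# Constructed samples: a genuine vendor notice, an impersonation of it, and unrelated mail.
SAMPLES = [
    Message("Northwind Automation Support", "support@northwind-automation.example",
            "Scheduled firmware maintenance window",
            link_hosts=["northwind-automation.example"], attachments=["release-notes.pdf"]),
    Message("Northwind Automation Support", "support@northwind-autornation.example",
            "URGENT: maintenance alert for PLC SN-4471",
            "Open the attached alert before the window closes.",
            link_hosts=["northwind-automation.example.update-portal.net"],
            attachments=["MaintenanceAlert_SN4471.docm"]),
    Message("Jane Doe", "jane@partner-co.example", "Site visit next week", attachments=["agenda.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        verdict, score, reasons = triage(m)
        print(f"{verdict:8} {score:3}  {m.from_addr}  {'; '.join(reasons)}")
```

The genuine notice scores only on the word "firmware" and is delivered; the impersonation trips every rule and is held. A "hold" verdict should route the message to a verification step that does not depend on anything in the message itself (the contact details on file from the contract, not the phone number or link in the email), which is the gap the reconnaissance-driven phishing above exploits.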
Emerging and Rising Vectors
- Supply chain compromise: Firmware updates and engineering tools from integrators and OEMs remain unverified in most deployments, creating a direct path to control systems.
- USB and physical media: Attackers are leaving USB devices at facility gates, in parking lots, and in common areas. Social engineering combined with legitimate-looking labels makes them high-success vectors.
- Remote access abuse: Legitimate remote access tools configured for convenience rather than security allow attackers to move freely once credentials are harvested.
- Cloud and OEM services: Increasing reliance on cloud-hosted engineering environments and OEM monitoring services expands the attack surface beyond the facility itself.
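To make concrete what "verified" would mean for the supply chain item above, the following Python pre-deployment gate is added here as an example (it is not code from the article, from any vendor, or from an OEM tool). It checks a firmware package against a vendor release manifest that the site obtained separately from the package download: the file must be listed, target the right model, match the published digest byte for byte, and not silently downgrade the installed version. The manifest layout, image bytes, model names and version strings are constructed assumptions.

```python
"""Pre-deployment gate for vendor firmware or engineering-tool packages.
Added example, not code from the article: it assumes the vendor publishes a
release manifest (filename, model, version, sha256) that the site fetches
separately from the package itself and whose authenticity is established by
the vendor's signing scheme before it reaches this gate. Manifest, image
bytes and model names are constructed."""
import hashlib
import hmac
import json


class FirmwareRejected(Exception):
    """Raised when a package fails any gate check."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(version: str) -> tuple:
    # "2.4.1" -> (2, 4, 1); anything non-numeric is rejected rather than guessed.
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        raise FirmwareRejected(f"unparseable version {version!r}")


def load_manifest(text: str) -> dict:
    # Validate the manifest shape so a malformed or truncated file cannot pass as empty.
    manifest = json.loads(text)
    for pkg in manifest.get("packages", []):
        for key in ("filename", "model", "version", "sha256"):
            if key not in pkg:
                raise FirmwareRejected(f"manifest entry missing {key!r}")
    return manifest


def check_package(filename, data, manifest, device_model, installed_version,
                  allow_downgrade=False):
    """Raise FirmwareRejected unless the package is listed, for this model,
    byte-for-byte what the manifest describes, and not a silent downgrade."""
    entry = next((p for p in manifest["packages"] if p["filename"] == filename), None)
    if entry is None:
        raise FirmwareRejected(f"{filename} is not listed in the release manifest")
    if entry["model"] != device_model:
        raise FirmwareRejected(f"{filename} targets {entry['model']}, device is {device_model}")
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, entry["sha256"].lower()):
        raise FirmwareRejected(f"{filename} digest {actual[:12]}... does not match manifest")
    if not allow_downgrade and parse_version(entry["version"]) <= parse_version(installed_version):
        raise FirmwareRejected(
            f"{filename} is {entry['version']}, installed is {installed_version}; "
            "rollback needs explicit approval (allow_downgrade=True)")
    return entry


def gate(filename, data, manifest, device_model, installed_version, allow_downgrade=False):
    """Non-raising wrapper returning (decision, detail) for logging or ticketing."""
    try:
        entry = check_package(filename, data, manifest, device_model,
                              installed_version, allow_downgrade)
    except FirmwareRejected as exc:
        return "reject", str(exc)
    return "accept", f"{filename} {entry['version']} for {entry['model']}"


# Constructed sample image and a copy with its last byte altered.
GOOD_IMAGE = b"constructed firmware image v2.4.1 for model PLC-7000\n" * 64
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + b"!"

# In production the digest below is copied from the vendor's manifest; here it is
# computed from the constructed image so the example runs offline.
MANIFEST = load_manifest(json.dumps({
    "vendor": "Northwind Automation (constructed)",
    "packages": [{"filename": "plc7000-2.4.1.bin", "model": "PLC-7000",
                  "version": "2.4.1", "sha256": sha256_hex(GOOD_IMAGE)}],
}))

if __name__ == "__main__":
    scenarios = [
        ("genuine image, upgrade", "plc7000-2.4.1.bin", GOOD_IMAGE, "PLC-7000", "2.3.9"),
        ("tampered image", "plc7000-2.4.1.bin", TAMPERED_IMAGE, "PLC-7000", "2.3.9"),
        ("wrong model", "plc7000-2.4.1.bin", GOOD_IMAGE, "PLC-5000", "2.3.9"),
        ("same version again", "plc7000-2.4.1.bin", GOOD_IMAGE, "PLC-7000", "2.4.1"),
        ("unlisted file", "tools-setup.exe", GOOD_IMAGE, "PLC-7000", "2.3.9"),
    ]
    for label, *args in scenarios:
        print(f"{label:22} -> {gate(*args)}")
```

Digest pinning only proves the package is the one the manifest describes, so the gate is only as strong as the channel that delivered the manifest; fetching it from the same download link as the image, or from an integrator's laptop, collapses the two back into one trust decision. The downgrade check is deliberately an explicit override rather than a silent allow, because a rollback to a version with known defects is an event that should leave a record.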
Defensive Prioritization
Your initial access defense strategy must address all vectors simultaneously. Email filtering alone is insufficient if USB devices and supplier access remain uncontrolled. If you'd like to discuss initial access threat modeling or entry vector hardening for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.