There have been many publicly documented control system cyberattacks that caused physical damage
Numerous publicly documented control system cyberattacks have caused physical damage in every sector. Many others have not been publicly documented. Other cases, such as Chinese-made equipment with hardware backdoors, have been documented, but the attack mechanisms have not yet been triggered. Additionally, there have been cases that were misidentified as cyberattacks when they were actually unintentional incidents.
On July 20, 2025, Sinclair Koelemij published an article debunking the FUD associated with OT cyberattacks, “The Hype Machine: Unpacking Claims of Physical Consequences in Cyberattacks”. Sinclair was clear that ransomware attacks are not control system cyberattacks, and I agree with him. He went on to address the dubious claims about three cyberattacks that the OT security community continues to reference: the 1982 Trans-Siberian (Gazprom) pipeline explosion, the 2008 Baku–Tbilisi–Ceyhan pipeline blast and the 2014 German steel mill blast furnace damage. I have all three in my database identified as “cause unknown.”
Sinclair said the only documented control system cyberattack that directly caused physical impacts was Stuxnet. (He addressed only one of the two Stuxnet attacks.) Sinclair’s key point was:
“After fifteen years of hype, Stuxnet remains the only fully documented cyber-induced hardware failure. The steel mill case might become the second, if independent evidence ever surfaces.”
His final thoughts were:
“Dramatic headlines are easy; hard evidence is scarce. Until more Stuxnet-class proof emerges, skepticism remains the engineer’s best defense against the hype machine.”
However, Sinclair missed many control system cyberattacks, most of which were outside the process industries (though some were in them). I have included only examples that “successfully” caused physical impacts, not just impacted networks, and that were publicly documented. In some cases, the documentation included criminal indictments. However, the OT security FUD machine has not addressed these cases. I can only surmise it is because these cyberattacks were not found through IT/OT network monitoring.
Here is a sample of publicly documented control system cyberattacks that caused physical damage from different sectors:
- The first documented malicious control system cyberattack that caused damage was the 2000 Maroochy Shire, Australia wastewater cyberattack, which dumped more than 250,000 gallons of raw sewage by remotely manipulating sewage discharge valves. The case was fully documented in the criminal indictment; the attacker was convicted and sentenced to jail. In the 2008 time frame, NIST had MITRE and me perform a detailed analysis of this case to determine how NIST SP 800-53 would have addressed the Maroochy Shire incident. That analysis is documented on the NIST and MITRE websites as well as in my book, “Protecting Industrial Control Systems from Electronic Threats.”
- In 2011, over a period of 2-3 months, minor glitches were observed in remote access to a small Midwest water district’s SCADA system. The remote access was coming from Russia. The SCADA system was powered off and on, resulting in the burnout of a water pump. This was documented in a DHS Fusion Center report.
- In 2011, ICS-CERT identified and responded to a cyber intrusion into a building Energy Management System (EMS) used to control heating and cooling for a state government facility. Facility personnel reported to ICS-CERT that they had discovered unauthorized adjustments to the EMS control settings that had resulted in unusually warm temperatures in the facility. ICS-CERT analyzed the provided telemetry data and access logs and determined that temperature set points had been changed by an unauthorized user via the Internet accessible interface. Someone had gained access to this system despite the remote logon configuration requiring a password.
- In 2014, a disgruntled employee who had worked for many years as a paper mill’s IT specialist and systems administrator was terminated and escorted from the facility. After being terminated, however, he remotely accessed the plant’s computer systems and transmitted code and commands that resulted in more than $1 million in damage to the mill and its operations. He was convicted and sentenced to jail.
- Millions of cars were cyberattacked by manipulation of fuel and emission controls (this was similar to the Stuxnet attack in that control system logic was manipulated and hidden while the “attack” was occurring). Domestic and international auto manufacturers, and the developer of the motor control and mixture control devices whose software contained the illegal strategies, were fined, and at least one person went to jail. However, these cases were not considered to be cyberattacks because the impacts were “only emission releases and devaluation of the impacted cars.” They also did not involve IT or OT networks.
- A disgruntled ex-employee hacked into the Wonderware SCADA system of a rural water district and randomly manipulated pumps and setpoints for 40 minutes. He deleted his old password and used the password of a current employee to reach the Wonderware SCADA system through remote access; the plant’s remote access was set up to log only every 2 hours. He “randomly” switched pumps from automatic to local, changed lead to lag and vice versa, and changed setpoints. He was caught and sentenced. I originally found out about this case when the Federal Public Defender wanted to know if it was possible to cause harm if the intruder was only in for 40 minutes. There is a public indictment.
- In 2015, 2016, and 2022, Russia cyberattacked the Ukrainian power grid, opening breakers and causing widespread electric outages. These cases were identified by CISA and various other organizations.
- In 2022, the radiation monitoring system around the Chernobyl nuclear plant exclusion zone recorded a massive increase in external gamma dose rates, with the most affected stations reporting dose rates 3-600 times higher than normal. These increases vastly exceeded normal fluctuations. This dose rate anomaly generated significant concern and attention in the days following the Russian invasion. Reporting by the International Atomic Energy Agency (IAEA), international media outlets and the State Nuclear Regulatory Inspectorate of Ukraine (SNRIU) indicated that this temporary elevation was due to radioactive dust kicked up by invading Russian forces. If the reported dose rates had in fact been valid, they would have presented an immediate and enduring hazard to everyone onsite. However, these readings were hacked, and as a result the Ukrainian forces did not enter this “highly radioactive” zone. The analysis has been documented in scientific journals.
- In August 2023, a poultry processing facility faced a potential crisis when a former technician at a cleaning service company manipulated its chemical cleaning systems. According to court documents, the defendant altered levels of peracetic acid and sodium hydroxide — chemicals critical for sanitizing poultry but hazardous if mishandled — while disabling safety alarms and redirecting notification emails to mask his actions. The indictment was made public more than a year and a half after the incident.
- In January 2024, a pro-Russia hacktivist group accessed control systems at two Texas water facilities and tampered with their water pumps and alarms, causing water to overflow. The cases were documented by CISA and compiled by the Office of the Director of National Intelligence (ODNI). The ODNI report also indicated that Iran had hacked 29 Unitronics control system sites.
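The water-district cases above came down to a handful of control actions, not network malware: pumps switched from automatic to local, lead/lag swapped, setpoints changed, or a system powered off and on until a pump burned out. As an added example that is not part of this column or any cited report, the following Python review scans a constructed SCADA alarm/event journal for exactly those patterns. The tag names, user names, timestamps and thresholds are all invented for illustration.

```python
"""Review a constructed control-system event journal for the patterns in the
water-district cases: a burst of mode/setpoint changes from one remote session,
and repeated power cycling of a single pump.  Added example; the journal,
tag names, users and thresholds are assumptions, not real site data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample journal. Fields: timestamp, user, origin, tag, event, value.
EVENTS = [
    ("2024-03-10 02:03:10", "jsmith", "remote", "P-101", "MODE", "LOCAL"),
    ("2024-03-10 02:04:30", "jsmith", "remote", "P-102", "MODE", "LOCAL"),
    ("2024-03-10 02:06:02", "jsmith", "remote", "P-101", "LEADLAG", "LAG"),
    ("2024-03-10 02:06:40", "jsmith", "remote", "P-102", "LEADLAG", "LEAD"),
    ("2024-03-10 02:09:15", "jsmith", "remote", "LT-200", "SETPOINT", "3.5"),
    ("2024-03-10 02:12:50", "jsmith", "remote", "LT-200", "SETPOINT", "9.0"),
    ("2024-03-10 09:15:00", "operator1", "local", "LT-200", "SETPOINT", "6.0"),
    ("2024-03-11 14:00:00", "scada", "remote", "P-201", "POWER", "OFF"),
    ("2024-03-11 14:02:00", "scada", "remote", "P-201", "POWER", "ON"),
    ("2024-03-11 14:05:00", "scada", "remote", "P-201", "POWER", "OFF"),
    ("2024-03-11 14:07:00", "scada", "remote", "P-201", "POWER", "ON"),
    ("2024-03-11 14:10:00", "scada", "remote", "P-201", "POWER", "OFF"),
    ("2024-03-11 14:12:00", "scada", "remote", "P-201", "POWER", "ON"),
]

# Event types that change how the process is controlled (assumed naming).
CONTROL_EVENTS = {"MODE", "LEADLAG", "SETPOINT"}


def parse(events):
    """Convert the journal's timestamp strings into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, o, t, e, v)
            for ts, u, o, t, e, v in events]


def remote_change_bursts(events, window=timedelta(minutes=10), threshold=4):
    """Flag a remote user who makes >= threshold control changes inside window.

    Returns one finding per user: start time, number of changes, tags touched."""
    by_user = defaultdict(list)
    for ts, user, origin, tag, ev, val in parse(events):
        if origin == "remote" and ev in CONTROL_EVENTS:
            by_user[user].append((ts, tag, ev, val))
    findings = []
    for user, acts in by_user.items():
        acts.sort()
        for i, (start, *_) in enumerate(acts):
            run = [a for a in acts[i:] if a[0] - start <= window]
            if len(run) >= threshold:
                findings.append({"user": user, "start": start, "count": len(run),
                                 "tags": sorted({a[1] for a in run})})
                break
    return findings


def power_cycling(events, max_cycles=2, window=timedelta(hours=1)):
    """Flag a tag driven OFF then ON more than max_cycles times inside window."""
    by_tag = defaultdict(list)
    for ts, user, origin, tag, ev, val in parse(events):
        if ev == "POWER":
            by_tag[tag].append((ts, val))
    findings = []
    for tag, seq in by_tag.items():
        seq.sort()
        # Timestamp of each OFF->ON transition (one completed power cycle).
        on_times = [ts for (pts, pv), (ts, v) in zip(seq, seq[1:])
                    if pv == "OFF" and v == "ON"]
        for i, start in enumerate(on_times):
            cycles = sum(1 for t in on_times[i:] if t - start <= window)
            if cycles > max_cycles:
                findings.append({"tag": tag, "start": start, "cycles": cycles})
                break
    return findings


if __name__ == "__main__":
    for f in remote_change_bursts(EVENTS) + power_cycling(EVENTS):
        print(f)
```

Both checks read the control system's own journal rather than network traffic, which is the point of the cases above: a credentialed remote session looks like legitimate traffic to IT/OT network monitoring, while the sequence of process actions it produced is what gives it away.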
Summary
There are numerous publicly documented control system cyberattacks in every sector that caused physical damage. There have been many other control system cyber incidents that were not publicly documented or were part of the ongoing Russia-Ukraine or Israel-Palestinian/Iran wars. Most of these control system cyber incidents have not been addressed by the network IT/OT cybersecurity community, as most were not caused by network malware, and there were neither control system cyber forensics nor training to identify the incidents as being cyber-related.