The Evolving Threat of Cyber-Physical Attacks: What Industry Leaders Need to Know

A new report from Honeywell’s cybersecurity research team reveals troubling patterns in how cyberattacks are increasingly capable of causing real-world physical damage to critical infrastructure.

Six Attacks That Changed Everything

Since Stuxnet shocked the world in 2010 by physically destroying Iranian centrifuges through malicious code, five more sophisticated cyber-physical attacks have emerged. Together, these “Cyber-Physical Six”—Stuxnet, BlackEnergy, Industroyer, Trisis, Industroyer 2, and Incontroller—represent a growing arsenal that can disrupt power grids, manipulate safety systems, and sabotage industrial processes.

The attacks have primarily targeted Ukraine’s energy infrastructure, with BlackEnergy causing prolonged blackouts in 2015 and Industroyer striking the power grid in 2016. Most concerning was Trisis in 2017, which targeted safety systems designed to prevent industrial disasters—essentially removing the guardrails meant to protect human life.

A Disturbing Pattern Emerges

The report identifies several alarming trends. First, attacks are becoming more modular and automated, evolving from complex frameworks requiring constant oversight to self-contained weapons that can operate independently. Second, the time between new attacks is shrinking dramatically—from a five-year gap after Stuxnet to multiple attacks emerging simultaneously in 2022.

Perhaps most significant is the expanding target scope. The latest framework, Incontroller, supports 10 industrial protocols used across the energy, manufacturing, oil and gas, and building automation sectors. This means a single attack platform can potentially threaten multiple industries.

The Supply Chain Vulnerability

Attackers typically need extensive intelligence about their targets before striking, which requires either prolonged reconnaissance or command-and-control access to industrial networks. The report emphasizes that USB drives and compromised supply chains remain significant vulnerabilities, with approximately half of removable media threats specifically designed to propagate via USB storage.

What This Means for Industry

The good news is that these sophisticated attacks still require initial network access and detailed target knowledge, creating opportunities for early detection. Companies can protect themselves by securing sensitive operational data, implementing strict network controls, and assuming all industrial systems are vulnerable regardless of patch status.

As cyber-physical attack capabilities continue to mature and diversify, the question isn’t whether new threats will emerge, but when—and whether critical infrastructure operators will be ready.
