Release date:8.27.2025
Industrial Embedded Devices Under Siege
In the past two years, industrial embedded devices have faced a growing wave of cyber threats - and the stakes have never been higher. Vulnerabilities in systems from major vendors such as Honeywell, ABB, Emerson, and Johnson Controls have exposed critical infrastructure to potential sabotage, data theft, and operational disruption.
One of our most recent analyses, powered by PCA Cyber Security’s TICAP (Threat Intelligence Collection and Analysis Platform), reveals the evolving tactics used by threat actors, the devices most frequently targeted, and recent real-world incidents that highlight the urgency for better protection across industrial and energy sectors.
This article summarizes that research, focusing on the attack surface and vulnerabilities in industrial embedded devices discovered over the past two years (2024-2025).
The Expanding Attack Surface
Industrial embedded devices - from building automation controllers to power grid components - are increasingly network-connected, creating new opportunities for attackers. Over 2024–2025, critical flaws were uncovered in widely deployed products:
- Honeywell - Multiple high-severity vulnerabilities (CVSS scores up to 9.8) affecting MB-Secure (versions from V11.04 before V12.53) and MB-Secure PRO (versions from V01.06 before V03.09), Experion PKS, OneWireless WDM, Experion LX, PlantCruise, Safety Manager, ControlEdge UOC controllers, and other OT products. Exploitation could allow authentication bypass over the network, or even remote code execution, unauthorized system control, or manipulation of physical security systems.
- ABB - CODESYS runtime flaws and Cylon ASPECT, NEXUS, MATRIX building automation controller vulnerabilities enabling full system compromise, including takeover of HVAC, energy distribution, and safety controls.
- Emerson - PACSystem and Ovation control systems affected by OT:ICEFALL flaws, ransomware incidents, and ValveLink software weaknesses that could allow sabotage of industrial valves.
- Johnson Controls / Tridium Niagara - Critical vulnerabilities in building automation frameworks with supply chain implications, potentially enabling attackers to pivot into IT and OT networks.
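As an added illustration (not PCA's or Honeywell's code), the example below checks an asset inventory against the two MB-Secure version ranges quoted in the Honeywell bullet. The inventory rows and asset names are constructed, and it assumes firmware strings follow the `Vnn.nn` form shown above.

```python
import re

# Affected ranges as stated in the Honeywell bullet above. "from" is
# inclusive; "before" is exclusive (the first release outside the range).
AFFECTED = {
    "MB-Secure": ("V11.04", "V12.53"),
    "MB-Secure PRO": ("V01.06", "V03.09"),
}
_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)$")

def parse_version(text):
    """Turn 'V11.04' into (11, 4) so comparison is numeric, not lexical."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))

def is_affected(product, version):
    """True if version lies in the half-open affected range for product."""
    low, high = (parse_version(v) for v in AFFECTED[product])
    return low <= parse_version(version) < high

def triage(inventory):
    """Return (asset, status) pairs; odd rows are surfaced, never dropped."""
    results = []
    for row in inventory:
        if row["product"] not in AFFECTED:
            status = "no range listed"      # page gives no versions for it
        else:
            try:
                hit = is_affected(row["product"], row["version"])
                status = "affected" if hit else "outside range"
            except ValueError:
                status = "check manually"   # unparseable firmware string
        results.append((row["asset"], status))
    return results

# Constructed sample inventory: asset names and versions are hypothetical.
SAMPLE_INVENTORY = [
    {"asset": "panel-lobby", "product": "MB-Secure", "version": "V12.52"},
    {"asset": "panel-dock", "product": "MB-Secure", "version": "V12.53"},
    {"asset": "panel-old", "product": "MB-Secure", "version": "V9.80"},
    {"asset": "panel-lab", "product": "MB-Secure PRO", "version": "v01.06"},
    {"asset": "panel-gate", "product": "MB-Secure PRO", "version": "3.9-rc1"},
    {"asset": "dcs-01", "product": "Experion PKS", "version": "R520"},
]

if __name__ == "__main__":
    print(*triage(SAMPLE_INVENTORY), sep="\n")
```

Rows reported as "no range listed" or "check manually" still need a look at the vendor advisory; they are not a clean bill of health.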
The APT Group Hit List
Our TICAP analysis identified several industrial devices as frequent targets for Advanced Persistent Threat (APT) actors:
- Unitronics Vision PLC/HMIs - Previously shipped with default credentials (“1111”), widely used in water and wastewater systems.
- Orpak SiteOmat - Fuel station automation systems with default admin passwords.
- Red Lion Controllers - Used across factory automation, oil & gas, and WWS sectors.
- Tridium Niagara Framework - Core building automation platform vulnerable to unauthenticated remote access and code execution.
Recent Cyber Incidents in Critical Infrastructure
The vulnerabilities aren’t theoretical - they’re being actively exploited. The following real-life examples show the serious impact of these attacks.
- Norwegian Dam Hack (2025) - Weak password protection allowed attackers to fully open a water valve for hours.
- RECOPE Ransomware (Costa Rica, 2024) - State oil & gas company forced into manual operations after digital systems were crippled.
- Kuala Lumpur International Airport Attack (2025) - Disruption of flight displays, check-ins, and baggage systems, with a $10M ransom demand.
- Nucor Steel, DJH Services, Newpark Resources - Industrial and oilfield companies impacted by ransomware and data theft campaigns.
Malware & Attack Trends
Threat actors are increasingly using multi-platform toolkits and living-off-the-land techniques, enabling them to blend in with normal network activity and evade detection.
Examples include:
- BEARDSHELL & SLIMAGENT malware leveraging PowerShell and public cloud services for stealth operations.
- IOCONTROL malware capable of targeting a wide range of devices from IP cameras to complex SCADA systems.
Underground Activities
During the examined period, multiple attacks by malicious groups were discovered and further analyzed by the PCA Threat Intelligence Analyst team. In line with our responsible Vulnerability Disclosure Policy and other business policies of PCA Cyber Security, we are disclosing neither the details of these attacks nor the targeted companies in this article.
Clients of PCA Threat Intelligence services and subscribers of our TICAP (Threat Intelligence Collection and Analysis Platform) can always get access to further insights into certain kinds of underground activity.
The Takeaway: No One Is Too Small to Target
Several incidents prove that cybercriminals don’t exclusively target major corporations or central hubs. Smaller organizations - often with fewer defenses - are prime candidates for exploitation, either as direct victims or stepping stones in larger campaigns.
The attack surface for industrial embedded systems is complex, interconnected, and constantly changing. Protecting these assets demands specialized, proactive security measures that go far beyond traditional IT defenses.
How PCA Cyber Security Can Help
At PCA Cyber Security, we specialize in protecting the most complex and critical environments with services designed specifically for industrial embedded systems:
- Embedded Systems Penetration Testing - Identify and fix vulnerabilities before attackers exploit them.
- Embedded & Supply Chain Threat Intelligence - Continuous visibility into evolving threats to your specific products and systems.
- Product SOC - 24/7 monitoring and rapid incident response tailored for industrial and OT assets.
With the PCA Threat Intelligence curated service and PCA TICAP (Threat Intelligence Collection and Analysis) platform, we transform raw threat data into actionable intelligence, customized to your asset inventory and configuration. This enables you to prioritize the most relevant vulnerabilities and anticipate likely attack paths - before they become incidents.
Do you want to see TICAP and Threat Intelligence Analysts in action?
Stay ahead of the upcoming threats! Contact us today to learn how PCA Cyber Security and the TICAP platform can safeguard your industrial environment.
Article tags
embedded device security
industrial security
ot security
critical infrastructure