New research out today: 82% of cyberattacks on cyber-physical systems used remote access tools like VNC to reach exposed HMI and SCADA systems directly. Two thirds of those incidents involved compromising the human-machine interface or supervisory control systems.

This is not a sophisticated nation-state technique. It is basic remote access to systems that were never designed to be internet-facing — and in many cases, nobody knew they were.

The entry point in most of these attacks is not a zero-day exploit. It is a device that is visible when it should not be, reachable when it should not be, and communicating with something it has no business talking to. The kind of thing that shows up immediately on an outbound traffic dashboard configured to look for it — and stays invisible forever without one.

Asset discovery finds the device. Contextual monitoring finds the conversation. Inline enforcement stops it before it becomes a breach.

Source: Claroty Team82 — Analyzing CPS Attack Trends, March 2026