The Activity And What It Means

Since at least mid-November 2025, an operator I track as SLATE FERROUS has been conducting sustained reconnaissance against industrial control system networks operated by mid-size utilities and by specialty industrial manufacturers in three U.S. regions. The targeting is consistent. The dwell time is long. The operator is not running smash-and-grab tradecraft. The operator is reading traffic. The reading is the work product the operator's customer is paying for.

I am withholding the affected vendor of the ICS platform involved, the affected protocol layer, and the specific category of misconfiguration that the operator has been exploiting. The vendor's coordinated disclosure cycle is in motion. The remediation is not yet complete. Naming any of those things together, in a public column, would compress the remediation timeline in ways that benefit no one except the operator's customer.

The Sector Pattern

The three sectors carrying SLATE FERROUS activity are mid-tier municipal utilities, specialty chemical manufacturers, and discrete-process industrial producers with significant export exposure. The selection pattern is too specific to be opportunistic. The operator is interested in the data flows that traverse the ICS layer in these sectors. The data flows include process telemetry, batch records, and the operator-to-supervisor command traffic that, in the right hands, would allow an adversary to model the production capacity, the supply chain dependencies, and the operational decision-making of the targeted enterprises.

The strategic value of that modeling is substantial for an adversary preparing to disrupt the targets at a future date of the adversary's choosing. The strategic value is also substantial for an adversary doing competitive intelligence in support of state-affiliated industrial policy. The two motivations are not mutually exclusive. The operator's customer profile, as best as I can read it from the available signals, is consistent with either or both.

The Defensive Read For Utility Operators

If you operate a municipal or mid-tier utility, your incident response posture for the next ninety days should treat adversary observation of the ICS side as a working hypothesis rather than a possibility. The reconnaissance the operator is conducting does not produce the alarms your security operations center is tuned for. It produces patterns of low-volume traffic to the ICS-to-IT bridge, anomalies in operator-to-supervisor session timing, and shifts in the historical baseline of how often particular protocol commands appear in the network capture.

These are the questions to ask your operations technology team this week. Have you baselined the protocol command distribution on your ICS network over the last twelve months in a way that lets you spot shifts in that distribution? Have you instrumented the ICS-to-IT bridge with the kind of traffic monitoring you have on your enterprise perimeter? Have you reviewed the access credentials for the engineering workstations that connect to the ICS environment, looking specifically for credentials that have gone unrotated for longer than your written policy allows? Each question is a hunting prompt. Each prompt deserves an answer this week.
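The first hunting prompt, a twelve-month command-distribution baseline, is the one teams most often find they cannot answer, because nobody has reduced the capture to a per-command time series. The script below is an added example, not code from the column or from any vendor, showing the shape of that check. It assumes a one-line-per-command summary export from a capture (timestamp, source, destination, command label); the labels READ, WRITE, DIAG and CONFIG and the addresses are constructed placeholders and do not correspond to any particular protocol's function codes. It pools the first N days into a reference distribution, then flags later days by total-variation distance, by commands never seen in the baseline, and by commands observed at several times their baseline-expected count, which is the kind of low-volume shift the column describes.

```python
"""Baseline-versus-recent drift check on ICS protocol command distribution.

Added example, not from the column or any vendor. Assumes a one-line-per-command
summary export: "<ISO timestamp> src=<ip> dst=<ip> cmd=<label>". The command
labels READ/WRITE/DIAG/CONFIG are generic placeholders, not real function codes.
"""
from collections import Counter, defaultdict


def make_sample_lines():
    """Constructed sample data: six days of routine polling, then one day on
    which normally rare DIAG commands surge and a never-seen CONFIG command
    appears, while total daily volume barely changes."""
    days = ["2025-11-%02d" % d for d in range(15, 22)]
    per_day = [  # (READ, WRITE, DIAG, CONFIG) counts per day, constructed
        (200, 20, 1, 0), (210, 22, 0, 0), (195, 19, 1, 0),
        (205, 21, 1, 0), (198, 20, 0, 0), (202, 20, 1, 0),
        (190, 18, 12, 6),
    ]
    lines = []
    for day, counts in zip(days, per_day):
        for cmd, n in zip(("READ", "WRITE", "DIAG", "CONFIG"), counts):
            for i in range(n):
                lines.append(
                    f"{day}T08:{i % 60:02d}:00Z src=10.0.5.{10 + i % 4} "
                    f"dst=10.0.6.1 cmd={cmd}"
                )
    return lines


def parse_line(line):
    """Return (day, command) from one summary line, or None if malformed."""
    fields = line.split()
    if len(fields) < 4 or "T" not in fields[0]:
        return None
    kv = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    if "cmd" not in kv:
        return None
    return fields[0].split("T")[0], kv["cmd"]


def daily_counts(lines):
    """Aggregate lines into {day: Counter(command -> count)}, ordered by day."""
    daily = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            day, cmd = parsed
            daily[day][cmd] += 1
    return dict(sorted(daily.items()))


def distribution(counter):
    """Relative frequency of each command within one Counter."""
    total = sum(counter.values())
    return {cmd: n / total for cmd, n in counter.items()} if total else {}


def total_variation(p, q):
    """Total variation distance: half the L1 difference over the union of keys."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)


def score_days(daily, baseline_days, tv_threshold=0.05, surge_factor=5.0):
    """Pool the first `baseline_days` days into a reference distribution and
    flag each later day whose distribution drifts past tv_threshold, listing
    commands absent from the baseline (novel) and commands seen at more than
    surge_factor times their baseline-expected count, with a floor of one
    expected occurrence so rare commands are not over-flagged (surging)."""
    days = list(daily)
    pooled = Counter()
    for day in days[:baseline_days]:
        pooled.update(daily[day])
    base = distribution(pooled)
    findings = []
    for day in days[baseline_days:]:
        counts = daily[day]
        tv = total_variation(base, distribution(counts))
        total = sum(counts.values())
        novel = sorted(c for c in counts if c not in base)
        surging = sorted(
            c for c, n in counts.items()
            if c in base and n >= surge_factor * max(base[c] * total, 1.0)
        )
        if tv >= tv_threshold or novel or surging:
            findings.append({"day": day, "tv": round(tv, 4),
                             "novel": novel, "surging": surging})
    return findings


if __name__ == "__main__":
    for finding in score_days(daily_counts(make_sample_lines()), baseline_days=6):
        print(finding)
```

On real data the baseline window should be the twelve months the column asks about, and the pooling should be done per engineering workstation or per source-destination pair rather than network-wide, since a reconnaissance session against one supervisor shows up as a distribution shift on that pair long before it moves the aggregate. Thresholds are assumptions to be tuned against the site's own history, not constants.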

The Operational Discipline I Am Maintaining

I will not give the vendor. I will not give the protocol. I will not give the misconfiguration class at a level of specificity that would allow an opportunist to replicate the operator's approach. I will say that the vendor in question is well-known, that the protocol involved is a mainstream industrial automation protocol of the kind the ISA/IEC 62443 (formerly ISA-99) standards address, and that the misconfiguration class is one that vendor documentation has cautioned against for years but that field deployments commonly ignore.

The reasons for the discipline are operational. The remediation requires the vendor's coordination with the affected operators and with CISA, which now carries the former ICS-CERT function. The coordination is more efficient when the vendor is not also managing the public attention that specific naming would generate. The coordination is measured in weeks, not months. The defensive guidance in this column does not require the specific naming to be actionable. The hunting prompts above apply regardless of which platform the reader's environment runs.

The Attribution Posture

I am not naming an attribution to a state or to a known cluster at this stage. The attribution work is being done by parties whose visibility into the campaign exceeds my own. The defensive guidance does not depend on the attribution being final. The activity is the activity. The response is the response. The attribution, when it crosses the threshold for confident public statement, will be made in the appropriate venues.

What I will say about attribution is structural. The operator's tradecraft is the tradecraft of a customer with sustained access to operator personnel. The operator's targeting is the targeting of a customer with a specific strategic-industrial intelligence requirement. The operator's patience is the patience of a customer who can defer the value realization. The structural signals point in a small number of directions. Readers who have seen this column in prior campaigns will recognize the pattern.

What To Expect

Vendor coordinated disclosure on this activity is expected within the next six to ten weeks. CISA will issue an advisory in coordination with the vendor. Industry threat intelligence vendors will publish technical analyses under their own designators within thirty days of the CISA advisory. The defenders who acted on the framing in this column will be ahead of the public timeline by approximately a quarter. The defenders who wait will be reading the public reporting and trying to determine, after the fact, whether the activity touched their environments during the window in which they had no instrumentation in place to know either way.

The cluster has a designator. It does not yet have a press release. By the time it does, your incident response team should already know what to do. Track the activity, not the artifact. Patch and configuration posture matter here. I will say what can be said.