Executive summary
Dark factories and dark logistics sites are attractive cyber targets because automation concentrates operational trust in software. A lights-out warehouse or factory may have fewer people on the floor, but it has more dependency on WMS, MES, robotics fleet managers, PLCs, sensors, RFID readers, cloud dashboards, remote maintenance, and machine identity.
The risk is not only data theft. The risk is wrong motion, stopped motion, invisible motion, and delayed recovery.
In 2026, Melina Security treats dark-factory and dark-logistics assessments as cyber-physical dependency assessments. We map how a digital compromise becomes a missed shipment, stopped production line, unsafe robot behavior, inventory corruption, or business interruption.
All testing of industrial, robotics, logistics, and OT systems must be authorized in writing and scoped with safety constraints before work begins.
Why automated operations change the threat model
Traditional IT incidents often begin and end in data systems. Automated operations do not. A ransomware infection in a warehouse management server can block picking. A compromised robotics fleet manager can stop autonomous mobile robots. A manipulated RFID or barcode workflow can corrupt inventory state. A misconfigured VPN path can give a contractor more access than intended.
Dragos reported that 119 ransomware groups impacted more than 3,300 industrial organizations in 2025, with manufacturing representing a large share of victims. Nozomi Networks’ 2026 OT/IoT reporting identifies transportation and manufacturing as the top targeted sectors for the full calendar year. Forescout’s 2026 device-risk research adds a useful detail: high-risk connected device classes now include serial-to-IP converters, RFID readers, BACnet routers, I/O modules, and power distribution devices.
Those are not abstract enterprise endpoints. They are the connective tissue of automated facilities.
The lights-out dependency stack
Dark operations are only “dark” from a staffing perspective. From a network perspective, they are dense.
| Layer | Typical systems | Failure mode after compromise |
|---|---|---|
| Business planning | ERP, order management, supplier portals | Wrong demand, wrong release, delayed order flow |
| Execution | WMS, WES, MES, SCADA | Stopped production, wrong pick path, blocked batch execution |
| Robotics | AMR fleet manager, robot charging, path planning, safety zones | Fleet halt, traffic jams, unsafe routing, recovery delay |
| Control | PLCs, drives, conveyors, sorters, dock automation | Physical stoppage, misrouting, equipment stress |
| Identity and sensing | RFID readers, barcode scanners, cameras, time clocks | Inventory drift, identity fraud, blind spots |
| Remote access | VPN, vendor jump boxes, cloud dashboards | Persistent external foothold |
| Support services | DNS, NTP, IAM, certificates, logging | System-wide instability and poor forensics |
The dangerous part is cross-layer coupling. A cyber event rarely stays neatly inside one layer. WMS depends on identity, robots depend on Wi-Fi and fleet control, conveyors depend on PLC logic, and incident response depends on logs that may not exist at the device layer.
Five attack scenarios that matter
1. Ransomware blocks execution, not only files
The most obvious scenario is ransomware against IT servers. In automated sites, the damaging system may be WMS, MES, engineering workstation, historian, jump host, or identity provider. Encryption is only one path. Service disruption is enough.
If the WMS cannot release work, AMRs and conveyors may be physically healthy but idle. If engineering workstations are unavailable, recovery may be slow even when backups exist.
Assessment question: which three systems would stop the site within one hour if unavailable?
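To make that assessment question answerable rather than rhetorical, here is an added worked example (written for this article; not Melina Security's tooling, and not a real site): a small dependency model in Python in which each system records how many minutes it can keep operating after one of its dependencies fails, and a shortest-path search finds which single failures halt picking, conveyors or the robot fleet inside a chosen window. Every system name and tolerance value is an assumption constructed for the example.

```python
import heapq
from math import inf

# Constructed dependency graph for one hypothetical lights-out site (not a real
# facility). Each key depends on the systems in its value; the number is how many
# minutes it keeps operating after that dependency fails (queued work, cached
# sessions, DNS cache TTL, ...). 0 means it stops immediately.
DEPENDS_ON = {
    "picking":       {"wms": 0, "rfid_readers": 0},
    "conveyors":     {"plc_sorter": 0, "wms": 15},          # sorter holds ~15 min of released work
    "amr_fleet":     {"fleet_manager": 5, "site_wifi": 0},  # robots finish the current task
    "fleet_manager": {"idp": 30, "dns": 10},
    "wms":           {"idp": 30, "dns": 10, "erp_db": 120},
    "site_wifi":     {"idp": 60},                           # 802.1X re-authentication interval
    "idp":           {"dns": 10},
}
PHYSICAL_FUNCTIONS = ("picking", "conveyors", "amr_fleet")


def all_systems():
    """Every node that something depends on, minus the physical functions themselves."""
    nodes = set(DEPENDS_ON)
    for deps in DEPENDS_ON.values():
        nodes.update(deps)
    return nodes - set(PHYSICAL_FUNCTIONS)


def time_to_stop(function, failed_system):
    """Minutes until `function` halts once `failed_system` is down, or None if unaffected.

    Buffers along a dependency chain are consumed in sequence, so the chain that
    exhausts its buffers fastest decides the outcome: a shortest-path search over
    the tolerance weights (Dijkstra, since all weights are non-negative)."""
    best = {function: 0}
    heap = [(0, function)]
    while heap:
        minutes, node = heapq.heappop(heap)
        if node == failed_system:
            return minutes
        if minutes > best.get(node, inf):
            continue
        for dep, tolerance in DEPENDS_ON.get(node, {}).items():
            candidate = minutes + tolerance
            if candidate < best.get(dep, inf):
                best[dep] = candidate
                heapq.heappush(heap, (candidate, dep))
    return None


def stoppage_report(horizon_minutes=60):
    """Rank systems by how many physical functions they stop within the horizon.

    Returns [(system, [(function, minutes_to_stop), ...]), ...], most damaging first."""
    rows = []
    for system in sorted(all_systems()):
        stopped = []
        for fn in PHYSICAL_FUNCTIONS:
            t = time_to_stop(fn, system)
            if t is not None and t <= horizon_minutes:
                stopped.append((fn, t))
        if stopped:
            rows.append((system, stopped))
    rows.sort(key=lambda row: (-len(row[1]), min(t for _, t in row[1]), row[0]))
    return rows


if __name__ == "__main__":
    for system, stopped in stoppage_report(60):
        detail = ", ".join(f"{fn} in {t} min" for fn, t in stopped)
        print(f"{system:14s} stops {len(stopped)} function(s): {detail}")
```

The tolerances are the interesting part: in this constructed model DNS and the identity provider rank first not because they look critical on an architecture diagram but because every chain's buffer runs out quickly through them, while the ERP database is tolerated for hours. In a real assessment the numbers come from cache lifetimes, queue depths and what was observed during failover tests, and the report is re-run every time the site's integration changes.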
2. Remote maintenance becomes privileged access
Automated facilities rely on vendors. Robotics integrators, conveyor suppliers, camera vendors, controls engineers, and cloud dashboard providers may all need access. That access is often created under delivery pressure.
The common weakness is not “remote access exists.” The weakness is that remote access is shared, over-permissioned, weakly logged, or still active after commissioning.
Assessment question: which external accounts can change logic, firmware, routes, or safety-zone configuration?
3. Robot fleet disruption creates physical backlog
AMRs, AGVs, and robotic workcells have operational choke points: charging stations, fleet managers, path maps, safety zones, localization markers, and dispatch queues. Attacking one choke point can degrade the whole fleet without touching every robot.
The business impact is compounding. A 30-minute fleet halt at peak throughput may create hours of recovery work because containers, pallets, or work-in-progress accumulate in the wrong places.
Assessment question: can one compromised service degrade every robot in the fleet?
4. Inventory state is changed without obvious downtime
Not every attack stops the facility. Some attacks make it wrong.
RFID reader manipulation, barcode workflow tampering, API abuse, or database changes can create inventory drift. That drift may surface later as missed shipments, phantom stock, compliance issues, or disputes with customers.
This is especially relevant to dark logistics because the physical floor may have fewer humans who notice anomalies.
Assessment question: which systems are allowed to assert inventory truth, and how are contradictions detected?
5. Edge devices become the bridge
Forescout’s 2026 list is a reminder that small devices matter: serial-to-IP converters, RFID readers, time clocks, BACnet routers, I/O modules, and PDUs often sit between IT and physical process. They may not have endpoint agents, mature logging, or routine patching.
In a dark facility, those devices can be more operationally important than laptops.
Assessment question: which edge devices can reach both management networks and operational systems?
Dark logistics has a special weakness: partner complexity
Factories usually have complex supplier environments. Logistics sites add another layer: carriers, customs brokers, 3PLs, dock systems, fleet operators, customer portals, IoT trackers, and freight-forwarding integrations.
DHL’s public cybersecurity guidance for freight forwarding warns that supply-chain cybersecurity can be weakened by a single IoT sensor. That is the right mental model. In logistics, a minor device or partner integration may become the path into a critical workflow.
The strongest logistics security programs map trust by operational consequence:
- Who can create, release, cancel, or redirect shipments?
- Who can update routing data?
- Who can change dock appointment state?
- Which APIs can override manual review?
- Which sensors or readers feed billing, custody, or compliance records?
The answer is rarely owned by one team. It crosses IT, operations, supply chain, security, and legal.
What to test before a site goes live
For a new automated facility, penetration testing should not wait until after commissioning. The best window is before production go-live, when network segmentation, remote access, identity, logging, and recovery procedures can still be changed without disrupting live orders.
| Test area | What to validate | Evidence to collect |
|---|---|---|
| Network segmentation | Robotics, OT, corporate IT, guest, vendor access separation | Reachability matrix and blocked-path proof |
| Remote access | MFA, named accounts, least privilege, session recording | Account inventory and privilege map |
| WMS/MES/API security | AuthZ, input validation, dangerous workflow abuse | Exploit paths and compensating controls |
| Robotics fleet manager | Role model, map/config protection, recovery controls | Tested misuse cases and safety boundaries |
| PLC and edge device exposure | Engineering access, default credentials, firmware age | Device list with owner and remediation plan |
| Logging and forensics | Ability to reconstruct operational change | Sample incident timeline from logs |
| Backup and recovery | Restore time for execution-critical systems | Recovery test results, not policy claims |
Do not test motion-control systems casually. Safety constraints, test windows, manual override procedures, and operator presence must be agreed before any test touches robot movement, PLC logic, or production equipment.
The Melina Security assessment model
For dark-factory and dark-logistics environments, Melina Security uses a four-part assessment model:
- Dependency mapping: identify the systems that translate cyber state into physical operation.
- Trust-boundary review: map identities, APIs, network paths, vendor access, and machine-to-machine permissions.
- Abuse-case testing: test realistic misuse cases under safety constraints, prioritizing stoppage, misrouting, inventory corruption, and recovery delay.
- Recovery validation: verify whether the site can restore critical execution systems within the required operational window.
This differs from a generic IT penetration test. A normal web-app finding may matter less than a lower-severity weakness that lets an attacker stop a conveyor, poison inventory, or disable robot dispatch.
Defensible architecture principles
The security architecture for automated operations should follow five principles.
1. Segment by operational consequence
Separate networks according to what failure does. A robot fleet manager, WMS server, domain controller, and visitor Wi-Fi segment should not share broad trust because their failure consequences are different.
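As an added example of the "reachability matrix and blocked-path proof" evidence from the test table above, and of checking segmentation by consequence (example code written for this article, not Melina Security's own tooling): the script below takes an intended policy of allowed segment-to-segment flows plus a set of probe results, builds the matrix, and separates segmentation gaps (reachable but not allowed), broken required paths (allowed but blocked) and the denied probes that document what is actually blocked. Segment names, ports and probe results are constructed for the demonstration.

```python
# Constructed example: intended segmentation policy and probe results for a
# hypothetical site. Segment names, ports and outcomes are assumptions for the
# demonstration, not measurements from a real facility.
SEGMENTS = ["corp_it", "guest_wifi", "vendor_vpn", "mgmt", "robotics", "ot_control"]

# (source segment, destination segment) -> TCP ports the design allows.
# Anything not listed here is expected to be blocked.
POLICY = {
    ("corp_it", "robotics"):    {443},      # WMS -> fleet manager API
    ("vendor_vpn", "mgmt"):     {443},      # vendors land on the jump host only
    ("mgmt", "robotics"):       {22, 443},  # jump host -> fleet manager administration
    ("mgmt", "ot_control"):     {44818},    # jump host -> PLC engineering (EtherNet/IP)
    ("robotics", "ot_control"): {502},      # fleet manager -> dock PLC (Modbus/TCP)
}

# Probe results as (src, dst, port, reachable). In a real test these come from
# controlled connection attempts between hosts placed in each segment.
PROBES = [
    ("corp_it",    "robotics",   443,   True),
    ("guest_wifi", "ot_control", 502,   True),   # visitor Wi-Fi reaches a PLC
    ("vendor_vpn", "robotics",   22,    True),   # vendor bypasses the jump host
    ("mgmt",       "ot_control", 44818, False),  # required engineering path is broken
    ("guest_wifi", "corp_it",    445,   False),
    ("robotics",   "corp_it",    445,   False),
    ("corp_it",    "ot_control", 502,   False),
    ("vendor_vpn", "mgmt",       443,   True),
]


def classify_probes(policy, probes):
    """Split probe results into segmentation gaps, broken required paths, and the
    denied probes that serve as blocked-path proof."""
    gaps, broken, proof = [], [], []
    for src, dst, port, reachable in probes:
        allowed = port in policy.get((src, dst), set())
        if reachable and not allowed:
            gaps.append((src, dst, port))
        elif not reachable and allowed:
            broken.append((src, dst, port))
        elif not reachable:
            proof.append((src, dst, port))
    return {"unexpected_open": gaps, "required_path_blocked": broken, "blocked_path_proof": proof}


def reachability_matrix(segments, probes):
    """segment -> segment -> 'open' | 'blocked' | 'untested' | 'self', from probe results.
    A pair is 'open' if any probe between the two segments succeeded."""
    matrix = {s: {d: "untested" for d in segments} for s in segments}
    for src, dst, _, reachable in probes:
        if reachable:
            matrix[src][dst] = "open"
        elif matrix[src][dst] != "open":
            matrix[src][dst] = "blocked"
    for s in segments:
        matrix[s][s] = "self"
    return matrix


def print_matrix(matrix):
    cols = list(matrix)
    print(f"{'':12s}" + "".join(f"{c:12s}" for c in cols))
    for src in cols:
        print(f"{src:12s}" + "".join(f"{matrix[src][d]:12s}" for d in cols))


if __name__ == "__main__":
    print_matrix(reachability_matrix(SEGMENTS, PROBES))
    for kind, items in classify_probes(POLICY, PROBES).items():
        print(f"\n{kind}:")
        for item in items:
            print("  %s -> %s tcp/%d" % item)
```

Two outputs matter for the report: the "unexpected_open" list is the finding (in the constructed data, guest Wi-Fi reaching a PLC and a vendor VPN path that skips the jump host), and the "blocked_path_proof" list is the evidence that the segmentation claimed in the design actually held where it was tested. The "required_path_blocked" list is worth keeping too, because a broken engineering path is a recovery-time problem rather than a security finding, and it is exactly what is discovered too late when testing waits until after go-live.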
2. Treat remote maintenance as production access
Vendor access should be named, time-bound, MFA-protected, logged, and scoped. Shared vendor accounts should be removed. Commissioning access should expire automatically.
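Added example (written for this article, not Melina Security's code): a review script that applies these requirements to a constructed external-account inventory and produces the "account inventory and privilege map" evidence from the test table, including an answer to the scenario-2 question of which external accounts can change logic, firmware, routes or safety-zone configuration. All account, vendor and scope names are invented, and the inventory format is an assumption; a real review would export it from the VPN, IdP and jump-host systems.

```python
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)
SENSITIVE_SCOPES = ("plc_logic", "firmware", "robot_routes", "safety_zones")

# Constructed external-account inventory for a hypothetical site. Vendor and
# account names are invented for the example.
ACCOUNTS = [
    {"name": "acme-conveyor-svc", "vendor": "ACME Conveyors", "shared": True, "mfa": False,
     "purpose": "commissioning", "expires": None, "active": True,
     "last_login": date(2026, 2, 20), "scopes": {"plc_logic", "firmware"}},
    {"name": "j.smith@robotix", "vendor": "Robotix Integrators", "shared": False, "mfa": True,
     "purpose": "commissioning", "expires": date(2026, 1, 31), "active": True,
     "last_login": date(2026, 2, 15), "scopes": {"robot_routes", "safety_zones"}},
    {"name": "camco-readonly", "vendor": "CamCo", "shared": False, "mfa": True,
     "purpose": "support", "expires": date(2026, 12, 31), "active": True,
     "last_login": date(2025, 10, 1), "scopes": {"camera_config"}},
    {"name": "k.lee@controlsco", "vendor": "ControlsCo", "shared": False, "mfa": True,
     "purpose": "support", "expires": date(2026, 6, 30), "active": True,
     "last_login": date(2026, 3, 1), "scopes": {"plc_logic"}},
]


def review(accounts, today):
    """Map account name -> list of control failures; clean accounts are omitted."""
    report = {}
    for acct in accounts:
        issues = []
        if acct["shared"]:
            issues.append("shared_account")
        if not acct["mfa"]:
            issues.append("no_mfa")
        if acct["purpose"] == "commissioning" and acct["expires"] is None:
            issues.append("commissioning_without_expiry")
        if acct["expires"] and acct["expires"] < today and acct["active"]:
            issues.append("expired_but_active")
            if acct["last_login"] and acct["last_login"] > acct["expires"]:
                issues.append("used_after_expiry")  # expiry is recorded but not enforced
        if acct["last_login"] is None or today - acct["last_login"] > DORMANT_AFTER:
            issues.append("dormant")
        if issues:
            report[acct["name"]] = issues
    return report


def privilege_map(accounts):
    """Sensitive capability -> sorted external account names holding it.
    This is the privilege map: who outside the company can change logic,
    firmware, routes or safety zones."""
    return {scope: sorted(a["name"] for a in accounts if scope in a["scopes"])
            for scope in SENSITIVE_SCOPES}


if __name__ == "__main__":
    for name, issues in review(ACCOUNTS, date(2026, 3, 2)).items():
        print(f"{name:20s} {', '.join(issues)}")
    for scope, names in privilege_map(ACCOUNTS).items():
        print(f"{scope:13s} -> {', '.join(names) or '(none)'}")
```

The "used_after_expiry" check is the one to watch in the output: an expiry date that exists in a spreadsheet but is not enforced by the access system is the commissioning-leftover problem described above, and the login timestamp is what proves it.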
3. Protect system-of-record integrity
Inventory, work order, routing, and custody state need integrity controls, not only backups. Detect impossible transitions, conflicting sensor inputs, and unauthorized overrides.
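Added example, not from the original page: one way to implement the three detections named above (impossible transitions, conflicting sensor inputs, unauthorized overrides) over a stream of WMS and RFID events. It also shows how the inventory-drift scenario from section 4 can be caught at the event level rather than weeks later as a missed shipment. The state model, principals, zones, transit threshold and event stream are all constructed for the demonstration; a real WMS has its own lifecycle and its own notion of which principals may force state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Lifecycle a handling unit may follow in the system of record (constructed for
# this example; a real WMS will have its own state model).
TRANSITIONS = {
    None:       {"received"},
    "received": {"putaway"},
    "putaway":  {"picked"},
    "picked":   {"packed"},
    "packed":   {"shipped"},
    "shipped":  set(),
}
OVERRIDE_ALLOWED = {"svc_wms_supervisor"}  # principals permitted to force state
MIN_ZONE_TRANSIT = timedelta(seconds=45)   # fastest plausible move between zones


@dataclass
class Event:
    ts: datetime
    tag: str         # handling-unit / RFID tag id
    kind: str        # lifecycle step, or "read" for a bare reader observation
    zone: str
    source: str      # reader id, user, or API principal
    override: bool = False


def audit(events):
    """Return (kind, tag, detail) findings for impossible transitions,
    conflicting sensor reads, and overrides by unauthorized principals."""
    findings = []
    state = {}      # tag -> last recorded lifecycle step
    last_read = {}  # tag -> (ts, zone, source) of the most recent reader observation
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "read":
            prev = last_read.get(ev.tag)
            if prev and prev[1] != ev.zone and ev.ts - prev[0] < MIN_ZONE_TRANSIT:
                gap = int((ev.ts - prev[0]).total_seconds())
                findings.append(("conflicting_sensors", ev.tag,
                                 f"{prev[2]}@{prev[1]} then {ev.source}@{ev.zone} {gap}s later"))
            last_read[ev.tag] = (ev.ts, ev.zone, ev.source)
            continue
        if ev.override:
            # An override deliberately bypasses the state model; what matters is who did it.
            if ev.source not in OVERRIDE_ALLOWED:
                findings.append(("unauthorized_override", ev.tag,
                                 f"{ev.source} forced {state.get(ev.tag)} -> {ev.kind}"))
        elif ev.kind not in TRANSITIONS.get(state.get(ev.tag), set()):
            findings.append(("impossible_transition", ev.tag,
                             f"{state.get(ev.tag)} -> {ev.kind} by {ev.source}"))
        # Record what the system of record now believes, even when it is wrong,
        # so later events are judged against the state that was actually stored.
        state[ev.tag] = ev.kind
    return findings


T0 = datetime(2026, 3, 2, 8, 0, 0)
SAMPLE_EVENTS = [  # constructed event stream for three handling units
    Event(T0, "HU-1001", "received", "dock_a", "reader_dock_a"),
    Event(T0 + timedelta(minutes=10), "HU-1001", "putaway", "rack_b12", "reader_rack_b"),
    Event(T0 + timedelta(minutes=12), "HU-1001", "read", "rack_b12", "reader_rack_b"),
    Event(T0 + timedelta(minutes=12, seconds=20), "HU-1001", "read", "dock_c", "reader_dock_c"),
    Event(T0 + timedelta(minutes=30), "HU-1001", "picked", "rack_b12", "amr_07"),
    Event(T0 + timedelta(minutes=40), "HU-1001", "shipped", "dock_c", "api_carrier_portal"),
    Event(T0 + timedelta(minutes=5), "HU-1002", "received", "dock_a", "reader_dock_a"),
    Event(T0 + timedelta(minutes=50), "HU-1002", "shipped", "dock_c", "user_jdoe", override=True),
    Event(T0 + timedelta(minutes=6), "HU-1003", "received", "dock_a", "reader_dock_a"),
    Event(T0 + timedelta(minutes=20), "HU-1003", "putaway", "rack_c04", "reader_rack_c"),
]

if __name__ == "__main__":
    for kind, tag, detail in audit(SAMPLE_EVENTS):
        print(f"{kind:22s} {tag}: {detail}")
```

Each finding type maps to a different question in the assessment: a conflicting read asks which reader is allowed to assert location truth, an impossible transition asks which API was allowed to skip a step, and an unauthorized override asks why the principal had that capability at all. Backups would preserve every one of these corrupted states faithfully, which is why the page treats integrity controls and backups as separate requirements.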
4. Build recovery paths for physical operations
Backups are not recovery unless the facility can operate after restore. Test whether operators can clear queues, resynchronize robots, reconcile inventory, and return to throughput.
5. Include edge devices in vulnerability management
RFID readers, serial converters, cameras, PDUs, and I/O modules need owners, firmware tracking, credential policy, and segmentation. If they are invisible to the security team, they are useful to attackers.
A 2026 board-level framing
The board-level risk is not “hackers may attack robots.” That is too theatrical.
The board-level risk is this: automated operations compress labor cost and increase throughput by placing trust in software. If that software becomes unavailable, untrusted, or unrecoverable, the business loses the operational advantage it automated for.
That is a sober risk. It is also testable.
Sources
- Dragos: OT Threat Landscape 2026
- Dragos: 2026 OT Cybersecurity Report press release
- Nozomi Networks: OT/IoT Cybersecurity Trends and Insights, February 2026
- Forescout: The Riskiest Devices of 2026
- DHL: Cybersecurity Importance in Freight Forwarding