From Office PC to PLC: A Hacker’s Journey into the Heart of OT

01 May 2025 By Yogesh Deshpande

Over the years, our team has conducted numerous tests on industrial control systems (ICS) and operational technology (OT) environments. Time and again, the results are strikingly consistent: the OT network is a single click away from disaster.

In this post, we’ll walk you through the findings of an OT penetration test, shedding light on the vulnerabilities and misconfigurations that make it alarmingly easy for attackers to breach these systems. Many of the issues we’ll cover are just as prevalent in non-OT environments, so consider this post a two-for-one - your free IT and OT penetration test report. Addressing these issues not only strengthens your security posture but also brings you closer to meeting compliance standards.



Initial Access

We frequently find that OT environments aren't as isolated or hardened as they should be. In fact, they often resemble a "soft perimeter" more than a robust "hard boundary." Here's how it typically plays out:

No True Network Segregation

While some companies believe their OT network is "segregated," our tests often reveal that firewall rules are far too permissive. We encounter:

  • Permissive firewall rules that allow excessive traffic between IT and OT networks.
  • VPNs or jump boxes used for remote access to OT systems, which sometimes provide direct access to both IT and OT networks.
  • Wireless networks with unfiltered access to OT networks.

On multiple occasions, we’ve gained access to OT networks through misconfigured jump boxes that were intended to isolate IT and OT. Unfortunately, the firewall rules allowed bidirectional traffic, opening the door for attackers.



Protocols That Love to Talk

Insecure legacy protocols are still widely used in many IT and OT networks, and they’re basically shouting for attention.

  • LLMNR/NetBIOS resource discovery: These protocols are often left enabled, allowing us to easily poison network traffic and capture NTLM hashes. This is one of the easiest entry points into the network, especially when weak passwords are in use. Attackers can exploit this to intercept credentials and escalate privileges with minimal effort.
  • Cleartext protocols: Protocols like FTP, VNC, and SNMP are still in use, transmitting sensitive data (including passwords) in plain text. This makes them an open invitation for sniffing and exploitation by anyone with network access.

These outdated protocols create multiple attack vectors that are easily exploited, particularly in environments that rely heavily on older or legacy systems. They provide attackers with unprotected communication channels, making it far easier to intercept, manipulate, or escalate their access within the IT and OT networks.



Shared Domain, Shared Credentials

Another discovery we regularly encounter: shared user accounts and domain access.

  • OT network joined to the IT domain: The OT network is often linked to the same Active Directory domain as IT, meaning any IT user with access to the corporate network can easily jump into the OT environment.
  • Shared admin accounts: It's all too common to see shared accounts (like admin creds) used by multiple users. These accounts typically have simple passwords so that they are easy to share.


What Can Stop / Slow Down the Attackers?

  • Network Segmentation: Keep IT and OT networks on separate VLANs, with strict firewall rules to control traffic flow and reduce exposure.
  • Disable Weak Protocols: Turn off insecure protocols like LLMNR, NetBIOS, and WPAD. Replace outdated protocols like FTP, Telnet, and HTTP with their secure counterparts (e.g., SFTP, SSH, HTTPS).
  • Separate Domains for IT and OT: Maintain isolated domains for IT and OT to prevent unauthorized cross-network access. Use local authentication in OT environments to further strengthen isolation.
  • Strong Password Policies: Enforce complex, unique passwords and multi-factor authentication (MFA) wherever possible to mitigate the risk of brute-force or credential-based attacks.
  • Patch and Audit Regularly: Regularly patch vulnerable services, especially RDP, SMB, and VNC, and ensure they’re configured securely. Consistently audit your systems for outdated software and potential misconfigurations.
  • Strict Monitoring: Implement continuous monitoring for any unauthorized traffic. Use intrusion detection systems (IDS) to catch suspicious activity early.
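As an added example (not part of the original post), the following PowerShell script audits a Windows host for the three name-resolution protocols listed above and, when run with -Enforce, disables them. It assumes an elevated session and that the host does not depend on NetBIOS for legacy OT software, which should be confirmed on a test machine first.

```powershell
# Added example: audit (and with -Enforce, disable) LLMNR, NetBIOS over TCP/IP and WPAD.
# Run in an elevated PowerShell session. Assumption: no legacy OT software on this host
# still needs NetBIOS name resolution; verify on a non-production machine first.
param([switch]$Enforce)

$findings = @()

# 1. LLMNR is controlled by the DNS client policy key (EnableMulticast 0 = disabled).
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -ne 0) {
    $findings += 'LLMNR is enabled (EnableMulticast is not 0)'
    if ($Enforce) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }
}

# 2. NetBIOS over TCP/IP is a per-adapter setting; TcpipNetbiosOptions 2 = disabled.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
foreach ($nic in $adapters) {
    if ($nic.TcpipNetbiosOptions -ne 2) {
        $findings += "NetBIOS over TCP/IP is enabled on '$($nic.Description)'"
        if ($Enforce) {
            Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
    }
}

# 3. WPAD: the WinHTTP auto-proxy service performs proxy auto-detection. On recent
#    Windows builds Set-Service cannot change its startup type, so set the Start
#    value directly (4 = Disabled); the change takes effect after a reboot.
$wpadKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
$wpadStart = (Get-ItemProperty -Path $wpadKey -Name Start -ErrorAction SilentlyContinue).Start
if ($wpadStart -ne 4) {
    $findings += 'WPAD auto-proxy service (WinHttpAutoProxySvc) is not disabled'
    if ($Enforce) {
        Set-ItemProperty -Path $wpadKey -Name Start -Value 4 -Type DWord
    }
}

if ($findings.Count -eq 0) { 'No weak name-resolution protocols found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
if ($Enforce -and $findings.Count -gt 0) { 'Changes applied; reboot for the WPAD service change to take effect.' }
```

Deploying the same three settings through Group Policy is the usual way to apply them fleet-wide; this script is for verifying a single host or a jump box.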


Lateral Movement

Once inside an IT network, attackers often move laterally into the OT environment. With excessive privileges, this transition becomes effortlessly simple, often resulting in full control over the OT network.

  • Domain Users with Local Admin Rights: A frequent issue is that domain users are granted local admin access. This means that any compromise in the IT network, whether through phishing, malware, or other attack vectors, gives attackers full control over the systems. The boundary between IT and OT is only as strong as the permissions on both sides, and in a lot of cases it’s essentially non-existent.
  • Shared User Accounts and Service Accounts: Shared user accounts and service accounts with admin access are a massive security hole. These accounts are notoriously hard to trace back to an individual, complicating forensic analysis in case of a breach. Worse yet, many of these accounts carry excessive privileges, and are used across both IT and OT environments, even when those networks technically have separate domains. This makes it easy for attackers to move freely between IT and OT once they've compromised these credentials.
  • Kerberoasting: Attackers can exploit weak service account configurations through Kerberoasting - a method of requesting service tickets for service accounts and attempting to crack the encrypted tickets offline. If successful, this allows attackers to gain clear-text credentials for service accounts that often have high privileges in both IT and OT environments. These privileged accounts are especially dangerous in OT networks, where they may control critical infrastructure.
  • Active Directory Certificate Services (ADCS) Misconfigurations: Misconfigurations or weak security in ADCS can enable attackers to exploit certificate-based authentication to gain elevated privileges or assume identities of legitimate users. Once attackers can impersonate high-privilege accounts, they can easily pivot into OT environments and bypass access controls. ADCS issues are especially critical because they can grant attackers long-term access, even if passwords are changed or accounts are locked.
  • No User Activity Logging: In many environments, user activity logging is either insufficient or completely absent. Without logs, it’s impossible to trace which users accessed specific OT systems, what actions they took, or when they performed them. Lack of visibility makes it far easier for attackers to cover their tracks, especially when they’re moving laterally across both IT and OT environments.


What Can Stop / Slow Down the Attackers?

To prevent attackers from easily moving laterally between IT and OT networks, it’s essential to implement a combination of access controls, monitoring measures, and defense-in-depth strategies. Here's what you can do:

Strong Privilege Management:

  • Minimize administrative privileges and follow the principle of least privilege. Grant access based on need and restrict service account usage between IT and OT systems.
  • Regularly audit service accounts and ensure they have unique, complex passwords.

Harden Kerberos and Active Directory Certificate Services (ADCS):

  • Ensure Kerberos service accounts have strong, complex passwords and configure ticket lifetime limits to reduce the impact of Kerberoasting attacks.
  • Review and properly secure ADCS to prevent certificate abuse and unauthorized privilege escalation.
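The following PowerShell audit is an added example, not the post's own tooling: it lists every domain user account that carries an SPN (the population a Kerberoasting attempt targets) and flags the weaknesses described above. It assumes the RSAT ActiveDirectory module and read access to the domain; the password-age threshold is an assumed value.

```powershell
# Added example: find SPN-bearing user accounts and report why each one is roastable.
# Assumptions: RSAT ActiveDirectory module installed; 365-day password age is a placeholder
# threshold, adjust to your policy.
param([int]$MaxPasswordAgeDays = 365)

Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes: bit 0x08 = AES128, 0x10 = AES256. If neither is set
# (or the attribute is absent) the KDC issues RC4 tickets, the cheapest kind to crack.
$AesBits = 0x18

$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, 'msDS-SupportedEncryptionTypes', AdminCount, MemberOf |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }   # krbtgt always has an SPN; it is not a service account to audit here

$report = foreach ($u in $spnUsers) {
    $issues = @()
    $encTypes = $u.'msDS-SupportedEncryptionTypes'
    if (-not $encTypes -or (($encTypes -band $AesBits) -eq 0)) { $issues += 'RC4-only tickets' }
    if ($u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
        $issues += "password older than $MaxPasswordAgeDays days"
    }
    if ($u.PasswordNeverExpires) { $issues += 'password never expires' }
    # AdminCount=1 marks accounts protected by AdminSDHolder (current or former members of
    # privileged groups): a cracked ticket for one of these is a domain-wide problem.
    if ($u.AdminCount -eq 1) { $issues += 'privileged (AdminCount=1)' }
    if ($u.MemberOf -match 'Domain Admins|Enterprise Admins') { $issues += 'in Domain/Enterprise Admins' }

    [pscustomobject]@{
        Account = $u.SamAccountName
        Enabled = $u.Enabled
        SPNs    = ($u.ServicePrincipalName -join '; ')
        Issues  = ($issues -join ', ')
    }
}

# Weakest accounts first; accounts with no flagged issue still deserve a periodic review.
$report | Sort-Object { $_.Issues.Length } -Descending | Format-Table -AutoSize

# Remediation matching the post's advice: move each service to a group Managed Service
# Account (New-ADServiceAccount), whose long random password is rotated automatically,
# and set msDS-SupportedEncryptionTypes to 0x18 on accounts that must remain user accounts.
```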

Logging and Auditing:

  • Enable centralized logging for authentication attempts, service account access, and certificate requests. Use SIEM for real-time alerts and analysis of suspicious activities.

Incident Detection and Response:

  • Set up real-time alerts for any unauthorized RDP, SMB, or service account activity.
  • Conduct regular incident response drills to test your ability to detect and contain lateral movement quickly.
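As an added example of the "real-time alerts for service account activity" item (not code from the original post), this PowerShell hunt reads a domain controller's Security log for the Kerberoasting pattern: one account requesting RC4-encrypted service tickets for many distinct services in a short window. It assumes the "Audit Kerberos Service Ticket Operations" subcategory is enabled; the window and threshold values are assumptions.

```powershell
# Added example: detect a Kerberoasting burst in Security event 4769 on a domain controller.
# Assumptions: run on a DC (or against forwarded DC logs) with Kerberos Service Ticket
# Operations auditing enabled; the 5-service / 10-minute thresholds are placeholders.
param(
    [int]$DistinctServiceThreshold = 5,
    [int]$WindowMinutes = 10
)

# 4769 with TicketEncryptionType 0x17 (RC4-HMAC). Domains that issue AES tickets by default
# see few legitimate RC4 requests, so a burst of them from one user stands out.
$xpath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= $($WindowMinutes * 60000)]] " +
         "and EventData[Data[@Name='TicketEncryptionType']='0x17']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

$requests = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    # Computer accounts (service name ends in $) and krbtgt are ordinary TGS traffic; skip them.
    if ($d['ServiceName'] -like '*$' -or $d['ServiceName'] -eq 'krbtgt') { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Requester = $d['TargetUserName']
        Service   = $d['ServiceName']
        SourceIp  = $d['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
    }
}

$alerts = $requests | Group-Object Requester | ForEach-Object {
    $services = $_.Group.Service | Sort-Object -Unique
    if ($services.Count -ge $DistinctServiceThreshold) {
        [pscustomobject]@{
            Requester        = $_.Name
            DistinctServices = $services.Count
            SourceIps        = (($_.Group.SourceIp | Sort-Object -Unique) -join ', ')
            FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Services         = ($services -join ', ')
        }
    }
}

if ($alerts) { $alerts | Format-List }
else { "No account requested RC4 tickets for $DistinctServiceThreshold or more services in the last $WindowMinutes minutes." }
```

The same grouping logic translates directly into a SIEM rule: key on TargetUserName, count distinct ServiceName values where TicketEncryptionType is 0x17, and alert above the threshold.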

Zero Trust Architecture:

  • Adopt a Zero Trust model, continuously verifying both users and devices before granting access to OT systems.


How Exploits Can Become Real

Let’s walk through a realistic attack scenario that showcases how an attacker might manipulate or disrupt OT systems once inside.

HMI/SCADA Hijacking

Human-Machine Interfaces (HMIs) and Supervisory Control and Data Acquisition (SCADA) systems are often deployed on Windows-based platforms, making them a prime target for attackers.

Attack Scenario:

Initial Access: An attacker can compromise an HMI terminal running on unpatched Windows software using common vulnerabilities or techniques like phishing, malware, or remote exploits. Alternatively, they might gain access by leveraging compromised credentials, for example from domain users with excessive privileges, shared user accounts, or service accounts with weak or reused passwords (as discussed earlier). Once inside, the attacker gains a direct entry point into the SCADA system (e.g., Wonderware, WinCC, etc.).

Exploitation: Once inside, the attacker can manipulate the visual interface, altering the data shown to operators or controlling critical operations without detection. The attacker can mask their actions by leaving the actual process running normally in the background, creating a deceptive façade of normalcy.

Impact: The attacker could modify operational parameters, suppress critical alarms, or feed fake data to operators. This could lead to unsafe conditions that are completely hidden from the monitoring team, allowing an incident to unfold without proper response.



The Impact - What Happens When It All Goes Wrong

When OT systems are compromised, the consequences can be catastrophic. Some of the most critical risks include:

  • Endangering Human Safety: By tampering with emergency shutdown systems or critical process control systems, attackers can directly threaten the safety of workers and operators, leading to potential injuries or fatalities.
  • Operational Disruption: A breach can bring operations to a halt, crippling production lines and causing significant downtime.
  • Physical Damage to Equipment: Attackers may manipulate process controls or safety systems, leading to irreversible damage to machinery, infrastructure, or entire facilities.
  • Financial Loss: The combined costs of recovery, legal penalties, fines, and reputation damage can lead to significant financial ruin, dwarfing the initial cost of the attack itself.


Closing Thoughts - Real-World OT Attacks Are More Likely Than You Think

The days of relying on the false sense of security provided by air-gapped networks are over. The lines between IT and OT are increasingly blurred, creating new pathways for attacks that can easily compromise critical infrastructure.

At Paladin, we’ve seen firsthand how even small vulnerabilities can quickly translate into serious risks for IT and OT environments. It’s time for organizations to rethink their security posture and approach OT security with an offensive mindset.



Call to Action

  • Share this post with your security team and leadership.
  • Think like an attacker, patch like a defender.
  • Want more actionable insights? Contact us today to schedule a penetration test of your IT and OT environments.