
From Office PC to PLC: A Hacker’s Journey into the Heart of OT

01 May 2025 By Yogesh Deshpande

Over the years, our team has conducted numerous tests on industrial control systems (ICS) and operational technology (OT) environments. Time and again, the results are strikingly consistent: the OT network is a single click away from disaster.

In this post, we’ll walk you through the findings of an OT penetration test, shedding light on the vulnerabilities and misconfigurations that make it alarmingly easy for attackers to breach these systems. Many of the issues we’ll cover are just as prevalent in non-OT environments, so consider this post a two-for-one - your free IT and OT penetration test report. Addressing these issues not only strengthens your security posture but also brings you closer to meeting compliance standards.

...................................................................................................................................................................................................

Part 1: Initial Access — The Soft Perimeter

We frequently find that OT environments aren't as isolated or hardened as they should be. In fact, they often resemble a "soft perimeter" more than a robust "hard boundary." Here's how it typically plays out:

1. No True Network Segregation

While some companies believe their OT network is "segregated," our tests often reveal that firewall rules are far too permissive. We encounter:

  • Permissive firewall rules that allow excessive traffic between IT and OT networks.
  • VPNs or jump boxes used for remote access to OT systems, which sometimes provide direct access to both IT and OT networks.
  • Wireless networks with unfiltered access to OT networks.

On multiple occasions, we’ve gained access to OT networks through misconfigured jump boxes that were intended to isolate IT and OT. Unfortunately, the firewall rules allowed bidirectional traffic, opening the door for attackers.

...................................................................................................................................................................................................

2. Protocols That Love to Talk

Insecure legacy protocols are still widely used in many IT and OT networks, and they’re basically shouting for attention.

  • LLMNR/NetBIOS resource discovery: These protocols are often left enabled, allowing us to easily poison network traffic and capture NTLM hashes. This is one of the easiest entry points into the network, especially when weak passwords are in use. Attackers can exploit this to intercept credentials and escalate privileges with minimal effort.
  • Cleartext protocols: Protocols like FTP, VNC, and SNMP are still in use, transmitting sensitive data (including passwords) in plain text. This makes them an open invitation for sniffing and exploitation by anyone with network access.

These outdated protocols create multiple attack vectors that are easily exploited, particularly in environments that rely heavily on older or legacy systems. They provide attackers with unprotected communication channels, making it far easier to intercept, manipulate, or escalate their access within the IT and OT networks.

...................................................................................................................................................................................................

3. Shared Domain, Shared Credentials

Another discovery we regularly encounter: shared user accounts and domain access.

  • OT network joined to the IT domain: The OT network is often linked to the same Active Directory domain as IT, meaning any IT user with access to the corporate network can easily jump into the OT environment.
  • Shared admin accounts: It's all too common to see shared accounts (like admin creds) used across multiple users. These accounts usually have simple passwords precisely so that they are easy to share.

...................................................................................................................................................................................................

What Can Stop / Slow Down the Attackers?

  • Network Segmentation: Keep IT and OT networks on separate VLANs, with strict firewall rules to control traffic flow and reduce exposure.
  • Disable Weak Protocols: Turn off insecure protocols like LLMNR, NetBIOS, and WPAD. Replace outdated protocols like FTP, Telnet, and HTTP with their secure counterparts (e.g., SFTP, SSH, HTTPS).
  • Separate Domains for IT and OT: Maintain isolated domains for IT and OT to prevent unauthorized cross-network access. Use local authentication in OT environments to further strengthen isolation.
  • Strong Password Policies: Enforce complex, unique passwords and multi-factor authentication (MFA) wherever possible to mitigate the risk of brute-force or credential-based attacks.
  • Patch and Audit Regularly: Regularly patch vulnerable services, especially RDP, SMB, and VNC, and ensure they’re configured securely. Consistently audit your systems for outdated software and potential misconfigurations.
  • Strict Monitoring: Implement continuous monitoring for any unauthorized traffic. Use intrusion detection systems (IDS) to catch suspicious activity early.

...................................................................................................................................................................................................

Part 2: Lateral Movement - Privileges Paved the Way

Once inside an IT network, attackers often move laterally into the OT environment. With excessive privileges, this transition becomes effortlessly simple, often resulting in full control over the OT network.

  • Domain Users with Local Admin Rights: A frequent issue is that domain users are granted local admin access. This means that any compromise in the IT network - whether through phishing, malware, or other attack vectors - gives attackers full control over those systems. The boundary between IT and OT is only as strong as the permissions on both sides, and in a lot of cases, it's essentially non-existent.
  • Shared User Accounts and Service Accounts: Shared user accounts and service accounts with admin access are a massive security hole. These accounts are notoriously hard to trace back to an individual, complicating forensic analysis in case of a breach. Worse yet, many of these accounts carry excessive privileges, and are used across both IT and OT environments, even when those networks technically have separate domains. This makes it easy for attackers to move freely between IT and OT once they've compromised these credentials.
  • Kerberoasting: Attackers can exploit weak service account configurations through Kerberoasting - a method of requesting service tickets for service accounts and attempting to crack the encrypted tickets offline. If successful, this allows attackers to gain clear-text credentials for service accounts that often have high privileges in both IT and OT environments. These privileged accounts are especially dangerous in OT networks, where they may control critical infrastructure.
  • Active Directory Certificate Services (ADCS) Misconfigurations: Misconfigurations or weak security in ADCS can enable attackers to exploit certificate-based authentication to gain elevated privileges or assume identities of legitimate users. Once attackers can impersonate high-privilege accounts, they can easily pivot into OT environments and bypass access controls. ADCS issues are especially critical because they can grant attackers long-term access, even if passwords are changed or accounts are locked.
  • No User Activity Logging: In many environments, user activity logging is either insufficient or completely absent. Without logs, it’s impossible to trace which users accessed specific OT systems, what actions they took, or when they performed them. Lack of visibility makes it far easier for attackers to cover their tracks, especially when they’re moving laterally across both IT and OT environments.

...................................................................................................................................................................................................

What Can Stop / Slow Down the Attackers?

To prevent attackers from easily moving laterally between IT and OT networks, it’s essential to implement a combination of access controls, monitoring measures, and defense-in-depth strategies. Here's what you can do:

Strong Privilege Management:

  • Minimize administrative privileges and follow the principle of least privilege. Grant access based on need and restrict service account usage between IT and OT systems.
  • Regularly audit service accounts and ensure they have unique, complex passwords.

Harden Kerberos and Active Directory Certificate Services (ADCS):

  • Ensure Kerberos service accounts have strong, complex passwords and configure ticket lifetime limits to reduce the impact of Kerberoasting attacks.
  • Review and properly secure ADCS to prevent certificate abuse and unauthorized privilege escalation.

Logging and Auditing:

  • Enable centralized logging for authentication attempts, service account access, and certificate requests. Use SIEM for real-time alerts and analysis of suspicious activities.

Incident Detection and Response:

  • Set up real-time alerts for any unauthorized RDP, SMB, or service account activity.
  • Conduct regular incident response drills to test your ability to detect and contain lateral movement quickly.
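One concrete alert rule for the logging and detection items above, as an added example that is not code from the original post: a sliding-window check over Windows Security event 4769 that flags the burst of RC4-encrypted service ticket requests Kerberoasting produces. The records, field layout, account names and threshold are constructed for the example.

```python
"""Sliding-window Kerberoasting detector over Windows Security event 4769.
Added example, not code from the original post.  The records below are
constructed and reduced to the fields a SIEM export would carry:
time | requesting account | service name | ticket encryption type | client IP."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = 0x17            # encryption type 0x17 is crackable offline, so roasting tools ask for it
THRESHOLD = 3              # distinct SPNs from one account inside WINDOW => alert (tune per site)
WINDOW = timedelta(minutes=5)

CONSTRUCTED_4769 = [
    "2025-05-01T09:00:01|jsmith@CORP|krbtgt|0x12|10.1.1.20",         # normal TGT traffic
    "2025-05-01T09:02:10|jsmith@CORP|svc_historian|0x17|10.1.1.20",  # burst of RC4 TGS requests
    "2025-05-01T09:02:11|jsmith@CORP|svc_scada|0x17|10.1.1.20",
    "2025-05-01T09:02:12|jsmith@CORP|svc_backup|0x17|10.1.1.20",
    "2025-05-01T09:02:13|jsmith@CORP|svc_sql|0x17|10.1.1.20",
    "2025-05-01T09:05:00|jsmith@CORP|WS01$|0x17|10.1.1.20",          # computer account: ignored
    "2025-05-01T09:30:00|hmi-op@OT|svc_historian|0x12|10.2.5.7",     # AES ticket: normal use
    "2025-05-01T10:00:00|rgray@CORP|svc_sql|0x17|10.1.1.33",         # single RC4 request: below threshold
]

def parse_4769(line: str) -> Dict:
    """Split one constructed record into typed fields."""
    ts, account, service, enc, ip = line.split("|")
    return {"time": datetime.fromisoformat(ts), "account": account,
            "service": service, "enc": int(enc, 16), "ip": ip}

def detect_kerberoasting(lines: List[str], threshold: int = THRESHOLD,
                         window: timedelta = WINDOW) -> List[Dict]:
    """Alert on accounts that requested RC4 service tickets for `threshold` or
    more distinct SPNs within `window`.  krbtgt and computer accounts (names
    ending in '$') are excluded: they are not what an attacker cracks."""
    events = sorted((parse_4769(ln) for ln in lines), key=lambda e: e["time"])
    by_account: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        if e["enc"] == RC4_HMAC and e["service"] != "krbtgt" and not e["service"].endswith("$"):
            by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:   # slide the window forward
                start += 1
            if len({e["service"] for e in evs[start:end + 1]}) >= threshold:
                in_window = [e for e in evs[start:] if e["time"] - evs[start]["time"] <= window]
                alerts.append({"account": account, "client_ip": evs[end]["ip"],
                               "first_seen": evs[start]["time"].isoformat(),
                               "spns": sorted({e["service"] for e in in_window})})
                break                                                # one alert per account
    return alerts

if __name__ == "__main__":
    for alert in detect_kerberoasting(CONSTRUCTED_4769):
        print(alert)
```

A domain that has moved service accounts to AES-only tickets can lower the threshold, since any RC4 request then deserves a look.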

Zero Trust Architecture:

  • Adopt a Zero Trust model, continuously verifying both users and devices before granting access to OT systems.

...................................................................................................................................................................................................

Part 3: Into the OT Zone - How Exploits Can Become Real

Let’s walk through a few realistic attack scenarios that showcase how an attacker might manipulate or disrupt OT systems once inside.

Scenario 1: HMI/SCADA Hijacking – Seizing Control of the Visual Interface

Human-Machine Interfaces (HMIs) and Supervisory Control and Data Acquisition (SCADA) systems are often deployed on Windows-based platforms, making them a prime target for attackers.

Attack Scenario:

Initial Access: An attacker can compromise an HMI terminal running on unpatched Windows software using common vulnerabilities or advanced techniques like phishing, malware, or remote exploits. Alternatively, they might gain access by leveraging compromised credentials - for example, from domain users with excessive privileges, shared user accounts, or service accounts with weak or reused passwords (as discussed earlier). Once inside, the attacker gains a direct entry point into the SCADA system (e.g., Wonderware or WinCC).

Exploitation: Once inside, the attacker can manipulate the visual interface, altering the data shown to operators or controlling critical operations without detection. The attacker can mask their actions by leaving the actual process running normally in the background, creating a deceptive façade of normalcy.

Impact: The attacker could modify operational parameters, suppress critical alarms, or feed fake data to operators. This could lead to unsafe conditions that are completely hidden from the monitoring team, allowing an incident to unfold without proper response.

Potential Consequences:

Misleading Operators: Operators may continue making critical decisions based on fake or manipulated data, leading to incorrect adjustments in plant operations that compromise safety or efficiency.

System Malfunction: Altered parameters could cause the system to malfunction or perform unsafe operations, potentially triggering equipment failures or other system errors that result in significant downtime.

Production Disruption: A sustained attack on the HMI could shut down production, as operators would be unable to assess the true status of the system. The plant might be forced into emergency shutdown until corrective actions are taken, leading to financial losses and operational delays.

...................................................................................................................................................................................................

Scenario 2: Network Manipulation

Many PLC (Programmable Logic Controller) systems and other networked devices still rely on legacy protocols and weak authentication, with hardcoded credentials and insecure configurations that leave them vulnerable to simple exploits.

Attack Scenario:

Initial Access: After pivoting into the OT network, the attacker identifies a PLC or a networked device using insecure protocols with default or weak authentication. In this case, the device has SNMP read-write access enabled using default community strings.

Exploitation: Using SNMP write access, the attacker can make unauthorized changes to the network configuration of the PLC. This may involve:

  • Modifying SNMP configuration to gain control of other networked devices.
  • Altering network routing tables or VLAN configurations to create a segmentation gap, enabling further attacks across the network.
  • Disabling or weakening security settings, such as SNMP access control, so that the device can be manipulated without triggering alerts.
  • Reprogramming PLC communication settings: an attacker can use SNMP to change communication parameters between the PLC and other devices, potentially redirecting control signals to unauthorized endpoints or severing normal communication with safety systems.
  • Bypassing safe operational thresholds: with SNMP write access, the attacker can adjust network-related thresholds, potentially overriding critical communication settings that affect system monitoring or reporting.

Impact:

  • Network Disruption: By manipulating SNMP settings, an attacker can cause a loss of communication between the PLC and other critical devices or systems. This can disrupt monitoring and control, preventing operators from receiving real-time updates or alerts about system health.
  • Device Isolation: The attacker can alter routing tables or VLAN configurations, isolating the PLC from other critical networked systems or redirecting control traffic to malicious devices. This could result in the PLC operating in isolation, with no feedback from safety systems or control centers.
  • Bypass Security Mechanisms: Changing SNMP configurations can allow an attacker to disable security features or remove access restrictions on other protocols, making it easier for them to manipulate other parts of the system undetected.
  • Escalation of Attacks: By altering network communication settings, the attacker can create backdoors into other parts of the network, giving them more leverage and expanding the scope of their attack. For example, they could redirect communications between PLCs to gain control over critical production equipment.

Potential Consequences:

System Shutdown: If communication is lost or altered, it may trigger safety interlocks or automatic shutdowns. This could happen if the system detects changes in PLC parameters (e.g., communications failing to meet normal thresholds). A forced shutdown due to network manipulation can lead to operational downtime and production loss.

Compromised Network Integrity: Altering network settings such as IP addresses, routing paths, or VLAN configurations can cause communication blackouts or denial of service (DoS) to safety-critical systems. This may delay response times or prevent operators from identifying issues until they escalate into larger system failures.

Equipment Damage: If network isolation causes important safety systems (like monitoring or emergency shutdown systems) to be bypassed or fail to operate properly, physical components of the system could be damaged. For example, shutting down a reactor’s cooling system or disabling a heat sensor could lead to overheating and equipment damage.

Human Safety Risk: In a worst-case scenario, the attacker’s manipulation of the network can compromise safety mechanisms, leading to potentially dangerous conditions such as overheating, chemical release, or overpressure in critical equipment. This poses a serious risk to plant personnel or nearby communities, especially in industries like chemical manufacturing or energy production.
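The two conditions this scenario depends on, a default community string and SNMP write access, are both visible on the wire, because SNMPv1/v2c sends the community string in cleartext. As an added example (not code from the original post), the parser below decodes a captured SNMPv1/v2c packet and raises the findings a monitoring sensor on the OT segment would want; the packet and the list of default community strings are constructed.

```python
"""Parse SNMPv1/v2c packets captured on an OT segment and flag the two things the
scenario above relies on: default community strings and SET (write) requests.
Added example, not code from the original post; the packet below is constructed."""
from typing import Dict, List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}       # common vendor defaults; extend with your own list
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "Trap"}

def _tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER tag-length-value at `pos`; return (tag, value, next position)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw: bytes) -> str:
    """BER OID to dotted form: first octet packs two sub-ids, the rest are base-128."""
    subids, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    return ".".join(map(str, subids))

def parse_snmp(packet: bytes) -> Dict:
    """Return version, community, PDU type and the OIDs in the varbind list."""
    tag, body, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, version, pos = _tlv(body, 0)
    ctag, community, pos = _tlv(body, pos)
    if ctag != 0x04:                               # SNMPv3 carries msgGlobalData here instead
        raise ValueError("only SNMPv1/v2c community messages are handled")
    pdu_tag, pdu, _ = _tlv(body, pos)
    pos = 0
    for _ in range(3):                             # request-id, error-status, error-index
        _, _, pos = _tlv(pdu, pos)
    _, varbinds, _ = _tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):                     # each varbind: SEQUENCE { OID, value }
        _, vb, pos = _tlv(varbinds, pos)
        _, oid_raw, _ = _tlv(vb, 0)
        oids.append(_decode_oid(oid_raw))
    return {"version": int.from_bytes(version, "big"), "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

def assess(packet: bytes) -> List[str]:
    """Findings a monitoring rule would raise for one packet: the community string
    is cleartext in v1/v2c, so a sensor reads it exactly as an attacker would."""
    msg = parse_snmp(packet)
    findings = []
    if msg["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community string '{msg['community']}'")
    if msg["pdu"] == "SetRequest":
        findings.append("SNMP SET (write) to " + ", ".join(msg["oids"]))
    return findings

# Constructed SNMPv2c SetRequest, community "private", writing sysName.0 = "plc"
SAMPLE_SET = bytes.fromhex("302a020101040770726976617465a31c02012a020100020100"
                           "3011300f06082b060102010105000403706c63")
```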

...................................................................................................................................................................................................

Scenario 3: RTU Compromise – Hijacking Remote Sites

Remote Terminal Units (RTUs) that monitor distant industrial sites often rely on insecure remote access protocols like Modbus, DNP3, and IEC 61850, which lack proper security controls or encryption.

Attack Scenario:

Initial Access: The attacker targets a remote RTU, exploiting weak or default passwords on the Modbus/TCP protocol and the lack of authentication mechanisms.

Exploitation: After gaining access, the attacker can issue arbitrary read/write commands to manipulate sensor readings or alter operational settings on the RTU.

Impact: The attacker could alter critical readings or modify operational thresholds, causing equipment malfunctions or triggering false alarms at remote locations.

Potential Consequences:

Remote Site Disruption: The attacker could manipulate settings to halt operations or create significant delays at remote sites by adjusting key parameters or disabling vital equipment.

Safety Violations: Altered sensor readings (e.g., pressure gauges, flow meters) could lead to wrong safety decisions, endangering personnel and equipment.

Increased Downtime: If operators fail to spot the discrepancies in sensor data, remote sites could continue operating outside safe parameters, leading to unplanned shutdowns and extended downtime.
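Because Modbus/TCP carries no authentication, the controls left to a defender at a remote site are which master is allowed to write and which addresses it may write. As an added example (not code from the original post), the monitor below checks captured Modbus/TCP request frames against such an allow-list; the frames, master IP and writable register range are constructed assumptions.

```python
"""Allow-list monitor for Modbus/TCP write requests seen at a remote site.
Added example, not code from the original post.  Modbus/TCP carries no
authentication, so the controls a defender can enforce are which master may
write and which addresses it may write; this checks captured frames against
an assumed site policy.  Frames and addresses are constructed."""
import struct
from typing import Dict, List

WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
AUTHORISED_MASTERS = {"10.20.0.5"}        # assumed: the site's SCADA server
WRITABLE_RANGE = range(100, 200)          # assumed: operator setpoints live here

def parse_modbus_tcp(frame: bytes) -> Dict:
    """Decode the MBAP header and enough of the PDU to know what a write touches."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:     # length counts unit id + PDU
        raise ValueError("malformed MBAP header")
    func, pdu = frame[7], frame[8:]
    msg = {"tid": tid, "unit": unit, "func": func, "addr": None, "count": 1}
    if func in (5, 6, 22) and len(pdu) >= 2:       # single-item writes: address only
        msg["addr"] = struct.unpack(">H", pdu[:2])[0]
    elif func in (15, 16) and len(pdu) >= 4:       # address, quantity
        msg["addr"], msg["count"] = struct.unpack(">HH", pdu[:4])
    elif func == 23 and len(pdu) >= 8:             # read addr, read qty, write addr, write qty
        msg["addr"], msg["count"] = struct.unpack(">HH", pdu[4:8])
    return msg

def check_write(src_ip: str, frame: bytes) -> List[str]:
    """Findings for one request frame from `src_ip`; an empty list means allowed."""
    msg = parse_modbus_tcp(frame)
    if msg["func"] not in WRITE_FUNCTIONS or msg["addr"] is None:
        return []                                  # reads and truncated PDUs are left to other rules
    name, findings = WRITE_FUNCTIONS[msg["func"]], []
    if src_ip not in AUTHORISED_MASTERS:
        findings.append(f"{name} from unauthorised master {src_ip}")
    first, last = msg["addr"], msg["addr"] + msg["count"] - 1
    if first not in WRITABLE_RANGE or last not in WRITABLE_RANGE:
        findings.append(f"{name} to addresses {first}-{last} outside the writable range")
    return findings

# Constructed frames: MBAP (tid, proto=0, length, unit) followed by the PDU
SETPOINT_WRITE = bytes.fromhex("0001 0000 0006 01 06 0096 01f4")            # FC6: reg 150 = 500
ROGUE_WRITE = bytes.fromhex("0002 0000 000b 01 10 0000 0002 04 0000 0000")  # FC16: regs 0-1 zeroed
READ_ONLY = bytes.fromhex("0003 0000 0006 01 03 0000 000a")                 # FC3: read 10 regs

if __name__ == "__main__":
    for ip, frame in [("10.20.0.5", SETPOINT_WRITE), ("10.20.0.99", ROGUE_WRITE), ("10.20.0.99", READ_ONLY)]:
        print(ip, check_write(ip, frame) or "ok")
```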

...................................................................................................................................................................................................

The Impact — What Happens When It All Goes Wrong

When OT systems are compromised, the consequences can be catastrophic. Some of the most critical risks include:

  • Endangering Human Safety: By tampering with emergency shutdown systems or critical process control systems, attackers can directly threaten the safety of workers and operators, leading to potential injuries or fatalities.
  • Operational Disruption: A breach can bring operations to a halt, crippling production lines and causing significant downtime.
  • Physical Damage to Equipment: Attackers may manipulate process controls or safety systems, leading to irreversible damage to machinery, infrastructure, or entire facilities.
  • Financial Loss: The combined costs of recovery, legal penalties, fines, and reputational damage can amount to financial ruin, dwarfing the direct cost of the attack itself.

...................................................................................................................................................................................................

Closing Thoughts — Real-World OT Attacks Are More Likely Than You Think

The days of relying on the false sense of security provided by air-gapped networks are over. The lines between IT and OT are increasingly blurred, creating new pathways for attacks that can easily compromise critical infrastructure.

At Paladin, we’ve seen firsthand how even small vulnerabilities can quickly translate into serious risks for IT and OT environments. It’s time for organizations to rethink their security posture and approach OT security with an offensive mindset.

...................................................................................................................................................................................................

Call to Action

  • Share this post with your security team and leadership.
  • Think like an attacker, patch like a defender.
  • Want more actionable insights? Contact us today to schedule a penetration test of your IT and OT environments.