
Securing the Path Between IT and OT Environments
Limited or No Security Visibility Puts Utilities at Extreme Risk
Connected IT and OT environments allow utilities greater efficiency, decision-making, security, and the ability to leverage data for optimization – but this collaboration also introduces serious cybersecurity risks.
There are pathways connecting IT and OT that, if left vulnerable and unprotected, can give an attacker a doorway from the IT side directly into the critical infrastructure environment on the OT side.
Utilities can be an easy target for cybersecurity attacks; vulnerabilities in aging infrastructure and outdated security allow attackers to access and disrupt the critical infrastructure environment and exploit it for financial gain.
Regular, in-depth security assessments, especially those that test both internal and external networked environments, are essential for utilities not only for compliance, but to gain comprehensive awareness of their security posture. The connectivity between IT and OT, coupled with the potential for vulnerabilities in the OT environment, creates serious cybersecurity risks.
Security Assessments – the Secret Sauce
Nation-state actors and cybercriminal groups have increasingly turned their attention to industrial control systems (ICS), targeting power grids, water treatment facilities, and other critical infrastructure. Whether it’s to cause disruption, extract ransom, or test vulnerabilities for future attacks, utilities are firmly in the crosshairs of these malicious actors.
We’ve previously discussed the importance of segmenting your networked environments, but segmentation isn’t enough to fully protect against today’s threats.
Your networks are likely far more interconnected than you may realize; configuration drift, undocumented systems, and shortcuts taken over time can result in invisible pathways between your IT and OT environments.
That’s why a proactive approach to cybersecurity – one that includes regular penetration testing, vulnerability assessments, and red team exercises – is essential. These assessments simulate the real-world tactics, techniques, and procedures (TTPs) of modern adversaries and reveal how different vulnerabilities can be chained together in ways your team might not expect.
Common, Underlying Security Issues
In many of our assessments across the utility sector, we’ve seen common and recurring issues:
- Weak internal protocol configurations, such as insecure DNS and DHCPv6 setups
- Credential storage vulnerabilities in remote access tools
- Improperly segmented or monitored IT and OT environments
- Lack of MFA on privileged accounts
- Inadequate or outdated asset documentation
CASE STUDY:
Compromising a Power Company’s OT Environment Through Its IT Environment

During a recent engagement with a client in the power utility sector, we were able to access the OT environment via a weakness in the IT infrastructure.
A lack of SMB signing, combined with misconfigured Active Directory Certificate Services, allowed us to compromise the utility’s domain controller. From there, we accessed stored credentials in a remote access app, and these credentials provided entry into a VMware server directly connected to the OT environment. No malware, no phishing – just weak configurations and a clear path.
Exploitation of this IT domain gave our consultant access to the OT, SCADA, and Windows assets through this single server, and while the engagement didn’t allow us to do any additional exploitation within the OT environment, we were able to validate a dangerous connection between the IT and OT sides of the power utility’s networked environment.
Had we been a real attacker, a lot would have been at stake in this scenario, especially if the OT environment were compromised:
- On the IT side, a security breach could shut down IT systems, which include billing, customer service, and corporate operations.
- On the OT side, a security breach could disrupt services, causing outages or interference with power, water, or gas supply and other public safety risks, depending on the utility.
While some of these issues are relatively simple to fix, others require organizational change and a shift in mindset. They also highlight why even a “mostly compliant” utility can still be vulnerable.
It’s Not Just About Compliance
While compliance frameworks like NERC CIP, NIST 800-82, and ISA/IEC 62443 set important baselines for utilities, they aren’t always enough to uncover hidden paths between enterprise networks and industrial controls. Security assessments go deeper, identifying weak links before attackers do.
Compliance requirements are important, but treating them as a box to be checked can leave utilities dangerously exposed. The NERC CIP standards, for example, require utilities to protect critical cyber assets, but they may not catch all misconfigurations, privilege escalations, or chained exploits. And many regulations focus heavily on the OT side, without fully considering the risks of lateral movement from IT.
In other words: just because you’re compliant doesn’t mean you’re secure.
Security is a moving target, and the only way to keep up is through continuous testing and visibility. Assessments help identify not just individual weaknesses, but the ways those weaknesses can be leveraged in combination – a technique attackers use all the time.
OT Access Through IT: A Slippery Slope
It’s easy to ignore your OT networks, assuming they’re insulated from threats or that your utility is too small or unknown for attackers to care. In reality, any vulnerability is a concern, and we routinely find exploitable IT-to-OT connections.
When those connections are discovered by a trusted security team, it’s a chance to fix them and avoid a serious issue down the line. Cyber attacks can have serious consequences: grid outages, tampered control systems, and cascading impacts on public safety. The good news is that utility leaders and security professionals don’t need to wait for a regulatory mandate or a breach to take action. Here’s what you can do now:
- Schedule a comprehensive security assessment that includes both IT and OT environments.
- Test for lateral movement and IT-to-OT pivoting through red team exercises.
- Deploy strong identity and access controls, including MFA, across all systems.
- Eliminate insecure legacy protocols and enforce modern, secure configurations.
- Ensure asset documentation is complete and accurate, especially for critical systems.
- Use your assessments to guide strategic investment, not just short-term fixes.
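As an added illustration (not from the original post, and not the consultancy’s own tooling), the following PowerShell audit checks a Windows host for the weak internal protocol settings called out above: SMB signing on server and client, LLMNR multicast name resolution, NetBIOS over TCP/IP, and IPv6 where it is unused (the DHCPv6 exposure). It assumes an elevated session on a domain-joined host; the expected values are common hardening guidance, not a client-specific baseline.

```powershell
# Added audit (not the post's own tooling): compares a Windows host's registry
# against hardened values for the legacy protocols the post calls out.
# Assumes an elevated PowerShell session; expected values are common hardening
# guidance, not a client-specific baseline.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value means the OS default, usually the weak setting
}

$checks = @(
    @{ Check = 'SMB server signing required'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Check = 'SMB client signing required'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Check = 'LLMNR (multicast name resolution) disabled'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name  = 'EnableMulticast'; Expected = 0 },
    @{ Check = 'IPv6 disabled where unused (removes DHCPv6 exposure)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
       Name  = 'DisabledComponents'; Expected = 0xFF }
)

$results = @(
    foreach ($c in $checks) {
        $actual = Get-RegistryDword -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Check    = $c.Check
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Status   = if ($actual -eq $c.Expected) { 'PASS' } else { 'FAIL' }
        }
    }
    # NetBIOS over TCP/IP is configured per interface; NetbiosOptions 2 = disabled.
    $nbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $nbtRoot) {
        $opt = Get-RegistryDword -Path $iface.PSPath -Name 'NetbiosOptions'
        [pscustomobject]@{
            Check    = "NetBIOS over TCP/IP disabled on $($iface.PSChildName)"
            Expected = 2
            Actual   = if ($null -eq $opt) { '(not set)' } else { $opt }
            Status   = if ($opt -eq 2) { 'PASS' } else { 'FAIL' }
        }
    }
)
$results | Format-Table -AutoSize
"{0} of {1} checks need attention" -f ($results | Where-Object Status -eq 'FAIL').Count, $results.Count
```

Run it across a sample of hosts on both the IT and OT sides; a FAIL on the SMB signing rows is exactly the kind of weak configuration the case study above describes.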
The utility sector has a special responsibility to protect its systems – not just for operational continuity, but for the safety and well-being of entire communities. Security assessments provide the visibility needed to identify unseen risks and the insights needed to act on them.
Whether driven by compliance, customer trust, or a simple desire to do the right thing, these assessments are not optional. They’re essential. Because when IT is a gateway to OT, and OT is the backbone of your utility’s function or your community, there’s simply too much at stake to wait.
Contact Us Today!
Talk to us if your utility is looking for MSSP services to fix vulnerabilities before they become a bigger issue.