Blog - Wirtek

How attackers pivot from IT into OT systems

Written by Wirtek | 10 Jul 2026

Quick summary

Almost every serious industrial intrusion begins on the corporate IT network and crosses into operational technology through a small number of predictable choke points. This article traces the anatomy of an IT-OT attack path, maps it to the MITRE ATT&CK frameworks, and explains where defenders can break the chain before an attacker reaches a physical process.

Introduction

When people picture an attack on a power substation or a factory, they tend to imagine an adversary directly targeting a controller. The reality is almost always less dramatic and more instructive. The intruder starts on the corporate network, often through a phishing email, and spends days or weeks moving quietly before ever touching anything that looks like operational technology.

Understanding this path matters because it tells defenders where to concentrate effort. The transition from IT to OT is not a single wall to be defended but a sequence of steps, each of which is an opportunity to detect and stop the intrusion before it reaches a physical process.

The attack usually starts in IT, not OT

The early phases of major industrial incidents live in the enterprise IT environment, not the control network. MITRE maintains two relevant knowledge bases: ATT&CK for Enterprise, covering Windows, Linux, and cloud environments, and ATT&CK for ICS, covering the techniques unique to industrial control systems (MITRE, 2024).

The division is telling. Initial access, credential theft, and the first rounds of discovery and lateral movement almost all map to the Enterprise matrix. Only once an adversary has reached the boundary of the control network do the ICS-specific techniques, such as manipulating a programmable logic controller or suppressing a safety alarm, come into play.

The implication is that OT defenders cannot treat the control network as a self-contained problem. By the time activity appears in the ICS matrix, the attacker has typically been operating in the enterprise environment for a long time.

Takeaway: Industrial intrusions begin and mature on the IT network, so OT defence must account for the enterprise stages that precede it.

The choke points between IT and OT

The crossing from IT to OT happens through a limited set of pathways, which is fortunate for defenders because it narrows where to watch. Joint guidance from United States and allied cyber agencies highlights insecure remote access points as a way attackers gain access to OT systems and then move laterally (CISA, 2025).

The most common crossing points include:

  • Dual-homed devices, meaning servers or workstations connected to both the IT and OT networks

  • Engineering workstations used to program controllers, which often hold privileged access and trusted connections

  • Data historians that collect process data and frequently sit at the IT-OT boundary

  • Remote-access services for vendors and maintenance staff, especially where multi-factor authentication is absent

Each of these exists for a legitimate operational reason, which is exactly why they are dangerous. They are sanctioned bridges across a boundary that is otherwise meant to be tightly controlled, and an attacker who compromises one inherits its trust.

The same connections that make a modern plant efficient, remote maintenance, historians, engineering laptops, are the connections an intruder is counting on.

Takeaway: A handful of legitimate bridges, dual-homed hosts, engineering workstations, historians, and remote access, are the predictable crossing points into OT.

Anatomy of a cross-domain attack path

Tracing a typical path makes the pattern concrete. It commonly begins with a phishing email to a corporate employee, which delivers a foothold on the IT network. From there the adversary enumerates the environment, harvesting credentials and identifying systems that connect to the OT side.

Lateral movement through the enterprise follows, often abusing legitimate accounts and remote services rather than exotic malware, behaviour that is hard to distinguish from normal administration. The attacker then locates a bridge, perhaps a historian or an engineering workstation, and uses it to step into the control network. The MITRE ATT&CK for ICS framework describes this OT-side lateral movement as abusing default credentials, known accounts, and dual-homed systems that reside on both networks (MITRE, 2024).

Only at the end does the activity become unmistakably industrial: issuing unauthorised commands, altering controller logic, or interfering with safety functions. By then the attacker has crossed many stages, each of which was a missed chance to intervene.

Takeaway: A cross-domain path runs phishing to enumeration to enterprise lateral movement to a bridge into OT, with physical impact only at the end.

Breaking the chain

Because the path is a sequence, defenders do not need to be perfect at every stage; they need to be effective at enough of them. The choke points that attackers rely on are also the best places to detect and contain them.

Several controls work directly against the cross-domain path. Network segmentation, organised around the Purdue model and IEC 62443 zones and conduits, ensures that crossing from IT to OT requires passing through inspected conduits rather than open connections. Strong authentication on remote access closes one of the most exploited doors. Monitoring at the IT-OT boundary, including deception assets that no legitimate process should touch, raises the chance of catching lateral movement in progress.

None of this is possible without knowing what is there in the first place. An accurate asset inventory underpins every other control, because an operator cannot defend a bridge it does not know exists. For European energy operators under the NIS2 Directive, the ability to detect and report significant incidents depends on exactly this visibility into how IT and OT connect.

Takeaway: Defenders break the chain by hardening the known choke points with segmentation, strong authentication, boundary monitoring, and accurate asset visibility.

Why dwell time is the defender's window

One of the most useful facts about cross-domain attacks is that they are slow. The patient, multi-stage character of these intrusions means an adversary often spends weeks inside the enterprise network before reaching OT, and that interval is the defender's opportunity. Security agencies have documented adversary dwell times in critical-infrastructure incidents measured in weeks, which is ample time to detect activity if the right signals are being watched.

The implication is that detection does not have to be instantaneous to be effective. A defender who catches the intrusion during enterprise reconnaissance, or as it probes for a bridge into OT, can intervene long before any physical process is at risk. This reframes the goal: not to build an impenetrable wall, but to ensure that the attacker cannot traverse the whole path unnoticed.

It also explains why monitoring the IT-OT boundary specifically is so valuable. That boundary is the narrowest point in the path, the place every cross-domain attack must pass through. Concentrating detection there, including with deception assets that legitimate processes never touch, turns the attacker's slow, careful approach into a liability rather than an advantage.

Slow attacks are detectable attacks; the weeks an adversary spends moving toward OT are weeks in which a watchful defender can still intervene.

Takeaway: Long dwell times mean detection during the enterprise or boundary stages can stop an intrusion well before it reaches a physical process.

A shared responsibility across IT and OT

The structure of cross-domain attacks carries an organisational lesson as well as a technical one. Because the path begins in IT and ends in OT, no single team owns the whole of it, and that division is itself a vulnerability. An IT security team focused on the enterprise and an OT team focused on the plant can each defend their half competently while the crossing between them goes unwatched.

Cyber agencies repeatedly emphasise collaboration between IT and OT teams and the elimination of information silos as foundations of a defensible architecture. The reason is direct: the bridges that attackers exploit, dual-homed servers, historians, engineering workstations, sit precisely in the territory that neither team fully claims. Defending them requires shared visibility and agreed ownership.

For European operators under the NIS2 Directive, this organisational point has a compliance dimension too. The obligation to detect and report significant incidents spans whatever boundary an intrusion crosses, so an operator whose IT and OT functions do not share visibility may be unable to recognise, let alone report, an incident that moves between them. Closing the organisational gap is therefore as important as closing the technical one.

Takeaway: Because attacks span IT and OT, defending the crossing requires shared visibility and agreed ownership between teams that often operate separately.

Why prevention alone is not enough

A natural response to the cross-domain path is to try to seal every door: harden the perimeter, lock down remote access, and assume the problem is solved. Prevention is essential, but treating it as sufficient is a mistake, because the bridges attackers use are the same ones the business depends on. Remote maintenance, historians feeding analytics, and engineering workstations cannot simply be removed; they exist to keep the operation running.

This is why detection has to sit alongside prevention rather than behind it. Some legitimate pathway will always remain open, and some credential will eventually be compromised, so the realistic goal is to ensure that an intruder who gets through cannot move unseen. The multi-stage nature of the attack is what makes this achievable: each stage the adversary must complete is another chance to notice them.

The most effective posture therefore layers controls across the whole path rather than concentrating them at a single line. Segmentation slows lateral movement, strong authentication closes the easiest doors, monitoring and deception raise the odds of catching an intrusion in progress, and accurate asset visibility ensures none of the bridges is forgotten. No single layer is decisive, but together they turn a path the attacker hoped to traverse quietly into one littered with opportunities to be caught.

The aim is not a wall that cannot be breached but a path that cannot be crossed in silence, because in industrial security detection is what prevention alone can never guarantee.

Takeaway: Prevention cannot seal the bridges the business needs, so layered detection across the whole path is what stops an intrusion that gets through.

Conclusion

The image of an attacker reaching straight for a controller obscures how industrial intrusions actually unfold. They are patient, multi-stage campaigns that begin in the enterprise network and cross into OT through a small number of trusted connections.

That structure is the defender's advantage. The path is predictable, the crossing points are few, and each stage is a chance to detect and contain the intrusion before it reaches anything physical. The work is to know the bridges, watch them, and ensure that crossing them is neither easy nor invisible.

FAQ

Do attackers target OT systems directly?

Rarely at the outset. Most serious industrial intrusions begin on the corporate IT network, often through phishing, and only cross into OT after extended reconnaissance and lateral movement. The techniques unique to industrial control systems usually appear only in the final stages of an attack.

What is the most common way attackers move from IT to OT?

They exploit legitimate bridges between the two environments: dual-homed devices on both networks, engineering workstations with privileged access, data historians at the boundary, and remote-access services, particularly where strong authentication is missing. These sanctioned connections inherit trust that an attacker can abuse.

How does the MITRE ATT&CK framework help here?

MITRE maintains separate matrices for enterprise IT and for industrial control systems. Mapping an attack across both shows that initial access and most lateral movement occur in the enterprise matrix, with ICS-specific techniques appearing only once the adversary reaches the control network. This helps defenders see the full path rather than just the OT endpoint.

What single control best limits IT-to-OT lateral movement?

No single control is sufficient, but network segmentation around the Purdue model and IEC 62443 zones and conduits is foundational, because it forces any crossing to pass through inspected, controlled conduits. It is most effective when combined with strong remote-access authentication, boundary monitoring, and an accurate asset inventory.

Sources