
How Attackers Move from IT to OT in Real Life

In today’s connected industrial world, the line between Information Technology and Operational Technology is no longer a clean boundary. It is a bridge. That bridge is where modern cyber attackers thrive. What begins as a routine IT compromise can escalate into a full-scale IT/OT cyberattack with real-world consequences such as halted production, disrupted rail systems, or compromised safety controls. Understanding how attackers move from IT to OT is no longer just a technical concern. It is a business risk, a safety issue, and a board-level priority.


What are IT and OT, and how do they differ?

Information Technology (IT) refers to systems that manage data. This includes email servers, cloud platforms, enterprise applications, identity systems like Active Directory, and user devices. IT prioritises confidentiality, integrity, and availability of information.


Operational Technology (OT), on the other hand, controls physical processes. This includes industrial control systems (ICS), SCADA platforms, programmable logic controllers (PLCs), and engineering workstations. OT prioritises safety, reliability, and uptime. If IT systems fail, the business is disrupted. If OT systems fail, people can be harmed, and physical infrastructure can be damaged.


Historically, these environments were separated. Today, they are increasingly integrated to enable efficiency, remote operations, and data-driven decision making. That integration is exactly what creates exposure.



The Reality of an IT/OT Cyberattack

An IT/OT cyberattack rarely begins in OT. Attackers start where it is easier, which is almost always IT. From real-world Operational Technology Cyberattack examples, a clear pattern emerges:

  • Gain Access into IT

  • Escalate privileges and move laterally

  • Identify pathways into OT

  • Use trusted connections to pivot

  • Execute actions within OT systems

This is not theoretical. It is how modern attacks unfold across energy, manufacturing, water, and transport sectors.

IT/OT Convergence

How Attackers Move from IT to OT

  1. Initial Access in IT: Attackers typically enter through familiar methods:

    • Phishing emails

    • Stolen credentials

    • Vulnerable VPNs or remote access systems

At this stage, the attack looks like a standard IT breach. Nothing appears OT-related yet.


  2. Identity and Privilege Escalation: Once inside, attackers focus on identity. This is where many organisations underestimate risk. They target:

    • Active Directory

    • Privileged accounts

    • Credential stores

    • Remote access permissions

Why this matters: many OT environments still rely on IT identity systems. If attackers control identity, they control access.


  3. Discovery of OT Pathways: Attackers do not blindly move into OT. They look for bridges. Common pathways include:

    • Remote access gateways into OT

    • Jump servers used by engineers

    • Historian systems syncing OT data to IT

    • Vendor or maintenance connections

    • Dual-homed machines connected to both networks

These are legitimate business connections. That is exactly why they are exploited.
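The pathways listed above are what a boundary audit should enumerate. The following Python is an added example, not Complete Cyber's tooling: the zone names (IT, DMZ, OT), the address ranges, the host inventory and the firewall rules are all constructed, and it flags the two bridges a defender can find from inventory alone, dual-homed hosts and allow rules that carry IT traffic straight into OT without passing through the industrial DMZ.

```python
import ipaddress

# Constructed zone map (assumption): which address ranges belong to IT, the industrial DMZ and OT.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("192.168.100.0/24"),
}

# Constructed host inventory: hostname -> interface addresses.
HOSTS = {
    "corp-fileserver": ["10.10.5.20"],
    "historian-01":    ["10.20.0.15", "192.168.100.15"],  # historian bridging DMZ and OT (by design)
    "eng-laptop-07":   ["10.10.42.9", "192.168.100.77"],  # dual-homed IT/OT host (an unintended bridge)
    "plc-line-3":      ["192.168.100.30"],
}

# Constructed boundary firewall rules: (source, destination, destination port, action).
RULES = [
    ("10.10.0.0/16",  "10.20.0.0/24",     443,  "allow"),  # IT -> DMZ web portal
    ("10.20.0.15/32", "192.168.100.0/24", 502,  "allow"),  # historian -> OT Modbus/TCP
    ("10.10.0.0/16",  "192.168.100.0/24", 3389, "allow"),  # IT -> OT RDP, skips the DMZ
    ("10.10.0.0/16",  "192.168.100.0/24", 502,  "deny"),
]

def zone_of(addr):
    """Name of the zone an interface address belongs to, or UNKNOWN."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"

def dual_homed_hosts(hosts=HOSTS):
    """Hosts with one interface in IT and another in OT: traffic can cross zones on the host itself."""
    return sorted(h for h, addrs in hosts.items()
                  if {"IT", "OT"} <= {zone_of(a) for a in addrs})

def direct_it_to_ot_rules(rules=RULES):
    """Allow rules with an IT source and an OT destination, i.e. paths that bypass the industrial DMZ."""
    findings = []
    for src, dst, port, action in rules:
        if action != "allow":
            continue
        if (ipaddress.ip_network(src).subnet_of(ZONES["IT"])
                and ipaddress.ip_network(dst).subnet_of(ZONES["OT"])):
            findings.append((src, dst, port))
    return findings
```

Both functions return findings for review; with the constructed data they report the dual-homed engineering laptop and the IT-to-OT RDP rule, while the historian's DMZ-to-OT path is left alone.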


  4. Pivot Through Trusted Access: This is the critical moment in an IT to OT cyberattack. Instead of breaking into OT directly, attackers:

    • Log in using valid credentials

    • Use remote desktop or VPN access

    • Operate through engineering workstations

    • Leverage vendor tools or maintenance channels

From a security perspective, these actions often look normal. From an operational perspective, they are highly dangerous.


  5. Execution in OT Environments: Once inside OT, attackers shift tactics. They move from IT tools to OT-specific actions:

    • Modifying PLC logic

    • Changing control parameters

    • Uploading malicious configurations

    • Disrupting SCADA visibility

    • Triggering shutdowns or unsafe states

This is where cyber risk becomes physical risk.



Real-World Operational Technology Cyberattack Examples

  • Colonial Pipeline (2021): A ransomware attack began in IT via compromised VPN access. Although OT systems were not directly infected, operations were shut down due to uncertainty and risk. This demonstrates how IT compromise alone can disrupt OT operations.

  • Water Treatment Facilities (Multiple Incidents): Attackers used remote access to reach SCADA systems directly. In some cases, facilities had to switch to manual operations. This highlights how exposed remote access is one of the most common cyber threats to Operational Technology.

  • Unitronics PLC Attacks (2023–2024): Internet-facing PLCs with weak authentication were directly accessed and manipulated. This case shows that sometimes attackers do not even need IT. If OT is exposed, it becomes the entry point.

  • Ukraine Energy Sector (Industroyer2): Attackers deployed specialised malware capable of speaking industrial protocols. This represents the most advanced form of OT attack, where the goal is direct control over physical systems.


Why IT to OT Cyberattacks Are So Effective

There are three core reasons these attacks succeed:

  1. Trusted connections are not treated as threats: Most organisations focus on external threats, not internal pathways. The IT-OT bridge is trusted by design.

  2. OT was not built for cybersecurity: OT systems prioritise uptime and safety. Security controls are often limited or difficult to implement without operational impact.

  3. Visibility is limited: Many organisations cannot answer key questions: Who accessed OT systems? From where? What actions were performed? Without this visibility, attackers can operate undetected.


Common Cyber Threats to Operational Technology

From our experience at Complete Cyber, the most common cyber threats to Operational Technology include:

  • Compromised remote access systems

  • Weak identity and access management

  • Poor IT-OT network segmentation

  • Third-party and supply chain risks

  • Internet-exposed OT assets

  • Lack of OT-specific monitoring

These are not advanced nation-state techniques. They are common weaknesses.



What Organisations Should Do Next

To reduce the risk of an IT/OT cyberattack, organisations need to focus on the fundamentals.

  1. Strengthen Identity Security:

    • Enforce strong authentication across all remote access

    • Remove legacy access pathways

    • Control privileged accounts tightly

  2. Secure the IT-OT Boundary:

    • Implement proper segmentation

    • Use an Industrial DMZ where appropriate

    • Monitor all traffic crossing between IT and OT

  3. Control Remote Access:

    • Audit all remote connections into OT

    • Restrict vendor access

    • Apply least privilege principles

  4. Improve OT Visibility:

    • Monitor OT protocols and engineering activity

    • Detect unusual changes to PLCs or SCADA systems

    • Correlate IT and OT security events

  5. Prepare for Operational Resilience:

    • Develop manual operation procedures

    • Maintain secure backups of configurations

    • Test incident response across IT and OT teams
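The visibility questions raised earlier (who accessed OT, from where, what was done) and the step above on correlating IT and OT security events are what this Python puts into practice, as an added example that is not Complete Cyber's tooling. The log fields, the authorised-engineer list and the one-hour window are assumptions, and every event is constructed; it joins a VPN session to an OT jump-server login by user and source address, then to a PLC change by the same account.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed IT log: corporate VPN sessions and the pool address assigned to each user.
VPN_SESSIONS = [
    {"time": ts("2024-03-12 01:40"), "user": "j.smith", "vpn_ip": "10.99.0.23"},
    {"time": ts("2024-03-12 08:05"), "user": "a.jones", "vpn_ip": "10.99.0.41"},
]

# Constructed OT log: logins to the OT jump server with their source address.
JUMP_LOGINS = [
    {"time": ts("2024-03-12 01:52"), "user": "j.smith", "src_ip": "10.99.0.23"},
    {"time": ts("2024-03-12 08:10"), "user": "a.jones", "src_ip": "10.99.0.41"},
    {"time": ts("2024-03-12 14:00"), "user": "a.jones", "src_ip": "192.168.100.50"},
]

# Constructed engineering log: PLC program changes recorded by OT monitoring.
PLC_CHANGES = [
    {"time": ts("2024-03-12 02:05"), "user": "j.smith", "plc": "plc-line-3", "action": "logic_download"},
    {"time": ts("2024-03-12 14:20"), "user": "a.jones", "plc": "plc-line-1", "action": "logic_download"},
]

AUTHORISED_PLC_ENGINEERS = {"a.jones"}  # assumption: j.smith holds an IT admin role, not an OT one
WINDOW = timedelta(hours=1)

def correlate(vpn=VPN_SESSIONS, jumps=JUMP_LOGINS, changes=PLC_CHANGES,
              authorised=AUTHORISED_PLC_ENGINEERS, window=WINDOW):
    """Alert on the IT -> OT -> PLC chain: a jump-server login whose source is the user's
    own VPN address, followed within the window by a PLC change made by that account."""
    alerts = []
    for j in jumps:
        # Step 1: OT entry from a remote IT session (who, and from where).
        from_vpn = any(v["user"] == j["user"] and v["vpn_ip"] == j["src_ip"]
                       and timedelta(0) <= j["time"] - v["time"] < window for v in vpn)
        if not from_vpn:
            continue
        # Step 2: engineering action shortly after entry (what was done).
        for c in changes:
            if c["user"] == j["user"] and timedelta(0) <= c["time"] - j["time"] < window:
                alerts.append({"user": c["user"], "jump_src": j["src_ip"], "plc": c["plc"],
                               "action": c["action"],
                               "severity": "review" if c["user"] in authorised else "high"})
    return alerts
```

With the constructed data only the IT administrator's chain (VPN, jump server, PLC download within minutes) produces a high-severity alert; the authorised engineer's afternoon download happens hours after entry and from inside OT, so it is not flagged.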



Final Thoughts

The most important takeaway is this: attackers do not need to break into OT; they walk in through IT. An IT/OT cyberattack is not a rare or highly complex scenario. It is a predictable progression that exploits how modern organisations are designed.


At Complete Cyber, we have spent over a decade working within OT environments, particularly in railway and critical infrastructure sectors. What we consistently see is that attackers do not jump into OT. They move step by step, using predictable pathways that organisations often overlook. The more connected your environment becomes, the more critical it is to understand and secure these pathways between IT and OT.


With experience supporting both SMEs and large enterprises, we know that effective OT cybersecurity is not about theory. It is about understanding how systems actually operate, and how attackers actually think. If organisations can secure the bridge between IT and OT, they can stop most attacks before they ever reach the physical world.


