When was the last time you assessed the security of your operational technology (OT) network? If your setup relies on a single, flat Active Directory (AD) structure, you might be exposing your critical systems to cyber threats. In 2024, ransomware attacks on the industrial sector surged globally, with a significant increase of approximately 30% in the fourth quarter compared to the previous three quarters.
Why a Single AD Domain Is a Risky Bet
Think of your OT and IT networks as two distinct neighborhoods. One is a specialized industrial zone with machinery running core operations; the other is a busy corporate environment filled with employees, emails and external connections. A single, flat AD domain acts like an open bridge between these two, allowing attackers to exploit vulnerabilities and move from IT to OT environments.
Most cyberattacks originate in IT — through phishing emails, compromised credentials or malware. Once inside, attackers seek ways to move laterally. If your OT assets share the same AD domain as your IT infrastructure, they become an accessible target. Notably, 32% of ransomware attacks in 2024 were due to exploited vulnerabilities.
Separate AD Forests
In 2020, a critical vulnerability known as Zerologon (CVE-2020-1472) was disclosed in Microsoft's Netlogon Remote Protocol. A flaw in the protocol's cryptography let an attacker who could merely reach a domain controller over the network, with no credentials at all, reset that domain controller's own machine account password and from there take over the entire domain. Every domain controller was affected, so patching was the only real fix; what AD design determined was the blast radius. Where IT and OT shared one domain, a single exploited IT domain controller handed the attacker every OT account, host and policy as well. Where OT ran in its own forest behind segmentation, the attacker still had to reach and separately exploit the OT domain controllers. Zerologon is therefore a strong argument for separate AD forests for OT, so that owning IT's directory does not by itself let attackers move laterally into OT.
To safeguard OT environments, implementing a separate AD forest for OT identities is considered best practice. Note the word forest: in Active Directory the forest, not the domain, is the security boundary. Domains inside one forest share the schema and configuration partitions and the Enterprise Admins group, and SID filtering is not applied between them, so an attacker with administrative rights in any one domain can usually escalate to the whole forest. A separate OT domain inside the corporate forest therefore offers little protection. A separate OT forest ensures that even if IT systems are compromised, attackers lack a direct route into OT systems, provided no trust reintroduces one. If a trust between the forests is genuinely required (for example, so that OT accounts can publish historian data into IT), make it one-way so that the OT forest trusts no IT accounts, keep SID filtering enabled, and turn on selective authentication so that trusted users can reach only the computers an OT administrator has explicitly authorised.
Benefits
- Removing the direct route: without a trust between the forests, IT credentials are simply not valid in OT, so a stolen IT password or hash cannot be replayed against OT hosts (as long as people are not reusing the same passwords on both sides).
- Containing the blast radius: a breach of IT's directory, including its domain controllers, stays in IT; the attacker has to start again against the OT forest, through whatever conduits segmentation leaves open.
- Supporting compliance: guidance and standards such as NIST SP 800-82 and ISA/IEC 62443 (with its zones-and-conduits model) call for separating IT and OT, and a separate forest is a clean way to evidence that separation for identity.
While maintaining separate forests adds some administrative overhead, the security benefits far outweigh the challenges.
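A separate forest only delivers these benefits if no trust quietly undoes it, so the first check worth running is a trust audit from inside the OT forest. The following PowerShell is an added example, not code from the original article: it lists every trust the OT forest has and flags the properties that would let an IT compromise cross over. It assumes the RSAT ActiveDirectory module is installed and that the caller can read trust objects; it introduces no names beyond the module's own cmdlets and properties.

```powershell
# Added example, not from the original article. Run inside the OT forest on a
# domain controller or an admin workstation with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-OtTrustFindings {
    # Returns one object per problem found. An empty result is the goal state:
    # no trust at all means IT credentials are never honoured in this forest.
    $findings = foreach ($t in Get-ADTrust -Filter * -Properties *) {

        # Every trust is worth knowing about, even a well-configured one.
        [pscustomobject]@{ Target = $t.Target; Severity = 'Info'
            Issue = "Trust exists (direction: $($t.Direction), forest transitive: $($t.ForestTransitive))" }

        # Direction is relative to the forest being queried. "Outbound" means this
        # (OT) forest trusts the target, i.e. accounts from the target can be granted
        # access to OT resources. That is exactly the IT-to-OT route the article warns about.
        if ($t.Direction -in @('Outbound', 'BiDirectional')) {
            [pscustomobject]@{ Target = $t.Target; Severity = 'High'
                Issue = "OT trusts $($t.Target): accounts from that forest can be authorised on OT hosts" }
        }

        # Without SID filtering, whoever controls the trusted side can stamp OT SIDs
        # (such as the OT Domain Admins SID) into SIDHistory and they will be honoured
        # here. Quarantine is the flag for external trusts, ForestAware for forest trusts.
        $sidFiltered = $t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware
        if (-not $sidFiltered) {
            [pscustomobject]@{ Target = $t.Target; Severity = 'High'
                Issue = 'SID filtering is disabled on this trust' }
        }

        # Selective authentication turns "trusted" into "may log on only to computers
        # where an OT admin granted Allowed-To-Authenticate", shrinking the exposure.
        if ($t.Direction -ne 'Inbound' -and -not $t.SelectiveAuthentication) {
            [pscustomobject]@{ Target = $t.Target; Severity = 'Medium'
                Issue = 'Selective authentication is off: every OT host is reachable to trusted users' }
        }
    }
    return @($findings)
}

$result = Get-OtTrustFindings
if ($result.Count -eq 0) {
    Write-Output 'No trusts found: credentials from other forests are not honoured here.'
} else {
    $result | Sort-Object Severity, Target | Format-Table -AutoSize
}
```

Run it after any change to the directory, not just once: a trust created "temporarily" for a migration or a vendor integration is the kind of backdoor that survives for years.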
Who Should Manage OT AD?
Managing an OT AD forest requires specialized expertise. Assigning this responsibility to IT personnel may lead to security gaps, as they might not fully understand OT’s unique constraints, including the need for high availability, legacy systems and vendor-controlled assets. A significant number of organizations lack dedicated OT security teams, with 66% facing staffing challenges such as overloaded employees and difficulties attracting qualified personnel. This shortage can exacerbate security risks, making it critical to build specialized OT teams that understand operational requirements.
Instead, consider forming a dedicated OT security team. Organizations with specialized OT cybersecurity teams often experience fewer security incidents compared to those where IT oversees both environments.
A collaborative approach — where IT and OT teams work together yet remain distinct — allows IT security professionals to contribute identity management expertise while OT teams ensure operational stability.
Can You Afford to Skip Network Segmentation?
Even with separate AD forests, improper network segmentation can leave OT systems vulnerable. Many companies still use flat network structures, where all devices communicate freely — this is a major security risk.
The Purdue Model, as referenced in the ISA-95 standard, is a widely accepted framework for OT network architecture. It emphasizes strict segmentation:
- Levels 0-2: field devices, controllers and the HMI/supervisory systems that drive the process. These should remain isolated in their own zones and, where possible, not depend on any directory at all, because a controller must keep running when the domain controller does not.
- Level 3: site operations (historians, engineering workstations, OT management servers). The OT forest's domain controllers live here, and access to them is tightly controlled.
- Level 3.5: the industrial DMZ between OT and IT. Nothing crosses directly between Level 3 and Level 4; traffic is brokered through jump hosts, replicated historians and patch or antivirus relays, and every such conduit is an explicit firewall rule.
- Levels 4-5: corporate IT and the enterprise network. These remain entirely separate, with minimal, monitored access into the DMZ only when absolutely necessary.
Proper segmentation ensures that even if an attacker breaches IT systems, the only paths to OT assets are the few conduits you defined and monitor, so an attempt to cross has to show up in firewall and jump-host logs rather than pass unnoticed over a flat network.
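Segmentation is a claim until you test it from the attacker's starting point. The PowerShell probe below is an added example (not part of the original article): run from an ordinary IT workstation at Level 4, it attempts TCP connections to a handful of OT assets on the protocols attackers use for lateral movement and reports which ones the boundary actually stops. The addresses are hypothetical placeholders; replace them with a short list agreed with the OT team and run only with authorisation.

```powershell
# Added example, not from the original article. Run from an IT (Level 4)
# workstation with the OT team's authorisation. The target addresses are
# hypothetical placeholders for a few Level 2/3 assets.
$otTargets = @('10.20.3.10', '10.20.3.11', '10.20.2.50')

# Ports an attacker would try first after landing in IT (plain hashtable on
# purpose: an [ordered] dictionary would treat integer keys as positions).
$ports = @{
    88   = 'Kerberos'
    135  = 'MS-RPC'
    389  = 'LDAP'
    445  = 'SMB'
    3389 = 'RDP'
    5985 = 'WinRM'
    502  = 'Modbus/TCP'
}

function Test-OtConduit {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 1500)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        if ($task.Wait($TimeoutMs)) { return 'OPEN' }
        # Neither SYN-ACK nor RST within the timeout: the boundary dropped the packet.
        return 'filtered'
    } catch {
        # Unwrap PowerShell's MethodInvocationException / AggregateException chain
        # to reach the SocketException underneath.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.Sockets.SocketException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.SocketErrorCode -eq 'ConnectionRefused') {
            # A RST came back. Nothing listens on that port, but the packet reached
            # the host, so the boundary is not blocking this path. Still a gap.
            return 'reachable (port closed)'
        }
        if ($ex) { return "error: $($ex.SocketErrorCode)" }
        return 'error'
    } finally {
        $client.Dispose()
    }
}

$report = foreach ($target in $otTargets) {
    foreach ($port in ($ports.Keys | Sort-Object)) {
        [pscustomobject]@{
            Target  = $target
            Port    = $port
            Service = $ports[$port]
            Result  = Test-OtConduit -HostName $target -Port $port
        }
    }
}
$report | Format-Table -AutoSize

# Anything other than "filtered" crossed the boundary in some form.
$gaps = @($report | Where-Object Result -ne 'filtered')
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) path(s) cross the IT/OT boundary; compare them against the approved conduit list."
}
```

The distinction between "filtered" and "reachable (port closed)" is the point of the exercise: a refused connection still proves that packets travel from Level 4 to the OT host, which is the flat network the article warns about, even if the service happens not to be listening today.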
What About Third-Party Access?
An often-overlooked risk involves third-party vendors. Many OT systems require vendor access for maintenance and updates. However, unrestricted third-party access introduces a major attack vector.
Considerations
- Grant short-term access: provision access for a defined window (e.g., four hours) tied to a change or maintenance ticket, then revoke it. Use named, personal accounts in the OT forest rather than a shared vendor login, so that every action is attributable to one person.
- Monitor sessions: route vendor connections through a jump host in the industrial DMZ that requires multi-factor authentication, records the session and logs every command and file transfer, instead of allowing a VPN straight into Level 3.
- Implement zero-trust principles: assume every external connection is hostile until it has been authenticated, authorised for specific systems and inspected, and never extend to a vendor more network reach than the task at hand needs.
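Time-boxed access is easy to promise and easy to forget to revoke. The PowerShell below is an added example (not from the original article) of granting a vendor engineer four hours on an OT jump host in a way that expires on its own. It assumes the OT forest has the Privileged Access Management optional feature enabled (required for time-limited group membership; Windows Server 2016 forest functional level or later, and irreversible once enabled), that a group named OT-Vendor-JumpHost is the only principal allowed to log on to the jump host, and that the account and group names are hypothetical.

```powershell
# Added example, not from the original article. Assumptions: the OT forest's
# "Privileged Access Management Feature" optional feature is already enabled;
# the group 'OT-Vendor-JumpHost' is hypothetical and is the only group granted
# logon rights on the DMZ jump host; the vendor account is a named, personal one.
Import-Module ActiveDirectory

function Grant-OtVendorAccess {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # vendor engineer's personal OT account
        [Parameter(Mandatory)][string]$Group,            # e.g. 'OT-Vendor-JumpHost'
        [Parameter(Mandatory)][string]$Ticket,           # change / maintenance ticket reference
        [int]$Hours = 4
    )
    $ttl    = New-TimeSpan -Hours $Hours
    $expiry = (Get-Date).Add($ttl)
    $user   = Get-ADUser -Identity $SamAccountName

    # 1. Membership that removes itself. AD drops the member when the TTL lapses,
    #    and Kerberos tickets issued to the member are capped at the remaining TTL,
    #    so access cannot outlive the window on a cached ticket.
    Add-ADGroupMember -Identity $Group -Members $user -MemberTimeToLive $ttl

    # 2. Belt and braces: the account itself stops authenticating at the same
    #    moment, so a missed manual revocation does not leave a live credential behind.
    Enable-ADAccount -Identity $user
    Set-ADAccountExpiration -Identity $user -DateTime $expiry
    Set-ADUser -Identity $user -Description "Vendor access for $Ticket until $expiry"

    # 3. Return the membership entry with its TTL so it can be recorded against the ticket.
    Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive |
        Select-Object -ExpandProperty member |
        Where-Object { $_ -like "*$($user.DistinguishedName)" }
}

function Revoke-OtVendorAccess {
    # For when the job finishes early: do not wait for the TTL.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Group
    )
    Remove-ADGroupMember -Identity $Group -Members $SamAccountName -Confirm:$false
    Disable-ADAccount -Identity $SamAccountName
}

# Usage (hypothetical names):
Grant-OtVendorAccess -SamAccountName 'v-jsmith' -Group 'OT-Vendor-JumpHost' -Ticket 'CHG-0421'
# ... maintenance happens through the recorded jump-host session ...
Revoke-OtVendorAccess -SamAccountName 'v-jsmith' -Group 'OT-Vendor-JumpHost'
```

The group, not the account, is what the jump host authorises, so the TTL on the membership is the real control; the account expiry is there for the day someone extends the membership by hand and forgets. Session recording stays the jump host's job and is outside this script.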
Final Thoughts I’ll Leave You With
Cybersecurity is an ongoing challenge, and for OT networks, the stakes are particularly high. Downtime from a cyberattack can be catastrophic. In 2024, ransomware attacks rose significantly around the world, with manufacturing entities among the hardest hit.
By segmenting networks, creating dedicated AD forests and restricting third-party access, organizations can significantly reduce the risk of OT-targeted cyberattacks.
So, the pressing question is: Is your OT identity management strategy truly protecting your critical infrastructure, or is it leaving the door open for attackers? Now is the time to take action.
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive regular emails with links to thought leadership, research and other insights from the OT cybersecurity community.