When was the last time you assessed the security of your operational technology (OT) network? If your setup relies on a single, flat Active Directory (AD) structure, you might be exposing your critical systems to cyber threats. In 2024, ransomware attacks on the industrial sector surged globally, with a significant increase of approximately 30% in the fourth quarter compared to the previous three quarters.
Think of your OT and IT networks as two distinct neighborhoods. One is a specialized industrial zone with machinery running core operations; the other is a busy corporate environment filled with employees, emails and external connections. A single, flat AD domain acts like an open bridge between these two, allowing attackers to exploit vulnerabilities and move from IT to OT environments.
Most cyberattacks originate in IT — through phishing emails, compromised credentials or malware. Once inside, attackers seek ways to move laterally. If your OT assets share the same AD domain as your IT infrastructure, they become an accessible target. Notably, 32% of ransomware attacks in 2024 were due to exploited vulnerabilities.
In 2020, a critical vulnerability known as Zerologon (CVE-2020-1472) was discovered in Microsoft's Netlogon Remote Protocol. This flaw allowed attackers to gain unauthorized access to domain controllers without needing any credentials. Once exploited, it let attackers effectively take over the entire domain, leading to potential disruptions across both IT and OT networks. Organizations that did not segregate their AD implementations faced heightened risks, as the compromise of IT systems could directly impact OT operations. This vulnerability underscored the necessity of implementing separate AD forests for OT environments to prevent attackers from moving laterally between IT and OT systems.
To safeguard OT environments, implementing separate AD forests for OT identities is considered best practice. This segregation ensures that even if IT systems are compromised, attackers lack a direct route into OT systems.
While maintaining separate forests adds some administrative overhead, the security benefits far outweigh the challenges.
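A separate forest only isolates OT identities while nothing re-bridges it to IT, so the check worth running periodically from inside the OT forest is a trust audit. The following PowerShell is an added example, not code from this article or from ISAGCA; it assumes the RSAT ActiveDirectory module and read access to the OT forest's root domain, and the IT forest name corp.example is a placeholder.

```powershell
# Added example: list every trust of the forest this runs in (intended: the
# OT forest) and flag the settings that would let IT principals reach OT.
# Assumes the RSAT ActiveDirectory module; 'corp.example' is a placeholder.
Import-Module ActiveDirectory

function Get-OtTrustFindings {
    param(
        # Hypothetical IT forest name; substitute your corporate forest.
        [string]$ItForestName = 'corp.example'
    )
    foreach ($trust in Get-ADTrust -Filter * -Properties *) {
        $issues = @()
        if ($trust.Target -like "*$ItForestName*") {
            $issues += 'trust points at the IT forest: the IT-to-OT bridge is back'
        }
        # Direction is relative to this forest: Outbound or BiDirectional means
        # principals from the target forest can authenticate to OT resources.
        if ("$($trust.Direction)" -in @('Outbound', 'BiDirectional')) {
            $issues += "direction $($trust.Direction): remote principals can reach OT resources"
        }
        if ($trust.ForestTransitive) {
            $issues += 'transitive forest trust: every domain in the other forest is trusted'
        }
        if (-not $trust.SelectiveAuthentication) {
            $issues += 'selective authentication off: remote users are Authenticated Users here'
        }
        # The quarantine flag (SID filtering) applies to external, non-forest trusts.
        if (-not $trust.ForestTransitive -and -not $trust.SIDFilteringQuarantined) {
            $issues += 'external trust without SID filtering: foreign SID history is honored'
        }
        [pscustomobject]@{
            Trust     = $trust.Name
            Direction = $trust.Direction
            TrustType = $trust.TrustType
            Issues    = $issues -join '; '
        }
    }
}

# An isolated OT forest returns no rows; every row is a trust to justify or harden.
Get-OtTrustFindings | Format-Table -AutoSize
```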
Managing an OT AD forest requires specialized expertise. Assigning this responsibility to IT personnel may lead to security gaps, as they might not fully understand OT’s unique constraints, including the need for high availability, legacy systems and vendor-controlled assets. A significant number of organizations lack dedicated OT security teams, with 66% facing staffing challenges such as overloaded employees and difficulties attracting qualified personnel. This shortage can exacerbate security risks, making it critical to build specialized OT teams that understand operational requirements.
Instead, consider forming a dedicated OT security team. Organizations with specialized OT cybersecurity teams often experience fewer security incidents compared to those where IT oversees both environments.
A collaborative approach — where IT and OT teams work together yet remain distinct — allows IT security professionals to contribute identity management expertise while OT teams ensure operational stability.
Even with separate AD forests, improper network segmentation can leave OT systems vulnerable. Many companies still use flat network structures, where all devices communicate freely — this is a major security risk.
The Purdue Model, as referenced in the ISA-95 standard, is a widely accepted framework for OT network architecture. It emphasizes strict segmentation:
Proper segmentation ensures that even if an attacker breaches IT systems, they cannot reach OT assets without triggering alerts.
An often-overlooked risk involves third-party vendors. Many OT systems require vendor access for maintenance and updates. However, unrestricted third-party access introduces a major attack vector.
Cybersecurity is an ongoing challenge, and for OT networks, the stakes are particularly high. Downtime from a cyberattack can be catastrophic. In 2024, ransomware attacks rose significantly around the world, with manufacturing entities among the hardest hit.
By segmenting networks, creating dedicated AD forests and restricting third-party access, organizations can significantly reduce the risk of OT-targeted cyberattacks.
So, the pressing question is: Is your OT identity management strategy truly protecting your critical infrastructure, or is it leaving the door open for attackers? Now is the time to take action.
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive regular emails with links to thought leadership, research and other insights from the OT cybersecurity community.