Full Report
Sophisticated OT threats, like living-off-the-land (LotL) attacks, exploit identity vulnerabilities to infiltrate critical infrastructure. Find out how robust identity security and unified exposure management can help you detect, prioritize and mitigate risks across IT and OT environments.The attack surface that today’s security leaders have to defend is growing at an unprecedented rate, and the situation is particularly challenging for organizations managing critical infrastructure: almost 70% of cyber attacks in 2023 targeted critical infrastructure, according to IBM’s “X-Force Threat Intelligence Index 2024” report. What was once a manageable task of protecting a defined network perimeter has transformed into a complex challenge of securing a vast, interconnected web of cyber-physical systems – IT, operational technology (OT), internet-of-things (IoT) devices, and more. These devices and their associated networks are under increasing pressure from sophisticated threat actors, who are leveraging advanced techniques such as living-off-the-land (LotL) attacks to infiltrate critical infrastructure networks.LotL techniques are especially dangerous in OT networks because they usually house “insecure by design” legacy and unmanaged systems that may not support the latest patches or cannot be easily upgraded without affecting operations. Additionally, these OT networks may share resources or trusted zones with IT environments. These two elements create an ideal landscape for attackers to move laterally and undetected between IT and OT networks.Advanced attack techniques blur the boundaries between historically separate security domainsOperational technology (OT) refers to the hardware and software systems that monitor and control physical devices, processes and events in environments such as industrial operations, building facilities, energy and water infrastructure, data centers and transportation systems. Unlike IT, which focuses on data and information, OT systems interact directly with the physical world. LotL attacks and similar modern attack strategies exploit legitimate, trusted applications pre-installed on many devices that control OT devices, as well as credentials within a system to avoid traditional detection methods. Rather than deploying new malware, these attacks rely on exploiting tools that are already present in the breached network. With legacy OT systems often lacking detailed logging or monitoring of user activities, attackers target over-privileged accounts to perform critical actions like modifying system configurations, disabling security controls or accessing sensitive data using legitimate permissions. This allows them to evade traditional IT-based security tools that rely on identifying malicious software and that are separate from the OT environment.Common LotL tactics include:Misusing legitimate tools: Attackers leverage tools pre-loaded onto operating systems such as Certutil, Ntdsutil and XCOPY to achieve their goals while masking as regular system activity.Hands-on-keyboard attacks: Human attackers directly manipulate compromised systems instead of relying on automated or programmed tools to evade detection by common security tools, such as endpoint detection and response (EDR).These techniques are particularly dangerous in OT environments, where: Legacy systems may lack robust logging and monitoring capabilities, and may share resources or trusted zones with IT. Shared or default accounts make it difficult to track user activity and identify unauthorized access. These conditions result in an ideal landscape for attackers to move laterally across IT and OT undetected.Case in point: The Volt Typhoon groupThe state-sponsored Chinese hacking group Volt Typhoon (first identified in May 2023), exemplifies the threat posed by LotL attacks. The group targeted critical infrastructure organizations in the U.S., including in the energy, communications and maritime sectors, using legitimate tools and native Windows commands to avoid detection. By exploiting existing system tools like PowerShell and WMI and not using malware, Volt Typhoon seeks to evade traditional defenses. Its focus on credential harvesting and maintaining persistent access highlights the importance of securing identities as a cornerstone of OT security, alongside robust OT network monitoring and configuration change tracking.Identity security: the missing ingredient for securing cyber-physical systemsUnderstanding what assets you have and the vulnerabilities associated with them helps ensure you are closing your exposure to stop attackers from getting a foothold in the first place. Attackers typically exploit identity and access systems—especially Microsoft’s Active Directory, a common entry point and target—to escalate privileges, maintain access and execute their strategies. Other common identity exploits that can impact OT systems include shared credentials, default passwords and lack of multi-factor authentication. Effective OT security requires a holistic approach that prioritizes identity security. Such an approach helps you:Understand your assets: By identifying and assessing vulnerabilities across your OT environment, you can prevent attackers from gaining a foothold.Monitor for anomalies: This allows you to monitor credential usage for unusual activity, such as logins from unexpected locations or outside of normal work hours.Limit privilege escalation: Proactively identifying privileged accounts and enforcing least privilege policies helps you restrict access to sensitive resources, even if an account is compromised.Harden AD: Given attackers’ focus on AD, it’s key for you to regularly audit AD for misconfigurations and enforce strong access controls. Consider dedicated AD domains for OT environments for enhanced security.Identify attack paths: Using exposure management tools can help you identify potential attack paths involving compromised identities and OT assets, allowing for proactive intervention. Closing the gap with exposure managementThe role of the CISO continues to evolve in parallel with today’s expanding threat landscape. No longer limited to safeguarding traditional IT environments, security leaders find themselves increasingly responsible for securing OT environments, along with cloud infrastructures, mobile devices, IoT and smart devices, advanced AI systems and shadow IT assets. Each component introduces vulnerabilities, making comprehensive security more difficult.Securing an organization today requires a far-reaching approach – it’s no longer sufficient to rely on basic defenses. Instead, security leaders must address a continuously shifting environment where attackers use sophisticated techniques and exploit diverse entry points.However, siloed security tools fail to provide a comprehensive view of the entire attack surface. Such fragmented solutions for security make it difficult for security teams to collaborate across IT and OT to identify risky connections that enable attackers to gain initial access, move laterally across the network and escalate privileges.The Tenable One Exposure Management Platform offers a unified solution to address this challenge by providing security teams with a set of critical capabilities:Complete attack surface visibility, which gives you insights across the modern attack surface, including OT, IoT, and IT assetsPrioritized risk management, which lets you identify and prioritize the exposures most likely to have a significant impact on critical infrastructureBridging of security silos, which brings together data across Tenable products – including Tenable OT Security and Tenable Identity Exposure – and combines it with third-party data to generate a holistic and real-time view of identities, risks, and configurationsAttack path visualization, which identifies and closes potential attack paths that allow threat actors to traverse across converged IT and OT environments (Source: Internal Tenable survey, July 2024)Incorporating identity security and OT security monitoring as part of any security strategy is critical—through real-time monitoring, anomaly detection, privilege controls, and AD hardening to proactively close risk exposures. By adopting a comprehensive exposure management approach, organizations can gain the visibility and context needed to effectively protect critical infrastructure from evolving threats.To see how Tenable One helps organizations bridge the gap between securing OT and identities, check out this video, where we demonstrate how Tenable’s AI-powered capabilities help you identify likely attack paths and close risky exposures before attackers can exploit them. For a deeper dive into how exposure management helps bolster your security posture, download the whitepaper "Hackers Don't Honor Security Silos: 5 Steps To Prioritize True Business Exposure" and read the blog post "CISA Finding: 90% of Initial Access to Critical Infrastructure Is Gained Via Identity Compromise. What Can You Do About It?"
Analysis Summary
# Best Practices: Identity and Operational Technology (OT) Security Convergence
## Overview
These practices focus on establishing robust identity security and integrating it with Operational Technology (OT) security monitoring. The goal is to gain holistic visibility across converged IT/OT environments, prioritize exposures based on business impact (especially critical infrastructure), and proactively mitigate identity-based risks, as a significant portion of initial access to critical infrastructure stems from compromised identities (CISA Finding).
## Key Recommendations
### Immediate Actions
1. **Establish Basic Identity Exposure Monitoring:** Immediately begin monitoring identity infrastructure (like Active Directory) for anomalies and known risks using relevant security tooling.
2. **Prioritize Critical Infrastructure Identity Risk:** Use existing tools to identify and flag identities that have access, privileged roles, or pathways to critical OT assets.
3. **Apply Mandatory Authentication Controls:** Ensure Multi-Factor Authentication (MFA) is enforced for all high-risk identities and remote access points leading into the network boundary.
### Short-term Improvements (1-3 months)
1. **Implement Privilege Controls:** Review and immediately restrict standing privileges across both IT and OT environments. Implement Just-In-Time (JIT) access for elevated permissions.
2. **Harden Active Directory (AD):** Conduct and remediate findings from an initial audit of your Active Directory configuration to close common vulnerabilities targeted by attackers for domain compromise.
3. **Bridge IT/OT Security Silos:** Integrate identity exposure data (from Tenable Identity Exposure or similar) with OT security monitoring data (from Tenable OT Security or similar) to create a unified risk view.
### Long-term Strategy (3+ months)
1. **Adopt a Comprehensive Exposure Management Program:** Institute a framework that continuously gains visibility across the entire attack surface (Cloud, Vulnerability, OT, Identity) to accurately communicate cyber risk tied to business performance.
2. **Develop Attack Path Visualization:** Utilize tools capable of attack path analysis to map out potential lateral movement routes that could allow a threat actor to pivot from a compromised IT identity into sensitive OT environments.
3. **Automate Anomaly Detection:** Fully deploy and tune real-time monitoring and anomaly detection systems specifically focused on user behavior, especially for identities interacting with industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems.
## Implementation Guidance
### For Small Organizations
* **Focus on Essential Controls:** Prioritize MFA rollout across *all* administrative accounts and enforce strong, unique password policies immediately, as budget constraints often mean fewer specialized tools.
* **Leverage Foundational Scanning:** Use vulnerability scanning tools (like Nessus) to identify configuration weaknesses in essential identity services (e.g., domain controllers).
* **Manual Review:** Conduct quarterly manual reviews of highly privileged accounts due to the lack of advanced automated CIEM or specialized identity exposure solutions.
### For Medium Organizations
* **Implement Specialized Identity Tools:** Deploy a dedicated Identity Exposure solution to gain automated visibility into identity risks, attack paths, and entitlements.
* **Begin Convergence Mapping:** Start mapping critical IT users/services that interact with OT assets and prioritize hardening these specific identity relationships first.
* **Establish Patch Cadence:** Implement a formalized patch management process for servers hosting identity infrastructure and common remote access components.
### For Large Enterprises
* **Full Exposure Management Platform Deployment:** Adopt a unified platform (like Tenable One) to aggregate data from vulnerability, cloud, OT, and identity security domains for holistic risk assessment.
* **Proactive Attack Path Closing:** Dedicate resources to actively model and close identified attack paths traversing IT/OT boundaries using Attack Path Analysis techniques.
* **Advanced Privilege Management:** Roll out solutions for Privileged Access Management (PAM) and fully implement Just-In-Time (JIT) access strategies to minimize standing access across the enterprise, especially where it intersects with OT.
## Configuration Examples
* **Just in Time (JIT) Access:** Configure identity management systems to grant elevated permissions only upon explicit, time-bound request, revoking access automatically when the window expires.
* **AD Hardening:** Implement specific GPOs or configurations to restrict DC shadow sessions, enforce regular credential changes for service accounts, and limit the ability of standard users to enumerate sensitive groups.
* **Logging and Alerting:** Configure security information and event management (SIEM) systems to trigger high-priority alerts on credential stuffing attempts, unusual login locations for service accounts, and access to known OT management interfaces.
## Compliance Alignment
* **NIST CSF:** Primarily aligns with the **Identify** (ID.AM - Asset Management, ID.RA - Risk Assessment) and **Protect** (PR.AC - Access Control, PR.DS - Data Security) functions through asset visibility and access control enforcement.
* **ISO 27001/27002:** Relevant controls include A.5 (Information security policies), A.8 (Asset management), and A.9 (Access control), specifically around identity management and privilege limitation.
* **CIS Controls:** Strong alignment with **Control 4 (Secure Configuration of Enterprise Assets and Software)**, **Control 5 (Account Management)**, and **Control 14 (Security Awareness and Skills Training)**.
## Common Pitfalls to Avoid
* **Ignoring "Shadow IT" Identities:** Failing to account for identities not managed directly by central IT (e.g., specific OT network administrator accounts created locally on engineering workstations).
* **Treating IT Identity Risks in Isolation:** Focusing only on IT productivity risks while neglecting how a compromised IT credential can serve as the initial foothold into the OT environment.
* **Static Access Reviews:** Relying solely on annual or semi-annual access reviews rather than implementing continuous, risk-based monitoring for identity exposures.
## Resources
* **Framework Documentation:** Refer to the CISA guidance regarding Initial Access to Critical Infrastructure for prioritization context.
* **Best Practice Whitepapers:** Consult documentation focusing on "Hackers Don't Honor Security Silos" methodologies for prioritizing integrated cyber risk.
* **Tool Capabilities:** Investigate capabilities offered by Exposure Management Platforms that specifically integrate **Identity Exposure** and **OT Security Visibility**.