Understanding the Attack Path from Vendor Access to OT Systems (And How It Happens)

Written by Roy Kikuchi | Apr 14, 2026

Cyberattacks rarely start in your OT environment.
Instead, they begin with something far more ordinary—trusted third-party access.

A compromised vendor account can provide an initial foothold, allowing attackers to enter through legitimate channels. From there, they move laterally across the IT environment, searching for weak segmentation, shared systems, or misconfigured access paths that connect IT to OT.

Once they reach operational systems, the impact shifts from digital disruption to physical consequences.

The Attack Path from Vendor Access to OT Systems

Think of vendor access as a temporary keycard issued to a technician.

It’s meant for a specific task—servicing a machine, updating firmware, or troubleshooting a system. But if that keycard is stolen or misused, it doesn’t just grant access to one system—it can open doors across the environment.
Attackers don’t need to break in when they can log in.

This is what makes vendor access one of the most dangerous and underestimated entry points into OT environments.

The IT-to-OT Attack Progression

Most attacks follow a predictable path. They don’t jump directly into OT—they evolve step by step.

This is the typical attack path from vendor access to OT systems—a sequence that attackers repeatedly exploit across industries.

Typical Stages of an IT-to-OT Attack via Vendor Access

Stage                   Objective                            Common Techniques
1. Initial Compromise   Steal legitimate vendor credentials  Phishing, malware, and credential leaks
2. IT Network Access    Enter corporate systems              Legitimate login using stolen credentials
3. Lateral Movement     Find OT pathways                     Network scanning, credential reuse
4. OT Breach            Reach industrial systems             Misconfigured firewalls, shared systems

By understanding this sequence, it's easy to see how a seemingly minor vendor credential leak can quickly spiral into a full-blown operational shutdown.

This pathway is alarmingly common. A recent survey of nearly 2,000 global executives revealed that a staggering 72% of OT attacks originate from the IT network, with vendor-related vectors such as unsecured remote access as a primary culprit. This has led to 1 in 4 industrial enterprises shutting down operations due to a cyber incident in the past year alone.

The core problem is that traditional security grants access to the entire network instead of just the specific application or asset a vendor needs. This wide-open access gives an attacker all the room they need to maneuver from a simple IT entry point to the heart of your operations.

Understanding this attack sequence is the first step toward building a much stronger defense. When you recognize how attackers exploit trusted relationships and network vulnerabilities, you can begin implementing targeted, effective controls.

For a deeper look into the unique challenges of industrial environments, check out our guide on OT cybersecurity for critical infrastructure. Securing these hidden pathways is absolutely essential for maintaining operational integrity and safety.

From a Stolen Password to a Plant Shutdown

To see how a cyberattack jumps from a vendor’s laptop into your operational technology (OT) environment, you have to think like an attacker. This isn't a smash-and-grab job. It’s a patient, methodical campaign that can play out over weeks or even months.

Let's walk through the kill chain, step by step, to see how a single stolen password can ultimately give an adversary control over your physical industrial processes.

The initial breach often occurs far outside your network, making it incredibly difficult to detect until the attacker is already inside the gates.

Phase 1: The Initial Credential Compromise

The attack rarely starts at your front door. Instead, adversaries go after the weakest link in your supply chain: your third-party vendors. They use all the classic techniques—slick phishing emails, malware-laced attachments, or just buying credentials straight from the dark web.

Their first goal is simple: obtain a legitimate username and password for a vendor account with remote access to your IT network. To your firewalls and security tools, this initial login looks perfectly normal. It’s just another trusted partner signing on to do their job.

The real vulnerability here is implicit trust. Old-school security tools like VPNs are built to check ID at the door and then grant wide-ranging access, assuming anything that happens after is safe. Attackers absolutely depend on this assumption to move around undetected.

Phase 2: Infiltration and Lateral Movement

Once they’re on your IT network with valid credentials, the attacker’s next move is to find a bridge into the OT environment. This is the lateral movement phase. Think of it like a thief who has already slipped past the outer fence and is now quietly checking every window and door of the main house, looking for one that’s unlocked.

They are patient and methodical. They’ll scan the network to map its architecture, pinpoint connected devices, and identify potential entry points into the industrial side. Common targets include:

  • Engineering Workstations: These machines are goldmines. They're often used by both IT and OT staff and frequently have direct, trusted connections to the industrial network.
  • Unsecured Jump Servers: If a server meant to bridge IT and OT is misconfigured, it becomes a superhighway for intruders.
  • Flat Network Architectures: When there's little to no meaningful segmentation between your corporate and industrial networks, an attacker can just walk from one to the other.

This stage is all about quiet reconnaissance and exploiting that internal trust. The attacker uses the stolen vendor login to poke around on shared drives, find ways to escalate their privileges, and hunt for those digital doorways connecting the corporate world to the plant floor.

Phase 3: Crossing the IT/OT Boundary for Final Impact

The final leap is crossing the so-called “air gap” between the IT and OT networks. The hard truth is that this gap is rarely a real gap at all. It’s often more like a poorly guarded fence.

Attackers can breach it through misconfigured firewalls, legacy diagnostic ports that were never closed, or by compromising a shared asset, such as an HMI (Human-Machine Interface) connected to both networks.

The 2020 SolarWinds supply chain attack is a chilling real-world example. Russian state-sponsored hackers hid a backdoor in the Orion software update. Once that compromised update was installed in IT environments, the attackers had a foothold. From there, they scanned for weak segmentation and used insecure connections—like those to engineering workstations—to move laterally into OT networks and gain access to PLCs, SCADA systems, and HMIs. You can dive deeper into the state of OT security with research from Palo Alto Networks.

Once an attacker is inside your OT network, they’ve hit the jackpot. From this position, the potential for chaos is enormous:

  • Manipulating Programmable Logic Controllers (PLCs) to ruin product batches or trigger equipment failure.
  • Disrupting SCADA systems to blind operators, showing them false readings while machinery goes haywire.
  • Deploying ransomware on critical OT assets, bringing production to a dead stop.
  • Causing real-world physical harm by disabling Safety Instrumented Systems (SIS).

This entire sequence shows how a seemingly minor security slip—a single stolen password from a contractor—can methodically escalate into a full-blown industrial disaster. By understanding each step in their playbook, we can start building the right defenses to break the attack chain at every stage.

It’s one thing to talk about attack paths in theory, but seeing them happen in the real world drives the risk home. When you dig into actual security failures, you can see exactly how attackers turn legitimate vendor access into a full-blown OT incident, turning abstract concepts into very expensive, very real lessons.

These breaches aren't just news headlines. They're cautionary tales that lay bare the specific, often overlooked, vulnerabilities that attackers love to exploit. While each story is a little different, they all share a common thread: a trusted third-party connection was the open door.

The Stolen Credential Playbook

One of the most straightforward ways to gain access to an OT network starts with something as simple as a stolen password. We saw this play out with terrifying clarity in the 2021 cyberattack on a Florida water treatment facility. Attackers gained access using compromised TeamViewer credentials, a remote access tool used by plant personnel.

Once they were inside the IT network, they had a clear path to the plant's operational controls. The intruder then tried to raise the sodium hydroxide levels in the water supply to dangerous levels.

This incident is a textbook example of how a vendor-initiated attack unfolds:

  1. Initial Access: The attackers used legitimate, but stolen, remote access credentials.
  2. Lateral Movement: They simply used the existing trusted connection to pivot straight into the OT environment.
  3. Impact: Their goal was to cause direct physical harm by manipulating industrial control systems (ICS).

Thankfully, a sharp-eyed operator spotted the unauthorized changes and stepped in, preventing a public health catastrophe. The attack, however, was a brutal wake-up call about the massive risk of unsecured remote access tools connecting to critical infrastructure.

This breach is a stark reminder that convenience can't come at the expense of security. A single compromised password for a remote tool can give an attacker the keys to a city's water supply.

The Software Supply Chain Compromise

A far more subtle and devastating method is to compromise the software supply chain itself. Instead of targeting a single organization, attackers slip malicious code into a product that thousands of companies rely on. The infamous SolarWinds attack is the ultimate case study for this technique.

Here, Russian state-sponsored actors hid a backdoor in the Orion Platform, a widely used IT management product. When customers—including many critical infrastructure operators—installed the trojanized update, they unknowingly opened a backdoor for the attackers.

From that initial foothold in the corporate IT network, the attackers quietly mapped out the environment. They exploited weak network segmentation and unsecured connections, such as those on shared engineering workstations, to move laterally into sensitive OT networks. This gave them access to everything from PLCs to SCADA systems in a patient, multi-stage campaign.

This growing digital supply chain brings a whole new set of dangers. A recent analysis of over 2,451 ICS vulnerabilities from 152 vendors painted a worrying picture. Over 70% of manufacturers now link security incidents to IoT default settings on vendor equipment, and 60% admit they don't have the visibility tools needed to even spot these intrusions. You can learn more about these escalating vendor risks and find out how to control them on Trout Software.

The Misconfigured Third-Party Connection

Sometimes, the vulnerability isn't a stolen password or a malicious update. It's just a poorly configured connection left wide open by a third party. A series of attacks against US water and wastewater facilities in 2023 exploited this very weakness.

Hacktivist groups, reportedly with ties to the Iranian Revolutionary Guard Corps, went after facilities using specific Israeli-made PLCs. Their entry point couldn't have been simpler: they just scanned the internet for devices still using their default, out-of-the-box passwords.

In one case, they took control of a PLC at a Pennsylvania water utility, knocking a booster station offline. The impact was minimal, but the message was loud and clear. A vendor-installed device, left exposed to the internet with its factory-default credentials, became an open invitation for anyone looking to cause trouble. These attacks prove that the path from vendor access to OT compromise can be alarmingly short when basic security hygiene is ignored.

Catching Intruders: Early Warning Signs in Your Network

Knowing an attacker's game plan is one thing, but catching them red-handed is another. The ability to spot an active intrusion before it jumps to your operational technology (OT) is what separates a minor security headache from a full-blown operational shutdown. It all comes down to knowing what to look for—the subtle breadcrumbs attackers leave behind.

These clues are what we call Indicators of Compromise (IOCs). Think of them as digital tripwires that sound the alarm when something is amiss. It’s like noticing a maintenance worker’s ID being used to access engineering files at 3 AM on a Sunday. The ID is valid, but the context is all wrong.

Early Warnings in the IT Network

Almost without fail, the first signs of an attack surface in the corporate IT network long before your OT environment is ever in the crosshairs. When attackers use stolen vendor credentials, they often make small mistakes as they get the lay of the land. Your security and IT teams need to be trained to spot these faint signals.

Keep an eye out for these early-stage IOCs:

  • Anomalous Login Behavior: Is a vendor logging in from a strange country, at an odd hour, or from an IP address you've never seen before? These are classic red flags.
  • Suspicious Command Execution: A maintenance account that normally handles simple tasks suddenly starts running network discovery commands like nmap or netstat. They might even try poking around sensitive file shares on an engineering workstation.
  • Unusual Data Movement: You notice large files being pulled from a jump server or see a vendor account trying to download hacking tools from the internet.

These indicators are your best chance to cut an attack off at the knees. They signal that a legitimate account is likely compromised and being used for reconnaissance—the quiet first step before a major assault on your OT systems.
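To make the three IT-side indicators concrete, here is an added example (not code from the article or from any vendor's product) that applies them to constructed vendor-account log lines. The baseline values, the log format and the list of discovery commands are assumptions.

```python
"""Early-stage IT-network IOC checks over vendor account activity.

Added example, not code from the article. Constructed inputs: a per-account
baseline (expected countries, known source IPs, maintenance window) and log
lines in the format ts|account|kind|field1|field2, where kind is login
(ip, country), cmd (host, command line) or transfer (source host, size MB).
"""
from datetime import datetime

BASELINES = {  # assumed baseline for one vendor service account
    "vendor_acme_svc": {
        "countries": {"US"},
        "known_ips": {"203.0.113.10"},   # documentation-range address
        "window_hours": range(8, 18),    # 08:00-17:59 site local time
    },
}
RECON_COMMANDS = {"nmap", "netstat", "arp", "nbtstat", "net"}
LARGE_TRANSFER_MB = 500


def parse_event(line):
    ts, account, kind, f1, f2 = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "kind": kind, "f1": f1, "f2": f2}


def check_event(ev):
    """Return the IOC labels one event triggers (empty list if none)."""
    base = BASELINES.get(ev["account"])
    if base is None:
        return ["unknown-vendor-account"]
    hits = []
    if ev["kind"] == "login":
        ip, country = ev["f1"], ev["f2"]
        if country not in base["countries"]:
            hits.append("login-from-unexpected-country")
        if ip not in base["known_ips"]:
            hits.append("login-from-unseen-ip")
        if ev["ts"].hour not in base["window_hours"]:
            hits.append("login-outside-maintenance-window")
    elif ev["kind"] == "cmd":
        # First token of the command line, e.g. "nmap" in "nmap -sn ..."
        tokens = ev["f2"].split()
        if tokens and tokens[0] in RECON_COMMANDS:
            hits.append("recon-command")
    elif ev["kind"] == "transfer":
        if int(ev["f2"]) >= LARGE_TRANSFER_MB:
            hits.append("large-transfer-from-" + ev["f1"])
    return hits


def scan_log(lines):
    """Map each flagged event's timestamp to the IOC labels it triggered."""
    report = {}
    for line in lines:
        ev = parse_event(line)
        hits = check_event(ev)
        if hits:
            report[ev["ts"].isoformat()] = hits
    return report


SAMPLE_LOG = [  # constructed sample lines
    "2026-04-06T10:15:00|vendor_acme_svc|login|203.0.113.10|US",
    "2026-04-12T03:02:00|vendor_acme_svc|login|198.51.100.7|ZZ",
    "2026-04-12T03:05:00|vendor_acme_svc|cmd|eng-ws-01|nmap -sn 10.20.0.0/24",
    "2026-04-12T03:20:00|vendor_acme_svc|transfer|jump-01|850",
    "2026-04-12T03:25:00|vendor_acme_svc|cmd|eng-ws-01|type README.txt",
]

if __name__ == "__main__":
    for ts, hits in scan_log(SAMPLE_LOG).items():
        print(ts, ", ".join(hits))
```

The in-window login from the known address produces nothing, while the Sunday 3 AM login from an unseen address trips all three login checks at once, which is the "valid ID, wrong context" pattern the section describes.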

Five-Alarm Signals in the OT Environment

If an attacker manages to cross the IT/OT divide, the warning signs become much louder and far more serious. An IOC in your OT network isn't just a red flag; it's a five-alarm fire demanding an immediate, all-hands-on-deck response. At this point, the attacker isn't just looking around anymore—they're trying to manipulate your physical processes.

Recent data shows that attackers are increasingly targeting OT-specific protocols. Modbus, for instance, now accounts for 57% of malicious interactions observed in OT honeypots, a significant jump from previous years. This shows attackers are becoming more fluent in the language of industrial control.

Critical OT-level IOCs that should trigger an instant response include:

  • Unauthorized Protocol Use: A vendor’s remote session, which should use only RDP or SSH, suddenly begins communicating over industrial protocols such as Modbus or S7comm. This is a strong sign that the trusted vendor connection has been hijacked and is now being used to reach OT systems.
  • Unexpected PLC/HMI Changes: An operator notices unauthorized logic changes on a Programmable Logic Controller (PLC) or sees bizarre commands being sent to a Human-Machine Interface (HMI).
  • Port Scanning from a Trusted Source: A "trusted" vendor connection begins scanning for open ports on other sensitive OT devices. This is a clear sign of lateral movement within your most critical network.

Knowing the difference between these subtle IT warnings and the critical OT alerts is crucial. It helps your teams prioritize threats, contain a breach while it's still a manageable IT problem, and prevent it from snowballing into an operational crisis that could bring production to a grinding halt.
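As an added example, not part of the article, the following checks apply the protocol-misuse and port-scan indicators above to constructed flow records from one vendor session. The record format, the allowed-port list (RDP and SSH only), the port-to-protocol mapping and the scan threshold are assumptions.

```python
"""OT-side IOC checks over flow records from one vendor remote session.

Added example, not code from the article. Constructed inputs: records in
the format ts,src,dst,dport for a session that is only allowed RDP (3389)
and SSH (22). Checks: industrial protocol use (Modbus/TCP 502, S7comm over
ISO-TSAP 102) and port-scan fan-out (many distinct ports to one target
inside a short window).
"""
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_PORTS = {22, 3389}                       # assumed session policy
INDUSTRIAL_PORTS = {502: "modbus", 102: "s7comm"}
SCAN_DISTINCT_PORTS = 10                         # assumed scan threshold
SCAN_WINDOW = timedelta(seconds=60)


def parse_flow(line):
    ts, src, dst, dport = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst, int(dport)


def analyze_session(lines):
    """Return {(alert_kind, target): detail} for the session's flows."""
    alerts = {}
    recent = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport in INDUSTRIAL_PORTS:
            # An RDP/SSH-only session talking an industrial protocol
            alerts.setdefault(("unauthorized-protocol", dst),
                              INDUSTRIAL_PORTS[dport])
        elif dport not in ALLOWED_PORTS:
            alerts.setdefault(("non-allowlisted-port", dst), dport)
        # Sliding window of this session's flows to the same target
        window = [(t, p) for t, p in recent[(src, dst)]
                  if ts - t <= SCAN_WINDOW]
        window.append((ts, dport))
        recent[(src, dst)] = window
        distinct = len({p for _, p in window})
        if distinct >= SCAN_DISTINCT_PORTS:
            key = ("port-scan", dst)
            alerts[key] = max(distinct, alerts.get(key, 0))
    return alerts


SAMPLE_FLOWS = [  # constructed sample records: ts,src,dst,dport
    "2026-04-12T03:40:00,vendor-jump,hmi-01,3389",     # expected RDP
    "2026-04-12T03:41:10,vendor-jump,plc-07,502",      # Modbus from vendor
] + [  # 12 ports probed on one PLC within 12 seconds
    f"2026-04-12T03:42:{i:02d},vendor-jump,plc-08,{1000 + i}" for i in range(12)
] + [  # one stray port long after the burst: outside the scan window
    "2026-04-12T03:50:00,vendor-jump,plc-08,2000",
]

if __name__ == "__main__":
    for (kind, target), detail in analyze_session(SAMPLE_FLOWS).items():
        print(f"{kind:22} {target:8} {detail}")
```

The RDP flow to the HMI raises nothing, the single Modbus flow is enough for an unauthorized-protocol alert, and the burst against plc-08 is reported as a scan while the late stray port falls outside the window and does not inflate the count.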

Where Traditional Defenses Break Down

At every stage of the attack path, one core issue recurs: excessive trust.

Traditional remote access models assume that once a user is authenticated, their activity can be trusted. In reality, this assumption creates the perfect conditions for attackers to move undetected.
When vendor access is granted at the network level, attackers don’t need to exploit vulnerabilities—they simply use legitimate access to explore, scan, and pivot toward more critical systems.

This is why many organizations fail to stop attacks early. The controls focus on keeping attackers out rather than on controlling what happens after access is granted.

From Network Access to Application Access

To stop this attack path, organizations must shift away from broad, network-level access and toward models that strictly control access at the session and asset level.

This approach limits what a user can access, prevents lateral movement, and ensures visibility into every action performed.

From Understanding to Prevention

Understanding how attackers move from vendor access to OT systems is critical—but stopping them requires a different way of thinking about access.

Most traditional approaches focus on keeping attackers out. But as we've seen, attackers often enter through legitimate channels and move undetected inside the environment.

The real challenge is not just preventing access, but controlling what happens after access is granted.

To break this attack path, organizations must:

  • Limit access strictly to what is required
  • Prevent lateral movement between systems
  • Ensure visibility into all remote activity

Without these controls, even trusted access can become an attack pathway.

You now understand how attackers can snake their way from a vendor's laptop into the heart of your OT environment. The good news? That path is surprisingly predictable, which means we can build defenses to stop them in their tracks.

It's time to move from theory to action. This isn't about slamming the door on your vendors—they need access to do their jobs. Instead, it's about trading in those old, high-trust models for a strategy that gives you surgical control over every connection. The goal is to make it nearly impossible for an attacker to move laterally and to ensure every single privileged action is visible and accounted for.

Your Prioritized Security Checklist

Don't feel like you need to boil the ocean. True security gains come from making smart, high-impact changes, not a complete, disruptive overhaul. For CISOs and OT managers looking to harden their defenses right now, this is your starting point.

  • Audit Every Single Vendor Entry Point: Your first job is to map out the current reality. Who has access to what? Why do they need it? How are they connecting? Document every vendor, contractor, and partner connection without exception. You can't secure what you can't see.
  • Build a Wall Between IT and OT: If you haven't already, implement robust network segmentation. Creating a clear, enforced boundary between your corporate IT network and your operational technology is one of the most effective controls for stopping a breach in its tracks. An attacker who pops an IT system should hit a dead end, not a welcome mat to your critical infrastructure.
  • Swap Risky VPNs for Zero Trust Access: Instead of relying on broad network access models, organizations need more granular controls over how users connect to systems.
  • Get IT and OT Talking: Security can't live in a silo. A united front between your IT security experts and your OT operations teams is non-negotiable. They need to share intelligence, align on protocols, and work from the same security playbook.

The core idea here is simple: You don’t have to sacrifice operational uptime for robust security. With the right tools and a clear strategy, you get both. A compromised vendor account should be a minor, containable incident—not the first domino in a catastrophic breach.

This proactive mindset is at the heart of modern industrial security. When you focus on granular controls and deep visibility, third-party access shifts from being your biggest headache to a secure, manageable, and auditable part of your business.

To see how organizations prevent these attack paths in practice—and secure third-party vendor access without exposing OT networks—read our full guide:

👉 Securing Third-Party Vendor Access in OT Environments

Frequently Asked Questions

When it comes to securing vendor access to operational technology (OT) environments, most companies run into the same handful of tough problems. These aren't just technical issues—they involve balancing security with day-to-day operations and managing third-party relationships. Let's break down some of the most common questions we hear from the field.

How Can We Secure Access to Air-Gapped Systems?

This is a classic security dilemma. How do you give a remote vendor access to a truly air-gapped system without, well, un-gapping it? The old way—flying a technician onsite—is slow and expensive. But just punching a hole in your network for remote access feels like leaving the front door wide open.

This is where a more modern approach comes into play. Instead of a direct network-to-network connection, today's agentless platforms can create a temporary, outbound-only tunnel from the isolated asset to the authorized user.

Picture it like the system making a secure, one-time "phone call" out to the vendor, rather than letting the vendor dial in. This grants access to a specific piece of equipment or HMI without ever exposing your secure network to inbound threats, keeping that air gap fully intact.

Is Network Segmentation Enough to Protect OT?

Network segmentation is absolutely essential. Creating clear boundaries between your IT and OT networks is a non-negotiable first step. It's what stops an attacker who gets into your corporate network from waltzing right over to your industrial controls. But segmentation isn't a silver bullet.

Segmentation is like building strong walls and locked doors between departments in a building. It's a fantastic defense, but it doesn't stop someone who has already stolen a master key.

That's why you have to pair segmentation with strong identity controls. Even with a perfectly segmented network, your walls mean nothing if an attacker compromises a vendor account with legitimate access to the OT zone. Zero Trust access management verifies who is trying to get in and sharply limits their privileges after they cross that segment boundary. It ensures stolen "keys" can't be used to roam freely.

How Do We Get Vendor Buy-In for New Security Tools?

Getting pushback from vendors is a common—and completely understandable—hurdle. Your vendors work with dozens of different clients, and they can't be expected to install a new piece of software for every single job.

The secret to getting them on board is to make the security process as invisible and frictionless as you can.

The best solutions are agentless, meaning the vendor doesn't have to install anything on the machine. They just open a web browser, prove their identity, and get connected straight to the one system they're authorized to touch. By removing that technical headache, you turn a point of friction into a shared goal. You can frame it as a win-win: a much simpler process for them and a far more secure supply chain for everyone.