How Ransomware Crosses the IT-OT Boundary (And How to Stop It)
Ransomware operators understand manufacturing economics better than most security teams give them credit for. They know that a plant that cannot produce loses money by the hour. They know that operational technology (OT) systems are harder to restore than IT systems, that backups are often incomplete and that the pressure to pay comes faster when production is stopped. The IT-OT boundary is not an incidental target. It is a deliberate one. The numbers bear it out: Dragos tracked ransomware impacting 3,300 industrial organizations in 2025, and manufacturing accounted for more than two-thirds of the victims.
How Ransomware Crosses From IT Into OT
The path from a phishing email to a production shutdown follows a predictable pattern. An attacker gains an initial foothold in the IT environment, typically through a compromised credential or a phishing campaign targeting an employee with access to both IT and OT systems. From there, they move laterally, looking for systems that bridge the two environments.
Historian servers are among the most common pivot points. They are designed to collect process data from OT systems and make it available to IT applications. That functionality requires connectivity in both directions, which means a compromised historian server provides access to the OT network. Engineering workstations create the same exposure. They sit on the corporate network for remote access and email, and they connect to programmable logic controllers (PLCs) and human-machine interfaces (HMIs) for configuration and diagnostics.
Why the Boundary Fails
The IT-OT boundary fails most often not because of sophisticated attacks but because of accumulated operational decisions that each seemed reasonable at the time. A shared credential set up so the night shift supervisor could access both systems. A firewall rule opened for a vendor during a maintenance window and never closed. A demilitarized zone (DMZ) that routes traffic between IT and OT but does not actually inspect or restrict what passes through it.
These are not edge cases. In almost every OT environment that has undergone a security assessment, some version of these conditions exists. The boundary that appears robust in the architecture diagram is rarely as enforced as the documentation suggests. Ransomware operators, once they have access to the IT environment, are patient enough to find the gaps. They have the time: Dragos puts the industry-wide average dwell time for ransomware in OT environments at 42 days.
What Ransomware in OT Actually Costs
The cost of a ransomware incident that crosses into OT is not just the ransom demand. It is the production loss during the shutdown, which for a mid-size manufacturer can run to hundreds of thousands of dollars per day. It is the recovery cost for OT systems, which cannot simply be reimaged from a backup the way a laptop can. It is the time required to revalidate and restart process control systems safely. It is the reputational damage with customers who depend on your production output.
Colonial Pipeline is the most widely cited example, but the pattern repeats across manufacturing, food processing, pharmaceuticals and utilities. The May 2021 REvil ransomware attack on JBS halted cattle-slaughtering operations at 13 of its meat processing plants, and the company confirmed it paid the equivalent of $11 million in ransom. The attack does not need to target OT directly. It only needs to make enough of the environment inaccessible that operations leadership decides the cost of staying down exceeds the cost of paying.
What Penetration Testing Finds Before Ransomware Does
The value of an IT-OT penetration test is not that it simulates a ransomware attack. It is that it finds the same paths a ransomware operator would use to reach the OT environment, before they get there. That means testing lateral movement from the IT network toward OT systems, validating whether segmentation controls actually enforce the boundaries they are supposed to, and checking whether historian servers and engineering workstations are reachable from the IT network in ways that could be exploited. IEC 62443 from the International Electrotechnical Commission defines those boundaries as zones and conduits, and Special Publication 800-82 from the National Institute of Standards and Technology (NIST) describes how to assess them.
The findings from these tests consistently cluster around the same categories: overly permissive firewall rules at the IT-OT boundary, shared credentials with access to both environments, and remote access paths that were set up for operational convenience and never hardened. Finding them in a controlled pen test is significantly less expensive than finding them during an incident response.
Knowing Your Exposure
The first step toward protecting the IT-OT boundary is understanding how exposed it currently is. That requires looking at the actual state of your network, not the intended architecture. Where can traffic cross between IT and OT? What credentials exist with access to both environments? Which systems at the boundary have not been assessed in the past 12 months?
A structured risk assessment focused on the IT-OT boundary gives you that picture. It identifies your most critical exposure points and maps them to the specific ways ransomware operators would exploit them. That is the foundation for a remediation plan that reduces real risk rather than checking compliance boxes.
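The three questions above (where traffic can cross, which credentials span both environments, which boundary systems have gone unassessed) map directly onto the failure modes described earlier: the vendor rule never closed, the shared night-shift account, the DMZ that passes traffic without restricting it. The following script is an added example, not code from the original article or from Dragos; it shows what a first-pass audit of exported firewall rules, logon records and an asset inventory might look like. The zone ranges, the record formats and every sample record are constructed for illustration, and the rule-to-zone logic assumes a flat three-zone model (IT, DMZ, OT) that real plants will need to extend.

```python
"""Audit of IT-OT boundary exposure: firewall rules, shared credentials
and stale boundary assets.

Added example, not code from the original article. Zone ranges, record
formats and all sample records are constructed; replace the SAMPLE_*
values with your own firewall, directory and asset exports.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed zone map (assumption: three flat zones; real plants have more).
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "OT": ipaddress.ip_network("10.3.0.0/16"),
}

# Asset roles that sit on the boundary by design (historians, EWS).
BOUNDARY_ROLES = {"historian", "eng-workstation"}


def zone_of(cidr: str) -> str:
    """Map an address or CIDR to a zone name; 'any' or unknown ranges -> 'ANY'."""
    if cidr.lower() == "any":
        return "ANY"
    net = ipaddress.ip_network(cidr, strict=False)
    return next((name for name, z in ZONES.items() if net.subnet_of(z)), "ANY")


def crosses_boundary(src_zone: str, dst_zone: str) -> bool:
    """True when a rule joins OT and IT directly, i.e. without the DMZ in the path."""
    if "DMZ" in (src_zone, dst_zone):
        return False  # DMZ-terminated traffic is the intended design
    touches_ot = any(z in ("OT", "ANY") for z in (src_zone, dst_zone))
    touches_it = any(z in ("IT", "ANY") for z in (src_zone, dst_zone))
    return touches_ot and touches_it


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str
    dst: str
    ports: str                    # "any" or a comma-separated port list
    expires: date | None = None   # set on rules opened "temporarily"
    owner: str = ""               # who asked for it; empty means nobody knows


@dataclass(frozen=True)
class Asset:
    name: str
    address: str
    role: str
    last_assessed: date | None    # None: never assessed


def audit_rules(rules: list[Rule], today: date) -> list[tuple[str, str]]:
    """Return (rule_id, finding) pairs for rules that weaken the IT-OT boundary."""
    findings = []
    for r in rules:
        if not crosses_boundary(zone_of(r.src), zone_of(r.dst)):
            continue
        findings.append((r.rule_id, "direct IT<->OT path bypasses the DMZ"))
        if r.ports.lower() == "any":
            findings.append((r.rule_id, "all ports open across the boundary"))
        if r.expires and r.expires < today:
            findings.append((r.rule_id, f"temporary rule expired {r.expires}"))
        if not r.owner:
            findings.append((r.rule_id, "no owner recorded"))
    return findings


def shared_accounts(logons: dict[str, set[str]]) -> list[str]:
    """Accounts with recorded logons on hosts in both the IT and the OT zone."""
    return sorted(acct for acct, hosts in logons.items()
                  if {"IT", "OT"} <= {zone_of(h) for h in hosts})


def stale_boundary_assets(assets: list[Asset], today: date,
                          max_age_days: int = 365) -> list[str]:
    """Boundary systems (DMZ hosts or boundary roles) not assessed within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return [a.name for a in assets
            if (zone_of(a.address) == "DMZ" or a.role in BOUNDARY_ROLES)
            and (a.last_assessed is None or a.last_assessed < cutoff)]


# Constructed sample data: one clean conduit through the DMZ, one expired
# vendor rule, one ownerless remote-access rule, one shared shift account.
TODAY = date(2026, 3, 1)
SAMPLE_RULES = [
    Rule("FW-101", "10.1.0.0/16", "10.2.0.10/32", "443", owner="it-ops"),
    Rule("FW-102", "10.2.0.10/32", "10.3.4.0/24", "44818", owner="ot-eng"),
    Rule("FW-117", "10.1.7.55/32", "10.3.4.12/32", "any",
         expires=date(2025, 6, 30), owner="vendor-x"),
    Rule("FW-140", "any", "10.3.0.0/16", "3389,5900"),
]
SAMPLE_LOGONS = {
    "shift-super": {"10.1.20.5", "10.3.4.12"},
    "alice": {"10.1.20.5", "10.1.20.6"},
    "ot-maint": {"10.3.4.12", "10.3.4.13"},
}
SAMPLE_ASSETS = [
    Asset("hist-01", "10.2.0.10", "historian", date(2025, 11, 10)),
    Asset("ews-03", "10.3.4.12", "eng-workstation", date(2024, 9, 1)),
    Asset("plc-7", "10.3.4.20", "plc", None),
    Asset("fileserver", "10.1.3.3", "server", None),
]


def run_audit() -> dict:
    return {
        "rules": audit_rules(SAMPLE_RULES, TODAY),
        "shared_accounts": shared_accounts(SAMPLE_LOGONS),
        "stale_assets": stale_boundary_assets(SAMPLE_ASSETS, TODAY),
    }


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(f"{section}:")
        for item in items:
            print("  ", item)
```

On the sample data the script flags FW-117 three times (direct path, all ports, expired in June 2025), FW-140 twice (direct path, no owner), the shift-super account as spanning both zones, and the engineering workstation ews-03 as unassessed for more than a year. The clean IT-to-DMZ and DMZ-to-OT rules produce no findings, which is the point: the audit is cheap to run on every firewall change and answers the three questions the section poses before a penetration tester, or an intruder, does.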
Ransomware operators are already looking for your boundary gaps. Find them first. Request an IT-OT boundary risk assessment and get your most critical exposure points identified, ranked and mapped to a remediation plan.