Operational Technology (OT) Penetration Testing Guide for Ransomware Defense

Contributors

Shantanoo Govilkar
SVP Strategic Solutions Risk & Cybersecurity Solutions
[Figure: the IT-OT boundary as the ransomware entry point]

Your OT systems may never touch the internet. But your IT systems do. And the boundary between them is exactly where ransomware actors are hunting.

Table of Contents

  1. How Ransomware Got Into OT: The IT-OT Convergence Problem
    1. Why Ransomware Actors Target the IT-OT Boundary Specifically
    2. The Colonial Pipeline Attack: What the Boundary Failure Looked Like
    3. From IT Compromise to OT Shutdown: The Anatomy of a Crossing
  2. Why the IT-OT Boundary Fails
    1. Flat Networks and the Absence of Real Segmentation
    2. Shared Credentials Between IT and OT Systems
    3. Historian Servers and Engineering Workstations as Pivot Points
    4. Poorly Controlled Remote Access and Vendor Connections
    5. The DMZ That Exists on Paper Only
  3. What Ransomware Targeting OT Looks Like
    1. Double Extortion Tactics in Manufacturing Environments
    2. Triton and ICS-Targeted Malware: When Ransomware Becomes Sabotage
    3. The Cost of OT Downtime vs. IT Downtime: Why Attackers Know Your Pressure Points
  4. How Penetration Testing Exposes the Boundary Before Ransomware Does
    1. Testing Lateral Movement Paths From IT Into OT
    2. Validating Segmentation Controls That Are Assumed to Be Working
    3. What a Pen Test Finds at the IT-OT Boundary Most Often
    4. Mapping Findings to Ransomware Kill Chain Stages
  5. How Exposed Is Your IT-OT Boundary?
    1. Take the IT-OT Boundary Ransomware Risk Assessment
    2. What to Do With Your Score
  6. Frequently Asked Questions (FAQ)

For decades, the assumption in industrial environments was straightforward: air-gapped operational technology (OT) networks were inherently safe. If the control systems, PLCs, HMIs, and SCADA infrastructure were not connected to the internet, they were out of reach. That assumption collapsed slowly at first, then all at once.

The convergence of IT and OT, driven by the demand for real-time production data, remote diagnostics, predictive maintenance, and supply chain integration, has fundamentally changed the threat landscape. The efficiency gains are real. So are the consequences. Every connection you create between your enterprise IT network and your industrial OT environment is a potential lateral movement path for a ransomware actor. And attackers know it.

According to Dragos's 2025 OT Cybersecurity Year in Review, ransomware attacks against industrial organizations surged 87% in 2024, with manufacturing taking the hardest hit. Of those incidents, approximately 70% of OT-related disruptions originated from within the IT environment. This is not a technology gap. It is an architecture gap, and it sits squarely at the IT-OT boundary.

This blog breaks down how that boundary fails, why ransomware actors specifically target it, what the exploitation looks like in practice, and how penetration testing exposes the crossing paths before attackers do.

1. How Ransomware Got Into OT: The IT-OT Convergence Problem

[Figure: IT-OT convergence ransomware attack path]

IT-OT convergence is not an accident. It is the product of deliberate architectural decisions made by plant engineers, IT leadership, and business operations teams who wanted tighter integration between shop floor data and enterprise systems. Historian servers were deployed to aggregate production metrics into enterprise dashboards. Engineering workstations were given remote access capability to reduce on-site vendor dependency. VPNs were opened for third-party maintenance. Patch management servers were connected across both domains.

Each of these decisions was rational in isolation. Collectively, they dismantled the physical separation between two networks that were never designed to coexist. Industrial control systems run on deterministic protocols such as Modbus, DNP3, EtherNet/IP and PROFINET. Those protocols were built for reliability and timing, not for security. The hosts around them run legacy operating systems, often unpatched because taking a production line offline for a Windows update is not operationally acceptable. And the protocols themselves, as deployed on most installed equipment, carry no authentication, no encryption and no audit trail: a Modbus/TCP write request is honored from any host that can reach port 502 on the controller. Secure variants exist (DNP3 Secure Authentication, OPC UA with signing and encryption), but they are rarely enabled on the installed base.

When you bridge that environment to an IT network, you are joining a security-aware (if not always security-hardened) architecture to one that was designed with no adversarial threat model at all. The seam between them is where attackers live.

1.1 Why Ransomware Actors Target the IT-OT Boundary Specifically

The answer is pressure. Ransomware is fundamentally a coercion business. Attackers need the victim to feel enough pain to pay. In pure IT environments, that pressure often comes from data encryption and threat of exfiltration. In manufacturing and critical infrastructure environments, the pressure is immediate and visceral: a production line that goes dark costs money every minute it is down.

According to Comparitech research, ransomware has cost the manufacturing industry more than $17 billion in downtime since 2018, with daily losses averaging $1.9 million per incident. The average downtime per attack is 11.6 days. That is not a data problem. That is an operational crisis.

Ransomware actors understand that an OT operator's recovery timeline is not measured in hours. Restoring a SCADA environment, validating that control logic has not been tampered with, and restarting a production line safely is a multi-day, sometimes multi-week process. That asymmetry is their leverage. And the IT-OT boundary is where they enter the equation.

1.2 The Colonial Pipeline Attack: What the Boundary Failure Looked Like

On May 7, 2021, DarkSide ransomware actors gained access to Colonial Pipeline's systems through a single compromised VPN account, one that lacked multi-factor authentication and had not been decommissioned after an employee stopped using it. What followed was the most disruptive cyberattack on U.S. energy infrastructure to date.

Colonial's OT network, the control systems managing 5,500 miles of pipeline delivering nearly half of the East Coast's fuel supply, was not directly compromised. The ransomware encrypted systems on the IT side. But the company could not verify the integrity of its OT environment, and without that confidence, it could not safely operate the pipeline. It shut down voluntarily.

That is the boundary failure in its most consequential form. You do not need to breach the control room. You need to get close enough that the operator cannot be sure you have not. Colonial paid a $4.4 million ransom. Gas prices spiked across the Eastern Seaboard. The federal government issued a regional emergency declaration to keep fuel moving by road. All of it traced back to one unmonitored VPN credential.

As Rob Caldwell, Director of ICS and OT Security at Mandiant, put it after the incident: "It did reveal to a lot of companies that they don't understand the interplay between IT and OT."

Key Failure Point: No MFA on remote access. No decommissioning process for dormant accounts. No segmentation or visibility that would let operators confirm the OT side was untouched while IT billing and logistics systems were being encrypted. Three missing controls. One catastrophic outcome.

1.3 From IT Compromise to OT Shutdown: The Anatomy of a Crossing

The path from initial access in IT to impact on OT is not a single leap. It is a deliberate, staged process. Ransomware actors typically follow a kill chain that looks like this:

  • Initial access via phishing, credential stuffing, or exploitation of a public-facing asset (VPN, RDP, web application)
  • Credential theft and privilege escalation within the IT environment, with tooling such as Mimikatz (credential dumping), BloodHound (Active Directory attack-path mapping) and PsExec (remote execution for lateral movement)
  • Discovery of network topology, identifying connections between IT and OT zones, often through Active Directory, DHCP logs, or network scans
  • Pivot across the IT-OT boundary via historian servers, engineering workstations, shared file shares, or remote access gateways
  • Reconnaissance in the OT environment: identifying PLCs, HMIs, historian databases, and safety systems
  • Payload deployment: encryption of IT systems, potentially corrupting OT configurations or threatening to do so
  • Extortion: demand payment or face extended downtime, data release, or safety system interference

The crossing itself often happens through one of a handful of chokepoints: the historian server that aggregates OT data into the enterprise, the engineering workstation that sits in both domains for programming PLCs, the patch management server that has access to both zones, or the VPN concentrator used by third-party vendors with OT system access.

[Figure: IT-OT attack path]


2. Why the IT-OT Boundary Fails

The IT-OT boundary does not fail because organizations are careless. It fails because the environments evolved separately, under different ownership, with different risk frameworks, and then were connected without re-engineering the security architecture that governs either side. The result is a seam with predictable, repeatable weaknesses.

Boundary Weakness | How It Manifests | How Ransomware Exploits It
Flat network architecture | No segmentation between the IT VLAN and the OT VLAN; traffic flows freely across zones | Lateral movement from a compromised IT workstation directly reaches an HMI or historian server
Shared credentials | The same Active Directory domain spans IT and OT; OT engineers use corporate credentials on ICS workstations | A single credential compromise enables authentication across both environments
Historian / engineering workstation exposure | The historian sits in a DMZ with read/write access to both the IT data lake and the OT process database | Pivot point for accessing OT process data, manipulating configurations or staging payloads
Uncontrolled vendor remote access | VPN tunnels open for third-party maintenance with always-on access and no session monitoring | Attacker compromises the vendor's credential or infrastructure and inherits its OT network access
Paper DMZ | A DMZ exists in the network diagram, but firewall rules permit broad bidirectional traffic; nothing is enforced | Attacker traverses the DMZ without triggering a single alert, because the rules allow it
Unpatched OT assets | Windows XP, Windows 7 or legacy RTU firmware in production because downtime for patching is unacceptable | Ransomware exploits known CVEs (EternalBlue, PrintNightmare) that were patched in IT years ago
No OT-specific monitoring | IT security tools (SIEM, EDR) do not cover OT protocols; no visibility into Modbus, DNP3 or EtherNet/IP traffic | Attacker moves laterally in the OT environment without triggering any alert

2.1 Flat Networks and the Absence of Real Segmentation

The Dragos 2025 Year in Review flagged a pattern that should concern every OT security leader: many organizations believe they have proper IT/OT network segmentation, but routine penetration tests reveal hidden connections bridging the two environments.

A flat network in the OT context means that SCADA workstations, PLCs, historian servers, and engineering stations are reachable from the enterprise IT network without passing through any enforcement boundary. The firewall may exist. The VLAN may be defined. But if the rules permit SMB traffic, RDP sessions, or database queries from IT to OT without inspection, the segmentation is cosmetic.

VLANs alone do not constitute segmentation. A VLAN is a Layer 2 broadcast domain; the moment the core switch routes between VLANs, every host in one can reach every host in the other unless a Layer 3 policy (a firewall or an ACL) says otherwise, and a switch ACL does not inspect payloads. Real segmentation requires enforced, inspected, deny-by-default firewall policy between zones, with the specific allowed flows documented, approved and audited. Most environments have not done that work.

2.2 Shared Credentials Between IT and OT Systems

According to Dragos's OT Year in Review, 17% of organizations audited had a shared Active Directory domain architecture between IT and OT, making it the most common method of lateral movement and privilege escalation observed in OT incidents.

Shared domain architecture means that a Kerberos ticket obtained in the IT environment is valid in the OT environment. An attacker with a compromised domain administrator credential does not need to find a separate OT vulnerability. They authenticate using the same credentials that work for everything else. This is the industrial control systems equivalent of leaving the same key under the mat for every door in the building.

The problem compounds when OT engineers use their corporate email credentials to log into engineering workstations, HMIs, or historian servers. Those credentials are exposed to phishing, credential stuffing, and pass-the-hash attacks at the IT perimeter, long before an attacker is anywhere near the control network.
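What that credential reuse looks like in authentication telemetry, as an added example (not code from the article): the script below takes exported Windows logon-success events (event ID 4624) and flags accounts that have authenticated to hosts in both the IT and OT zones, the network and RDP logons that cross from IT into OT, and the subset of those crossings that used NTLM, where a stolen password hash alone is sufficient. The zone subnets, host names, account names and log lines are constructed for illustration.

```python
"""Flag accounts whose successful Windows logons (event ID 4624) span the IT and OT zones.

Added example for this article, not code from the article. Zone subnets, host
names, accounts and the log lines below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical zone map; replace with your own Purdue-level address plan.
ZONES = {"IT": ip_network("10.10.0.0/16"),
         "DMZ": ip_network("10.40.0.0/24"),
         "OT": ip_network("10.50.0.0/16")}
NETWORK_LOGON_TYPES = {3, 10}   # 3 = network (SMB, RPC, WMI), 10 = RemoteInteractive (RDP)

# Constructed export of 4624 events, pipe-delimited:
# time|event_id|account|logon_type|auth_package|source_ip|target_host|target_ip
SAMPLE_LOG = """\
2025-03-04T08:02:11Z|4624|CORP\\jdoe|2|Kerberos|10.10.5.21|WKS-0421|10.10.5.21
2025-03-04T08:40:53Z|4624|CORP\\jdoe|3|Kerberos|10.10.5.21|FS-01|10.10.2.10
2025-03-04T09:15:02Z|4624|CORP\\jdoe|3|NTLM|10.10.5.21|HIST-01|10.50.1.10
2025-03-04T09:16:40Z|4624|CORP\\jdoe|10|Kerberos|10.10.5.21|ENG-WS-03|10.50.1.25
2025-03-04T09:30:00Z|4624|CORP\\svc_pi|3|Kerberos|10.40.0.5|HIST-01|10.50.1.10
2025-03-04T10:05:17Z|4624|OT\\plc_eng|2|Kerberos|10.50.1.25|ENG-WS-03|10.50.1.25
2025-03-04T10:12:44Z|4624|CORP\\mwhite|3|NTLM|10.10.7.8|SQL-01|10.10.2.20
"""


def zone_of(ip):
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "UNKNOWN")


def parse_events(text):
    """Parse the export into dicts, tagging each logon with its source and destination zone."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, acct, ltype, pkg, src, host, dst = line.split("|")
        if eid != "4624":
            continue
        events.append({"time": ts, "account": acct, "logon_type": int(ltype), "auth": pkg,
                       "src_ip": src, "target_host": host, "target_ip": dst,
                       "src_zone": zone_of(src), "dst_zone": zone_of(dst)})
    return events


def accounts_spanning_zones(events):
    """Accounts that have logged on to hosts in both IT and OT: one password opens both doors."""
    zones_by_account = defaultdict(set)
    for e in events:
        zones_by_account[e["account"]].add(e["dst_zone"])
    return sorted(a for a, zones in zones_by_account.items() if {"IT", "OT"} <= zones)


def it_to_ot_logons(events):
    """Network or RDP logons sourced in IT and landing in OT: the actual boundary crossings."""
    return [e for e in events if e["logon_type"] in NETWORK_LOGON_TYPES
            and e["src_zone"] == "IT" and e["dst_zone"] == "OT"]


def ntlm_crossings(events):
    """Crossings authenticated with NTLM, where a stolen hash is enough (pass-the-hash)."""
    return [e for e in it_to_ot_logons(events) if e["auth"] == "NTLM"]


def report(text):
    events = parse_events(text)
    return {
        "accounts_spanning_it_and_ot": accounts_spanning_zones(events),
        "it_to_ot_crossings": [(e["account"], e["src_ip"], e["target_host"]) for e in it_to_ot_logons(events)],
        "ntlm_crossings": [(e["account"], e["target_host"]) for e in ntlm_crossings(events)],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed `report()` the same pipe-delimited fields exported from your SIEM. An account that appears in the first list and again in the third is exactly the path described above: a corporate credential phished or hash-dumped at the IT perimeter, then replayed against a historian or engineering workstation in the control network.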

2.3 Historian Servers and Engineering Workstations as Pivot Points

If you had to identify the single most commonly exploited pivot point in IT-to-OT ransomware attacks, it would be the historian server. Historian platforms (OSIsoft PI, now the AVEVA PI System; Wonderware Historian, now AVEVA Historian; and similar products) are deployed specifically to aggregate real-time process data from OT systems and make it available to enterprise IT for analytics, reporting and integration with ERP platforms such as SAP.

That dual connectivity is their value. It is also what makes them the most dangerous node in the architecture. A historian server typically has:

  • Read/write OPC-DA or OPC-UA connections to PLCs and DCS systems in the OT zone
  • SQL or REST API connections to enterprise data warehouses in the IT zone
  • Remote desktop access enabled for IT staff managing the analytics layer
  • Outdated operating systems because production stability requirements prevent aggressive patching

Engineering workstations carry similar risk. They program PLCs and RTUs using IEC 61131-3 logic. They are often running Windows with IT-side domain credentials and dual-homed network interfaces: one adapter facing the corporate LAN, one facing the OT control network. An attacker who reaches the engineering workstation has reached the OT environment.

[Figure: historian servers and engineering workstations as pivot points]

2.4 Poorly Controlled Remote Access and Vendor Connections

The vendor remote access problem is pervasive and underappreciated. Industrial OT environments depend on third-party vendors for maintenance, firmware updates, and calibration of specialized equipment. That dependency creates a practical requirement for remote access, and most organizations satisfy it with the same tool they use for IT remote access: a VPN.

The problem is that OT vendor access is rarely scoped. A vendor maintaining one specific make of compressor controller often gets VPN access to a broad OT network segment, not a narrowly defined session to that one device. There is no session recording. No time-bounded access window. No MFA. No traffic inspection. And when that vendor's own systems are compromised, as they often are, the attacker inherits whatever access the vendor had.

Dragos observed in its Q4 2024 analysis that ransomware groups are increasingly exploiting legitimate remote monitoring and management (RMM) tools, including AnyDesk and Microsoft Quick Assist, to maintain footholds across segmented networks. These are the same tools that vendors use for legitimate OT maintenance.

2.5 The DMZ That Exists on Paper Only

The Purdue Model, and the zone-and-conduit model of IEC 62443 that has largely superseded it, prescribes a demilitarized zone (often labelled Level 3.5) between the enterprise network (Level 4) and the site operations network (Level 3). In practice, many organizations have a DMZ in their network diagram that functions as a paper boundary.

A paper DMZ is one where:

  • Firewall rules allow broad bidirectional traffic between the enterprise and OT zones through the DMZ
  • The DMZ hosts assets that have both IT and OT connectivity without strict egress control
  • No IDS/IPS is deployed to inspect traffic traversing the DMZ
  • Rules have accumulated over years without a cleanup cycle, creating a tangled policy that no one fully understands

Attackers do not need to break through a DMZ. They need to find the rules that already let traffic through. In most environments, those rules exist and have existed for years.

3. What Ransomware Targeting OT Looks Like

There is a common misconception that ransomware targeting OT environments means ransomware that directly compromises PLCs or tampers with control logic. In most cases, that is not how it works, and that distinction matters for how you design your defenses.

What ransomware actors primarily do is encrypt IT systems that OT processes depend on: the historian server's database, the engineering workstation's file system, the HMI's Windows OS, the remote access gateway. They do not need to write malicious ladder logic into a PLC to halt production. They need to take down enough of the surrounding infrastructure that the operator cannot safely run the process, or cannot see enough of the process state to trust that it is safe to run.

That said, the threat landscape is evolving. And some of what we have already seen goes well beyond data encryption.

3.1 Double Extortion Tactics in Manufacturing Environments

Double extortion has become the default ransomware playbook. According to Verizon's 2024 Data Breach Investigations Report, double extortion was used in 62% of financially motivated data breaches in 2024. Triple extortion, involving a third pressure vector such as DDoS or direct customer notification, was observed in 27% of attacks.

In manufacturing and critical infrastructure environments, the data exfiltration component of double extortion carries different weight than it does in financial services or healthcare. What gets stolen is not just customer PII. It is:

  • Proprietary process formulas and manufacturing recipes
  • Production line configurations and OT asset inventories
  • Maintenance schedules and known vulnerability documentation
  • Supplier and customer contracts with pricing and volume data
  • Regulatory compliance documentation that, if disclosed, reveals gaps

For a defense contractor, an energy company, or a pharmaceutical manufacturer, exposure of this data is not just a reputational problem. It is a competitive and national security problem. Ransomware actors know this, and they price their demands accordingly.

Dragos identified 1,693 industrial organizations with sensitive data exposed on ransomware groups' dedicated leak sites (DLS) in 2024. The data is already out. In many of those cases, the organizations paid and still had their data published.

3.2 Triton and ICS-Targeted Malware: When Ransomware Becomes Sabotage

In August 2017, a petrochemical facility in the Middle East discovered malware in its safety instrumented system (SIS) that did not belong there. The malware, subsequently named TRITON (also known as TRISIS and HatMan), had been deployed by a sophisticated threat actor who moved laterally through the facility's IT and OT networks before reaching the safety system layer.

TRITON targeted Schneider Electric's Triconex safety controllers, specifically the SIS controllers responsible for initiating safe shutdown procedures in the event of a process emergency. The FBI later confirmed: "TRITON malware's design gave the attackers complete remote control of the SIS, providing them the capability to cause significant physical damage and loss of life if the plant were to enter an unsafe state."

TRITON is not ransomware in the traditional sense. It is sabotage-grade ICS malware. But it illustrates the trajectory. The line between ransomware actors who disrupt IT-dependent OT operations and adversaries who actively target safety systems is not as clear as it once was. TRITON moved through IT before it reached OT. The initial access vector was the IT environment.

This is no longer a theoretical escalation path. It is a documented one. And it starts at the IT-OT boundary.

Notable Fact: TRITON targeted Triconex safety controllers, a product line deployed at more than 18,000 industrial sites worldwide, including nuclear facilities, oil and gas refineries and chemical plants. The malware was designed to disable safety shutdowns, not to encrypt data; its goal was physical consequence, not financial extortion.

3.3 The Cost of OT Downtime vs. IT Downtime: Why Attackers Know Your Pressure Points

IT downtime is expensive. OT downtime is existential. That is the asymmetry that ransomware actors exploit when they get to the OT boundary.

In an IT environment, losing access to a file server or email system is disruptive. Operations slow down. Employees work around it. Recovery is measured in hours. In an OT environment, the calculus is completely different.

EMA Research estimates the cost of unplanned OT downtime at between $14,000 and $23,750 per minute. For a continuous process manufacturer, a chemical plant, or a semiconductor fab, a 24-hour production halt does not just cost a day's output. It can scrap in-process batches worth millions, trigger contractual penalties, destroy perishable supply chain inventory, and require a controlled restart sequence that itself takes days.

Attackers who understand your industry understand this. They know that a food and beverage manufacturer cannot hold a fermenter offline for two weeks. They know that an automotive plant with a just-in-time supply chain cannot absorb 11 days of downtime without triggering downstream assembly plant shutdowns. They know the production economics of your industry, and they set their ransom demands accordingly.

Incident | Attack Vector | OT Impact | Downtime | Recovery Cost / Ransom
Colonial Pipeline (2021) | Compromised VPN credential, no MFA | Voluntary pipeline shutdown; 45% of East Coast fuel supply disrupted | 6 days | $4.4M ransom paid
Norsk Hydro (2019) | LockerGoga ransomware via phishing | Aluminum smelting operations halted across 170 sites globally | Several weeks | ~$71M recovery cost
TRITON/TRISIS (2017) | IT-to-OT lateral movement, SIS targeted | Safety system compromise; physical consequence averted by a bug in the malware | Undisclosed | Undisclosed
JBS Foods (2021) | REvil ransomware, IT systems targeted | Beef and pork processing plants shut down in the US, Australia and Canada | 5+ days | $11M ransom paid
Oldsmar Water Treatment (2021) | Unauthorized remote access via TeamViewer | Attacker raised the sodium hydroxide setpoint to a dangerous level (caught by an operator) | Near-miss, no downtime | No payment; incident averted

4. How Penetration Testing Exposes the Boundary Before Ransomware Does

The most important insight from years of documented IT-to-OT ransomware incidents is this: every attack path that ransomware actors exploit was discoverable before the attack. The pivot points, the flat network segments, the shared credentials, the unmonitored VPNs, the paper DMZs, all of them show up in penetration tests. The question is whether you find them first.

IT-OT boundary penetration testing is not the same as a traditional IT network pen test. It requires testers who understand industrial control system protocols, the operational constraints of OT environments (you cannot crash a PLC to prove a point), and the specific attacker TTPs documented in real-world ICS incidents. It also requires organizational alignment: OT engineers, IT security, and plant operations all need to be in the room, because the scope decisions have real operational stakes.

4.1 Testing Lateral Movement Paths From IT Into OT

The first objective of an IT-OT boundary pen test is to map and validate lateral movement paths. Starting from a foothold in the enterprise IT environment, a skilled tester will attempt to reach OT assets using the same techniques ransomware actors use:

  • Active Directory enumeration to identify accounts with access to both IT and OT systems
  • Network scanning to discover historian servers, engineering workstations, and remote access gateways reachable from IT
  • Credential harvesting from IT systems to test reuse against OT authentication mechanisms
  • Protocol-aware scanning for OPC-UA, Modbus, or SCADA-specific services exposed to the IT network
  • Exploitation of firewall misconfigurations to test whether the DMZ enforces policy or merely creates the appearance of one

The goal is not to compromise OT systems. The goal is to document every path that reaches the OT environment and validate whether the controls that are supposed to stop lateral movement are doing so. Most organizations discover that the answer is: they are not.
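As an added example of the protocol-aware step in that list (not code from the article or from any vendor tool), the block below builds Modbus/TCP requests, decodes request and response frames, and applies the one passive-monitoring rule that catches the failure mode this guide is about: a write function code arriving from a host that should never be writing. It serves both the scanning step here and the OT-protocol monitoring recommended later in 4.4. The addresses and frames are constructed; `probe()` talks to a live device and is only for use against equipment you are authorized to test. Note that nothing in the frame carries a credential: any host that can reach tcp/502 can issue the write.

```python
"""Modbus/TCP request builder, frame decoder and write-function detector.

Added example for this article, not code from the article or from any vendor.
Frames under SAMPLE_* are constructed by hand, not captured from a real
controller, and the IP addresses are invented. There is no authentication
field anywhere in a Modbus/TCP frame; that is the point.
"""
import socket
import struct

MODBUS_PORT = 502
# Function codes that change controller state; everything else is read-only.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


def mbap(transaction_id, unit_id, pdu):
    """MBAP header (transaction id, protocol id 0, length of unit id + PDU, unit id) followed by the PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(start, count, unit_id=1, tid=1):
    return mbap(tid, unit_id, struct.pack(">BHH", 3, start, count))


def write_single_register(address, value, unit_id=1, tid=1):
    return mbap(tid, unit_id, struct.pack(">BHH", 6, address, value))


def parse_frame(frame):
    """Decode one Modbus/TCP ADU (request or response); ValueError on a malformed header."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    fc, data = frame[7], frame[8:]
    base = fc & 0x7F                      # high bit set marks an exception response
    info = {"tid": tid, "unit": unit, "function": base, "exception": bool(fc & 0x80),
            "data": data, "is_write": base in WRITE_FUNCTIONS,
            "name": WRITE_FUNCTIONS.get(base) or READ_FUNCTIONS.get(base) or f"FC {base}"}
    if info["exception"] and data:
        info["exception_code"] = data[0]  # 1 illegal function, 2 illegal address, 3 illegal value, ...
    return info


def parse_read_registers_response(frame):
    """Register values from a Read Holding/Input Registers response."""
    info = parse_frame(frame)
    if info["exception"]:
        raise ValueError(f"device returned exception code {info.get('exception_code')}")
    if info["function"] not in (3, 4):
        raise ValueError("not a register read response")
    byte_count = info["data"][0]
    return list(struct.unpack(f">{byte_count // 2}H", info["data"][1:1 + byte_count]))


def flag_writes(requests, authorized_sources=frozenset()):
    """Passive-monitor rule: any write function from a source outside the authorized set is an alert."""
    alerts = []
    for src, frame in requests:
        try:
            info = parse_frame(frame)
        except ValueError:
            continue
        if info["is_write"] and src not in authorized_sources:
            alerts.append((src, info["unit"], info["name"]))
    return alerts


def probe(host, unit_id=1, timeout=3.0):
    """Live read of holding registers 0..9; use only against a device you are authorized to test."""
    with socket.create_connection((host, MODBUS_PORT), timeout=timeout) as s:
        s.sendall(read_holding_registers(0, 10, unit_id))
        return parse_read_registers_response(s.recv(260))


# Constructed client-to-controller requests as a passive sensor would see them: (source IP, frame)
SAMPLE_REQUESTS = [
    ("10.50.1.25", read_holding_registers(0, 2, tid=1)),   # engineering workstation reads two registers
    ("10.10.5.21", write_single_register(40, 0, tid=2)),   # IT-zone host writes a setpoint: alert
    ("10.50.1.25", write_single_register(40, 1, tid=3)),   # authorized workstation write: no alert
]
# Constructed controller responses: two registers holding 300 and 100, and an illegal-address exception
SAMPLE_READ_RESPONSE = mbap(1, 1, bytes([3, 4, 0x01, 0x2C, 0x00, 0x64]))
SAMPLE_EXCEPTION = mbap(2, 1, bytes([0x86, 0x02]))

if __name__ == "__main__":
    print(parse_read_registers_response(SAMPLE_READ_RESPONSE))          # [300, 100]
    print(flag_writes(SAMPLE_REQUESTS, authorized_sources={"10.50.1.25"}))
```

During a test, `probe()` is the safe form of a protocol-aware check: a single read of ten registers against an in-scope device, which confirms reachability from the IT foothold without touching any output. The `flag_writes()` rule is what the passive OT IDS in 4.4 needs to implement for every write-class function code, keyed on the small set of engineering hosts that legitimately change setpoints.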

4.2 Validating Segmentation Controls That Are Assumed to Be Working

This is where pen testing consistently delivers its highest value. As Dragos noted in its 2025 report: "Many organizations believe they have proper IT/OT network segmentation, but routine penetration tests reveal hidden connections bridging IT and OT."

The segmentation assumption gap is a documented phenomenon in OT security. Firewall rules are created to permit specific traffic for a specific purpose: a vendor needs SFTP access to transfer a configuration file, a historian needs to pull data via OPC DA. The rule is created. The project finishes. The rule stays. Months later, no one remembers it is there. Years later, it is an open lateral movement path in the attack surface.

Penetration testing validates segmentation controls against actual traffic, not documentation. It answers the question that a firewall rule review cannot: can an attacker, with the TTPs and tooling of a real ransomware group, traverse from your enterprise IT to your OT environment? The answer, more often than not, is yes.
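The gap between the rule base you can read and the paths it actually permits can be tested rather than assumed. The block below is an added example written for this article, not code from the article or from any firewall vendor. It parses a rule base into a first-match policy, runs the static checks behind sections 2.1 and 2.5 (enterprise-to-OT rules that bypass the DMZ, any/any allows, SMB and RDP into OT, unrestricted OT egress), and then answers the question this section poses by pushing a set of probe flows through the policy and reporting every flow that is permitted but absent from the documented, approved flow list. The rule syntax, zone subnets, addresses, approved flows and probes are all constructed.

```python
"""Audit IT/OT boundary firewall rules and test which flows they actually permit.
Added example for this article, not code from the article or from any firewall vendor.
Rule syntax, zone subnets, addresses, approved flows and probe flows are all constructed.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

ZONES = {"ENTERPRISE": ip_network("10.10.0.0/16"),   # hypothetical address plan
         "DMZ": ip_network("10.40.0.0/24"),
         "OT": ip_network("10.50.0.0/16")}
LATERAL_PORTS = {445: "SMB", 139: "NetBIOS", 3389: "RDP", 5985: "WinRM", 135: "RPC"}
# zones are names or "any"; src/dst are CIDRs or "any"; ports is a frozenset of ints or {"any"}
Rule = namedtuple("Rule", "name src_zone dst_zone src dst ports action")


def zone_of(ip):
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "UNKNOWN")


def parse_rules(text):
    """One rule per line: name,src_zone,dst_zone,src,dst,ports(;-separated),action. '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sz, dz, src, dst, ports, action = [f.strip() for f in line.split(",")]
        pset = frozenset("any" if p == "any" else int(p) for p in ports.split(";"))
        rules.append(Rule(name, sz, dz, src, dst, pset, action))
    return rules


def _covers(selector, ip):
    return selector == "any" or ip_address(ip) in ip_network(selector)


def matches(rule, src_ip, dst_ip, port):
    return (rule.src_zone in ("any", zone_of(src_ip)) and rule.dst_zone in ("any", zone_of(dst_ip))
            and _covers(rule.src, src_ip) and _covers(rule.dst, dst_ip)
            and ("any" in rule.ports or port in rule.ports))


def evaluate(rules, src_ip, dst_ip, port):
    """First matching rule wins; no match means deny."""
    for r in rules:
        if matches(r, src_ip, dst_ip, port):
            return r.action, r.name
    return "deny", "implicit"


def audit_rules(rules):
    """Static checks for the rule patterns behind a paper DMZ."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst_zone == "OT":
            if r.src_zone == "ENTERPRISE":
                findings.append((r.name, "enterprise-to-OT rule bypasses the DMZ"))
            if "any" in r.ports or r.dst == "any":
                findings.append((r.name, "broad allow into OT (any port or any host)"))
            for p in sorted(r.ports & frozenset(LATERAL_PORTS)):
                findings.append((r.name, f"{LATERAL_PORTS[p]} (tcp/{p}) permitted into OT"))
        if r.src_zone == "OT" and r.dst == "any" and "any" in r.ports:
            findings.append((r.name, "unrestricted egress from OT"))
    return findings


def undocumented_paths(rules, approved, probes):
    """Probe flows (e.g. from a reachability scan) the rules allow but no approved-flow entry covers."""
    out = []
    for src, dst, port in probes:
        action, name = evaluate(rules, src, dst, port)
        documented = any(_covers(a_src, src) and _covers(a_dst, dst) and a_port == port
                         for a_src, a_dst, a_port in approved)
        if action == "allow" and not documented:
            out.append((src, dst, port, name))
    return out


# Constructed rule base, the kind that accumulates over years of projects
SAMPLE_RULES = """\
R1, ENTERPRISE, DMZ, 10.10.0.0/16, 10.40.0.5/32, 443, allow     # dashboards read the historian replica
R2, DMZ, OT, 10.40.0.5/32, 10.50.1.10/32, 4840, allow            # historian polls the OPC UA server
R3, ENTERPRISE, OT, 10.10.0.0/16, 10.50.0.0/16, 445;139, allow   # "temporary" patch share from a 2019 project
R4, ENTERPRISE, OT, 10.10.9.0/24, any, any, allow                # vendor VPN pool to every OT host and port
R5, OT, ENTERPRISE, any, any, any, allow                         # OT egress was never restricted
R6, any, any, any, any, any, deny
"""
# The only two flows that are documented and approved: (src, dst, port)
APPROVED_FLOWS = [("10.10.0.0/16", "10.40.0.5/32", 443), ("10.40.0.5/32", "10.50.1.10/32", 4840)]
# Constructed probe flows, as a tester would try from IT and OT footholds
PROBES = [("10.10.5.21", "10.40.0.5", 443), ("10.10.5.21", "10.50.1.10", 445),
          ("10.10.9.14", "10.50.1.25", 3389), ("10.10.5.21", "10.50.1.10", 502),
          ("10.50.1.10", "10.10.2.20", 1433)]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for finding in audit_rules(rules):
        print("RULE", *finding)
    for path in undocumented_paths(rules, APPROVED_FLOWS, PROBES):
        print("PATH", *path)
```

The static audit is the paper review; `undocumented_paths()` is the part a rule review alone cannot give you, because its probes should come from what a tester actually reached, not from the diagram. In the constructed set, the three paths it reports (SMB into the historian, the vendor pool reaching RDP on an engineering workstation, and the historian talking back to an enterprise SQL server) are exactly the crossings the earlier sections describe, and none of them appears in the approved list.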

4.3 What a Pen Test Finds at the IT-OT Boundary Most Often

Based on documented findings from OT security practitioners, including Dragos, Claroty, and Nozomi Networks, the most common vulnerabilities discovered at the IT-OT boundary in industrial environments include:

  • Unmanaged or legacy remote access tools: RDP, VNC, TeamViewer installed on engineering workstations with no session monitoring
  • Shared Active Directory domains: single domain spanning IT and OT with no separate credential management
  • Historian servers with bidirectional trust: OPC connections with write access to OT process databases, reachable from IT
  • Firewall rules permitting SMB traffic between IT and OT: enabling pass-the-hash and ransomware propagation
  • Dormant vendor VPN accounts: active credentials for vendors no longer engaged, with broad OT network access
  • Engineering workstations with dual-homed network interfaces: one NIC on corporate LAN, one on OT control network, bridging the two
  • Unpatched Windows systems in OT: Windows 7, Windows Server 2008, Windows XP running SCADA software with known exploitable CVEs

[Figure: pen-testing finding heat map at the IT-OT boundary]

4.4 Mapping Findings to Ransomware Kill Chain Stages

Every finding from an IT-OT boundary pen test maps to a specific stage in the ransomware kill chain. That mapping is what transforms a list of vulnerabilities into an actionable risk narrative. When you can tell your plant manager, your CISO, or your board that a dormant vendor VPN account is the equivalent of leaving the side door unlocked for an attacker who is three steps away from your historian server, the conversation about remediation priority changes.

Pen Test Finding | Ransomware Kill Chain Stage | Potential Impact | Recommended Control
Dormant VPN credential with no MFA | Initial Access | Direct entry into the IT or OT network without credential brute-forcing | Decommission dormant accounts; enforce MFA on all remote access; implement just-in-time access
Shared Active Directory domain (IT + OT) | Lateral Movement / Privilege Escalation | A single credential compromise enables domain-wide access, including OT | Separate OT identity store; dedicated OT service accounts; restrict Kerberos delegation
Historian server reachable from IT with write access to OT | OT Pivot / Reconnaissance | Staging point for OT network access, data manipulation and payload delivery | Network isolation of the historian; read-only OT connection; unidirectional gateway
Firewall rules permitting broad IT-to-OT SMB traffic | Lateral Movement / Payload Delivery | Ransomware propagation from IT directly into OT file systems | Enforce deny-by-default; replace SMB file shares with SFTP through an inspected, brokered path
Engineering workstation with dual-homed NICs | OT Pivot / Execution | Direct bridge between IT and OT with no traffic inspection possible | Remove dual-homing; implement a dedicated jump server with full session recording
Unpatched Windows in OT (CVE-2017-0144, EternalBlue) | Exploitation / Persistence | Ransomware propagation over the SMBv1 exploit, the same vector as WannaCry and NotPetya | Virtual patching via IDS/IPS rules; network micro-segmentation; compensating controls
No OT-specific monitoring or IDS | All stages | Attacker moves undetected from initial access through execution without any alert | Deploy a passive OT-native IDS; implement protocol-aware monitoring for Modbus, DNP3 and OPC

5. How Exposed Is Your IT-OT Boundary?

Most organizations fall into one of three categories when it comes to IT-OT boundary security: those who have done the work and have the pen test results to prove it, those who believe they have done the work but have never validated it against an adversarial test, and those who know they have gaps but have not yet quantified them.

The second category is the most dangerous. Assumed segmentation is worse than acknowledged exposure, because assumed segmentation produces false confidence. You do not prioritize a risk you believe you have already mitigated. But if that mitigation has never been tested, you are operating on a belief, not a fact.

The Dragos 2024 incident data makes this concrete: organizations that had enforced network segmentation and tested it significantly shortened recovery times and avoided paying ransom after ransomware incidents. Those that did not had longer recovery times, more involved incident response, and greater financial impact. Segmentation that is validated works. Segmentation that is assumed does not.

5.1 Take the IT-OT Boundary Ransomware Risk Assessment

The following self-assessment is designed for OT security managers, plant operations leaders, and IT security teams who want a structured starting point for evaluating their IT-OT boundary exposure. It covers the eight control domains most commonly found deficient in real-world OT penetration tests.

[ ASSESSMENT TOOL ] IT-OT Boundary Ransomware Risk Assessment: a scored questionnaire that identifies your most critical exposure points across control domains including network segmentation, identity, remote access, monitoring and incident response readiness. It outputs a risk tier (High / Medium / Managed) with prioritized remediation guidance.

5.2 What to Do With Your Score

Regardless of where your assessment lands, the path forward is the same: validate before you assume. A risk assessment tells you where to look. A penetration test tells you what is there.

If your score indicates high exposure, the priority sequence is:

  • Identify and decommission all dormant remote access accounts, especially vendor VPNs
  • Conduct an emergency firewall rule review focused on IT-to-OT traffic; close or restrict any rule you cannot explain with a current business justification
  • Implement MFA on every remote access pathway without exception
  • Separate or restrict shared Active Directory domains between IT and OT
  • Deploy passive OT network monitoring to establish a baseline before your pen test

If your score indicates medium exposure, validate your segmentation with an IT-OT boundary pen test. Do not assume the controls you have documented are the controls that are enforced. Test them against adversarial tooling and documented attacker TTPs.

If your score indicates a managed posture, run a red team exercise that simulates a realistic threat actor attempting to cross from IT to OT. Managed does not mean immune. It means you have done the foundational work. Now stress-test it.

The ransomware actors targeting your industry are not waiting for a perfect opportunity. They are probing the boundaries you have right now, looking for the credential that was never decommissioned, the firewall rule that was never reviewed, the VPN tunnel that was opened for a vendor three years ago and never closed. They are patient, systematic, and well-funded.

The question is not whether your IT-OT boundary has weaknesses. It does. Every boundary does. The question is whether you find them before someone else does.

DivIHN's OT penetration testing practice conducts IT-OT boundary assessments for manufacturers, energy operators, and critical infrastructure organizations across the U.S. Our testers are trained in ICS-specific attack methodologies, OT-safe testing protocols, and the documented TTPs of active ransomware groups targeting industrial environments. To discuss your boundary exposure, contact our OT security team.



Frequently Asked Questions (FAQ)
