Red Team for OT
This talk details multi-stage red teaming methodologies specifically tailored for Operational Technology (OT) environments, emphasizing the transition from IT-based initial access to OT-specific impact. It covers common attack vectors such as insecure remote access, shared infrastructure between IT and OT, and the exploitation of OT-specific protocols and HMI interfaces. The presentation highlights the importance of understanding the ICS-OT attack lifecycle to identify detection and mitigation opportunities before mission-critical systems are compromised.
Beyond the Air Gap: How IT-to-OT Pivot Attacks Actually Work
TLDR: Most industrial control systems are not as isolated as their operators believe, often sharing infrastructure with enterprise IT networks. This talk demonstrates how attackers gain initial access via standard IT vectors and pivot into OT environments by exploiting shared management platforms like VMware vCenter or SCCM. Pentesters should focus on identifying these cross-domain trust relationships to map realistic attack paths that lead to physical process disruption.
Operational technology environments are frequently treated as black boxes, protected by the mythical air gap. In reality, the convergence of IT and OT has created a massive, porous attack surface. When you are performing a red team engagement against a critical infrastructure provider, the most effective path to the physical process is rarely a direct exploit against a PLC. Instead, it is almost always a lateral movement chain starting from a compromised workstation in the corporate office.
The Myth of the Air Gap
Industrial networks are rarely isolated. They are connected to enterprise networks to facilitate data collection, remote maintenance, and patch management. This connectivity is the primary vector for modern OT attacks. During a red team exercise, the goal is to identify where the IT and OT domains bleed into each other.
Attackers look for shared infrastructure. If an organization uses a single VMware vCenter instance to manage both IT servers and OT guest virtual machines, the hypervisor management plane becomes a high-value target. An attacker who compromises vCenter can open a console on any OT guest, snapshot or download its virtual disks, or run commands inside it through the guest operations API once they hold guest credentials. None of that traffic crosses the firewall between the IT and OT VLANs, because the management plane sits beneath the network segmentation it is supposed to respect.
Pivoting Through Shared Management Platforms
The most common pivot points are the tools administrators use to keep systems running. Microsoft Endpoint Configuration Manager (SCCM) and Windows Server Update Services (WSUS) are prime examples. If one instance serves both sides of the IT/OT boundary, it is a direct mechanism for code execution on OT assets: an SCCM administrator can deploy an arbitrary package or script to any managed OT client, and whoever controls the WSUS server decides which content the OT hosts pull and install on their next check-in.
Consider a scenario where an attacker gains a foothold on an engineer's workstation. By dumping credentials or capturing keystrokes, they can access the management console for the OT environment. If that console is a jump host or a management server that is also joined to the corporate Active Directory domain, the attacker can use standard techniques to escalate privileges. Once they have domain admin rights, they can push malicious updates or configurations to the OT systems.
Exploiting the Human-Machine Interface
Once an attacker has successfully pivoted into the OT network, the HMI becomes the primary interface for mission execution. The HMI is essentially a web application or a thick client that communicates with PLCs and RTUs. If the HMI is misconfigured or lacks proper authentication, it can be used to send unauthorized commands to the physical process.
In one case study, researchers demonstrated how an attacker could use a debug console left enabled in a production environment to manipulate input/output signals. A force table is a maintenance feature that pins an input or output to a chosen value regardless of the physical signal; by forcing a sensor's input, the attacker held the value the HMI displayed at a normal reading while driving the real process elsewhere. This is a classic case of broken access control: a privileged maintenance function was reachable without any authentication, and a process-level failure followed directly from that missing check.
Testing for Cross-Domain Vulnerabilities
When scoping an engagement, you must look for the "hidden" connections. Start by mapping the management plane. Ask the following questions:
- Are the same credentials used for IT and OT management consoles?
- Is there a shared Active Directory forest or domain trust between the two environments?
- Are there dual-homed servers that bridge the IT and OT networks?
- Is the same virtualization platform used for both environments?
If you find a shared Active Directory domain, most of the pivot is already done: standard credential-theft tooling such as Mimikatz on the IT side yields accounts that are also valid on the OT side, and lateral movement proceeds with the usual Windows techniques. If the networks are genuinely segmented, look for the jump hosts. They are the most critical assets in the environment, because every sanctioned path into OT runs through them; compromise one and the segmentation is effectively bypassed.
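The four questions above can be answered mechanically from an asset inventory. The script below is an added example for this page, not code from the talk: it assumes a hand-built inventory (each host's interfaces, the management platforms that can push code to it, the AD domain it is joined to, and the accounts holding local admin on it) and two hypothetical address ranges for the IT and OT zones. Every host, platform, domain and account name is constructed.

```python
"""Audit an asset inventory for IT/OT cross-domain exposure (added example)."""
import ipaddress
from collections import defaultdict

# Assumed zone ranges; a real engagement takes these from diagrams or scans.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.200.0.0/16"),
}

# Constructed inventory. "managed_by" lists platforms able to execute code on
# the host (vCenter, SCCM, WSUS); "admin_accounts" come from a credential dump.
INVENTORY = {
    "corp-ws-042": {"interfaces": ["10.10.5.42"], "managed_by": ["sccm-01", "wsus-01"],
                    "domain": "corp.example", "admin_accounts": ["corp\\it-admin"]},
    "vcenter-01": {"interfaces": ["10.10.1.20"], "managed_by": [],
                   "domain": "corp.example", "admin_accounts": ["corp\\vi-admin"]},
    "hist-01": {"interfaces": ["10.10.7.10", "10.200.1.10"], "managed_by": ["vcenter-01"],
                "domain": "corp.example", "admin_accounts": ["corp\\it-admin"]},
    "hmi-01": {"interfaces": ["10.200.2.5"], "managed_by": ["vcenter-01", "ot-wsus-01"],
               "domain": "ot.local", "admin_accounts": ["ot\\hmi-admin"]},
    "eng-ws-01": {"interfaces": ["10.200.2.20"], "managed_by": ["sccm-01"],
                  "domain": "corp.example", "admin_accounts": ["corp\\it-admin", "ot\\eng"]},
}


def zone_of(ip):
    """Map an address to IT, OT or UNKNOWN using the assumed ranges."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "UNKNOWN"


def host_zones(record):
    return {zone_of(ip) for ip in record["interfaces"]}


def dual_homed_hosts(inventory=INVENTORY):
    """Hosts with an interface in both zones: they bridge the segmentation."""
    return sorted(h for h, r in inventory.items() if {"IT", "OT"} <= host_zones(r))


def _spanning(inventory, key):
    """Values of `key` (a list field) whose hosts cover both zones."""
    zones = defaultdict(set)
    for r in inventory.values():
        for value in r[key]:
            zones[value] |= host_zones(r)
    return sorted(v for v, z in zones.items() if {"IT", "OT"} <= z)


def shared_management_platforms(inventory=INVENTORY):
    """vCenter/SCCM/WSUS instances that manage hosts on both sides."""
    return _spanning(inventory, "managed_by")


def shared_admin_accounts(inventory=INVENTORY):
    """Accounts with admin rights in both zones: credential reuse across the boundary."""
    return _spanning(inventory, "admin_accounts")


def domains_spanning_zones(inventory=INVENTORY):
    """AD domains with members in both zones: domain admin on IT reaches OT."""
    zones = defaultdict(set)
    for r in inventory.values():
        zones[r["domain"]] |= host_zones(r)
    return sorted(d for d, z in zones.items() if {"IT", "OT"} <= z)


def audit(inventory=INVENTORY):
    return {
        "dual_homed": dual_homed_hosts(inventory),
        "shared_platforms": shared_management_platforms(inventory),
        "shared_admin_accounts": shared_admin_accounts(inventory),
        "domains_spanning_zones": domains_spanning_zones(inventory),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```

Each finding maps to one of the checklist questions, and each one is a candidate pivot path to put on the attack graph before any PLC is touched. On a real engagement the inventory is populated from the CMDB, AD computer objects and a vCenter or SCCM client export rather than typed in.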
Defensive Considerations
Defenders often focus on hardening the PLCs, but the real risk is in the management layer. The most effective way to secure an OT environment is to enforce strict separation of management platforms. Do not share vCenter, SCCM, or WSUS instances between IT and OT. If you must have connectivity, use a dedicated, hardened jump host with multi-factor authentication and session recording.
Furthermore, ensure that no HMI or PLC management interface is reachable from the corporate network. If one is reachable from the office, it is only a matter of time before it is compromised. Close the identification and authentication gaps as well: every administrative login should require strong, unique credentials (no account reused across IT and OT) and should be logged to a centralized, append-only SIEM that an attacker on the OT side cannot modify.
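The centralized logging only pays off if something reads it. The following is an added example, not from the talk, of the detection that logging should feed: it consumes constructed, simplified key=value renderings of Windows logon events (4624 success, 4625 failure) and flags remote logons into OT hosts that originate in the IT range without passing through the designated jump host, plus accounts that authenticate successfully in both zones. The zone ranges, the jump-host address and every host and account name are assumptions.

```python
"""Detect IT-to-OT administrative access in centralized logon logs (added example)."""
import ipaddress
from collections import defaultdict

# Assumed zone ranges and the single host allowed to originate remote logons into OT.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.200.0.0/16"),
}
JUMP_HOSTS = {"10.200.0.10"}
REMOTE_LOGON_TYPES = {"3", "10"}  # Windows: network, RemoteInteractive (RDP)

# Constructed sample log: timestamp followed by key=value fields.
SAMPLE_LOGS = r"""
2024-05-01T08:55:02Z event=4624 host=corp-ws-042 dst=10.10.5.42 src=10.10.5.42 user=corp\jsmith logon_type=2
2024-05-01T09:10:44Z event=4624 host=ot-jump-01 dst=10.200.0.10 src=10.10.5.42 user=corp\it-admin logon_type=10
2024-05-01T09:12:03Z event=4624 host=hmi-01 dst=10.200.2.5 src=10.200.0.10 user=ot\hmi-admin logon_type=10
2024-05-01T09:13:30Z event=4624 host=eng-ws-01 dst=10.200.2.20 src=10.10.7.10 user=corp\it-admin logon_type=3
2024-05-01T09:14:01Z event=4625 host=eng-ws-01 dst=10.200.2.20 src=10.10.7.10 user=corp\it-admin logon_type=3
2024-05-01T09:18:40Z event=4624 host=vcenter-01 dst=10.10.1.20 src=10.10.1.20 user=corp\vi-admin logon_type=2
2024-05-01T09:20:15Z event=4624 host=hist-01 dst=10.200.1.10 src=10.10.1.20 user=corp\vi-admin logon_type=3
"""


def zone_of(ip):
    """Map an address to IT, OT or UNKNOWN using the assumed ranges."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "UNKNOWN"


def parse(log_text):
    """Turn key=value lines into dicts; the first token is the timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        ts, *fields = line.split()
        ev = {"ts": ts}
        for field in fields:
            key, value = field.split("=", 1)
            ev[key] = value
        events.append(ev)
    return events


def direct_it_to_ot_logons(events):
    """Successful remote logons into OT sourced from IT that did not go through
    the jump host: a dual-homed box, a shared hypervisor or a firewall hole."""
    hits = []
    for ev in events:
        if ev["event"] != "4624" or ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if (zone_of(ev["dst"]) == "OT" and zone_of(ev["src"]) == "IT"
                and ev["dst"] not in JUMP_HOSTS):
            hits.append((ev["ts"], ev["user"], ev["src"], ev["host"]))
    return hits


def accounts_spanning_zones(events):
    """Accounts with successful logons on hosts in both zones: the shared
    credential that turns an IT compromise into OT access."""
    zones = defaultdict(set)
    for ev in events:
        if ev["event"] == "4624":
            zones[ev["user"]].add(zone_of(ev["dst"]))
    return sorted(u for u, z in zones.items() if {"IT", "OT"} <= z)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for hit in direct_it_to_ot_logons(evs):
        print("ALERT direct IT->OT logon:", hit)
    print("accounts used in both zones:", accounts_spanning_zones(evs))
```

The logon to ot-jump-01 in the sample is deliberately not flagged: traffic through the sanctioned jump host is the expected path, and the point of the rule is to surface every path that is not it. The failed 4625 attempt is ignored here, but in practice a burst of failures from an IT source against OT hosts deserves its own rule.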
The next time you are on an engagement, stop looking for the "cool" exploit against a proprietary protocol. Look for the boring, shared management server that connects the two worlds. That is where the real impact lies.