Rising OT Threat From Credential Abuse and 'Living-off-the-Plant' Techniques
Security reporting and expert commentary warn that operational technology (OT) environments remain highly exposed due to fragile access controls and that attacker capability is trending toward more dangerous, process-aware operations. Lessons drawn from the 2015 Ukraine power grid disruption emphasize that remote connectivity, vendor access, and broad VPN permissions can become the “soft underbelly” of critical infrastructure, with recurring real-world examples of disruption tied to misused remote access and stolen credentials (including the Colonial Pipeline shutdown following a compromised password). The core takeaway is that OT systems are no longer “too specialized” to be targeted, and that common enterprise intrusion paths—credential compromise and remote access abuse—continue to translate into operational impact when they bridge into industrial environments.
Separately, OT-focused threat analysis highlights early signs that attackers are gaining the “process comprehension” historically missing from many intrusions into industrial systems. A forthcoming RSA Conference 2026 presentation is expected to demonstrate “living-off-the-plant” techniques—analogous to living-off-the-land in IT—where adversaries leverage native industrial tooling and legitimate functions inside plants to blend in and potentially manipulate physical processes. The reporting argues that “security by obscurity” (attackers’ unfamiliarity with bespoke/legacy OT) has limited the severity of many incidents so far, but that this advantage is eroding as adversaries become more comfortable operating within industrial environments, increasing the risk of more consequential OT attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Researcher plans RSA 2026 demo of Siemens S7comm abuse techniques
Ahead of RSA Conference 2026, Ric Derbyshire said he would demonstrate how Siemens S7comm protocol fields could be manipulated to leak data and propagate attacks between PLC-connected devices. The planned presentation underscored concerns that 'living-off-the-plant' techniques are becoming more practical.
Attackers access Norwegian dam HMI using default Internet-exposed credentials
In April 2025, attackers reportedly accessed a dam in western Norway by using default HMI credentials exposed to the Internet and then 'clicked around' the system. The incident was presented as an example of crude but still dangerous OT interaction enabled by weak access controls.
OpenAI report describes actors querying ChatGPT for default credentials
An OpenAI report described threat actors using ChatGPT to look up default credentials, illustrating how AI tools can lower barriers to learning and abusing OT environments. The report was referenced as part of the broader trend of attackers gaining easier access to industrial knowledge.
CyberAv3ngers activity targets Unitronics PLCs
In 2023, the CyberAv3ngers activity involving Unitronics PLCs highlighted growing adversary familiarity with industrial control components. The activity was cited as evidence that OT-focused tradecraft was becoming more accessible and repeatable.
Colonial Pipeline shuts operations after ransomware intrusion
In 2021, attackers used a compromised password to access Colonial Pipeline’s environment, and the company shut down a major fuel distribution system. The incident became a prominent example of how IT compromise can trigger major OT and critical infrastructure disruption.
Cyberattack causes Ukraine power outage
On December 23, 2015, a cyberattack attributed to Russian nation-state actors disrupted Ukraine’s power grid. The incident became the first publicly acknowledged case showing that a cyberattack could cause a real-world power outage.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Rising Risk of State-Linked Attacks on Power Grids and Operational Technology
Reporting highlighted growing concern that **state-affiliated and state-linked actors** are positioning for disruptive attacks against **operational technology (OT)** and critical infrastructure, with activity that may be difficult for operators to detect. A Codific analysis described five common pathways seen in disruptive grid-focused intrusions—often beginning with **human error or exposed perimeter services**, then escalating through **credential theft**, **remote access exploitation** (e.g., VPNs/gateways), **ransomware**, and misuse of **legitimate industrial commands** that can delay operations and complicate detection and recovery; it also warned that attacks on virtualized environments can hinder restoration efforts and that cascading impacts could be severe (e.g., Lloyd’s “Business Blackout” scenario estimating losses up to **$1T**). Recommended mitigations emphasized proven controls such as **phishing-resistant MFA** and **IT/OT segmentation**, rather than novel defenses. Separate commentary and media content also pointed to OT becoming a frontline in geopolitical escalation, including claims of a coordinated campaign tied to Iran-linked hacktivist activity targeting OT devices such as **Unitronics PLCs** used in water and industrial facilities, alongside psychological operations and SMS spoofing. Other items in the set were leadership/career/podcast-style content without specific incident or vulnerability detail and do not materially add to the OT/power-grid threat reporting.
Mar 21, 2026
Threat Reports Highlight Identity Abuse and OT Intrusions as Primary Initial Access Vectors
Palo Alto Networks’ **Unit 42** reported that **identity abuse** has become the dominant initial access vector in incident response engagements, with identity-based techniques accounting for **nearly two-thirds** of initial intrusions and an identity-related element present in **nearly 90%** of cases across the attack lifecycle. The report highlights **social engineering** as the leading entry method (about **one-third** of cases), alongside compromised credentials, brute force, overly permissive identity policies, and insider threats; it also notes that growth in **machine identities** and **AI agents** is expanding the identity attack surface and complicating detection because malicious use of valid identities can blend into normal telemetry. Dragos’ 2026 OT/ICS Year in Review described industrial threat actors increasingly moving beyond opportunistic access toward **control-loop mapping**—identifying engineering workstations and collecting configuration/alarm files to understand how processes behave and enable physical impact. Dragos tracked **26** OT-targeting threat groups and identified new groups (**AZURITE, PYROXENE, SYLVANITE**), emphasizing specialization and a division of labor where initial-access activity (including targeting **internet-facing systems**) feeds more OT-capable operators; it also warned that **ransomware** is driving operational disruption and multi-day outages that require OT-specific recovery and is often underestimated as “just IT.”
Mar 21, 2026
OT and Smart Factory Cybersecurity Risk in Industrial Environments
Industrial and manufacturing organizations continue to face significant **operational technology (OT)** security risk as connected control systems, IoT devices, and legacy infrastructure expand the attack surface. A Siemens Energy report cited by *TechRepublic*, based on Ponemon Institute survey data, found that **77%** of respondents said an OT security compromise in the past 12 months led to loss of confidential information or operational disruption, while **52%** said a successful exploit against their industrial control systems is likely within the next year. Respondents also estimated that **41%** of OT attacks go undetected, with many organizations taking more than a month to detect incidents and an average of seven months to recover. The broader picture is that smart factories are still struggling with basic cyber resilience as modernization outpaces security controls. In an interview with *Help Net Security*, Packsize CSO Troy Rydman said unmanaged **IoT** devices, outdated legacy systems, and human-targeted attacks such as phishing and social engineering remain major weaknesses in factory environments. He also highlighted the persistent tradeoff between production uptime and security requirements, underscoring that industrial operators are still balancing business continuity with the need to reduce exposure across connected devices and older operational systems.
Apr 2, 2026