TL;DR: Critical infrastructure faces a mix of ransomware, destructive malware, DDoS, and lateral movement from IT into OT, with legacy systems, exposed protocols, and compromised credentials creating the main paths to disruption, according to SentinelOne and CISA. The governance gap is not just resilience, but identity and network containment across environments that were never built for modern threat velocity.
At a glance
What this is: The article argues that critical infrastructure is being targeted through legacy OT weaknesses, IT-to-OT pivot paths, and compromised credentials, with network segmentation and deception controls presented as key defensive measures.
Why it matters: It matters because IAM, PAM, and adjacent security teams increasingly have to govern credentials, lateral movement, and privileged access in environments where identity failures can disrupt physical operations.
By the numbers:
- CISA says 14 of the 16 U.S. critical infrastructure sectors have seen ransomware incidents.
- Five of the Fortune 10’s largest ICS/SCADA organizations have already widely deployed the company’s comprehensive solutions.
👉 Read SentinelOne's analysis of critical infrastructure security for OT and ICS environments
Context
Critical infrastructure security is not only about stopping malware. It is also about limiting how attackers move from a compromised IT foothold into OT and industrial control systems, where legacy devices and long-lived access paths can turn a breach into an operational outage. In these environments, identity, segmentation, and recovery controls matter because availability failures can become public safety issues.
The article frames a familiar OT problem: attackers exploit unpatched devices, exposed industrial protocols, and compromised credentials to reach mission-critical systems. That is a governance issue as much as a technical one, because the same access and containment assumptions used in enterprise IT do not hold once production environments and physical processes are involved.
Key questions
Q: What breaks when IT and OT networks are not segmented?
A: When IT and OT are not segmented, ransomware can move from business systems into production systems, and defenders often cannot prove where compromise stops. That uncertainty turns a containment problem into an outage decision. In manufacturing, the result can be a full shutdown, lost material, delayed shipments, and higher recovery cost than the initial intrusion.
Q: Why do compromised credentials remain so effective in modern environments?
A: Compromised credentials remain effective because they produce legitimate-looking access. Many environments still trust the identity after the password, token, or session is accepted, even if the login originated from a risky device or abnormal context. That makes identity confidence a live security issue, especially when access is broad or long-lived.
Q: How can organisations tell whether deception controls are actually helping in OT?
A: Deception controls are working when they produce high-fidelity alerts on activity that should never occur, such as a human operator touching a decoy HMI or an internal system authenticating to a fake credential. The signal should indicate reconnaissance, misuse, or lateral movement before production systems are reached, not after disruption has started.
Q: Who is accountable when an IT compromise reaches OT and disrupts services?
A: Accountability usually spans security, infrastructure, operations, and vendor-management teams because the failure is cross-domain. The practical question is whether access governance, segmentation, and recovery responsibilities were clearly assigned and tested before the incident. Frameworks such as NIST Cybersecurity Framework 2.0 help teams map those responsibilities to identify, protect, detect, respond, and recover.
Technical breakdown
How IT-to-OT lateral movement works in critical infrastructure
Attackers often begin in the IT environment, then use reconnaissance and privileged access to bridge into OT. Once inside, they look for flat networks, shared services, and protocols that were designed for availability rather than secure authentication. In industrial settings, a single compromised account can become a path to SCADA access, remote operations, or process disruption if segmentation is weak. The key technical issue is not just malware delivery. It is the collapse of trust boundaries between enterprise and operational networks, especially when credential reuse or remote service exposure makes the pivot easier.
Practical implication: enforce hard IT/OT segmentation and remove any remote access path that is not explicitly required and monitored.
Why ICS protocols and legacy systems remain easy to abuse
Industrial environments still depend on protocols such as MODBUS, DNP3, BACnet, and IEC 61850-related services that were never designed with modern identity controls in mind. Many assets also run on legacy hardware or software that cannot be patched quickly, which leaves defenders relying on compensating controls rather than secure-by-design features. That creates a persistent attack surface where misconfiguration, known vulnerabilities, and weak authentication remain exploitable for long periods. In practice, the combination of protocol trust and operational inertia is what makes critical infrastructure so hard to secure at scale.
Practical implication: inventory protocol exposure and wrap legacy assets with compensating controls, monitoring, and restricted management access.
Deceptive credentials and decoy systems as detection mechanisms
Deception technology works by planting believable decoys and credentials that legitimate operators should never touch. In OT environments, that can include fake HMI systems, PLC emulations, and deceptive identity artefacts that reveal reconnaissance, lateral movement, or remote service abuse. These controls do not replace prevention, but they shorten detection time by turning attacker curiosity into a signal. That is especially useful in industrial networks, where noisy endpoint controls are often harder to deploy and where passive monitoring may miss early intrusions. The value is less about catching everything and more about making stealth movement visible before production systems are reached.
Practical implication: place decoys and honey credentials in network paths that an attacker would need to traverse before reaching production control systems.
Threat narrative
Attacker objective: The attacker aims to disrupt mission-critical operations, extort payment, or create broader physical and political impact by taking industrial systems offline.
- Entry begins with compromise of an IT system or exploitation of an exposed OT-facing weakness, giving the attacker a foothold close to the industrial environment.
- Escalation occurs when the attacker uses stolen credentials or weak remote service controls to move laterally into OT networks and reach operational assets.
- Impact follows when ransomware, destructive malware, or denial-of-service activity disrupts industrial processes, public services, or safety-critical infrastructure.
NHI Mgmt Group analysis
Standing access is the hidden failure mode in critical infrastructure. The article points to compromised credentials, remote services, and weak segmentation as the practical route from IT compromise into OT disruption. That is not just a network design issue. It is a privilege governance problem, because any credential that can reach an industrial environment can become a production risk. Practitioners should treat OT access as a lifecycle-controlled trust boundary, not a convenience layer.
Critical infrastructure security depends on collapsing the trust boundary before attackers do. Legacy protocols and unpatchable systems are a reality, but they become dangerous when defenders assume internal traffic is safe. Network segmentation, restricted management paths, and deception controls are the controls that matter because they limit how far a compromised identity can travel. The discipline here is containment first, remediation second.
OT security needs identity-aware detection, not only asset protection. The article’s focus on deceptive credentials is useful because it turns identity abuse into a detection signal. In environments where uptime matters more than aggressive endpoint tooling, identity-based traps can expose remote service misuse and lateral movement earlier than conventional alerts. Practitioners should align this with NIST Cybersecurity Framework 2.0 and MITRE ATT&CK coverage for credential access and lateral movement.
Critical infrastructure programmes are converging on resilience engineering, not point products. The article ties security to backup testing, endpoint visibility, network segmentation, and behaviour monitoring because no single control stops every OT attack path. That reflects the direction the market is moving: teams need layered containment, recovery discipline, and identity governance for any access path that can touch production systems. Practitioners should evaluate security by how quickly they can isolate and recover, not only by how many threats they detect.
What this signals
Critical infrastructure teams are moving toward identity-aware containment. The operational lesson is that segmentation, session control, and recovery discipline now matter as much as classic perimeter defence. Where privileged access can cross from IT into OT, identity governance becomes a resilience control, not just an administrative one.
Trust boundaries are becoming the security design problem. Industrial environments will continue to contain legacy protocols and unpatchable assets, so the programme question shifts to how much movement a compromised identity can achieve before detection. That makes blast-radius reduction and monitoring of remote services more valuable than one-time hardening exercises.
Credential exposure in operational environments is no longer a back-office concern. The wider identity market is already showing that over-privilege and unmanaged access create measurable incident risk, and the same logic applies when access reaches production systems. Practitioners should align industrial security roadmaps with identity lifecycle controls and the NHI lifecycle guidance in the Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs.
For practitioners
- Segment OT from IT with enforceable access boundaries Separate enterprise and operational networks with tightly controlled pathways for administration, monitoring, and vendor support. Treat every exception as a documented risk decision, and test whether a compromised IT credential can reach production control systems. Use the Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for the access lifecycle angle.
- Restrict and monitor all remote access into ICS environments Inventory every remote service, jump host, and privileged route into OT, then remove anything that is not operationally required. Where access must remain, apply strong authentication, session logging, and approval workflows so remote services cannot be used as silent persistence channels.
- Build deception into industrial detection workflows Deploy decoy HMIs, fake credentials, and emulated assets in network paths an attacker is likely to probe before reaching production systems. Use them to surface reconnaissance, credential misuse, and lateral movement early enough for containment, and align the alerting logic with MITRE ATT&CK.
- Test backup isolation and recovery for OT systems Verify that backups are isolated from network paths that malware could reach and that recovery works under operational constraints, not just in tabletop exercises. Include OT and IT restoration sequencing so a disruption in one environment does not prolong outage in the other.
Key takeaways
- Critical infrastructure attacks often succeed by turning IT compromise into OT disruption through weak segmentation and standing access.
- Legacy protocols, remote services, and compromised credentials create the main paths from reconnaissance to operational impact.
- The most effective controls are containment, deception, and recovery discipline, not reliance on any single perimeter defence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | The article centres on credential abuse, pivoting, and disruption. |
| NIST CSF 2.0 | PR.AC-4 | Access governance and segmentation are central to the article. |
| NIST SP 800-53 Rev 5 | AC-4 | Boundary protections are essential for IT-to-OT containment. |
| CIS Controls v8 | CIS-12 , Network Infrastructure Management | Network segmentation and infrastructure control are recurring themes. |
| ISO/IEC 27001:2022 | A.8.20 | Network security controls fit the segmentation and monitoring guidance. |
Map OT attack paths to credential access and lateral movement, then test whether segmentation stops impact.
Key terms
- Operational Technology: Operational Technology is the hardware and software that monitors or controls physical processes such as manufacturing lines, utilities, and transportation systems. Unlike standard IT, OT prioritises uptime and safety, so identity controls must be precise enough to reduce risk without interrupting essential operations.
- Industrial Control Systems: Industrial control systems are the components that directly automate and supervise industrial processes, including controllers, sensors, and supervisory software. They are a subset of operational technology, but they often carry the most sensitive control paths and therefore demand specialised access and monitoring controls.
- IT-to-OT Lateral Movement: IT-to-OT lateral movement is the path an attacker takes from a compromised business network into an operational environment. It usually relies on shared credentials, remote administration channels, or weak segmentation, and it can turn a conventional cyber incident into a production outage.
- Deception Technology: A detection approach that uses decoys, lookalikes, or sensors to lure adversaries into revealing themselves. The point is to create high-confidence signals that should not be touched by legitimate users, making attacker interaction easier to distinguish from normal activity.
What's in the full article
SentinelOne's full article covers the operational detail this post intentionally leaves for the source:
- ICS protocol coverage, including the industrial services and device types the vendor says its deception layer can emulate.
- Deceptive HMI and PLC deployment examples that show how the alerts are generated in real environments.
- Endpoint and identity detection workflows for spotting lateral movement and remote service abuse in OT-adjacent networks.
- The vendor's deployment claims and validation references for critical infrastructure use cases.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is relevant for practitioners who need to connect identity controls to resilience in complex operational environments.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org