By NHI Mgmt Group Editorial TeamPublished 2025-12-10Domain: Governance & RiskSource: Elisity

TL;DR: Lateral movement remains central to modern breaches in IoT and OT environments, with Elisity citing IBM’s $4.88 million global average breach cost and research showing 60% of successful breaches involve lateral movement, while attackers dwell for 280 days on average before detection. The problem is not just detection; it is whether segmentation, access control, and response coordination actually work under realistic pressure.


At a glance

What this is: This is an analysis of how tabletop exercises can test lateral movement prevention in IoT and OT environments and expose where segmentation, detection, and response coordination fail.

Why it matters: It matters because IoT, OT, and medical device environments often cannot rely on endpoint agents or perimeter assumptions, so IAM-adjacent governance must prove that access and segmentation controls hold under real attack paths.

By the numbers:

👉 Read Elisity's tabletop exercise guidance for lateral movement prevention in IoT and OT


Context

Lateral movement is the phase of an intrusion where an attacker uses one foothold to reach other systems, segments, or privileged pathways. In IoT and OT environments, that matters because the usual enterprise model of endpoint coverage and perimeter trust does not map cleanly to devices, controllers, and engineering workstations that share operational space.

The article argues that tabletop exercises are the right way to test whether segmentation policies, least privilege rules, and cross-functional response can actually stop that spread. For identity and access teams, the governance issue is not only who can log in, but whether a compromised identity, vendor path, or dual-homed system can pivot into critical environments before containment decisions are made.

The starting position described here is typical, not unusual: mixed IT, IoT, and OT estates create exactly the sort of segmentation and visibility gaps attackers exploit.


Key questions

Q: How should security teams run tabletop exercises for lateral movement prevention in IoT and OT environments?

A: Design the exercise around realistic pivot paths, not abstract incident narratives. Start with a likely initial foothold such as phishing, vendor access, or a dual-homed workstation, then force participants to decide how they would detect, contain, and communicate at each stage. The exercise should prove whether segmentation, monitoring, and authority to isolate are usable under pressure.

Q: Why do IoT and OT environments make lateral movement harder to control?

A: Because many connected devices cannot run endpoint agents, and many operational protocols do not produce the same visibility that IT tools expect. Attackers can exploit shared connectivity, weak segmentation, and trusted engineering paths to move between systems. That means control effectiveness depends on network design, identity boundaries, and response authority, not just on malware detection.

Q: What breaks when segmentation policies are only tested on paper?

A: What breaks is the assumption that a policy statement equals a working control. If no one can demonstrate how a compromised path is blocked, detected, and isolated, the organisation may have documentation but not containment. In practice, that leaves attacker movement to be discovered after the next pivot rather than stopped at the boundary.

Q: Who should be accountable when lateral movement reaches critical OT or IoT systems?

A: Accountability should sit with the teams that own the access path, the segmentation boundary, and the containment decision, not with one security function alone. OT operations, network teams, and incident response all have to agree on authority before an event occurs. If no one can isolate a segment quickly, the governance model has failed.


Technical breakdown

Why lateral movement succeeds in mixed IT and OT environments

Lateral movement succeeds when an attacker can move from one trusted system to another without triggering a control boundary. In mixed IT and OT estates, that often happens through dual-homed systems, weak segmentation, shared credentials, or devices that cannot run traditional endpoint agents. The technical problem is not the first compromise alone, but the existence of reachable paths between otherwise separate trust zones. Once an attacker can enumerate neighbors, identify privileged management interfaces, or reuse contractor access, the network itself becomes the attack path.

Practical implication: map every cross-zone pathway and validate that each one has an enforceable policy boundary, not just a diagram.

How tabletop exercises test segmentation and least privilege

A tabletop exercise is a structured simulation, not a live attack. Participants walk through a scenario step by step and decide what they would see, what they would do, and who can authorize containment. That makes tabletops especially useful for testing whether segmentation rules, least privilege policies, and isolation runbooks are actually usable when pressure is real. If the response depends on knowledge no one has, approvals no one can get, or policies that only exist on paper, the exercise exposes that gap before an attacker does.

Practical implication: validate not only policy design, but the exact decision points and approvals needed to isolate a compromised segment.

Why device constraints change the detection model

IoT and OT devices often lack agents, log poorly, or use protocols that conventional SOC tooling cannot inspect well. That changes the detection model from endpoint-first visibility to network- and behavior-based monitoring, with special attention to reconnaissance, unusual east-west traffic, and contractor or engineering workstation activity. In these environments, failed detection is often a design issue, not a tuning issue, because the telemetry source simply does not exist in the same way it does for laptops and servers.

Practical implication: base detection coverage on the traffic and identity signals available in OT, not on endpoint assumptions borrowed from IT.


Threat narrative

Attacker objective: The attacker aims to turn one compromised foothold into broader operational access, then reach critical systems, sensitive data, or disruptive control points.

  1. Entry occurs when an attacker gains an initial foothold through phishing, compromised vendor credentials, or a vulnerable dual-homed system that connects IT and OT.
  2. Escalation follows as the attacker enumerates reachable assets, reuses trusted access, and pivots through poorly segmented paths toward higher-value systems.
  3. Impact occurs when the attacker reaches controllers, payment systems, or sensitive data and can disrupt operations or exfiltrate information at scale.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Lateral movement prevention is now a governance test, not just a network design problem. The article shows that segmentation only matters if people can validate it under realistic attack paths. For identity teams, that means access, trust, and isolation controls must be examined as an integrated system, not as separate checklist items.

Tabletop exercises expose the difference between policy intent and operational enforceability. A policy that says a contractor cannot pivot into OT is weak if no one can demonstrate how the pivot is blocked, detected, and contained in practice. That is a governance failure as much as a technical one, because it leaves risk distributed across teams without clear decision authority.

Access pathways that cross IT, IoT, and OT create identity blast radius. Once a compromised credential can reach engineering workstations, vendor VPNs, or shared management interfaces, the impact of one identity extends well beyond its original purpose. Practitioners should treat every cross-domain path as a blast-radius question, not a convenience question.

Microsegmentation only proves itself when response teams can act inside the exercise window. The article’s emphasis on coordinated containment is the key point: controls that depend on after-the-fact analysis do not stop lateral movement. The field should measure whether an organisation can isolate a segment before the attacker completes the next pivot.

The named concept here is identity blast radius. In mixed IT and OT environments, a single identity or access path can touch many more systems than the owner intended, especially when contractor access, engineering systems, and operational assets overlap. That means identity governance has to account for reachable systems, not just assigned entitlements.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • That same blind spot is why practitioners should also review Top 10 NHI Issues for the control gaps that turn access into reach.

What this signals

With 98% of organisations planning to deploy even more AI agents in the next 12 months, the lesson from lateral movement testing is broader than OT. Identity programmes that still assume access is fixed at provisioning time are moving toward a model where cross-domain paths must be proven safe, not presumed safe.

Identity blast radius: the real issue is no longer how many systems an identity can reach in theory, but how far one compromised path can extend before containment. That requires security, OT, and IAM teams to align on isolation authority, because the absence of that alignment is what turns a technical incident into an operational event.


For practitioners

  • Model real pivot paths in your tabletop scenarios Use scenarios such as IT-to-OT pivots, vendor credential compromise, and dual-homed workstation abuse to test whether segmentation actually blocks movement between trust zones. Tie each scenario to a specific decision point so the exercise reveals who can isolate what, and when. See the 52 NHI Breaches Analysis for how pivot paths become breach multipliers.
  • Test contractor access as a lateral movement pathway Include third-party remote access, VPN reuse, and maintenance workflows in your exercise design so you can verify whether vendor connectivity is constrained to the intended systems. If a contractor account can reach more than its job requires, the exercise should surface that immediately. Use the Top 10 NHI Issues to align the exercise with identity governance priorities.
  • Validate isolation authority before the exercise starts Document exactly who can disconnect an engineering workstation, shut down a vendor tunnel, or quarantine an OT segment when suspicious activity appears. If the answer depends on unplanned escalation or unavailable approvers, the control is not operational. Cross-check the response design against the Ultimate Guide to NHIs for lifecycle and access governance context.

Key takeaways

  • Lateral movement in IoT and OT is a governance problem as much as a network problem, because controls only matter if teams can enforce them under pressure.
  • The evidence shows why this matters: 60% of successful breaches involve lateral movement, and attackers can remain undetected for 280 days on average.
  • Tabletop exercises should prove whether segmentation, least privilege, and isolation authority actually stop the next pivot, not whether they look good in policy.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe article centres on attacker pivoting and movement across connected systems.
NIST CSF 2.0PR.AC-4Segmentation and access restrictions are the core control theme here.
NIST SP 800-53 Rev 5AC-4Information flow enforcement directly matches segmentation and containment.
NIST Zero Trust (SP 800-207)The article’s zero trust thread is about eliminating implicit trust between segments.
CIS Controls v8CIS-12 , Network Infrastructure ManagementNetwork segmentation and control validation are central to the post.

Map tabletop scenarios to credential access and lateral movement techniques, then test detection and containment at each pivot.


Key terms

  • Lateral Movement: Lateral movement is the act of moving from one compromised system or identity path to another after initial access. In mixed IT, IoT, and OT environments, it often succeeds because trust relationships and network reachability are broader than operators assume.
  • Microsegmentation: Microsegmentation is the practice of dividing environments into small, enforceable security zones so traffic between systems is restricted by policy. In operational environments, it is useful only if the policy can be enforced on real traffic and validated during incident response.
  • Tabletop Exercise: A tabletop exercise is a structured discussion-based simulation used to test decisions, coordination, and response playbooks without executing a live attack. It is most valuable when the scenario reflects the actual access paths and containment constraints of the environment being tested.
  • Identity Blast Radius: Identity blast radius is the total set of systems, segments, and operational assets that a single identity or access path can reach. In IoT and OT estates, it is often larger than expected because contractor access, engineering systems, and management paths overlap.

What's in the full article

Elisity's full blog post covers the operational detail this post intentionally leaves for the source:

  • Scenario templates for phishing-to-OT pivots, vendor compromise, and IoT device abuse that can be adapted to your environment.
  • Detailed tabletop design guidance for segmentation validation, containment decision points, and cross-functional participation.
  • Measurement ideas for mean time to detect, mean time to contain, and segmentation effectiveness after the exercise.
  • Practical examples of how organisations with healthcare and industrial environments structure hybrid red, blue, and purple team testing.

👉 The full Elisity post covers scenario design, metrics, and response coordination details.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org