TL;DR: Critical infrastructure faces a mix of ransomware, destructive malware, DDoS, and lateral movement from IT into OT, with legacy systems, exposed protocols, and compromised credentials creating the main paths to disruption, according to SentinelOne and CISA. The governance gap is not just resilience, but identity and network containment across environments that were never built for modern threat velocity.
NHIMG editorial — based on content published by SentinelOne: critical infrastructure security for OT and ICS environments
By the numbers:
- CISA says 14 of the 16 U.S. critical infrastructure sectors have seen ransomware incidents.
Questions worth separating out
Q: What breaks when IT and OT networks are not segmented?
A: When IT and OT are not segmented, ransomware can move from business systems into production systems, and defenders often cannot prove where compromise stops.
Q: Why do compromised credentials remain so effective in modern environments?
A: Compromised credentials remain effective because they produce legitimate-looking access.
Q: How can organisations tell whether deception controls are actually helping in OT?
A: Deception controls are working when they produce high-fidelity alerts on activity that should never occur, such as a human operator touching a decoy HMI or an internal system authenticating to a fake credential.
Practitioner guidance
- Segment OT from IT with enforceable access boundaries Separate enterprise and operational networks with tightly controlled pathways for administration, monitoring, and vendor support.
- Restrict and monitor all remote access into ICS environments Inventory every remote service, jump host, and privileged route into OT, then remove anything that is not operationally required.
- Build deception into industrial detection workflows Deploy decoy HMIs, fake credentials, and emulated assets in network paths an attacker is likely to probe before reaching production systems.
What's in the full article
SentinelOne's full article covers the operational detail this post intentionally leaves for the source:
- ICS protocol coverage, including the industrial services and device types the vendor says its deception layer can emulate.
- Deceptive HMI and PLC deployment examples that show how the alerts are generated in real environments.
- Endpoint and identity detection workflows for spotting lateral movement and remote service abuse in OT-adjacent networks.
- The vendor's deployment claims and validation references for critical infrastructure use cases.
👉 Read SentinelOne's analysis of critical infrastructure security for OT and ICS environments →
Critical infrastructure protection: are OT and identity controls keeping up?
Explore further
Standing access is the hidden failure mode in critical infrastructure. The article points to compromised credentials, remote services, and weak segmentation as the practical route from IT compromise into OT disruption. That is not just a network design issue. It is a privilege governance problem, because any credential that can reach an industrial environment can become a production risk. Practitioners should treat OT access as a lifecycle-controlled trust boundary, not a convenience layer.
A question worth separating out:
Q: Who is accountable when an IT compromise reaches OT and disrupts services?
A: Accountability usually spans security, infrastructure, operations, and vendor-management teams because the failure is cross-domain. The practical question is whether access governance, segmentation, and recovery responsibilities were clearly assigned and tested before the incident. Frameworks such as NIST Cybersecurity Framework 2.0 help teams map those responsibilities to identify, protect, detect, respond, and recover.
👉 Read our full editorial: Critical infrastructure security depends on OT segmentation and credential control