Almog Apirion, CEO and Co-Founder of Cyolo, argues that most operational technology (OT) disruptions do not start inside OT systems but in weaknesses in IT environments, particularly around remote and vendor access and identity controls.
A former CISO with experience securing IT and OT environments across critical infrastructure, Apirion previously led a cybersecurity unit in the Israeli Navy.
Apirion explains that attackers commonly enter through IT pathways, including VPNs, shared credentials, or poorly governed third-party access, then move laterally into OT environments.
He notes that access failures are now a leading cause of OT downtime: in many incidents, systems are taken offline during response not because they have been damaged, but because the remote and third-party access pathways can no longer be trusted and teams lack the visibility to tell legitimate connections from malicious ones.
He adds that AI is accelerating reconnaissance and exploitation, so weak identity governance has become dangerous at industrial scale.
To address these risks, Apirion points to a shift toward identity-based, zero-trust access models for both humans and machines, supported by strict segmentation between IT and OT, just-in-time access, continuous verification, and improved visibility into vendor and OEM activity.
Vishwa: Many OT disruptions begin with weaknesses in IT environments rather than inside OT systems. From your experience, which IT gaps most allow attackers to reach industrial operations?
Almog: This is exactly right. Rather than attacking OT systems directly, many incidents begin on the IT side. The most common entry points for attackers are weak identity and access controls in IT environments, particularly around remote and third-party access.
These “softer” access points, which enable unauthorized actors to enter the network undetected, frequently stem from VPNs that grant broad network access, lack of zero-trust adoption, overly permissive access policies, and shared or unmanaged credentials.
The human factor also plays a significant role, including reused passwords, delayed deprovisioning of vendor accounts, and well-intentioned users granting more access than necessary to keep operations moving.
Once attackers are inside, flat network architectures and inadequate segmentation often allow them to move laterally and reach industrial operations. In many cases, limited cross-environment visibility and governance over who can access what creates a direct bridge from IT compromise to OT disruption.
As a result, hard segmentation between IT and OT, combined with strict access controls based on zero-trust principles, is becoming increasingly critical.
Vishwa: Without naming specific organizations, can you describe real-world patterns and incidents where insecure vendor access or misconfigured remote pathways contributed to operational downtime?
Almog: Several high-profile incidents show how insecure vendor access or misconfigured remote pathways can directly lead to operational downtime. In 2021, Colonial Pipeline was forced to shut down operations after attackers gained access through a compromised VPN account that lacked multi-factor authentication. This incident demonstrates how a single remote access weakness can disrupt critical operations.
That same year, an attacker accessed a Florida water treatment facility through an exposed remote access tool used for maintenance, prompting operators to take systems offline to prevent physical harm.
In other cases, attackers entered through third-party or remote support connections and triggered shutdowns not because systems were destroyed or even malfunctioning, but because access pathways could no longer be trusted during response and recovery.
Vishwa: Manufacturers reported an average of 360 hours of downtime in 2025. From what you’ve observed, what types of operational or access failures most commonly trigger these outages?
Almog: Most unplanned downtime is triggered by failures in remote or third-party access. In modern manufacturing, external technicians, vendors, and OEMs play a crucial role in keeping systems running, and these days they often connect via remote access.
But when that remote access relies on fragile VPNs, hard-to-manage jump servers, or manual approvals, even minor equipment issues can have a serious operational impact.
In many cases, a routine matter will escalate into downtime because security and access controls that were not designed for time-critical operations prevent technicians from connecting quickly enough to diagnose and resolve the problem.
This is one of the key reasons OT environments require access solutions that prioritize uptime and operational agility alongside security.
Vishwa: What forms of AI-driven attack automation do you believe pose the most serious risk to critical infrastructure sectors? What measures would be most effective in preventing these threats?
Almog: With AI-driven automation, attacks that once required a significant amount of skill now only require access to an AI model. Attackers are already using AI tools to automate reconnaissance, identify vulnerabilities and misconfigurations, create tailored exploits, and conduct complex attacks at machine speed.
These capabilities are especially dangerous in critical infrastructure, where they can be used to very quickly discover weak access paths and poorly segmented networks.
Because AI magnifies existing weaknesses, the best defenses include OT security best practices, including identity-based zero-trust access with continuous validation of users and devices, strong segmentation, real-time session supervision, and governance of internal automated tools to prevent shadow AI.
It will also become more common for AI to supervise AI, ensuring that risky or unusual actions trigger alerts before serious harm can occur.
Vishwa: Across the OT community, as defenders witness the speed and scale of AI-driven attacks, where do they struggle the most?
Almog: Defenders often struggle with the mismatch between the speed and automation of AI-driven attacks and the manual, fragmented processes still used to manage access and response in many OT environments.
Limited visibility into who has access to critical systems and what they are doing while connected – especially for third-party vendors and OEMs – creates blind spots that attackers can exploit. AI tools make finding these blind spots significantly easier.
At the same time, teams must balance security with uptime. Today, many security tools and workflows were designed for IT environments, where brief disruptions are inconvenient but manageable. When applied to OT, those same tools can introduce unacceptable friction and operational risk.
Without security approaches built around OT realities – such as time-critical, 24/7 industrial operations – defenders are left at a significant disadvantage as AI-driven attacks continue to accelerate.
Vishwa: As automation increases, what type of identity and access-control model should govern machine-to-machine interactions in OT environments?
Almog: As automation and AI use expands in OT environments, machine-to-machine interactions should be governed by a zero-trust–based, identity-centric access-control model.
Rather than relying on static network trust or implicit segmentation, each machine, service, or workload should have a unique, verifiable identity. Access decisions should be made dynamically based on strong authentication, device posture, workload context, and the specific action being requested.
This model should enforce least-privilege, just-in-time access, allowing machines to communicate only with explicitly authorized peers and only for the duration and scope required.
Credentials must be short-lived and automatically rotated to reduce the risk of compromise, while policies should be centrally defined but locally enforced to accommodate OT reliability and latency requirements.
Additionally, the model should support continuous verification and monitoring, enabling rapid detection of anomalous behavior or unauthorized interactions without disrupting operations.
By giving each machine its own identity and not relying on fixed network boundaries for trust, organizations can safely expand automation, limit the impact of security incidents, and protect the reliability and safety that OT systems depend on.
Vishwa: As organizations modernize legacy OT systems in 2026, what specific upgrades or redesigns do you see as most urgently needed?
Almog: As organizations modernize their legacy OT systems in 2026 and beyond, the most urgent need is to redesign access and connectivity models that were built for isolated, static environments.
Legacy systems were never designed for remote access, cloud integration, or high levels of automation, yet they are now routinely exposed to all three.
A top priority is introducing strong, identity-based access controls for both humans and machines, replacing shared credentials, inherent trust, and network-based permissions. All access should be granular, policy-driven, and continuously verified, without requiring major changes to fragile OT assets.
Equally important is reducing flat network architectures by implementing segmented, software-defined connectivity that limits lateral movement while preserving operational reliability.
Visibility upgrades are also critical: organizations need real-time insight into who and what is accessing OT systems, with continuous monitoring and the ability to terminate a connection immediately if suspicious behavior is detected.
Finally, modernization must focus on operational resilience, ensuring security controls are non-disruptive, easy to audit, and designed to work within strict uptime and safety constraints. The most successful redesigns will enhance security without forcing wholesale replacement of legacy equipment or interrupting critical operations.
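The machine-to-machine model described in the interview (a unique identity per machine, access decisions driven by posture and the specific action requested, least-privilege just-in-time grants, policy defined centrally but enforced locally) and the identity-based redesign urged for legacy OT in the final answer are both illustrated by the following example. It is added here for illustration and is not part of the interview, nor code from Cyolo or any product. The asset names (`hmi-01`, `historian-02`, `plc-07`), the policy rules, the `attested` posture claim, and the HMAC-signed grant format are all constructed assumptions; a real deployment would bind grants to an attested device key or mTLS identity rather than a shared HMAC secret.

```python
"""
Added example: identity-centric, just-in-time machine-to-machine access.
A central PolicyDecisionPoint evaluates explicit peer/action rules and
issues short-lived signed grants; the LocalEnforcementPoint on the target
device verifies them offline, so enforcement needs no round trip to the
controller. All names, rules and posture fields are illustrative assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class MachineIdentity:
    """A device or workload with its own identity and current posture claims."""
    name: str
    posture: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    """One explicit peer-to-peer allowance; anything not listed is denied."""
    subject: str          # identity that may initiate
    peer: str             # identity it may reach
    actions: frozenset    # actions permitted on that peer
    max_ttl: int          # upper bound on grant lifetime, in seconds
    requires: dict        # posture claims the subject must present


# Constructed policy for the example (hypothetical asset names).
RULES = (
    Rule("hmi-01", "plc-07", frozenset({"read_tags", "write_setpoint"}), 300, {"attested": True}),
    Rule("historian-02", "plc-07", frozenset({"read_tags"}), 3600, {"attested": True}),
)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class PolicyDecisionPoint:
    """Central authority: evaluates policy and issues short-lived signed grants."""

    def __init__(self, rules, keys: dict, current_kid: str):
        self._rules = rules
        self._keys = keys          # kid -> secret; rotating adds a new kid, old ones age out
        self._kid = current_kid

    def request_grant(self, subject: MachineIdentity, peer: str, action: str,
                      ttl: int, now: Optional[int] = None) -> Optional[str]:
        """Return a grant for exactly (subject, peer, action), or None for deny."""
        now = int(time.time()) if now is None else now
        for rule in self._rules:
            if (rule.subject, rule.peer) != (subject.name, peer) or action not in rule.actions:
                continue
            if any(subject.posture.get(k) != v for k, v in rule.requires.items()):
                return None                       # right peer/action, failed posture check
            claims = {"sub": subject.name, "aud": peer, "act": action, "kid": self._kid,
                      "iat": now, "exp": now + min(ttl, rule.max_ttl)}   # TTL capped by policy
            body = _b64(json.dumps(claims, sort_keys=True).encode())
            sig = hmac.new(self._keys[self._kid], body.encode(), hashlib.sha256).digest()
            return f"{body}.{_b64(sig)}"
        return None                               # default deny: no implicit network trust


class LocalEnforcementPoint:
    """Runs on the target device; verifies grants offline without calling the PDP."""

    def __init__(self, own_name: str, keys: dict):
        self._name = own_name
        self._keys = keys

    def authorize(self, grant: str, action: str, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        try:
            body, sig = grant.split(".", 1)
            c = json.loads(_unb64(body))
            key = self._keys[c["kid"]]
            aud, act, iat, exp = c["aud"], c["act"], c["iat"], c["exp"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad_signature"
        if aud != self._name:
            return False, "wrong_peer"            # grant replayed against another device
        if act != action:
            return False, "action_not_in_scope"   # scope is a single action, not "access"
        if not iat <= now < exp:
            return False, "expired"
        return True, "ok"


def demo() -> dict:
    """Walk through grant, scope, replay, expiry, posture and tampering cases."""
    keys = {"k1": b"constructed-signing-secret"}
    pdp = PolicyDecisionPoint(RULES, keys, "k1")
    plc, other_plc = LocalEnforcementPoint("plc-07", keys), LocalEnforcementPoint("plc-08", keys)
    t0 = 1_700_000_000
    hmi = MachineIdentity("hmi-01", {"attested": True})
    historian = MachineIdentity("historian-02", {"attested": True})
    unattested = MachineIdentity("hmi-01", {"attested": False})
    g = pdp.request_grant(hmi, "plc-07", "write_setpoint", ttl=3600, now=t0)  # capped to 300 s
    body, sig = g.split(".")
    forged_claims = json.loads(_unb64(body))
    forged_claims["exp"] += 86400                 # attacker extends lifetime, keeps old signature
    forged = _b64(json.dumps(forged_claims, sort_keys=True).encode()) + "." + sig
    return {
        "hmi_write": plc.authorize(g, "write_setpoint", now=t0 + 10)[1],
        "hmi_write_after_ttl": plc.authorize(g, "write_setpoint", now=t0 + 301)[1],
        "hmi_replayed_elsewhere": other_plc.authorize(g, "write_setpoint", now=t0 + 10)[1],
        "hmi_scope_escalation": plc.authorize(g, "reflash_firmware", now=t0 + 10)[1],
        "historian_write": pdp.request_grant(historian, "plc-07", "write_setpoint", 60, now=t0),
        "unattested_hmi": pdp.request_grant(unattested, "plc-07", "read_tags", 60, now=t0),
        "forged": plc.authorize(forged, "write_setpoint", now=t0 + 10)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the layout is that the PLC-side check is purely local and cheap (one HMAC and a few comparisons), so it adds no latency or controller dependency to the data path, while every grant is bound to one peer, one action and a policy-capped lifetime; the historian cannot obtain a write grant at all, an unattested HMI is refused at issuance, and a grant stolen from one PLC is useless against another.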