Threat Actors Target Industrial Systems
Adversaries are leveraging compromised credentials to pivot from IT into industrial control (ICS) and operational technology (OT) networks. Amid rising Iran-U.S. tensions, this tactic bypasses traditional segmentation, putting critical infrastructure at direct risk from identity-based attacks.
Iranian-linked actors like Parisite serve as initial access brokers, exploiting VPNs and edge devices to infiltrate IT environments and then pass that access to state-affiliated groups. This deliberate pre-positioning is followed by actors such as Bauxite, using the "CyberAv3ngers" persona, who have already compromised over 400 OT devices and manipulated PLCs at U.S. water utilities. This pattern of escalating cyber operations often follows kinetic military actions, with a 700% increase in cyberattacks targeting Israel after its 2025 military strikes in Iran.

The IT-OT boundary is precisely where threat actors thrive, exploiting a significant gap in security visibility. Research shows that nearly 70% of attacks affecting OT originate from the IT environment, using common techniques like credential abuse before pivoting. This blind spot allows attackers to dwell for extended periods, with organizations taking an average of 207 days just to detect a breach, a timeframe that is often longer in OT systems.

Implementing the DoD's Zero Trust model, which is mandated for completion by fiscal year 2027, directly addresses this challenge by shifting from perimeter-based trust to continuous verification of every user and device. The "User" pillar is central, requiring continuous authentication and authorization for both person and non-person entities. This involves moving away from static network-based defenses to focus on users, assets, and resources, assuming no implicit trust based on network location.

For Splunk engineers, this translates to specific detection and monitoring strategies. Utilizing the OT Security Add-on for Splunk enables improved threat detection and incident response across both IT and OT environments. Key use cases include monitoring for unauthorized remote access, detecting the use of external media like USB drives, and analyzing industrial protocol traffic for anomalies.
Creating correlation rules that map to frameworks like MITRE ATT&CK for ICS is crucial for identifying suspicious lateral movement. A critical first step in a Zero Trust journey is a complete inventory of all assets, including hardware, software, and data, as resources cannot be protected if they are not known. For industrial environments, this means mapping traffic flows between IT and OT to understand interactions and potential vulnerabilities. Subsequently, building granular, identity-based access controls and micro-segmentation can severely limit an attacker's ability to move laterally after an initial credential compromise.

Recent incidents highlight the urgency, with CISA adding a Rockwell Automation PLC vulnerability (CVE-2021-22681) to its Known Exploited Vulnerabilities catalog. This flaw allows a remote attacker to mimic an engineering workstation, bypassing verification to connect to controllers. Such vulnerabilities in widely used ICS products underscore the need for immediate auditing of unused contractor VPN sessions and enabling anomaly alerting on IT-to-OT lateral movement.
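As an added illustration of the IT-to-OT lateral-movement alerting described above (example code written for this page, not part of the original article or the OT Security Add-on for Splunk), the following correlates VPN logins with later connections into the OT subnet and alerts on the identity behind the source address rather than on where the traffic comes from. The OT subnet, the user names, the authorized-user list and all events are constructed assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed (constructed) environment: the OT/ICS subnet, the users whose role
# permits OT access, and the TCP ports of two common industrial protocols.
OT_NETWORK = ip_network("10.50.0.0/16")
OT_AUTHORIZED_USERS = {"engineer02"}
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP (CIP)"}

# Constructed sample events: VPN logins on the IT side and firewall connection
# records; the contractor host reaches PLC ports shortly after its VPN login.
SAMPLE_EVENTS = [
    {"ts": "2025-06-20T01:10:00", "type": "vpn_login", "user": "contractor01", "vpn_ip": "10.10.5.21"},
    {"ts": "2025-06-20T01:40:00", "type": "conn", "src": "10.10.5.21", "dst": "10.50.3.40", "dport": 44818},
    {"ts": "2025-06-20T09:00:00", "type": "vpn_login", "user": "engineer02", "vpn_ip": "10.10.5.22"},
    {"ts": "2025-06-20T09:05:00", "type": "conn", "src": "10.10.5.22", "dst": "10.50.3.40", "dport": 44818},
    {"ts": "2025-06-20T09:10:00", "type": "conn", "src": "10.10.5.22", "dst": "10.10.8.15", "dport": 443},
    {"ts": "2025-06-20T15:00:00", "type": "conn", "src": "10.10.5.21", "dst": "10.50.3.41", "dport": 502},
]


def find_it_to_ot_pivots(events, ot_network=OT_NETWORK, authorized=OT_AUTHORIZED_USERS):
    # One alert per connection from an IT address into the OT subnet whose
    # owning identity (resolved via the VPN session) is not an authorized OT role.
    sessions = {}  # VPN-assigned IP -> (user, login time)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "vpn_login":
            sessions[ev["vpn_ip"]] = (ev["user"], when)
            continue
        if ip_address(ev["dst"]) not in ot_network:
            continue  # ordinary IT-to-IT traffic, out of scope here
        user, login = sessions.get(ev["src"], ("<no vpn session>", None))
        if user in authorized:
            continue  # known OT role: log it, but do not alert
        alerts.append({
            "user": user, "src": ev["src"], "dst": ev["dst"],
            "protocol": ICS_PORTS.get(ev["dport"], f"tcp/{ev['dport']}"),
            "minutes_since_vpn_login": None if login is None else int((when - login).total_seconds() // 60),
        })
    return alerts
```

A source address with no VPN session at all is reported too, since an unexplained IT host talking to a PLC is exactly the inventory gap the asset-mapping step is meant to close.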