Industrial-impacting attacks rarely begin in OT; they commonly originate in IT and traverse the IT–OT edge, producing detectable precursor activity long before operational disruption. Joint research from Palo Alto Networks OT Threat Research Lab, Siemens Cybersecurity Lab and the Idaho National Laboratory shows extended dwell times (average ~185 days) and that ~70% of OT-impacting attacks begin in IT, highlighting the need to “bring the fight to the edge.” #PaloAltoNetworks #SiemensCybersecurityLab
Key points
- Most OT-impacting incidents originate in IT environments (~70%), not directly within OT systems.
- The IT–OT network edge is the strategic control point where adversaries expose detectable signals (authentication anomalies, protocol misuse, reconnaissance).
- Adversary behavior is consistent: 82.8% of activity occurs during extended precursor phases, with an average dwell time of ~185 days before impact.
- Common attacker techniques include credential abuse, brute force, exploitation of IT-facing services, lateral movement, reconnaissance, and staging—creating observable opportunities for early detection.
- Visibility alone is insufficient; effective defense requires OT SecOps with architectural segmentation, passive telemetry, and Active Defense capabilities at the edge.
- IT–OT SOC convergence should enable coordinated detection and response while preserving separation of duties and OT safety/availability constraints.
MITRE Techniques
- [T1110] Brute Force – Used as an initial access or credential compromise method; (‘brute force attempts’)
- [T1078] Valid Accounts – Credential abuse for lateral movement and persistence; (‘credential abuse’)
- [T1190] Exploit Public-Facing Application – Exploitation of IT-facing services to gain footholds in enterprise environments; (‘exploitation of IT-facing services’)
- [T1595] Active Scanning – Reconnaissance and scanning activity at the edge to discover targets and services; (‘reconnaissance activity’)
- [T1021] Remote Services – Use of remote access pathways and management infrastructure to move between IT and OT zones; (‘remote access pathways and management infrastructure’)
- [T1071] Application Layer Protocol – Misuse of protocols and anomalous session behavior that produce detectable signals at the edge; (‘protocol misuse’ and ‘session deviations’)
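The key points and the technique list above describe the precursor chain defenders can observe at the IT–OT edge: brute force (T1110) leading to a valid-account login (T1078), followed by a remote-service session (T1021) crossing from the IT zone into an OT cell. The following is an added example, not code from the article or from Palo Alto Networks, Siemens or INL, of how that chain can be correlated from edge-gateway authentication and session logs. The log line format, the zone address ranges, the failure threshold and window, and the sample lines are all constructed for illustration.

```python
"""Correlate IT-OT edge authentication and session events into precursor findings.

Added example; the log format, zone ranges, thresholds and sample lines are
constructed assumptions, not taken from the Unit 42 article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import ipaddress
import re

# Constructed zone definitions (assumption: enterprise IT in 10.0.0.0/16, OT cell in 192.168.100.0/24).
IT_ZONE = ipaddress.ip_network("10.0.0.0/16")
OT_ZONE = ipaddress.ip_network("192.168.100.0/24")
REMOTE_SERVICES = {"ssh", "rdp", "vnc"}   # remote-access protocols watched at the edge (T1021)
FAIL_THRESHOLD = 5                         # failures from one source within WINDOW -> brute force (T1110)
WINDOW = timedelta(minutes=10)

# Constructed edge-gateway log format:
#   "<iso-ts> <auth_fail|auth_ok|session> src=<ip> user=<name> [dst=<ip> proto=<name>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth_fail|auth_ok|session) src=(?P<src>\S+) "
    r"user=(?P<user>\S+)(?: dst=(?P<dst>\S+) proto=(?P<proto>\S+))?$"
)


@dataclass
class Event:
    ts: datetime
    event: str
    src: str
    user: str
    dst: Optional[str]
    proto: Optional[str]


def parse(lines) -> List[Event]:
    """Parse log lines into Events, skipping lines that do not match the expected format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(Event(datetime.fromisoformat(d["ts"]), d["event"],
                            d["src"], d["user"], d["dst"], d["proto"]))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (technique_id, description) findings in chronological order."""
    findings = []
    recent_fails = defaultdict(list)   # src -> timestamps of failures inside the sliding window
    brute_forced = {}                  # src -> time brute force was first flagged
    compromised = {}                   # src -> time a success followed brute force
    for e in events:
        if e.event == "auth_fail":
            fails = recent_fails[e.src] + [e.ts]
            recent_fails[e.src] = [t for t in fails if e.ts - t <= WINDOW]
            if len(recent_fails[e.src]) >= FAIL_THRESHOLD and e.src not in brute_forced:
                brute_forced[e.src] = e.ts
                findings.append(("T1110", f"{e.src}: {FAIL_THRESHOLD}+ auth failures within {WINDOW}"))
        elif e.event == "auth_ok":
            # A success from a source that was just brute forcing is the credential-abuse signal.
            if e.src in brute_forced and e.src not in compromised:
                compromised[e.src] = e.ts
                findings.append(("T1078", f"{e.src}: successful login as {e.user} after brute force"))
        elif e.event == "session" and e.dst and e.proto:
            crosses_edge = (ipaddress.ip_address(e.src) in IT_ZONE
                            and ipaddress.ip_address(e.dst) in OT_ZONE)
            # Only sessions from an already-compromised source into OT are raised here;
            # the benign operator session in the sample below stays silent.
            if crosses_edge and e.proto.lower() in REMOTE_SERVICES and e.src in compromised:
                findings.append(("T1021", f"{e.src} -> {e.dst} via {e.proto} into OT zone after credential compromise"))
    return findings


# Constructed sample log: one malicious chain from 10.0.5.23, one benign operator login from 10.0.7.8.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth_fail src=10.0.5.23 user=admin
2024-03-01T08:00:03 auth_fail src=10.0.5.23 user=admin
2024-03-01T08:00:05 auth_fail src=10.0.5.23 user=operator
2024-03-01T08:00:07 auth_fail src=10.0.5.23 user=operator
2024-03-01T08:00:09 auth_fail src=10.0.5.23 user=svc_hmi
2024-03-01T08:00:40 auth_ok src=10.0.5.23 user=svc_hmi
2024-03-01T08:02:10 session src=10.0.5.23 user=svc_hmi dst=192.168.100.14 proto=rdp
2024-03-01T08:03:00 auth_ok src=10.0.7.8 user=jdoe
2024-03-01T08:03:30 session src=10.0.7.8 user=jdoe dst=192.168.100.20 proto=rdp
""".splitlines()


def analyze_sample() -> List[Tuple[str, str]]:
    return correlate(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for technique, description in analyze_sample():
        print(technique, description)
```

The correlation is deliberately stateful per source address: a brute-force alert on its own is noisy at an enterprise edge, but a success from the same source followed by a remote-service session into the OT cell is the short, high-confidence sequence the article's ~185-day dwell time gives defenders ample time to catch. In a real deployment the zone ranges and protocol list would come from the segmentation design, and the events from passive telemetry at the edge rather than a constructed string.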
Indicators of Compromise
- [No explicit IOCs] The article does not list specific IPs, domains, file hashes, or filenames; it provides high-level observable indicators and counts such as ‘nearly 20 million OT-related assets observable on the public internet’ and a ‘332% increase between 2023–2024’ — examples: internet-exposed OT devices, IT-facing services.
Read more: https://unit42.paloaltonetworks.com/ot-edge-security/