IT Passwords Are for IT Not OT: Why Credential Reuse Is a Ticking Time Bomb for Industrial Control Systems + Video

Introduction:

The convergence of Information Technology (IT) and Operational Technology (OT) networks has created unprecedented efficiency—but also a dangerous blind spot. A staggering 40% of OT networks reuse credentials from their corporate IT environments, a practice that transforms a routine phishing email into a direct pathway for manipulating industrial processes, introducing safety hazards, and even bringing down an entire site. When attackers inevitably breach the IT network—and they will—they gain the keys to not just your data, but your physical operations.

Learning Objectives:

  • Understand the cascading risks of IT/OT credential reuse and why attackers target this vulnerability.
  • Learn how to implement technical controls, including separate Active Directory forests, unique usernames, and hardened password policies.
  • Master practical commands and configuration steps for Linux, Windows, and network devices to enforce credential separation.

1. The Attack Path: From a Phishing Email to a PLC

The threat model is deceptively simple. Employees on the IT network engage in routine activities—reading emails, clicking links, browsing the internet, opening attachments. These actions expose them to phishing, malware, and credential theft. Attackers will get onto the IT network, and they will obtain IT passwords.

Once they have those credentials, the question is not if they can move laterally, but what they can do. With reused credentials, the answer is terrifying:

  • Make programming changes to a Programmable Logic Controller (PLC)
  • Access engineering workstations to modify control logic
  • Impact an industrial process, causing production downtime
  • Introduce safety issues that could harm personnel
  • Upload malicious firmware to devices
  • Bring down the entire site

This is not hypothetical. As Mike Holcomb emphasizes, “IT passwords are for IT. Not OT!” The separation of credentials is not a convenience issue—it is an operational survival imperative.

2. Step-by-Step: Separating Active Directory for IT and OT

Many OT environments run Windows-based systems, including data historians and engineering workstations. The most common mistake is connecting these to the corporate IT Active Directory (AD). Do not do this.

Step 1: Install a Separate AD Forest for OT

Do not extend your IT AD forest into the OT network. Instead, deploy a completely separate AD forest dedicated solely to OT systems.

Step 2: Do Not Establish Trust Relationships

Configure the OT AD forest with no trusts—inbound, outbound, or transitive—with the IT AD forest. This ensures that even if an attacker compromises an IT account, they cannot authenticate against OT resources.

Step 3: Enforce Different Password Policies

Apply distinct password policies and Group Policy Objects (GPOs) to the OT AD forest. For OT, consider:

  • Minimum password length of 15+ characters
  • Avoid mandatory 90-day rotation unless compromise is suspected (NIST now advises against frequent resets)
  • Block common, reused, and breached passwords

Step 4: Use Different Usernames

As the EPA recommends, require a single user to have two different usernames and passwords—one for IT, one for OT. This adds a layer of defense beyond just password separation.

Step 5: Monitor and Audit

Implement identity visibility platforms that can audit and enforce separation across IT and OT domains in real time.
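The Step 4 rule (one person, two distinct usernames) is easy to state and easy to violate quietly, because the same `jdoe` ends up in both directories through habit. The following shell script is an added example, not part of the original article: it assumes each directory (the IT AD, the OT AD, or `/etc/passwd` on OT hosts) has been exported to a one-username-per-line file, and reports every username that exists on both sides. The two sample exports are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit two account exports for the IT/OT username-separation rule.
# Assumes one username per line in each export; the samples below are constructed.

IT_USERS=$(mktemp)
OT_USERS=$(mktemp)
trap 'rm -f "$IT_USERS" "$OT_USERS"' EXIT

# Constructed IT export (what you would pull from the corporate AD)
cat > "$IT_USERS" <<'EOF'
jdoe
asmith
it_admin1
svc_backup
EOF

# Constructed OT export (the separate OT forest, or /etc/passwd on OT Linux hosts)
cat > "$OT_USERS" <<'EOF'
JDoe
ot_asmith
ot_engineer
svc_backup
EOF

# Print usernames present in both exports, compared case-insensitively because AD
# logons are case-insensitive. Each hit is one person (or service) holding the same
# username in IT and OT, which is exactly what Step 4 forbids.
shared_usernames() {
    it_file=$1
    ot_file=$2
    tr 'A-Z' 'a-z' < "$it_file" | sort -u > "$it_file.norm"
    tr 'A-Z' 'a-z' < "$ot_file" | sort -u > "$ot_file.norm"
    comm -12 "$it_file.norm" "$ot_file.norm"
    rm -f "$it_file.norm" "$ot_file.norm"
}

# Number of shared usernames, so a scheduled audit job can fail when it is non-zero.
shared_count() {
    shared_usernames "$1" "$2" | wc -l | tr -d ' '
}

echo "Usernames present in both IT and OT:"
shared_usernames "$IT_USERS" "$OT_USERS"
echo "Violations: $(shared_count "$IT_USERS" "$OT_USERS")"
```

Run it on a schedule against fresh exports from both forests; a non-zero count is the signal that someone has recreated an IT identity on the OT side. Service accounts such as `svc_backup` are the usual offenders, because they are copied across for convenience rather than created by a person.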

3. Practical Commands: Linux User and Password Management

For OT environments running Linux-based systems (e.g., engineering workstations, SCADA front-ends), here are essential commands for managing separate credentials.

Create a Dedicated OT User Account

# Create a new user with a dedicated home directory and login shell
sudo useradd -m -s /bin/bash ot_engineer

# Set a strong password for the OT account (it must differ from the user's IT password)
sudo passwd ot_engineer

Enforce Password Aging and Complexity

Edit `/etc/login.defs` to set global policies:

# Minimum password length
# Note: on PAM-based distributions passwd does not consult this value; set minlen in
# /etc/security/pwquality.conf (pam_pwquality) as well so the limit is actually enforced
PASS_MIN_LEN 15

# Maximum days before a forced password change (99999 effectively disables rotation)
PASS_MAX_DAYS 99999

For per-user password aging:

# Disable forced expiration (99999 days); reset the password manually if compromise is suspected
sudo chage -M 99999 ot_engineer

# Force a password change at the next login
sudo chage -d 0 ot_engineer

Audit Existing Users for Password Reuse

Linux stores only salted password hashes in `/etc/shadow`, so you cannot compare passwords directly with the IT side, but you can list each account's password status and catch accounts with an empty password field:

# List every account with its password status (L = locked, NP = no password, P = usable password)
sudo passwd -S -a

# Find accounts whose /etc/shadow password field is empty (they can log in without a password)
sudo awk -F: '($2 == "") {print $1}' /etc/shadow

Restrict SSH Access for IT Accounts

Prevent IT-domain accounts from SSH-ing into OT systems:

# In /etc/ssh/sshd_config, deny specific IT users or groups
DenyUsers it_admin1 it_admin2
DenyGroups it_domain_users

# Validate the configuration, then restart the SSH service
sudo sshd -t && sudo systemctl restart sshd
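The audit commands above report status per account but do not say which accounts use a hash algorithm that is cheap to crack, and `/etc/login.defs` has to be read by eye. The script below is an added example, not from the original article: it classifies every record in a shadow-format file by the hash prefix (`$1$` MD5-crypt and legacy DES crypt count as weak; `$5$`, `$6$`, `$y$` and bcrypt as acceptable), lists empty-password accounts, and checks that `PASS_MIN_LEN` meets the 15-character OT minimum. The shadow records and the login.defs fragment are constructed samples; the hash bodies are not real hashes.

```shell
#!/bin/sh
# Added example: offline audit of shadow-format records and login.defs against the OT
# password rules. All sample data below is constructed; no real hashes are included.

SHADOW=$(mktemp)
LOGIN_DEFS=$(mktemp)
trap 'rm -f "$SHADOW" "$LOGIN_DEFS"' EXIT

# Constructed shadow records: user:hash:lastchange:min:max:warn:::
cat > "$SHADOW" <<'EOF'
root:$6$Qx7sample$notarealhash:19700:0:99999:7:::
ot_engineer:$y$j9T$samplesalt$notarealhash:19800:0:99999:7:::
legacy_hmi:$1$abc123$notarealmd5hash:15000:0:99999:7:::
kiosk::19800:0:99999:7:::
it_admin1:!:19800:0:99999:7:::
svc_historian:*:19800:0:99999:7:::
EOF

# Constructed login.defs fragment with a minimum length below the OT policy
cat > "$LOGIN_DEFS" <<'EOF'
# constructed fragment
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
EOF

# Map one shadow password field to a status: EMPTY, LOCKED, WEAK (MD5-crypt, DES crypt
# or unrecognised) or OK (SHA-256, SHA-512, yescrypt, bcrypt).
classify_hash() {
    case "$1" in
        "")                                   echo EMPTY ;;
        '!'*|'*'*)                            echo LOCKED ;;
        '$1$'*)                               echo WEAK ;;   # MD5-crypt
        '$5$'*|'$6$'*|'$y$'*|'$2b$'*|'$2y$'*) echo OK ;;
        *)                                    echo WEAK ;;   # legacy DES crypt or unknown
    esac
}

# Print "user status" for every record in a shadow-format file.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        printf '%s %s\n' "$user" "$(classify_hash "$hash")"
    done < "$1"
}

# Accounts with an empty password field: they log in with no password at all.
empty_password_users() { audit_shadow "$1" | awk '$2 == "EMPTY" {print $1}'; }

# Accounts whose hash algorithm is cheap to brute-force and should be re-hashed.
weak_hash_users() { audit_shadow "$1" | awk '$2 == "WEAK" {print $1}'; }

# Effective PASS_MIN_LEN from a login.defs file (comments ignored), 0 if unset.
pass_min_len() { awk '$1 == "PASS_MIN_LEN" {v = $2} END {print v + 0}' "$1"; }

# Succeed when PASS_MIN_LEN is at least the OT minimum given as $2.
check_min_len() { [ "$(pass_min_len "$1")" -ge "$2" ]; }

audit_shadow "$SHADOW"
check_min_len "$LOGIN_DEFS" 15 || echo "PASS_MIN_LEN is below 15 in $LOGIN_DEFS"
```

Point it at `/etc/shadow` and `/etc/login.defs` on a real host (as root) instead of the temp files: any `WEAK` account should have its password reset so it is re-hashed with the current default, and any `EMPTY` account should be locked before the host is allowed on the OT segment.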

4. Windows Commands: Active Directory and Local Account Hardening

For Windows-based OT systems, whether domain-joined to a separate OT AD or standalone, these commands are critical.

Create a Local OT User (Non-Domain)

# Create a new local user for OT access (the password below is a placeholder; replace it,
# or read it interactively with Read-Host -AsSecureString so it does not land in shell history)
New-LocalUser -Name "ot_operator" -Password (ConvertTo-SecureString "StrongOTPassword123!" -AsPlainText -Force) -FullName "OT Operator" -Description "OT network access only"

# Add the user to the appropriate local groups (e.g., Remote Desktop Users)
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "ot_operator"

Enforce Local Password Policy via Command Line

# Export the current local security policy
secedit /export /cfg C:\secpol.cfg
# Edit C:\secpol.cfg: set PasswordComplexity = 1 and MinimumPasswordLength = 15
# Import the edited policy back into the local security database
secedit /configure /db C:\windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY

Remove IT Domain Accounts from OT Systems

If your OT system was previously joined to the IT domain, disjoin it:

# Remove the machine from its current domain (prompts for credentials, then reboots)
Remove-Computer -UnjoinDomainCredential (Get-Credential) -PassThru -Verbose -Restart

Disable LLMNR and NetBIOS to Prevent Credential Theft

Attackers use tools like Responder to poison LLMNR and NetBIOS, capturing hashed credentials:

# Disable LLMNR via Group Policy or the registry; create the policy key first if it does not exist
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0 -Type DWord

# Disable NetBIOS over TCP/IP: NetbiosOptions lives under each Tcpip_{GUID} interface subkey,
# not directly under Interfaces, so set it on every subkey (2 = disabled)
Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" |
    ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name "NetbiosOptions" -Value 2 -Type DWord }

5. Network Device Hardening: PLCs, Switches, and Firewalls

OT networks are populated with embedded devices that often have default or weak credentials.

Change Default Passwords on All OT Devices

As Dragos recommends, change all default passwords for devices and applications. This includes:

  • PLCs (e.g., Siemens, Rockwell, Schneider Electric)
  • Network switches and routers
  • Firewalls
  • HMIs and engineering workstations

Implementation Checklist:

  • [ ] Inventory all OT devices with default credentials
  • [ ] Document a password change procedure for each device type
  • [ ] Use unique passwords per device or per device class
  • [ ] Store credentials in a secure, encrypted password manager—not in spreadsheets or sticky notes

Segment OT Management Interfaces

Ensure that management interfaces for OT devices are on a separate VLAN or network segment, accessible only from dedicated jump hosts with OT-specific credentials.

6. The Role of Zero Trust and Defense-in-Depth

Credential separation is one pillar of a broader Zero Trust architecture. As Mike Holcomb notes, “Identity separation is 100 percent the best practice”. However, additional layers are essential:

  • Network Segmentation: Use firewalls, VLANs, and data diodes to physically or logically separate IT and OT traffic.
  • Least Privilege: Restrict OT access to only what is necessary for each role.
  • Real-Time Monitoring: Deploy threat detection solutions that span both IT and OT to identify anomalous behavior.
  • Phishing-Resistant MFA: Implement multi-factor authentication that is resistant to phishing, especially for remote access.

7. What Undercode Say:

  • Key Takeaway 1: Over 40% of OT networks reuse IT credentials—a silent vulnerability that turns a routine IT breach into an OT catastrophe. The separation of credentials is not optional; it is a fundamental security control.

  • Key Takeaway 2: Technical implementation requires more than just different passwords. Organizations must deploy separate Active Directory forests, enforce distinct password policies, use unique usernames, and harden both Windows and Linux systems against credential theft.

Analysis:

The IT/OT credential overlap is a classic example of a “hidden risk” that only surfaces after the damage is done. The convenience of single sign-on and unified directory services is seductive, but in OT environments, it is a fatal flaw. Attackers are not targeting PLCs directly—they are targeting the humans and the credentials that bridge the gap. The 40% statistic is a wake-up call: most organizations do not even know if they are reusing credentials. The path forward requires a cultural shift, treating OT as a distinct security domain with its own identity infrastructure, not as an extension of IT. As the EPA guidance emphasizes, unique credentials are “an integral part of a defense-in-depth strategy”. The time to act is now—before the next phishing email finds its way to a shared password.

Prediction:

  • +1 Organizations that implement strict IT/OT credential separation will experience significantly fewer operational disruptions from cyber incidents, as attackers will be unable to pivot from compromised IT accounts to industrial control systems.

  • -1 Organizations that continue to reuse credentials across IT and OT will face increasing regulatory scrutiny and potential fines, as frameworks like NIST SP 800-82 and ISA/IEC 62443 increasingly mandate identity segmentation.

  • +1 The market for OT-specific identity and access management (IAM) solutions will grow exponentially, with platforms that provide real-time visibility and enforcement across converged environments becoming standard.

  • -1 High-profile OT breaches caused by credential reuse will become more frequent and more damaging, as attackers increasingly target industrial sectors with ransomware and sabotage campaigns.

  • +1 Security awareness training will evolve to include OT-specific scenarios, teaching employees that a password used for email is also a password that could shut down a power plant.

  • -1 The complexity of managing separate credentials will lead to “shadow IT” practices—users writing down passwords or using unsafe workarounds—unless organizations provide user-friendly password managers and streamlined access workflows.

  • +1 NIST’s shift away from mandatory password rotation will benefit OT environments, reducing operational overhead while encouraging longer, more complex passphrases that are less susceptible to brute-force attacks.

Related Video:

https://www.youtube.com/watch?v=1F-3_wp30Qg

IT/Security Reporter URL:

Reported By: Mikeholcomb It – Hackers Feeds