How LockBit Penetrates ICS/OT Networks: An Anatomy
The Colonial Pipeline attack in 2021 cost $4.4M in ransom and shut down fuel supply to the US East Coast for six days. The compromise vector: a legacy VPN account with no MFA. The attackers never touched OT systems; they did not need to. The company shut down operations proactively out of fear.
This is the new reality of industrial ransomware. The attack does not need to compromise your PLC to be devastating.
The IT/OT Convergence Problem
For decades, operational technology (OT) networks were air-gapped, physically isolated from corporate IT. The assumption was: if an attacker cannot reach the network, the network is safe.
That assumption collapsed with Industry 4.0. Today, most industrial environments have:
- Remote monitoring connections for vendor maintenance
- Historian servers that bridge IT and OT for production data
- Engineering workstations with both IT and OT network access
- ERP/SCADA integrations for production scheduling
Each of these is a bridge. Every bridge is a potential attack path.
The LockBit Attack Chain (Generalised)
Based on public incident reports and CISA advisories, the typical industrial ransomware chain looks like this:
Stage 1: Initial Access
- Phishing email to IT staff (most common)
- Exploitation of internet-exposed RDP or VPN (especially legacy versions without MFA)
- Compromise of an MSP with access to the target environment
- Supply chain: a malicious update to software the organisation trusts
Stage 2: IT Network Persistence and Lateral Movement
- Credential harvesting via Mimikatz or similar tools
- Abuse of Active Directory: service accounts with excessive privileges are the most valuable target
- Disabling EDR/AV where possible, or operating in ways that avoid triggering it
Stage 3: IT/OT Boundary Crossing
This is where the Purdue model matters. In organisations with proper segmentation, Stage 3 is where the attack should stop. In most, it does not, because:
- The historian server (DMZ Level 3.5) has bidirectional trust with both IT and OT
- Engineering workstations are domain-joined and also connected to the OT network
- Jump servers between zones have weak authentication
Stage 4: OT Impact
In severe incidents, the attacker:
- Deploys ransomware on historian and HMI servers (disrupts visibility)
- Encrypts engineering workstations (disrupts ability to push config changes)
- May target the OT network directly if they have credentials from Stage 3
In most industrial ransomware incidents, the OT network itself is not directly encrypted. The disruption comes from the loss of IT systems that OT depends on.
What Actually Stops This
The controls that would have broken the chain at each stage are not exotic:
Stage 1: MFA on all external access (VPN, remote desktop, email). Phishing-resistant where possible (hardware keys for privileged accounts).
Stage 2: Privileged Access Workstations for AD administration. Service account hygiene: no service accounts in Domain Admins. EDR on all endpoints with behaviour-based detection, not just signatures.
Stage 3 (this is the critical one): Proper Purdue model implementation with:
- Unidirectional gateways or strict firewall rules between IT DMZ and OT network
- No domain-joined systems in OT
- Jump server with MFA and session recording for any IT-OT access
- OT-specific anomaly detection (Claroty, Dragos, Nozomi, or open-source alternatives)
Stage 4: OT backups stored offline and tested. Documented recovery procedures that do not depend on IT systems.
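As an added example (not code from the original article), here is a small Python audit that applies the Stage 3 boundary policy above to firewall flow logs: only the DMZ jump server may open interactive sessions into OT, and the historian may receive OT data but never initiate connections into OT. The zone subnets, the jump-server and historian addresses, and the log line format are all constructed for the example.

```python
import ipaddress
import re
# Constructed Purdue zone map for this example; substitute the real address plan.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),  # Level 4/5 corporate IT
    "dmz": ipaddress.ip_network("10.1.0.0/24"),  # Level 3.5 IT/OT DMZ
    "ot": ipaddress.ip_network("192.168.10.0/24"),  # Level 0-3 control network
}
JUMP_SERVER = "10.1.0.20"  # assumed MFA jump host in the DMZ (hypothetical address)
HISTORIAN = "10.1.0.10"  # assumed historian in the DMZ (hypothetical address)
INTERACTIVE_PORTS = {22, 3389}  # SSH and RDP: the only sanctioned jump-server services
# Constructed firewall log format: key=value pairs, one flow per line.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=\w+ action=(\w+)")

def zone_of(ip):
    # Map an address to its Purdue zone name, or "unknown" if unmapped.
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def check_flow(src, dst, dport):
    """Return a finding if an allowed flow into OT breaks the boundary policy, else None."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if dst_zone != "ot" or src_zone == "ot":
        return None  # only traffic entering OT from outside is policed here
    if src == JUMP_SERVER and dport in INTERACTIVE_PORTS:
        return None  # the one sanctioned interactive IT-to-OT path
    if src == HISTORIAN:
        return f"historian {src} opened {dport} to OT host {dst}: historian must only receive OT data"
    if src_zone == "enterprise":
        return f"enterprise host {src} reached OT host {dst} on {dport}: DMZ bypass"
    return f"{src_zone} host {src} reached OT host {dst} on {dport}: not a sanctioned jump-server session"

def audit_flows(lines):
    # Run every allowed flow through check_flow; denied flows were already stopped.
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group(4) != "allow":
            continue
        finding = check_flow(m.group(1), m.group(2), int(m.group(3)))
        if finding:
            findings.append(finding)
    return findings
# Constructed sample log: jump-server RDP (ok), historian pulling from OT (ok),
# historian pushing into OT (violation), direct enterprise-to-OT RDP (violation).
SAMPLE_LOG = [
    "src=10.1.0.20 dst=192.168.10.5 dport=3389 proto=tcp action=allow",
    "src=192.168.10.5 dst=10.1.0.10 dport=1433 proto=tcp action=allow",
    "src=10.1.0.10 dst=192.168.10.7 dport=445 proto=tcp action=allow",
    "src=10.0.5.21 dst=192.168.10.5 dport=3389 proto=tcp action=allow",
]
```

Running `audit_flows(SAMPLE_LOG)` returns two findings: the historian initiating SMB into OT (the bidirectional-trust problem) and the enterprise host reaching OT directly (the DMZ bypass).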
The Uncomfortable Truth About OT Security Budgets
Most industrial organisations spend their security budget on IT. OT is treated as an afterthought, until it is not.
The security economics are straightforward: a 24-hour production stoppage in a mid-size manufacturing facility can cost €100-500K. A proper OT security assessment and basic segmentation project costs a fraction of that. The ROI is not a theoretical exercise.
The challenge is not budget; it is getting OT and IT to agree on a shared risk model. That is where most industrial security projects stall.
If you operate in a critical sector and have not mapped your IT/OT boundaries, that is the right starting point.