The IT→OT Attack Path Everyone Has and Almost No One Tests

This wasn't an anomaly. According to Dragos' 2024 OT Cybersecurity Report, approximately 70% of OT-related incidents originated from within the IT environment. Yet when organizations assess their industrial cybersecurity posture, they focus on OT vulnerabilities while the real shadow current flows unmonitored at the IT-OT boundary.

IT-OT integration isn't coming. It's here. Zero Networks projects that 70% of OT systems will connect to IT networks within the next year, and the IT-OT convergence market is racing toward $133.7 billion by 2030, growing at 20.83% annually. 52% of organizations now have CISOs responsible for OT security, up from just 16% in 2022, with 80% planning to consolidate OT security under the CISO within the next year, recognizing that these environments can no longer operate in isolation.

This convergence delivers genuine benefits: remote monitoring, predictive maintenance, real-time analytics. But it also creates something else: a highway from your enterprise network straight into production systems. And most organizations have no idea what's traveling that highway.

In previous blogs, we introduced shadow currents as the unauthorized paths electricity takes through your facility, and revealed that most organizations can't even map their attack paths. Now let's identify the specific shadow current almost everyone has but ignores: the IT-OT boundary.

According to the SANS Institute and Opswat, 58% of respondents identified IT compromises as the leading initial attack vector for ICS and OT incidents. The math is straightforward. Most attacks start in IT. Most industrial environments connect IT to OT. Yet 81% of organizations allocate less than 50% of their security budget to OT.

That's the paradox. Gartner reports global cybersecurity spending will hit $213 billion in 2025, but organizations pour resources into IT perimeter defenses while the IT-OT boundary gets a fraction of the attention and even less visibility.

Attackers achieve lateral movement in an average of 48 minutes, according to ReliaQuest's 2025 Annual Threat Report. Security teams take an average of 204 days to identify and contain a breach, according to IBM's Cost of a Data Breach Report. In some enterprise networks, Elisity analysis shows average detection time stretches to 95 days.

But detection assumes visibility. Here's the reality: complete OT visibility remains rare, down from just 13% of organizations in 2022. Visibility isn't improving as threats increase. It's deteriorating.

Consider what visibility gaps mean at the IT-OT boundary. You can't detect what you can't see. You can't secure what you don't monitor. And according to SANS research, 64% of organizations lack comprehensive monitoring capabilities for their OT environments. That's not a security posture. That's an open invitation.

Organizational structure explains much of this blind spot. OT typically reports to the COO, focusing on reliability and uptime. IT reports to the CIO, prioritizing confidentiality and access control. Two separate teams, each securing half the network, often with minimal coordination at the seam where they meet.

The result: Two security teams each protecting half of total network. The boundary between them becomes no one's complete responsibility.

Technical challenges compound the organizational silos. You can't patch OT systems the same way you patch IT. The average OT patch time exceeds 180 days, compared to IT's average patch time of 30-60 days. You can't stop a production line for security updates the way you restart a server. And legacy OT equipment often lacks the instrumentation needed for modern security monitoring.

So the IT-OT boundary becomes the path of least resistance: connected enough to enable business value but monitored poorly enough to enable attacker movement.

Manufacturing feels this acutely. The sector has ranked as the top ransomware target for four consecutive years, accounting for 22-26% of all attacks. In Q2 2025 alone, 65% of OT-related ransomware incidents hit manufacturing environments.

The financial impact extends far beyond ransom payments. MKS Instruments reported losses exceeding $200 million. Clorox's total losses reached $356 million. Nucor halted production in 2025. These aren't just IT incidents with OT consequences. They're successful attacks that traveled the IT→OT path organizations failed to secure.

Colonial Pipeline demonstrated how a single compromised credential becomes the vehicle for attack. But credentials are just one mechanism. Data historians, sitting at the IT-OT boundary (Purdue Level 3), served as the initial access vector in 10% of OT incidents. Remote access solutions, vendor connections, engineering workstations: each represents another potential pathway.

According to IDC research, nearly 70% of successful breaches involve lateral movement techniques, which MITRE ATT&CK documents as a critical tactic used by adversaries. In industrial environments, that lateral movement crosses from IT into OT through every connection point organizations create for operational efficiency.

The question isn't whether your organization has this shadow current. The statistics make clear that if you've integrated IT and OT, you have it. The question is whether you know where it flows, what protections exist at each crossing point and how quickly you'd detect movement along it.

Compliance frameworks validate that controls exist. They don't verify that those controls would stop a determined attacker who's already inside your IT network. They can't test whether your segmentation would hold, whether your monitoring would catch lateral movement or whether your incident response would work when production systems are at stake.

By 2027, Gartner predicts 75% of security teams will have onboarded at least five tools to manage cyber-physical systems security. That's recognition of OT security's complexity, but it's also an admission: most organizations currently lack adequate tooling for the environments they're trying to protect.

You've passed audits. Your compliance documentation looks good. But have you tested what happens when someone gets VPN access? Have you mapped how far a compromised credential could travel? Have you verified whether lateral movement from IT into OT would trigger alerts before damage occurs?

The shadow current at your IT-OT boundary exists. The only questions are whether you've mapped it, whether you've measured it and whether you can control it.

In our next blog, we'll explore what carries this shadow current from IT into OT: credentials. Those invisible flows of trust and authentication that make operations possible also make attack paths inevitable.