Your Maintenance Window Is an Open Invitation to Attackers

The contractor arrived with a USB drive and a work order. Standard stuff: a firmware update for the plant's control system, scheduled during the quarterly maintenance window. He plugged in, ran his update, packed up and left. Three weeks later, the facility was still trying to restart production.

When a change window opens, something predictable happens to your security posture: it contracts. Monitoring tools get powered down or tuned to suppress the flood of legitimate reconfiguration traffic. Firewall rules get temporarily relaxed so vendors can connect. Safety Instrumented Systems (SIS) get taken offline for servicing. Break-glass credentials come out.

According to a 2025 analysis by ShieldWorkz, this creates what practitioners call a "security fog"—a period where monitoring is blinded by legitimate activity and malicious actions can be initiated without triggering alarms. ShieldWorkz describes the correct posture as a "surgical theater" mindset, a principle aligned with IEC 62443, which calls for heightened security governance and controls throughout the maintenance lifecycle. Most organizations don't come close to that standard.

Three components converge: increased human intervention, relaxed operational controls and temporary bypass of standard defenses. Any one of these creates risk. All three simultaneously, on a scheduled and predictable timeline, create something worse: an invitation. Pen tests conducted outside these windows never see this configuration, which means the security controls your last assessment validated may look nothing like what exists during a maintenance event.

One uncomfortable truth about change windows: they are highly visible to patient adversaries.

Public utilities publish planned outage windows on customer-facing websites. Regulatory bodies require maintenance reporting. LinkedIn profiles map exactly which engineers and contractors handle which systems. Tools like Shodan can passively query more than 100,000 internet-connected industrial devices, gathering device banners, operating systems and facility identifiers without ever touching a target system.

Sophisticated actors don't need to guess when your defenses drop. Mandiant's M-Trends 2025 report found the global median dwell time rose to 11 days, but in cases where external parties discovered the breach, that median extended to 26 days. During that period, attackers learn your operational rhythms from the inside. VOLTZITE demonstrated this at U.S. electric and water utilities in 2025, mapping engineering workstations and process shutdown conditions for months before acting.

The TRITON/TRISIS attack on a Saudi petrochemical refinery in 2017 is the clearest example of change window exploitation. Attackers leveraged the fact that SIS controllers must connect to engineering workstations during maintenance and programming activities. That temporary connectivity—required by the engineering process itself—was the attack path. The malware targeted the facility's last line of automated defense against catastrophic accidents and attempted to disable it.

Stuxnet followed the same logic a decade earlier, entering the air-gapped Natanz nuclear facility through maintenance contractor USB drives. The air gap was only bridged during maintenance visits. That was enough.

Dragos' 2026 OT cybersecurity report documented 42-day average dwell times for ransomware in OT environments—significantly longer than the enterprise-wide average. Attackers arrive during a change window when access is expanded and monitoring is reduced, establish persistence and wait. The disruption comes later, at a time of their choosing.

Claroty Chief Strategy Officer Grant Geyer described the pattern in February 2025: "There's some emergency. There's a maintenance issue or production is down, and they need to connect their automation OEM to do troubleshooting or firmware upgrade. And so they will download TeamViewer or some other off-the-shelf remote access tool and implement it quickly, without multifactor authentication in place, so it's an open channel out to the Internet." That open channel, created under operational pressure, is the shadow current that wasn't there the day before.

Vendor access provisioned for a maintenance window frequently outlasts it. A March 2026 analysis found 42% of manufacturing companies reported a vendor-access breach in 2025, and 46% called remote access their weakest security link.

Break-glass accounts compound the issue. These emergency override credentials bypass MFA by design. Organizations routinely fail to rotate them after maintenance events "due to manual labor, lapses in policy, or other business excuses," according to the Identity Defined Security Alliance. An account with credentials unchanged since the last maintenance window is not an emergency access tool. It's a standing invitation.

Credential shadow currents persist long after maintenance teams have left. And the third-party access provisioned for vendor visits is often the least-governed channel in the environment, making change windows the point where credential risk and third-party risk converge.

Change windows can't be eliminated—operations require them. The question is whether you treat each one as a security event, not just an operational one.

Post-maintenance threat hunting is a starting point: scan workstations for anomalous services, hunt PLCs for persistence indicators and increase detection sensitivity for Modbus, DNP3 and PROFINET anomalies after work concludes.

Just-in-time (JIT) access for vendors addresses the persistence problem directly. Access that expires when the work order closes doesn't become a permanent backdoor. Gartner projects organizations applying least privilege approaches to remote privileged access management will reduce their risk exposure by more than 50% by 2026.

Taking "golden image" backups of PLCs, SCADA servers and engineering workstations before maintenance starts gives you a verified baseline to compare against afterward. This matters especially for legacy systems, which often can't be patched between maintenance cycles and represent the highest-value targets when a window opens.

Change windows create express channels: temporary paths with reduced friction, expanded access and limited visibility. Attackers don't need the full window to achieve their objective. They often just need to deploy a backdoor and wait.

The 42-day dwell time tells you what "later" means. Entry happens during the window. The damage happens when operations are running and your team least expects it. Some shadow current paths opened during maintenance never fully close.

But there's a root cause beneath all of the gaps this series has explored: compliance audits, pen test scope, change window blind spots—they all share the same origin. Your organizational structure creates the very silos that shadow currents exploit: the gaps between IT and OT teams, security and operations, corporate and plant.