Executive Summary

Doppel reports that attacks against manufacturing are shifting away from software exploitation toward identity abuse, driven by leaked credentials and voice phishing (vishing) aimed at help desks and operators. The physical criticality is direct: a valid identity reaching an engineering workstation, historian, or remote access gateway does not need a CVE to send setpoints, modify logic, or halt a line, and it leaves none of the exploit artifacts that detection tooling expects.

Technical Exposure Breakdown

The vulnerable component here is not a PLC firmware build or a vendor library. It is the trust relationship between an operator identity and the systems that identity is permitted to touch. Manufacturing environments accumulate this exposure faster than most sectors because of how they are operated.

First, credential reuse is endemic. Shared service accounts run on SCADA servers, vendor maintenance accounts persist for years, and domain credentials from corporate IT cross into the OT domain through jump hosts and flat trust zones. When those credentials leak through infostealer logs or third party breaches, the attacker inherits whatever that account can reach. We have catalogued the downstream effect of this across 175,000+ OT products: the same human and machine identities frequently span both the enterprise and the plant.

Second, vishing targets the people who hold the override authority. Help desk staff reset MFA enrollments. Shift supervisors approve emergency remote access for a contractor who is not actually a contractor. The attack vector is a phone call and a plausible pretext, not a packet. This sidesteps the entire premise of network-layer exploit detection.

The conditions that make this work in OT are structural. Remote access into plants expanded permanently after 2020 and was never fully re-architected. Many sites still terminate VPN or RDP sessions directly onto engineering subnets. MFA coverage on OT-adjacent systems is incomplete because legacy HMIs and historians do not support modern authentication, so exceptions become permanent.

OT Impact and Compliance Risk

What breaks physically depends on what the stolen identity controls. An identity with write access to a controller can change ladder logic, alarm thresholds, or safety interlock parameters. An identity on a historian can corrupt the record operators rely on to trust their own process state. An identity on a remote access gateway becomes a persistent foothold that survives credential rotations elsewhere.

For compliance, this lands squarely on access control requirements. NERC CIP-004 and CIP-005 govern personnel access and electronic security perimeters, and a leaked credential that crosses the perimeter is a reportable access control failure, not a patch gap. IEC 62443-3-3 system requirements SR 1.1 through SR 1.9 address identification, authentication, and account management directly, and shared or non-expiring accounts violate them by design. For pipeline operators, TSA SD-02C mandates access control measures and segmentation that vishing-driven help desk compromise can quietly undercut. Water utilities under AWIA 2018 face the same identity exposure with thinner staffing to absorb it.

Compensating Controls

The vendor patch is not the answer here because there is no exploited software defect to patch. The control surface is identity and access topology.

Identity-driven intrusion is harder to detect than exploitation because the access is legitimate. Detection has to move from signatures to behavior: which identity, reaching which system, doing what, at what time.

BreachSpider Intel

BreachSpider tracks credential exposure and identity-driven intrusion patterns against the 25,000+ ICS CVEs and 175,000+ OT products in our dataset, so you can monitor the access paths into your plant before someone else uses them.