Executive Summary
Doppel reports that attacks against manufacturing are shifting away from software exploitation toward identity abuse, driven by leaked credentials and voice phishing (vishing) aimed at help desks and operators. The physical criticality is direct: a valid identity reaching an engineering workstation, historian, or remote access gateway does not need a CVE to send setpoints, modify logic, or halt a line, and it leaves none of the exploit artifacts that detection tooling expects.
Technical Exposure Breakdown
The vulnerable component here is not a PLC firmware build or a vendor library. It is the trust relationship between an operator identity and the systems that identity is permitted to touch. Manufacturing environments accumulate this exposure faster than most sectors because of how they are operated.
First, credential reuse is endemic. Shared service accounts run on SCADA servers, vendor maintenance accounts persist for years, and domain credentials from corporate IT cross into the OT domain through jump hosts and flat trust zones. When those credentials leak through infostealer logs or third party breaches, the attacker inherits whatever that account can reach. We have catalogued the downstream effect of this across 175,000+ OT products: the same human and machine identities frequently span both the enterprise and the plant.
Second, vishing targets the people who hold the override authority. Help desk staff reset MFA enrollments. Shift supervisors approve emergency remote access for a contractor who is not actually a contractor. The attack vector is a phone call and a plausible pretext, not a packet. This sidesteps the entire premise of network-layer exploit detection.
The conditions that make this work in OT are structural. Remote access into plants expanded permanently after 2020 and was never fully re-architected. Many sites still terminate VPN or RDP sessions directly onto engineering subnets. MFA coverage on OT-adjacent systems is incomplete because legacy HMIs and historians do not support modern authentication, so exceptions become permanent.
OT Impact and Compliance Risk
What breaks physically depends on what the stolen identity controls. An identity with write access to a controller can change ladder logic, alarm thresholds, or safety interlock parameters. An identity on a historian can corrupt the record operators rely on to trust their own process state. An identity on a remote access gateway becomes a persistent foothold that survives credential rotations elsewhere.
For compliance, this lands squarely on access control requirements. NERC CIP-004 and CIP-005 govern personnel access and electronic security perimeters, and a leaked credential that crosses the perimeter is a reportable access control failure, not a patch gap. IEC 62443-3-3 system requirements SR 1.1 through SR 1.9 address identification, authentication, and account management directly, and shared or non-expiring accounts violate them by design. For pipeline operators, TSA SD-02C mandates access control measures and segmentation that vishing-driven help desk compromise can quietly undercut. Water utilities under AWIA 2018 face the same identity exposure with thinner staffing to absorb it.
Compensating Controls
The vendor patch is not the answer here because there is no exploited software defect to patch. The control surface is identity and access topology.
- Enforce phishing-resistant MFA on every remote access path into OT, prioritizing the gateway over the endpoint. Where legacy systems cannot support it, place the MFA enforcement at the jump host they sit behind.
- Eliminate shared and non-expiring accounts on SCADA servers, historians, and engineering workstations. Move to per-individual identities with session logging so a vishing-driven access grant is attributable.
- Re-segment remote access termination so no external session lands directly on an engineering subnet. Force traffic through a brokered, monitored, and recorded jump host.
- Deploy a virtual patch posture at the network boundary. A Suricata rule concept worth implementing: alert on RDP or VPN-originated traffic reaching controller programming ports such as those used by S7comm, EtherNet/IP, or Modbus when the source falls outside an approved engineering allowlist. This catches the post-authentication lateral movement that identity theft enables, which is the only network-visible stage of an otherwise quiet intrusion. Do not active-scan to verify exposure, because active probing of industrial components can brick them.
- Harden the help desk process. Require out-of-band verification before any MFA reset or emergency OT access grant. The human authorization step is the actual attack surface.
Identity-driven intrusion is harder to detect than exploitation because the access is legitimate. Detection has to move from signatures to behavior: which identity, reaching which system, doing what, at what time.
BreachSpider Intel
BreachSpider tracks credential exposure and identity-driven intrusion patterns against the 25,000+ ICS CVEs and 175,000+ OT products in our dataset, so you can monitor the access paths into your plant before someone else uses them.