Beachheads and Safe Havens: How Threat Actors Gain Access and Maintain Control

How focusing on three key building blocks can help improve OT security.

Carlos Buenano
May 8, 2025
Industrial Cyber

Cyberattacks pose a significant threat to critical infrastructure. Common vulnerabilities and exposures (CVEs) in the manufacturing sector have been widely exploited and will continue to impact organizations in 2025 and beyond. Initial access, privilege escalation and persistence can all make use of legitimate system tools and processes, essentially enabling threat actors to hide in plain sight. 

The complexity of manufacturing environments makes securing these systems difficult. OT environments and industrial IoT devices tend to increase the attack surface while lacking the native capabilities needed to monitor and protect them. Ransomware and advanced persistent threats (APTs) have also increased in sophistication to target these vulnerable assets. 

According to recent research from Armis, 85 percent of global IT leaders confirm that offensive techniques regularly bypass their security tools. Unfortunately, if organizations are experiencing challenges with their cybersecurity, then they are likely facing similar challenges with their compliance programs. 

A more proactive approach to cybersecurity and compliance requires understanding the complexity of the attack surface and taking action. AI-enabled solutions can leverage behavioral analysis to detect unauthorized access and the suspicious use of legitimate tools, enabling organizations to shine a light on these beachheads and safe havens. 

Initial Access: The Path of Least Resistance 

Threat actors know that a chain is only as strong as its weakest link, so they tend to capitalize on zero-day exploits of previously unknown vulnerabilities to bypass defenses. If these devices are connected to the internet, bad actors may even be able to identify them for opportunistic attacks. 

In fact, many APTs specifically seek out networking devices, such as firewalls and routers to target their vulnerabilities. For example, CVE-2024-12856 is a vulnerability in Four-Faith industrial routers that enables attackers to execute OS commands. It is estimated that one in 10 manufacturing companies are exposed to this vulnerability, with approximately 15,000 internet-facing devices at risk. 

Supply chain vulnerabilities also present a major risk for organizations. CVE-2023-21554, for instance, is a vulnerability in Microsoft Messaging Queuing services that affects Mitsubishi Electric’s industrial equipment. It is estimated that more than half of organizations remain vulnerable to this CVE. 

Persistent Threats: A Pesky Problem 

Once threat actors establish a beachhead, they shift focus to maintaining control, most frequently by targeting legacy devices and system misconfigurations and leveraging living-off-the-land (LOTL) techniques. Lateral movement is the ability of threat actors to move across the network toward their goal. Privilege escalation can be accomplished by gaining administrative access to compromised systems. Persistence enables cybercriminals to maintain access even after system updates, reboots or password changes. 

LOTL techniques use legitimate admin tools to evade detection. For example, PowerShell and command-line execution enables threat actors to execute malicious commands without installing malware. All of these risks are much more challenging in OT environments since these devices are usually harder to monitor and patch. Standards-based compliance often requires organizations to address many of these fundamental risks.

Organizations must shift cybersecurity and compliance to a more proactive approach that prevents and detects initial access, privilege escalation and persistence to minimize the impact of a breach. And although there may be a map to guide this approach, this is a journey, not a destination. 

There are a series of fundamentals that build upon one another like bricks in a fort.

  • Visibility is the first of these fundamentals – both the ability to discover all enterprise assets as well as their device state, such as if they are running vulnerable software.
  • Context enables organizations to prioritize fixing their biggest risks first and continuously monitoring them enables organizations to detect indicators of compromise. AI-enabled solutions can bolster this behavioral analysis to detect suspicious use of legitimate enterprise resources.
  • Automation and orchestration can enforce response actions, such as isolating at-risk devices or requiring multi-factor authentication. Likewise, extending comprehensive visibility and continuous monitoring to compliance enables organizations to assess their gaps, implement compensating controls and ensure that new devices don’t create new risks. 

It should be noted that managing the complexity of IT and OT environments may also need to extend to the supply chain and cloud computing environments. Organizations should be careful not to overlook these assets and third-party risks. 

Don’t Wave the White Flag 

Armis research revealed that 81 percent of IT leaders say moving to a proactive cybersecurity posture is a top goal for their organization in the year ahead, yet 58 percent of organizations admit that they currently only respond to threats as they occur, or after the damage has already been done. 

It should be a critical concern that threat actors are targeting legacy devices since so many of these devices go undiscovered and unmanaged. The difficulty in detecting the malicious use of legitimate system processes also cannot be ignored. 

Adopting a proactive approach to cybersecurity and compliance is required to prevent and detect these threats before a data breach and to respond to them in real time. Organizations have become aware of these needs and need to act on their intentions.

Latest in Cybersecurity
Today in Manufacturing Podcast
Sponsored
Today in Manufacturing Podcast
May 1, 2025
Phishing Tadamichi
The Top 4 Developments in Phishing Schemes
May 22, 2025
Encryption
Should Manufacturers Focus on Cybersecurity or Cyber Resilience?
May 22, 2025
Cybersecurity In A Bubble
Why Industrial Edge Cybersecurity Demands a Fresh Approach
May 22, 2025
Related Stories
General Cyberattack
Cybersecurity
Scenario-Based OT Solution Preps Industrial Teams
Phishing Tadamichi
Cybersecurity
The Top 4 Developments in Phishing Schemes
Encryption
Cybersecurity
Should Manufacturers Focus on Cybersecurity or Cyber Resilience?
Security Breach Podcast
Sponsor Content
Security Breach Podcast
More in Cybersecurity
Today in Manufacturing Podcast
Sponsored
Today in Manufacturing Podcast
Today in Manufacturing has a new podcast brought to you by the editors of Industrial Media. In each episode, we discuss the five biggest stories in manufacturing, and the implications they have on the industry moving forward.
May 1, 2025
Phishing Tadamichi
Cybersecurity
The Top 4 Developments in Phishing Schemes
The bad guys continue to evolve.
May 22, 2025
Encryption
Cybersecurity
Should Manufacturers Focus on Cybersecurity or Cyber Resilience?
One could be essential for the future of manufacturing.
May 22, 2025
Cybersecurity In A Bubble
Cybersecurity
Why Industrial Edge Cybersecurity Demands a Fresh Approach
Vulnerabilities persist because cybersecurity is an afterthought, rather than embedded from the ground up.
May 22, 2025
Coding
Cybersecurity
Shoring Up Digital Trust in Manufacturing: From DMARC Awareness to Full Protection
While most have this email guidance in place, the actual protection rate is significantly lower.
May 22, 2025
Us Binary Flag Mirsad Sarajlic
Cybersecurity
CISA Warns of New Threats Targeting U.S. Industrial Sector
Bad actors include a highly volatile infostealer, and cyber espionage schemes targeting support for Ukraine.
May 22, 2025
A bus passes a branch of Marks and Spencer in London, Tuesday, Aug. 18, 2020.
Cybersecurity
Retailer Says Cyberattack Will Cost $400 Million
And disruptions are ongoing.
May 22, 2025
Smishing Attack Fran Rodriguez
Cybersecurity
Cybercriminals Are Having More Success with Low-Tech, Human-Centric Attacks
The manufacturing sector remains the most targeted sector in the email threat landscape.
May 15, 2025
Hacking Alarm
Cybersecurity
The Pros and Cons of Implementing a Bug Bounty Program
While not new, the approach is gaining traction.
May 15, 2025
Soc
Cybersecurity
Building a Cybersecurity-First Culture in U.S. Manufacturing
Nation-state threats and AI tools have made it vital to embed cybersecurity into workplace culture.
May 15, 2025
Ep134
Cybersecurity
Security Breach: Dark AI, Hacker Evolutions Speeding Vulnerability Exploitation
Deeper dives into OT priorities will be key to making breaches more difficult.
May 15, 2025
Protection Background Technology Security 524882074 701x502 (1)
Cybersecurity
Navigating Manufacturing’s Third-Party Access Risk
Ways to manage external access while reducing exposure to possible breaches.
May 15, 2025
Protection Background Technology Security 524882074 701x502 (1)
Cybersecurity
MCP Server Could Revolutionize API Security
The tool allows for interacting with APIs using natural language.
May 8, 2025
General Cyberattack
Cybersecurity
Huntress Debuts Managed SIEM to Simplify Cybersecurity
The platform offers compliance support, investigation, detection, response and threat hunting.
May 8, 2025
Ai Safety Image
Oracle
AI in Manufacturing: Balancing Benefits, Risks, Security and Compliance
Hasty implementations of AI will create regulatory penalties, cyberattacks and operational disruption.
May 8, 2025