In this second part of the blog series, we dive into the critical boundary where attacks on industrial environments most often begin. The harsh truth is that a modern attacker no longer climbs over the factory fence—they walk in through an email in the office network.
As a reminder: in the first part of this blog series we explored the fundamental differences between IT and OT security, and noted that although the two networks are converging, they still need different playbooks because their priorities differ.
When the “Air Gap” Disappeared, IT Became a Critical Protective Layer for OT
Historically, OT networks were protected by physical isolation, an "air gap." Digitalization has closed that gap: data flows from production systems to ERP platforms, and remote access is commonplace. Work also no longer happens only in offices; IT systems must be reachable by remote workers, field technicians, and partners. This means a vulnerability in the IT network or on an endpoint is a direct threat to production continuity.
Norsk Hydro: When a Single Email Halted Global Production
The 2019 attack on the aluminum giant Norsk Hydro is a textbook example of how fragile the boundary between the IT and OT worlds can be. It started with a single malicious email opened in the IT network.
Why did an office-side incident reach the factory floor?
Although the LockerGoga ransomware used in the attack was never designed to attack programmable logic controllers (PLCs), it still paralyzed production, for three reasons that are typical of modern industrial operations:
Exploitation of Active Directory: The attackers gained control of the organization's centralized identity management system (Active Directory). From there they pushed the malware automatically to thousands of machines worldwide, including the Windows machines that operate and monitor production.
Lateral Movement: Network segmentation was inadequate. Once inside, the attacker could move freely toward the servers that fed production recipes, work instructions, and operational data to the production lines.
Hidden Dependencies: A modern OT environment is not an island. It relies on IT services to function:
ERP: The factory cannot know what to produce if order data does not flow.
Quality control: If measurement data cannot be stored in a central database, the process must be stopped for safety reasons.
Remote access: Maintenance and support depend on IT infrastructure.
The bottom line: Even though motors and pumps were functioning, they were like muscles receiving no signals from the brain. Without control data and visibility from the IT network, Norsk Hydro had to shift some plants to manual mode and shut down others entirely. The company estimated the total cost of the attack at around 800 million NOK (approximately 70–80 million euros), mainly due to lost profit margins and reduced production volumes.
Strategy: Zero Trust and Least Privilege
To avoid scenarios that threaten or halt production, organizations must adopt two core principles that raise the security of the whole IT environment:
Least Privilege: This applies not only to OT access but to the entire IT infrastructure.
Minimizing privileges: A sales manager does not need access to the server room, and IT administrators should not use admin accounts to read email. Administrators should have a separate privileged account that is never used for email, browsing, or ordinary workstation logons, so that a compromised workstation does not hand over domain-admin credentials.
PAM (Privileged Access Management): Critical permissions are granted only when necessary, for a limited time, with approval, and with every session logged. If an attacker compromises a regular user account they should hit a dead end: the account holds no standing access to critical systems, and elevation cannot be self-granted.
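How do you find out whether the "separate admin account" rule is actually followed? The audit below is an added example, not code from the blog or from Norsk Hydro: it parses a constructed, simplified rendering of Windows logon events (Event ID 4624) and flags privileged accounts that log on outside tier 0 (domain controllers and the PAM jump host) or are used against the mail server. The `adm-` prefix, the host names, and the log format are assumptions made for the example.

```python
"""Added example (not from the blog): audit constructed Windows logon events
for privileged accounts used outside their tier.

Assumptions: privileged accounts carry an 'adm-' prefix, tier-0 hosts are
listed in TIER0_HOSTS, and the log lines below are a constructed, simplified
rendering of Event ID 4624, not real data from any incident.
"""
import re

# Constructed sample: LogonType 2 = interactive, 10 = RDP, 3 = network.
SAMPLE_EVENTS = """\
2019-03-18 06:02:11 4624 LogonType=2  Account=adm-jsmith Host=DC01
2019-03-18 06:05:40 4624 LogonType=10 Account=adm-jsmith Host=WKS-SALES-17
2019-03-18 06:06:15 4624 LogonType=3  Account=adm-jsmith Host=EXCH01
2019-03-18 07:10:02 4624 LogonType=2  Account=jsmith     Host=WKS-IT-03
2019-03-18 08:00:00 4624 LogonType=2  Account=adm-mlee   Host=PAM-JUMP01
2019-03-18 08:30:12 4624 LogonType=10 Account=mlee       Host=ERP-APP01
this line is deliberately malformed and must be ignored
"""

PRIV_PREFIX = "adm-"
TIER0_HOSTS = {"DC01", "DC02", "PAM-JUMP01"}   # domain controllers, PAM jump host
MAIL_HOSTS = {"EXCH01"}                         # where "admin reads email" shows up

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) 4624 "
    r"LogonType=(?P<ltype>\d+)\s+Account=(?P<acct>\S+)\s+Host=(?P<host>\S+)$"
)


def parse_events(text):
    """Parse the simplified 4624 lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ltype"] = int(ev["ltype"])
            events.append(ev)
    return events


def is_privileged(account):
    return account.startswith(PRIV_PREFIX)


def find_tier_violations(events):
    """Privileged logons outside tier 0, as (account, host, reason) tuples.

    An interactive or RDP logon leaves reusable credential material on the
    host; a logon to the mail server means the admin account is being used
    for day-to-day work. Both break the least-privilege rule described above.
    """
    violations = []
    for ev in events:
        if not is_privileged(ev["acct"]) or ev["host"] in TIER0_HOSTS:
            continue
        if ev["host"] in MAIL_HOSTS:
            reason = "admin account used for email"
        else:
            reason = "admin credential exposed on non-tier-0 host"
        violations.append((ev["acct"], ev["host"], reason))
    return violations


def exposed_credentials(events):
    """Map each non-tier-0 host to the privileged accounts whose credentials an
    attacker on that host could harvest (interactive and RDP logons only)."""
    exposure = {}
    for ev in events:
        if (is_privileged(ev["acct"]) and ev["host"] not in TIER0_HOSTS
                and ev["ltype"] in (2, 10)):
            exposure.setdefault(ev["host"], set()).add(ev["acct"])
    return exposure


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for acct, host, why in find_tier_violations(evs):
        print(f"VIOLATION {acct} on {host}: {why}")
    print("credential exposure by host:", exposed_credentials(evs))
```

On the constructed sample the audit reports `adm-jsmith` twice: once for an RDP logon to a sales workstation, where the credential now sits in memory for anyone who owns that workstation, and once for using the admin account against Exchange. In a real environment the same check would run over the security log forwarded from domain controllers and member servers, and the tier-0 host list would come from the AD tiering model rather than a hard-coded set.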
Zero Trust: Zero Trust is built on an “Assume Breach” mindset: we assume the attacker is already inside the network.
Identity as the new perimeter: We do not trust a device merely because it is plugged into an office wall port or connected via VPN. Every access request is checked against policy on who is asking (strong authentication, MFA), from which device, and for which resource.
Internal network segmentation and micro-segmentation: The IT network must not be one big open office. It should be divided into small rooms so that if one area is compromised, the attack cannot spread—much like fire doors prevent flames from moving through a building.
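To make the "fire doors" concrete, the model below is an added example, not code from the blog: it describes a small IT/OT estate as zones with flow rules and computes, under an assume-breach worst case, how many hosts an attacker who owns one office workstation can pivot to. The hosts, zones, and rules are constructed for illustration. Three designs are compared: a flat network, a segmented one where admin paths go through a PAM jump host behind MFA, and a micro-segmented one that also closes workstation-to-workstation traffic.

```python
"""Added example (not from the blog): blast radius of a compromised office
workstation under flat, segmented and micro-segmented network designs.

Hosts, zones and rules are constructed for illustration. A rule can be used
for spreading only if it carries lateral-movement protocols (SMB, RDP, WinRM,
engineering/control traffic) and either needs no MFA or the attacker already
holds an MFA-verified session.
"""
from collections import deque
from typing import NamedTuple


class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    lateral: bool        # flow includes admin/control protocols an attacker can pivot over
    requires_mfa: bool   # path opens only for an MFA-verified identity


# Constructed inventory: host -> zone
HOSTS = {
    "WKS-SALES-17": "office",
    "WKS-IT-03": "office",
    "EXCH01": "it-servers",
    "ERP-APP01": "it-servers",
    "QC-DB01": "it-servers",
    "PAM-JUMP01": "pam",
    "MES-SRV01": "ot-dmz",
    "HMI-LINE1": "ot-cell",
    "PLC-LINE1": "ot-cell",
}
ZONES = sorted(set(HOSTS.values()))

# "One big open office": every zone reaches every zone with any protocol.
FLAT = [Rule(s, d, True, False) for s in ZONES for d in ZONES]

# Fire doors: application flows stay, admin flows go through a jump host behind MFA.
SEGMENTED = [
    Rule("office", "office", True, False),       # workstation-to-workstation SMB/RDP still open
    Rule("office", "it-servers", False, False),  # mail, ERP and QC clients, application ports only
    Rule("office", "pam", True, True),           # admin path: PAM jump host, MFA required
    Rule("pam", "it-servers", True, True),
    Rule("pam", "ot-dmz", True, True),
    Rule("it-servers", "ot-dmz", False, False),  # ERP -> MES order feed on a single API port
    Rule("ot-dmz", "ot-cell", True, False),      # MES/engineering writes to HMI and PLC
]

# Micro-segmentation additionally closes workstation-to-workstation traffic.
MICROSEGMENTED = [r for r in SEGMENTED if (r.src_zone, r.dst_zone) != ("office", "office")]


def blast_radius(start, rules, attacker_has_mfa=False):
    """Hosts an attacker who owns `start` can pivot to. Assume-breach worst case:
    every host reachable over a lateral flow is treated as compromised."""
    pivots = {}
    for r in rules:
        if r.lateral and (not r.requires_mfa or attacker_has_mfa):
            pivots.setdefault(r.src_zone, set()).add(r.dst_zone)
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for other, zone in HOSTS.items():
            if other not in seen and zone in pivots.get(HOSTS[host], ()):
                seen.add(other)
                queue.append(other)
    return seen


def production_reached(reached):
    """True if any OT cell host (HMI/PLC) is inside the blast radius."""
    return any(HOSTS[h] == "ot-cell" for h in reached)


if __name__ == "__main__":
    scenarios = [
        ("flat", FLAT, False),
        ("segmented", SEGMENTED, False),
        ("segmented, stolen MFA session", SEGMENTED, True),
        ("micro-segmented", MICROSEGMENTED, False),
    ]
    for name, rules, mfa in scenarios:
        hit = blast_radius("WKS-SALES-17", rules, mfa)
        print(f"{name:30s} {len(hit)}/{len(HOSTS)} hosts, "
              f"production reached: {production_reached(hit)}")
```

The interesting scenario is the third one: with the same segmented design, an attacker who has phished an MFA-backed session onto the PAM jump host reaches every host, including the PLC. That is why Zero Trust does not stop at MFA on the admin path; the jump host also needs device checks, session recording, and just-in-time grants from the PAM section above, and the "ot-dmz to ot-cell" engineering flow deserves the same scrutiny.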
Securing IT Is an Insurance Policy for Production
The Norsk Hydro case showed that the IT team is not just a "support function": it is the guarantor of industrial production continuity. By applying Zero Trust and Least Privilege throughout the IT environment, we make it far harder for an attacker who has landed in the office network to ever reach the OT network's doorstep.
In the final part of this blog series, we’ll sit IT and OT at the same table: How does the IEC 62443 standard function as a translator and a practical tool when building a shared secure future?