Active Directory and Operational Technology: Securing the Backbone of Critical Infrastructure

Despite the rise of cloud identity platforms and the push toward modern authentication methods, Active Directory (AD) plays a critical role in many organizations, especially in environments with operational technology (OT). AD’s deep integration into on-premises infrastructure, legacy applications, and critical systems makes it extremely difficult to replace. This dependency runs even deeper in OT environments, as many industrial control systems (ICS) and legacy devices were designed to rely on AD for authentication, access control, and group policy management.

The cost and complexity of migrating these systems to alternative identity platforms, combined with the long lifecycle of OT assets, ensures that AD will remain a fixture in these environments for years to come. As a result, organizations must continue to secure and modernize their AD deployments while recognizing that a complete shift away from AD is neither practical nor imminent for most. With the latest release of Windows Server 2025, Microsoft signaled continued support for on-premises AD. You can read more about it here: Active Directory: The End of the Road? Not Quite Yet!

What is Operational Technology?

OT refers to the hardware and software that detects or causes changes through direct monitoring and control of physical devices, processes, and events within an industrial environment. In simpler terms, OT governs the technology responsible for making critical infrastructure work: power grids, water systems, transportation networks, manufacturing lines, and even hospital life-support systems.

Unlike Information Technology (IT), which primarily handles data, OT is concerned with physical processes, like making sure electricity flows through the grid, or that water treatment plants function correctly. OT has evolved over decades, merging with IT through network connectivity, but its core systems often still run on aging, specialized equipment that was never designed with modern cybersecurity in mind.

The Role of AD in OT Environments

In the past, OT systems were air-gapped and isolated from IT and the internet. However, modern OT increasingly connects to corporate IT networks, blurring the line between OT and IT environments. To manage access and identities for both IT and OT systems, many organizations use on-premises AD.

Why AD?

  • AD is deeply embedded in enterprise environments
  • Many OT vendors design systems to integrate with Windows and AD
  • Legacy systems often have no alternative identity provider
  • Critical OT services rely on domain authentication (file shares, configuration management, patching, etc.)

The result is that the compromise of AD often equates to a compromise of OT.

Common Active Directory Misconfigurations Leading to OT Compromise

1. Overprivileged Accounts

AD environments frequently suffer from overprovisioned accounts, both human and service accounts. OT systems often run with domain admin privileges, even when such access is unnecessary.

Risk: If an attacker compromises an overprivileged OT service account, they can pivot into broader IT systems and gain full control of AD, and thus OT.

2. Weak or Reused Credentials

Legacy OT systems sometimes store plaintext credentials in scripts or configuration files. Often, these credentials are shared across systems.

Risk: Credential theft from one system enables lateral movement, allowing attackers to gradually escalate to domain control.

3. Lack of Network Segmentation

OT networks are frequently flat, with little segmentation between corporate IT and OT control systems.

Risk: Once a low-privileged IT account is compromised, attackers can easily move laterally into OT systems.

4. Unmonitored Privileged Access

Many OT teams require elevated access to perform maintenance or troubleshooting, but these sessions are often unlogged or unmonitored.

Risk: Attackers who compromise these sessions can operate undetected for months.

5. Misconfigured Group Policies

OT systems that rely on domain-based policies often suffer from overly permissive GPO settings, such as disabling UAC, enabling SMBv1, or turning off logging.

Risk: Weak GPOs make it easier for attackers to persist and escalate privileges.

6. Aging Domain Controllers

Many OT environments rely on outdated Windows Server versions, sometimes as old as Windows Server 2008 or even Windows Server 2003.

Risk: These older domain controllers lack modern security features like LDAP Signing, channel binding, or secure NTLM handling.

Real-World Impacts of AD Compromise in OT Environments

Case Study 1: Colonial Pipeline (2021)

While this attack primarily targeted IT systems, it provides a textbook example of how AD compromise can trigger cascading impacts into OT environments. Attackers gained access through a compromised VPN password, reportedly linked to an unsecured AD account.

Once inside the corporate IT network, AD became a key enabler for lateral movement and further compromise. Although the actual pipeline control systems (OT) were not directly attacked, the company preemptively shut down the OT environment due to the uncertainty of how deeply the attackers had penetrated. This conservative response, driven by the potential for IT-to-OT crossover, halted fuel deliveries across the U.S. East Coast.

Key Takeaways

  • A single AD account compromise led to operational paralysis across critical infrastructure
  • Even indirect IT compromise can severely disrupt OT when systems rely on Active Directory authentication
  • Preventive OT shutdowns can be catastrophic, even if OT itself is untouched

Case Study 2: Norsk Hydro (2019)

Norsk Hydro, a global aluminum producer, suffered a ransomware attack that crippled operations across multiple countries. The attackers initially gained access through a compromised Active Directory account tied to a legacy system. From there, they escalated to domain admin privileges, using Active Directory as a launch pad to deploy ransomware across both IT and OT environments.

The company was forced to switch many facilities to manual operation, drastically reducing output and creating safety risks in high-temperature smelting plants. The financial cost exceeded $75 million USD, but the potential physical risks from failing OT safety controls were even more concerning.

Key Takeaways

  • AD served as the central conduit for ransomware deployment
  • The attack affected both IT and OT, proving that identity compromise crosses the IT/OT boundary
  • Manual failover in OT systems was possible but fraught with operational and safety risks

Case Study 3: German Hospital Ransomware Attack (2020)

In September 2020, a ransomware attack targeting the University Hospital of Düsseldorf resulted in the first confirmed human death linked to a cyberattack. The hospital’s AD environment was compromised, leading to widespread IT system failures, including critical systems responsible for patient care.

As part of the hospital’s building management and equipment control systems, OT devices such as MRI machines, ventilators, and laboratory automation were tied into the compromised AD domain. With systems offline, a patient requiring emergency treatment had to be diverted to another facility, resulting in fatal delays.

Key Takeaways

  • In healthcare OT, AD compromise can lead directly to loss of life
  • Many medical devices rely on domain authentication for imaging storage, result retrieval, and equipment calibration
  • The integration of building management systems (BMS) into the hospital domain created additional risk, demonstrating the blending of IT and OT in healthcare

Case Study 4: Oldsmar Water Treatment Facility (2021)

In this high-profile incident, attackers remotely gained access to the water treatment plant’s operational systems in Oldsmar, Florida. Though the exact mechanism of initial access remains debated, investigations revealed that the plant’s OT systems were integrated into the broader IT network, sharing AD credentials for remote access.

The attackers attempted to increase the concentration of sodium hydroxide (lye) in the water supply, a potentially deadly alteration. Fortunately, operators noticed the tampering and reverted the changes before any water was released to the public.

Key Takeaways

  • Weak identity and access controls (including shared credentials) enabled the breach
  • AD served as a single point of failure spanning both IT and OT systems
  • Water treatment plants represent high-impact OT environments where identity compromise can lead directly to loss of life and public health emergencies

Case Study 5: Maersk & NotPetya (2017)

Though this incident primarily affected IT systems, its downstream OT impacts were severe. The NotPetya malware crippled AD infrastructure at Maersk, wiping out all domain controllers globally within minutes. This AD compromise caused cascading failures across both IT and OT environments, from port operations systems to cargo handling machinery.

Without functional identity infrastructure, port cranes, container management systems, and scheduling software failed to authenticate operators, halting shipping operations worldwide. Maersk suffered over $300 million in damages, with significant disruption to global supply chains.

Key Takeaways

  • The complete collapse of AD caused global operational outages
  • Even systems not directly infected by malware (like OT equipment) were paralyzed due to authentication failures
  • This illustrates the danger of over-centralizing identity in a single AD forest

Broader Implications Across Sectors

These case studies highlight a critical truth:

In modern OT, AD isn’t just an IT asset, it’s an operational dependency.

Compromise of AD leads to far more than data theft; it threatens:

  • Critical Infrastructure Uptime: Power, water, and transportation systems grind to a halt
  • Public Safety: Water contamination, disrupted emergency services, and tampered medical devices
  • Loss of Life: Especially in healthcare, where uptime directly correlates to patient outcomes
  • Economic Disruption: Factory shutdowns, port closures, and supply chain disruptions

AD as the "Crown Jewels" in OT

In many organizations with OT, AD is:

  • The primary identity provider for both IT and OT
  • A critical enabler for remote access, vendor support, and engineering workstations
  • The heart of Group Policy, which governs device hardening, software patching, and login controls across both IT and OT

This makes AD a target of choice for attackers who want to impact critical infrastructure. If you own AD, you own everything.

Securing On-Premises AD in OT Environments

1. Implement AD Tiering Model

Adopt Microsoft’s Tier 0 / Tier 1 / Tier 2 model:

  • Tier 0: Domain controllers and highly privileged accounts (direct access to AD itself)
  • Tier 1: Servers and applications (including OT systems)
  • Tier 2: Workstations, users

Why? This limits exposure: if a user workstation is compromised, it cannot directly reach OT systems or domain controllers.

Read more about it here: How to Mitigate Privilege Escalation with the Tiered Access Model for Active Directory Security

2. Harden Domain Controllers

  • Disable SMBv1
  • Enforce LDAP Signing and Channel Binding
  • Apply LAPS for local admin passwords
  • Enable Advanced Auditing and central log collection
  • Patch regularly, no excuses

Why? Unpatched systems and old protocols are a primary reason for many compromises. Keeping up with these practices removes many attack vectors.
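As an added example (not code from the original post), the following read-only PowerShell script checks the hardening items listed above on the local domain controller. It assumes an elevated session on the DC; the 45-day patch threshold and the audit subcategories chosen are assumptions for illustration.

```powershell
# Added example: report-only check of DC hardening settings; changes nothing.
$ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{
        Check = $Check; Status = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail })
}

# 1. SMBv1 must be off on the server side.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Add-Finding 'SMBv1 disabled' (-not $smb1) "EnableSMB1Protocol = $smb1"

# 2. LDAP signing: LDAPServerIntegrity 2 = "Require signing" (1 or absent = none).
$sign = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
Add-Finding 'LDAP signing required' ($sign -eq 2) "LDAPServerIntegrity = $sign (want 2)"

# 3. LDAPS channel binding: LdapEnforceChannelBinding 2 = "Always"
#    (1 = when supported, 0 or absent = never).
$cbt = (Get-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
Add-Finding 'LDAP channel binding enforced' ($cbt -eq 2) "LdapEnforceChannelBinding = $cbt (want 2)"

# 4. Advanced auditing: subcategories an AD compromise investigation depends on
#    (assumed minimum set). auditpol /r emits CSV, so it parses cleanly.
$subcats = 'Security Group Management', 'User Account Management',
           'Directory Service Changes', 'Logon', 'Special Logon'
foreach ($s in $subcats) {
    $row     = auditpol /get /subcategory:"$s" /r | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    Add-Finding "Audit: $s" ($setting -match 'Success') "Inclusion Setting = $setting"
}

# 5. Patch recency: days since the newest hotfix was installed (45-day limit assumed).
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age     = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { $null }
Add-Finding 'Patched within 45 days' ($null -ne $age -and $age -le 45) "Newest hotfix $($lastFix.HotFixID) installed $age days ago"

$findings | Format-Table -AutoSize
```

Any FAIL row maps directly to one of the bullets above; the registry values are the ones Group Policy sets, so fix them through GPO rather than by editing the DC by hand.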

3. Privileged Access Workstations (PAWs)

Administrators and OT engineers should only access critical systems from hardened, dedicated PAWs. These PAWs should:

  • Have no internet access
  • Be single-purpose (admin work only)
  • Be patched aggressively
  • Use hardware-backed credential protection, like smart cards and YubiKey

Why? Separating workstations for administrative access from normal daily operations reduces the possibility of leaving credentials behind that could be used to compromise the organization.

Read more about it here: 2024 Guide to Privileged Access Workstations: Enhance Security

4. Account Segmentation and Just-in-Time (JIT) Access

  • No shared accounts
  • No persistent domain admin accounts
  • Use Privileged Identity Management (PIM) or similar solutions to elevate accounts only when needed

Why? Reducing, or even eliminating, full-time administrators reduces the possibility that an account can be used to compromise the organization.

5. Secure Service Accounts

  • Rotate passwords regularly
  • Use gMSA (Group Managed Service Accounts) where possible
  • Grant only the permissions needed, following the principle of least privilege

Why? Managing service accounts reduces the chance that credentials, typically privileged, can be compromised.
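As an added example (not code from the original post), this PowerShell sequence replaces a password-based OT service account with a gMSA and then lists any service account that still sits in a Tier 0 group. The account name svc-historian, the group gMSA-Historian-Hosts, the server HIST01 and the OU path are constructed for illustration.

```powershell
# Added example: move an OT service to a gMSA and audit service accounts in Tier 0 groups.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which gMSA passwords are derived.
if (-not (Get-KdsRootKey)) {
    # In production omit -EffectiveImmediately and allow ~10 hours for replication.
    Add-KdsRootKey -EffectiveImmediately
}

# Only members of this group may retrieve the managed password (constructed names).
$hostGroup = 'gMSA-Historian-Hosts'
$tier1OU   = 'OU=Tier1,DC=corp,DC=example'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope DomainLocal -Path $tier1OU
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer 'HIST01')

# Create the gMSA. AD generates a 240-character password and rotates it on the
# interval set here; the interval can only be set at creation time.
New-ADServiceAccount -Name 'svc-historian' `
    -DNSHostName 'svc-historian.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -Path $tier1OU

# On HIST01, after a reboot so its token reflects the new group membership:
#   Install-ADServiceAccount -Identity svc-historian
#   Test-ADServiceAccount -Identity svc-historian   # True when the host can fetch the password
# Then set the Windows service to log on as CORP\svc-historian$ with a blank password.

# Least-privilege check: anything carrying an SPN is a service account and has
# no business in a Tier 0 group. Returns the offenders so the list can be worked down.
function Get-PrivilegedServiceAccounts {
    $tier0 = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
    foreach ($g in $tier0) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties ServicePrincipalName, PasswordLastSet |
            Where-Object { $_.ServicePrincipalName } |
            Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, PasswordLastSet
    }
}
Get-PrivilegedServiceAccounts | Format-Table -AutoSize
```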

6. Robust Monitoring and Incident Response

  • Continuous AD auditing
  • Baseline and monitor privileged access
  • Actively hunt for misconfigurations and anomalies
  • Practice incident response tabletop exercises focused on AD and OT compromise scenarios

Why? Not having visibility into daily operational events can leave you blindsided. Additionally, robust monitoring and continuous auditing provide forensic information for any analysis.
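As an added example (not code from the original post) of baselining and monitoring privileged access, this PowerShell script snapshots Tier 0 group membership, diffs it against the previous snapshot, and pulls the Security events that explain any change. The baseline path, the group list and the 24-hour event window are assumptions.

```powershell
# Added example: baseline Tier 0 group membership, diff, and explain changes from the event log.
Import-Module ActiveDirectory
$BaselinePath = 'C:\ADMonitor\tier0-baseline.json'   # assumed location
$Tier0Groups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                'Administrators', 'Account Operators', 'Backup Operators'

function Get-Tier0Snapshot {
    $snap = @{}
    foreach ($g in $Tier0Groups) {
        $snap[$g] = @(Get-ADGroupMember -Identity $g -Recursive |
                      Select-Object -ExpandProperty SamAccountName | Sort-Object)
    }
    return $snap
}

# Emits one object per member that appeared in or vanished from a group.
function Compare-Tier0Snapshot($Baseline, $Current) {
    foreach ($g in $Current.Keys) {
        $old = @($Baseline[$g]); $new = @($Current[$g])
        foreach ($m in $new) { if ($m -notin $old) { [pscustomobject]@{ Group = $g; Member = $m; Change = 'ADDED' } } }
        foreach ($m in $old) { if ($m -notin $new) { [pscustomobject]@{ Group = $g; Member = $m; Change = 'REMOVED' } } }
    }
}

$current = Get-Tier0Snapshot
if (Test-Path $BaselinePath) {
    $baseline = @{}
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = @($_.Value) }
    $changes = @(Compare-Tier0Snapshot $baseline $current)
    if ($changes) {
        $changes | Format-Table -AutoSize
        # Who made it: 4728/4756 = member added to global/universal security group,
        # 4729/4757 = removed, 4732/4733 = domain-local groups. Events live on the DC
        # that processed the change, so in practice query central log collection;
        # the PDC emulator is used here as the single-DC illustration.
        Get-WinEvent -ComputerName (Get-ADDomain).PDCEmulator -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4728, 4729, 4732, 4733, 4756, 4757
            StartTime = (Get-Date).AddHours(-24) } |
            Select-Object TimeCreated, Id,
                @{n = 'Actor';  e = { $_.Properties[6].Value }},
                @{n = 'Member'; e = { $_.Properties[0].Value }},
                @{n = 'Group';  e = { $_.Properties[2].Value }}
    } else { 'No Tier 0 membership changes since last baseline.' }
}
$current | ConvertTo-Json | Set-Content $BaselinePath   # becomes the next run's baseline
```

Schedule it to run on a Tier 0 host only; if the baseline file is writable by Tier 1 or Tier 2 accounts, an intruder can simply rewrite it.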

7. Tested Backup and Recovery Plan

  • Use AD-aware backup products
  • Regular testing to ensure the backups are functional
  • Develop plans for different recovery events

Why? Being able to recover after an event is critical to surviving and making sure operations continue.

Read more about it here: Active Directory Forest Recovery | Disaster Prevention Strategies

Protecting Lives Through Identity Security

In the world of OT, AD security isn’t just about data, it’s about physical safety and even lives. Whether it’s ensuring ventilators remain operational or keeping water treatment plants safe from tampering, identity compromise in AD cascades into real-world disaster.

Modernizing and securing AD in OT environments is a critical life-safety issue. Organizations that treat identity security as a core operational risk, rather than an IT afterthought, will be best positioned to protect both infrastructure and lives.

Final Thoughts

The compromise of AD in an OT environment should not be thought of as an IT problem; it is a safety and operational resilience issue. Boards of directors, C-suite leaders, and operational managers must recognize this shift and treat AD security with the same rigor they apply to physical safety systems in their plants, hospitals, or utilities.

Get in touch with Ravenswood Technology Group today to schedule a free consultation. We would be happy to help your organization secure your OT environment.

Partner with Microsoft experts you can trust

If it’s time to take that first step toward leveling up your organization’s security, get in touch with Ravenswood to start the conversation. 
