Why You Don’t Need Zero-Days to Hack PLCs

When most people think about industrial cyberattacks, they picture elite hackers using sophisticated exploits to break through layers of defenses. Zero-days, custom malware, and nation-state resources all sound like something out of a thriller. And while those threats are real, they are rarely the starting point.

In most OT environments we encounter, the bigger risk is far more straightforward.

The Zero-Day Assumption Is Misleading

It is easy to assume that attacking a PLC requires the same kind of sophistication needed to breach a hardened enterprise IT environment. In IT security, that assumption has some merit because systems are built with authentication, role-based access, logging, and enforcement baked in. Attackers have to earn their access.

Industrial control systems were designed around a different philosophy entirely. Reliability and uptime were the priorities. Security was an afterthought, if it was considered at all. Protocols like Modbus, introduced in 1979, were built to move commands efficiently between devices, not to verify who was sending them or why.

The foundational assumption in most OT environments has always been: if you are on the network, you are supposed to be there. Every command received is treated as legitimate. That model made sense when a PLC lived in an isolated cabinet with no external connections. It does not hold up in today’s highly connected operations.

Default Credentials Are Still Everywhere

One of the most persistent and preventable issues in OT security is the use of default credentials. Most PLCs and industrial devices ship with vendor-provided usernames and passwords meant to simplify initial deployment. The expectation is that these get changed before the system goes live. In practice, that does not always happen.

Sometimes, defaults are never changed during commissioning. Sometimes they are reset after a firmware update and never reconfigured. Sometimes they are replaced with something predictable and reused across dozens of devices on the same network.

Attackers are well aware of this. They are not guessing randomly. They are working through published vendor default tables and commonly reused patterns. When it works, there is no exploit involved. They are simply logging in. (CISA, 2023)

In some environments, credentials are transmitted in cleartext over unencrypted protocols, meaning anyone with access to that network segment can capture them passively. No advanced tooling required.

Open Protocols Do Exactly What They Are Told

The design of industrial protocols compounds the credential problem. Modbus, DNP3, and older versions of EtherNet/IP were built for interoperability and deterministic performance. Authentication and encryption were never part of the design.

What this means in practice is simple: if a properly formatted command arrives at a PLC over the network, the device executes it. It does not check who sent it. It does not validate intent. A valid command from a legitimate operator and a valid command from an attacker look identical to the device.

For an attacker who has gained access to the OT network and understands the protocol, no exploit is needed. They just need to send the right instructions.

Flat Networks Make It Worse

OT environments have become significantly more connected over the last decade. Remote vendor access, IT/OT integration, centralized historians, and cloud-connected SCADA platforms have all expanded the attack surface in ways that the original network trust model was never designed to handle.

When those connections exist alongside poor network segmentation, flat architectures where OT devices share reachability with IT systems, or even external access points, an attacker who compromises one foothold may have a direct path to process control systems. No lateral movement through hardened systems. No zero-day required. Just network access and a protocol that trusts every sender equally.

This is why patching alone is not sufficient. A facility can have a clean vulnerability scan with zero known CVEs and still be significantly exposed if default credentials are in place and OT traffic is unauthenticated on a flat network.

Where OT Teams Should Focus First

At Insane Cyber, when we work with OT teams to improve their security posture, we consistently find that the highest-impact improvements come from the fundamentals, not exotic tooling or complex architectures.

Start with a credential audit. Inventory every PLC, HMI, managed switch, and remote access point on the OT network. Verify that vendor defaults have been removed, that passwords meet a reasonable complexity standard, and that credentials are not reused across devices. This process is time-consuming, but there is no technical shortcut that replaces it.

Review your network segmentation. Pull a current network diagram, not the one from the last capital project, but an accurate picture of how the network looks today. Identify every path between IT and OT environments, every remote access connection, and every device that bridges both sides. Each one represents an entry point that should be intentional, controlled, and monitored. Access between zones should never be implicit.

Get visibility into your industrial traffic. If you cannot see the commands being sent to your PLCs, you have no way to distinguish a legitimate operator action from unauthorized activity. Passive monitoring tools designed specifically for OT environments can provide this visibility without touching live traffic or risking process disruption. Once you have it, anomalies become detectable.
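A minimal form of that passive check, added here as an example (not Insane Cyber's tooling or any product's code): it decodes Modbus/TCP requests from captured frames and flags write function codes that did not originate from an allowlisted engineering host, which is exactly the distinction the unauthenticated protocol described under "Open Protocols Do Exactly What They Are Told" cannot make for itself. The host addresses and frames are constructed sample data; the allowlist of authorized writers is assumed to come from the segmentation review.

```python
import struct
from collections import namedtuple

# Modbus function codes that change process state; everything else is treated as read-only.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
ModbusRequest = namedtuple("ModbusRequest", "transaction_id unit_id function address")

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header plus the function code and start address of the PDU."""
    if len(frame) < 10:
        raise ValueError("frame too short for an MBAP header and request PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field covers the unit id and the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, unit, frame[7], struct.unpack(">H", frame[8:10])[0])

def inspect(src_ip: str, frame: bytes, authorized_writers: set) -> str:
    """Return 'ok', or an 'alert:' / 'malformed:' finding a passive monitor should raise."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return f"malformed: {err} (from {src_ip})"
    if req.function in WRITE_FUNCTIONS and src_ip not in authorized_writers:
        return (f"alert: {WRITE_FUNCTIONS[req.function]} on unit {req.unit_id} "
                f"at address {req.address} from unlisted host {src_ip}")
    return "ok"

def run_monitor(captures, authorized_writers):
    """Run inspect() over (src_ip, frame) pairs and keep only the findings."""
    return [r for r in (inspect(s, f, authorized_writers) for s, f in captures) if r != "ok"]

# Constructed sample traffic: 10.1.1.20 (the HMI) is the only host allowed to write.
AUTHORIZED_WRITERS = {"10.1.1.20"}
SAMPLE_CAPTURES = [
    ("10.1.1.20", bytes.fromhex("00010000000601030000000a")),  # read 10 holding registers
    ("10.1.1.20", bytes.fromhex("00020000000601050013ff00")),  # write coil 19 ON, authorized
    ("10.1.9.77", bytes.fromhex("000300000006010600010000")),  # write register 1, unlisted host
    ("10.1.1.20", bytes.fromhex("00040000000901030000000a")),  # bad MBAP length field
]
```

Calling `run_monitor(SAMPLE_CAPTURES, AUTHORIZED_WRITERS)` yields two findings: the write from the unlisted host and the frame with the inconsistent length field, while both requests from the HMI pass.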

These are not novel recommendations. They are foundational controls that, when properly implemented, close the most commonly exploited attack paths in industrial environments.

The Barrier Is Lower Than Most Assume

The reality is that disrupting an industrial control system does not require a zero-day. In many environments, network access combined with weak credentials or an unauthenticated protocol is enough. That combination is more common than it should be.

The encouraging side of this is that the fixes are equally straightforward. Strong credential management, genuine network segmentation, and visibility into OT traffic address the vast majority of realistic attack scenarios. These are solvable problems.

Zero-days generate headlines because they are dramatic. Basic security gaps cause real-world incidents. (Cybersecurity 2, 2024) If the focus stays fixed on sophisticated threats while foundational issues go unaddressed, the simpler attacks will keep working.
