Episode 47 — Identify OT Threat Surface: Vectors, Exposure, and Threat Actors in Context

In this episode, we’re going to learn how to think about the OT threat surface in a way that feels grounded and useful, not scary or vague. When you’re new to cybersecurity, it’s easy to imagine threats as random lightning bolts that could strike anywhere, which makes security feel like an endless list of worries. In operational technology, the threat surface is the set of ways something unwanted could reach or affect your systems, including paths that allow access, paths that allow changes, and paths that allow disruption. It includes technology, but it also includes people, processes, and the way work actually happens, especially during maintenance and troubleshooting. The goal of identifying the threat surface is not to assume you are under attack every second, but to understand where you are exposed so you can reduce the number of openings and strengthen the ones you must keep. OT adds extra complexity because systems control physical processes and often have long lifecycles, so exposure can hide in legacy designs and inherited practices. By the end, you should be able to describe vectors, exposure, and threat actors in a calm, structured way that leads to better decisions.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

A helpful starting point is understanding what a vector is, because that word gets used in different ways. A vector is simply a path or method by which a threat can reach a target, like a road that leads to a building. In OT, vectors include network connections, remote access pathways, removable media, vendor laptops, shared credentials, and even direct physical access to control cabinets and consoles. Some vectors are obvious, like a remote support connection into the environment, while others are subtle, like a maintenance workflow that involves moving files from one system to another. A vector is not automatically a problem, because some vectors are necessary for operations, but each vector creates an opportunity for mistakes or misuse. Beginners sometimes think the vector is the same as the attack, but it is better to see it as the route the attack could take. If you identify routes, you can add controls like checkpoints, barriers, and monitoring along those routes. This is why mapping vectors is a practical activity, because it turns abstract threat talk into concrete paths you can manage. In OT, managing routes is often more effective than trying to harden every individual device equally.

Exposure is the condition that makes a vector more or less risky, and it is also commonly misunderstood. Exposure is about how reachable something is and how much access a vector provides, like whether a door is locked, monitored, and used only at certain times, or whether it is propped open all day. An always-on remote access path with weak authentication is high exposure, while a time-limited path that requires approvals and is closely monitored is lower exposure. Exposure also includes how many layers of trust a vector crosses, because a path that crosses from a business network into a control network crosses a major trust boundary. In OT, a vector that reaches an engineering workstation may be more exposed than a vector that reaches an operator display, because engineering tools can change logic and configurations that affect system behavior. Exposure can also be increased by complexity, because complex paths are harder to understand and easier to misconfigure. Beginners often focus on whether something is connected, but exposure is about how it is connected, what is allowed, and what is monitored. When you reduce exposure, you often reduce risk without needing to replace equipment.

Now let’s talk about why identifying the threat surface has to be done in context, because OT environments are not all the same. A water treatment facility, a manufacturing plant, and an oil and gas site might all use controllers, but the processes, safety requirements, and business dependencies can be very different. Context shapes both which vectors exist and how serious they are. For example, a site that relies heavily on remote vendor support will have a larger remote access threat surface than a site that rarely allows remote access. A site that frequently brings in portable equipment for maintenance will have a larger removable media threat surface than a site with tightly controlled media handling. A site undergoing expansion or modernization may have increased exposure because change activity creates temporary connections and exceptions. Beginners should understand that the threat surface is not a universal checklist; it is a snapshot of how your environment actually operates. That is why the best threat surface work involves the people who know the workflows, not just the people who know the network. When you combine technical mapping with operational context, you see the real openings.

Network vectors are often the first thing people think about, and for good reason, but they need to be understood properly. In OT, the most important network question is not only whether the environment touches the internet, but how traffic moves between zones and where trust boundaries are enforced. Vectors can include connections from business systems to OT systems, connections between OT zones, and connections that allow remote support. They can also include indirect pathways, like a shared service that sits in a middle zone and communicates with both sides. The threat surface increases when segmentation is weak, when rules are inconsistent, or when there are undocumented pathways that bypass intended controls. Another critical factor is bidirectional communication, because one-way data movement can reduce exposure while two-way pathways allow commands and changes to flow back into OT. Beginners sometimes assume network risk means someone outside the company directly connects to OT, but many real scenarios involve someone entering through business systems and then moving toward OT using internal routes. That is why the threat surface must include the enterprise-to-OT boundary and the controls that shape it. When those boundaries are clearly defined and monitored, network vectors become more manageable.

Remote access deserves special attention because it is a high-value vector for both legitimate work and misuse. OT environments often depend on remote access for vendor troubleshooting, off-hours support, and specialized engineering tasks. The risk is not only that remote access exists, but that it can become permanent, widely shared, and poorly monitored over time. A remote access vector can be high exposure if accounts are shared, if sessions are not time-limited, if authentication is weak, or if there is no clear approval trail. It can also be risky if remote access lands deep inside a sensitive zone instead of terminating in a controlled boundary where additional checks occur. Beginners should understand that remote access is not inherently bad, but it must be shaped to match OT safety and reliability needs. Good controls can make remote access safer by making it predictable, visible, and limited to the minimum needed for the task. When you identify the threat surface, you should document each remote pathway, who uses it, what it reaches, and what controls exist. This turns remote access from a mystery into a manageable part of the environment.

Removable media and portable devices are another major OT vector, and they often matter more than beginners expect. OT work sometimes requires moving files, updates, logs, and configurations using drives or laptops that travel between systems and even between sites. These vectors are risky because they can bypass network boundaries, carrying problems directly from one environment into another. They can also create exposure because people may plug devices into sensitive systems during urgent work, when careful handling is hardest. The threat surface here includes not only the media itself, but also the process around it, such as where the media comes from, how it is scanned, and how transfers are controlled. Vendor laptops can be a particularly important vector because they may have been used in many environments and may connect to multiple networks during a single day. Beginners sometimes think of malware as something that arrives over the internet, but in OT, physical transfer pathways can be a major route. When you identify this part of the threat surface, you focus on the points where devices cross boundaries and where scanning and control can be applied. Reducing exposure here often involves standardizing handling practices, not adding complex technology.

People and workflow vectors can be harder to see, but they are often central to OT exposure. Shared credentials, informal access approvals, and undocumented changes are all examples of human-driven vectors that attackers can exploit and that mistakes can amplify. Social engineering is a common way to activate these vectors, because attackers can pressure staff into bypassing normal procedures, especially during urgent situations. In OT, urgency is common because downtime is expensive and safety issues demand rapid response, which means attackers can use urgency as a lever. A workflow vector can also be something like a contractor process where accounts are created quickly and not removed, leaving lingering access. Beginners sometimes assume security failures happen because someone is careless, but in many cases the system is designed in a way that makes shortcuts easy and safe behavior hard. Identifying the threat surface therefore includes looking for places where the workflow encourages risky behavior, such as unclear approval paths or complicated access procedures that people bypass. The goal is not to blame people, but to design processes and controls that support safe behavior under real conditions. When workflow becomes visible in the threat surface, you can improve it.

Physical vectors also matter, because OT systems often have physical interfaces and on-site equipment that can be accessed directly. Physical access can include access to control cabinets, network closets, console ports, and removable storage ports on equipment. A facility might have strong network controls but weak physical controls, creating exposure that is easy to overlook. Physical vectors are also connected to insider risk, not in a paranoid sense, but in the reality that trusted people have access that could be misused intentionally or accidentally. Beginners sometimes think physical security is separate from cybersecurity, but in OT they are closely linked because physical access can enable configuration changes, device replacement, or network tapping that bypasses logical controls. Identifying the physical threat surface involves understanding who can access critical areas, how access is logged, and how equipment is protected from tampering. It also includes considering shared spaces, like contractor areas or maintenance rooms, where equipment might be accessible during busy periods. Physical exposure is often reduced through simple measures like access control and supervision, but it has to be recognized first. If you ignore physical vectors, you may overestimate how strong your boundaries really are.

Now we can talk about threat actors, because actors help you interpret which parts of the threat surface are most relevant. A threat actor is a person or group that could cause harm, and actors differ in capability, intent, and resources. Opportunistic criminals might target common weaknesses and then demand ransom, while more capable groups might target specific industries or organizations for strategic reasons. Insiders, including employees and contractors, can be actors either intentionally or through mistakes, because their access can bypass many controls. Vendors and integrators are not inherently threats, but their access and tools can become part of the threat surface if compromised or mismanaged. Beginners sometimes imagine that only highly skilled attackers matter, but many incidents result from relatively simple techniques applied to poorly controlled pathways. Threat actors also shape your priorities, because if your exposure includes always-on remote access and shared credentials, you are vulnerable to a wide range of actors, not just advanced ones. Identifying actors in context means asking which actors are plausible for your environment and what they would likely try to do. When you connect actors to vectors, your assessment becomes more realistic and your controls more targeted.

Finally, identifying the OT threat surface is valuable because it leads to practical ways to reduce exposure and strengthen boundaries without turning operations upside down. Once you can list vectors like remote access paths, media transfers, zone-to-zone conduits, engineering tool dependencies, and physical access points, you can decide which ones can be eliminated, which ones must be controlled, and which ones need better monitoring. You can also see where a small change, like tightening remote access approvals or improving segmentation at a single conduit, can reduce likelihood across many scenarios. For beginners, the most empowering lesson is that the threat surface is not destiny; it is design and habit, and both can be improved. A well-managed threat surface has fewer unnecessary paths, clearer trust boundaries, and better visibility into what is happening at the edges. When you build that, you make it harder for attackers and accidents to reach critical systems, and you make it easier for your team to respond calmly when something unusual happens. That combination, reduced exposure and improved clarity, is what makes OT security more predictable and more effective.
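As an added example (not part of the episode or its companion books), the following Python sketch turns the exposure conditions described earlier, and the eliminate/control/monitor decision just described, into a small pathway inventory check. The zone labels, pathway names and their attributes are constructed for illustration and do not describe any real site.

```python
from dataclasses import dataclass

# Zones outside the control environment (constructed labels for this example).
OUTSIDE_ZONES = {"internet", "enterprise"}

@dataclass
class Pathway:
    name: str
    source_zone: str
    target_zone: str
    required: bool              # does operations actually need this path?
    always_on: bool = False
    shared_credentials: bool = False
    strong_auth: bool = True
    approval_trail: bool = True
    monitored: bool = True
    bidirectional: bool = True
    reaches_engineering: bool = False

def exposure_findings(p: Pathway) -> list[str]:
    """List the exposure conditions from the episode that apply to this path."""
    checks = [
        (p.source_zone in OUTSIDE_ZONES and p.target_zone.startswith("ot_"),
         "lands inside OT instead of terminating in a controlled boundary zone"),
        (p.always_on, "always-on rather than time-limited"),
        (p.shared_credentials, "shared credentials"),
        (not p.strong_auth, "weak authentication"),
        (not p.approval_trail, "no approval trail"),
        (p.bidirectional and p.target_zone.startswith("ot_"),
         "two-way path lets commands and changes flow into OT"),
        (p.reaches_engineering, "reaches engineering tools that can change logic"),
        (not p.monitored, "unmonitored"),
    ]
    return [msg for hit, msg in checks if hit]

def triage(p: Pathway) -> str:
    """Decide eliminate / control / monitor / accept for one pathway."""
    findings = exposure_findings(p)
    if not p.required:
        return "eliminate"          # an unnecessary path is simply removed
    if any(f != "unmonitored" for f in findings):
        return "control"            # required, but its exposure must be shaped
    return "monitor" if findings else "accept"

# Constructed sample inventory: one vendor VPN, one forgotten modem, one data feed.
INVENTORY = [
    Pathway("vendor_vpn", "enterprise", "ot_control", required=True, always_on=True,
            shared_credentials=True, strong_auth=False, approval_trail=False, monitored=False),
    Pathway("legacy_modem", "internet", "ot_control", required=False),
    Pathway("historian_feed", "ot_supervisory", "enterprise", required=True, bidirectional=False),
]
```

Running `{p.name: triage(p) for p in INVENTORY}` gives the decision for each path, and `exposure_findings` lists the specific conditions that drove it.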
