The dangerous intruder in OT today isn’t bombing the wall. They walked through the front door with a key that shouldn’t be in their hand.
OT credential abuse happens when an attacker uses a legitimate account, vendor connection, remote-access pathway, or service credential to enter an industrial environment without exploiting a software vulnerability. The login looks authorized, but the behavior afterward does not. Here’s why your scanner never sees it, and what does.
Half of dungeon design in the old Zelda games is locks and keys. You find a small key, you open a locked door, you go deeper. The whole system works on one quiet assumption: the key belongs to the person holding it. Nobody designed those dungeons for an intruder who already had a copy.
That assumption is exactly where OT security is getting hurt right now. The image we carry of an attacker is someone smashing through a barrier, exploiting a flaw, breaking something to get in. The reality across the threat data is quieter and more uncomfortable. More and more, attackers don’t break in at all. They log in. They use a valid credential, a vendor’s remote-access path, a service account that was set up years ago and never retired. As one summary of the landscape put it, threat actors increasingly exploit valid credentials rather than software flaws, so they log in rather than break in.
The door wasn’t forced. It was opened, by a key, exactly the way it was designed to be.
Why OT Credential Abuse Often Starts with Vendor Access
The keys that matter most in OT are rarely the ones your own team holds. They’re the ones you handed out. Compromised vendor credentials, poisoned software updates, and abused remote-access connections show up again and again as the leading way into industrial environments. That makes sense the moment you think about how OT actually runs. Integrators, OEMs, and maintenance vendors need access to keep the process healthy, and that access is legitimate, necessary, and standing. It is a key to your dungeon held by someone outside your walls.
We’ve written before about why the vendor relationship in OT is so different. Every legitimate key is a key that can be copied, stolen, or misused, and when it is, nothing about the entry looks wrong. The lock wasn’t picked. The window is intact. The logs say a known account opened a known door at a plausible time.
This is what makes credential abuse so effective in OT specifically. The whole environment is built on trust between known parties. An attacker using a real key isn’t triggering the trust model. They are using it.
Why Vulnerability Scanners Miss OT Credential Abuse
Here is why so much of our tooling misses this entirely.
A vulnerability scanner is built to find broken things. Unpatched software, exposed services, weak configurations. It is looking for the smashed window and the forced lock. That is genuinely useful work, and it is also completely blind to a valid key in the wrong hand. There is no CVE for a stolen credential. There is no patch for a vendor account being used by someone who is not the vendor. The flaw, if you can even call it that, is that the system did exactly what it was told by something that looked authorized.
If your security program is organized around finding and fixing vulnerabilities, the entire category of log-in attacks slips through the gap. You can be fully patched, fully scored, fully compliant on paper, and still have an intruder walking your halls with a borrowed key.
You Know the Dungeon. They Don’t.
So how do you catch a key you cannot un-issue, used by a hand you cannot see at the door?
You stop watching the door and start watching what happens after it opens.
A stolen key gets someone into the dungeon. It doesn’t give them the map. In Zelda, the player’s real advantage is never the key. It is knowing the layout cold, where every room connects, what is supposed to be behind each door, which path makes sense and which one does not. An intruder with a copied key is moving through a place they only partly understand, and that shows.
OT gives you that map for free, because the environment is so predictable. A specific engineering workstation talks to a specific set of controllers, in specific patterns, at specific times. When a valid credential logs in and then does something that account has never done, reaching devices it never reaches, issuing commands it never issues, moving at hours it never moves, that is the tell. The login looked fine. The behavior does not. You catch the wrong hand not by questioning the key, but by knowing the dungeon better than the thief ever could.
That means leaning on behavior over signatures, and on a baseline of normal per device rather than a list of known-bad. It is the kind of detection EmberOT is built to do, recognizing when a legitimate actor starts behaving illegitimately, because the account is trusted but the pattern is not. Pair that with the basics that make stolen keys less useful in the first place, least privilege so a single key opens fewer doors, retiring access nobody uses anymore, and tight control over remote sessions, and you have shrunk both the number of keys and the blast radius of any one of them.
The Login is Only the Beginning
The shift from breaking in to logging in can feel like the rules changed underneath you. In a way they did. But the advantage that matters did not move. It is your environment. You know how it is supposed to behave, room by room, device by device, and an intruder with a borrowed key never will.
Stop assuming the threat announces itself with a broken lock. Watch the behavior on the other side of the door. The key may be real. The hand holding it doesn’t have your map.
Become a Subscriber
EMBEROT WILL NEVER SELL, RENT, LOAN, OR DISTRIBUTE YOUR EMAIL ADDRESS TO ANY THIRD PARTY. THAT’S JUST PLAIN RUDE.
