The OT Perimeter Problem: Why Firewalls and VPNs Are the #1 OT Attack Vector

Threat Research

Empirical analysis of how perimeter devices, not PLCs, are the primary entry point for OT compromises, with data from Dragos, Forescout, and Bishop Fox.

ShiftSix Research

March 05, 2026

12 min read

TLP:CLEAR
Key Findings

  • 67% of malicious OT activity targets perimeter devices, not PLCs or HMIs [2]
  • 430,000+ SonicWall interfaces are exposed to the public internet; half run end-of-life firmware [3]
  • Nation-state groups (Volt Typhoon, ELECTRUM, Sandworm) and ransomware operators (Akira, Fog, Black Basta) exploit the same VPN/firewall vulnerabilities [1]
  • In the Volt Typhoon intrusion at a Massachusetts utility, attackers sat on a compromised perimeter firewall for over 300 days before detection; the average OT dwell time Dragos reports is 42 days [1]
  • OT environments are uniquely exposed: patching requires downtime, firmware lags years behind, and segmentation often stops at the perimeter

When people discuss OT security threats, attention typically gravitates toward dramatic scenarios: ICS malware manipulating PLCs, protocol exploitation against Modbus devices, zero-day attacks on engineering workstations. These represent genuine risks. However, empirical data reveals a different narrative about where OT compromises originate.

Per Forescout Vedere Labs research on OT honeypot networks that included industrial routers and control devices, 67% of malicious OT activity targets perimeter devices (routers and firewalls) rather than the PLCs and HMIs behind them. Attackers do not go after industrial controllers first; they go after the network equipment that provides access to those controllers.

Over the past two years, critical vulnerabilities have been actively exploited across major perimeter vendors: SonicWall, Fortinet, Ivanti, Palo Alto, Citrix, and Cisco. Perpetrators include ransomware operators encrypting IT and OT environments, nation-state groups establishing persistent critical infrastructure access, and initial access brokers monetizing discovered footholds.

For most critical infrastructure organizations, the perimeter device represents simultaneously the most exposed and least monitored architectural component.

The Perimeter Exploitation Pattern

The major OT compromises of recent years share a consistent methodology:

  1. Exploit or credential-stuff a public-facing VPN/firewall. Perimeter devices are internet-facing by design, making them the most exposed architectural element.
  2. Harvest credentials. Extract Active Directory credentials from IT environments or VPN session tokens providing authenticated access.
  3. Move laterally toward OT. Leverage shared credentials, flat network segments, or identical remote access paths that OT engineers utilize.
  4. Impact. Deploy ransomware across IT and OT, exfiltrate operational data, or establish persistent access.

The specific CVE changes periodically. The pattern remains constant. The perimeter device sits at the intersection of internet accessibility and OT network access, consistently representing the weakest link.

The CVE Evidence

Since 2023, critical vulnerabilities have been actively exploited across major perimeter vendors deployed at critical infrastructure sites:

  Vendor     | CVE            | CVSS      | Description                                                       | Exploited by
  SonicWall  | CVE-2024-40766 | 9.3       | Improper access control in SonicOS SSLVPN                         | Akira, Fog
  Fortinet   | CVE-2024-47575 | 9.8       | Missing authentication in FortiManager fgfmd                      | UNC5820
  Ivanti     | CVE-2024-21887 | 9.1       | Command injection in Connect Secure (chained with CVE-2023-46805) | UNC5221
  Ivanti     | CVE-2025-22457 | 9.0 / 9.8 | Stack buffer overflow in Connect Secure                           | UNC5221
  Palo Alto  | CVE-2024-3400  | 10.0      | OS command injection in PAN-OS GlobalProtect                      | UTA0218
  Citrix     | CVE-2023-4966  | 9.4       | Session token leakage in NetScaler (Citrix Bleed)                 | LockBit 3.0

Sources: Arctic Wolf (SonicWall), Mandiant (Fortinet, Ivanti), Unit 42 (Palo Alto), CISA (Citrix). Note: Dragos links VOLTZITE and SYLVANITE to Ivanti exploitation; the specific CVE is not always confirmed.

Every score is 9.0 or higher. Each is reachable without valid credentials, either directly or, in the case of CVE-2024-21887, chained with an authentication bypass. All have been weaponized against production infrastructure. The table covers only the headline incidents; dozens of additional perimeter CVEs were weaponized in the same period.

Exploitation velocity is also increasing. Dragos documented threat groups such as SYLVANITE weaponizing edge device vulnerabilities within 48 hours of disclosure.

Case Study: SonicWall and the Small Utility Problem

SonicWall demonstrates the perimeter problem at scale. Over 500,000 organizations globally deploy SonicWall products, concentrated in small and mid-sized critical infrastructure: regional utilities, water districts, manufacturing facilities, building management operations. These are organizations that need a firewall but lack the budget for enterprise platforms such as Palo Alto or Fortinet.

The Exposure

Bishop Fox scanned the internet for SonicWall devices and found 430,363 unique SonicWall interfaces exposed to the public internet, including management and SSLVPN login pages visible to anyone doing network reconnaissance. Of those:

  • Nearly 50% ran Gen 6 firmware, an aging platform with a growing list of critical vulnerabilities
  • Approximately 28% had critical or high-severity vulnerabilities based on the firmware version they were running
  • As of early 2025, approximately 4,500 internet-facing SonicWall SSLVPN servers remained unpatched against CVE-2024-53704, a separate session-hijacking vulnerability

These are active login portals accepting authentication attempts from the public internet.
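As an added example (not from the article and not Bishop Fox's scanner), the following Python classifies external probe results into vendor portals the way an exposure scan does, so the same reconnaissance can be run against your own ranges. The HTTP observations are constructed samples on documentation addresses, and the marker table is an assumption drawn from each vendor's well-known login page paths and page content; it identifies the product, not the firmware version.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class HttpObservation:
    """What an external scanner sees for one host:port/path (constructed for this example)."""
    host: str
    port: int
    path: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Assumption: each pattern matches strings found on that vendor's login page or in its
# well-known URL. This fingerprints the product; firmware version needs a separate check.
SIGNATURES = {
    "SonicWall SSLVPN":        re.compile(r"sonicwall|netextender|/sonicui/", re.I),
    "Fortinet SSL VPN":        re.compile(r"/remote/login|fortinet|fgt_lang", re.I),
    "Palo Alto GlobalProtect": re.compile(r"global-?protect", re.I),
    "Ivanti Connect Secure":   re.compile(r"/dana-na/|pulse secure|ivanti", re.I),
    "Citrix Gateway":          re.compile(r"citrix|netscaler|/vpn/index\.html", re.I),
    "Cisco ASA WebVPN":        re.compile(r"\+CSCOE\+|webvpn", re.I),
}

def classify(obs: HttpObservation):
    """Return the vendor portal name for a probe result, or None if nothing matched."""
    haystack = " ".join([obs.path, obs.body] + [f"{k}: {v}" for k, v in obs.headers.items()])
    for vendor, pattern in SIGNATURES.items():
        if pattern.search(haystack):
            return vendor
    return None

def build_report(observations):
    """Group classified portals by vendor; unclassified hosts still need a manual look."""
    portals, unclassified = [], []
    for obs in observations:
        vendor = classify(obs)
        if vendor is None:
            unclassified.append((obs.host, obs.port))
        else:
            portals.append((obs.host, obs.port, vendor))
    return {
        "portals": portals,
        "by_vendor": Counter(v for _, _, v in portals),
        # a portal on 4433 or 8443 is exactly as exposed as one on 443
        "nonstandard_ports": [(h, p, v) for h, p, v in portals if p != 443],
        "unclassified": unclassified,
    }

# Constructed probe results (documentation addresses, not real hosts).
SAMPLES = [
    HttpObservation("203.0.113.10", 443, "/cgi-bin/welcome", 200,
                    {"Server": "SonicWALL"}, "<title>Virtual Office</title>"),
    HttpObservation("203.0.113.11", 4433, "/sonicui/7/login/", 200, {}, "<title>Login</title>"),
    HttpObservation("203.0.113.12", 443, "/remote/login", 200, {}, "<script>fgt_lang = 'en';</script>"),
    HttpObservation("203.0.113.13", 443, "/global-protect/login.esp", 200, {},
                    "<title>GlobalProtect Portal</title>"),
    HttpObservation("203.0.113.14", 443, "/dana-na/auth/url_default/welcome.cgi", 200, {},
                    "<title>Ivanti Connect Secure</title>"),
    HttpObservation("203.0.113.15", 443, "/", 200, {"Server": "nginx/1.24"},
                    "<title>Corporate site</title>"),
]

if __name__ == "__main__":
    report = build_report(SAMPLES)
    for host, port, vendor in report["portals"]:
        print(f"{host}:{port}  {vendor}")
    print("per vendor:", dict(report["by_vendor"]))
    print("non-443 portals:", report["nonstandard_ports"])
    print("unclassified:", report["unclassified"])
```

In practice the observations come from your own external scan (an open-port sweep of every owned and subsidiary range followed by an HTTP fetch of each candidate path) or from a Shodan or Censys export. Diff the resulting portal list against the asset inventory: anything present in the scan but absent from the inventory is the unmanaged exposure the article describes.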

The Exploitation

Arctic Wolf documented at least 30 confirmed Fog and Akira ransomware intrusions beginning in August 2024, all using SonicWall SSLVPN as the initial access vector. Key findings:

  • Akira accounted for approximately 75% of intrusions, with Fog responsible for the remainder
  • In most cases, ransomware encryption happened on the same day as initial network access, sometimes within hours
  • Attackers logged in from VPS hosting providers, rendering source-IP blocking ineffective
  • In separate intrusion sets, Akira and Fog affiliates used identical VPS IP addresses, suggesting shared infrastructure or coordinated affiliate operations
  • Every compromised device ran firmware vulnerable to CVE-2024-40766

The SSLVPN service is what gives this an OT dimension. These portals are how OT engineers reach SCADA systems remotely, how vendor technicians reach PLCs and HMIs, and how plant operators monitor processes from home. Compromising the SSLVPN hands a threat actor the same remote access path OT personnel use, frequently with a direct route into the OT environment.

Nation-State Groups Are Doing the Same Thing

Ransomware crews move fast and encrypt whatever they can reach. Nation-state groups are patient and focused on persistence. Both start at the perimeter.

VOLTZITE and SYLVANITE at U.S. Utilities

Dragos identified SYLVANITE, a China-nexus initial access broker, exploiting Ivanti Connect Secure VPN vulnerabilities at U.S. electric and water utilities. SYLVANITE extracted Active Directory credentials, established persistent access, and then handed those footholds to VOLTZITE for deeper OT intrusion.

VOLTZITE, elevated to Stage 2 of the ICS Cyber Kill Chain in Dragos's 2026 assessment, was subsequently observed manipulating engineering workstation software to extract configuration files and alarm data, and probing the conditions that would trigger a process shutdown. In separate operations, VOLTZITE compromised Sierra Wireless AirLink cellular gateways to gain access to U.S. midstream pipeline operations and pivoted to engineering workstations.

The VPN appliance was only the entry point. The objective lay beyond it: the industrial process itself.

Volt Typhoon: 300+ Days Through a Firewall

CISA confirmed that Volt Typhoon compromised multiple U.S. critical infrastructure organizations by exploiting public-facing network appliances. At Littleton Electric Light and Water Departments in Massachusetts, the attackers maintained persistence for over 300 days through a compromised FortiGate 300D firewall, extracting Active Directory credentials that provided paths to operational systems.

The utility had implemented network segmentation; on the diagram, the architecture looked sound. The attackers got around it regardless, because the compromised device was the firewall itself.

Operation MidnightEclipse: Root Access on the Firewall

When threat actor UTA0218 exploited CVE-2024-3400 in Palo Alto PAN-OS, they achieved more than access through the firewall. They obtained root-level code execution on the firewall and deployed a custom Python backdoor (UPSTYLE) directly on the compromised devices, per Unit 42's documentation.

The device purchased to protect the OT network became the attacker’s foothold inside it.

Coordinated Campaigns Are Targeting All Vendors Simultaneously

This is not a single-vendor or single-CVE problem. Threat actors run coordinated campaigns that hit multiple perimeter platforms from shared infrastructure at the same time.

GreyNoise: Multi-Vendor Scanning from Shared ASNs

In October 2025, GreyNoise documented coordinated scanning targeting Cisco, Palo Alto, and Fortinet devices concurrently:

  • A ~500% surge in unique IPs scanning Palo Alto GlobalProtect portals, from baseline levels to over 2,200 unique IPs peaking around day four
  • Concurrent surges against Cisco ASA devices and brute-force waves targeting Fortinet SSL VPNs
  • Shared TCP fingerprints across all three campaigns with overlapping subnets and temporal alignment
  • Two ASNs identified as primary sources: AS200373 (3xK Tech GmbH) and AS11878 (tzulo, Inc.)

GreyNoise noted that historically, such scanning surges precede new vulnerability disclosures within six weeks. The scanning represents preparation, not opportunism.

Black Basta BRUTED: Automated Multi-Vendor Brute Force

Analysis of leaked Black Basta internal communications by EclecticIQ revealed BRUTED, a PHP-based automated brute-forcing framework operational since at least 2023, targeting seven perimeter platforms:

  • SonicWall NetExtender
  • Palo Alto GlobalProtect
  • Cisco AnyConnect
  • Fortinet SSL VPN
  • Citrix NetScaler / Citrix Gateway
  • Microsoft RDWeb
  • WatchGuard SSL VPN

BRUTED extracts SSL certificate Common Names and Subject Alternative Names from target devices to generate domain-contextual password guesses, enumerates VPN-related subdomain prefixes, and routes its traffic through SOCKS5 proxies. This is industrialized perimeter compromise: automated, multi-vendor, and running continuously.

The Scale of the Problem

Taken individually, the SonicWall, Ivanti, Fortinet, and Palo Alto cases are treated as isolated incidents: a CVE is published, the vendor issues a patch, defenders prioritize the update, and the cycle resets. Step back and the pattern is hard to miss.

The share of ICS/OT vulnerabilities that are perimeter-facing rose from 16% to 22% in a single year, per the Dragos 2025 Year in Review. That is not an anomaly. It reflects industries continually bolting remote access, cloud connectivity, and vendor management portals onto environments designed for isolation. Each new integration adds another edge device, and every edge device is one CVE away from becoming the front door.

The groups exploiting that access are multiplying too. Dragos tracked 119 ransomware groups targeting industrial organizations in 2025, a 49% increase over the prior year, collectively impacting over 3,300 industrial organizations globally. Those figures exclude nation-state groups like VOLTZITE and SYLVANITE, which operate quietly and rarely show up in ransomware incident reporting.

Meanwhile, the attack surface itself is enormous and largely unmonitored. Bishop Fox's scan found 430,363 exposed SonicWall interfaces for a single vendor. Add Fortinet, Palo Alto, Ivanti, Cisco, and Citrix and the count of internet-facing perimeter devices at critical infrastructure sites is far larger. Forescout's honeypot study quantifies the resulting pressure: over 60 million inbound requests in 90 days. Most were automated scanning and SNMP enumeration, but roughly 3.5 million were substantive attack events: brute-force attempts, exploit payloads, and malware delivery. Of the targeted attacks, 72% were SSH/Telnet brute force and 24% were HTTP/HTTPS exploits, overwhelmingly aimed at perimeter devices.

Average dwell time in OT environments is 42 days (Dragos): six weeks between initial compromise and detection, ample time to move from VPN appliance to engineering workstation to process controller. With fewer than 10% of OT networks running any form of network monitoring, most of that movement goes unseen.

Why OT Perimeter Devices Are Uniquely Vulnerable

Multiple factors render perimeter devices at critical infrastructure sites uniquely targetable:

  1. They are internet-facing by design. Unlike PLCs and HMIs, which end up on the internet by accident, VPNs and firewalls are exposed deliberately. They have to be. That guarantees they appear in every attacker's scan results.
  2. They straddle the IT/OT boundary. Compromising a perimeter device puts an attacker exactly where a remote OT engineer sits, often with more access.
  3. Patching is slow. Perimeter devices at OT sites are often managed by small IT teams or MSPs. Patching needs a maintenance window, and nobody volunteers to be the person who broke remote access to the plant. Bishop Fox found 28% of exposed SonicWall devices running vulnerable firmware.
  4. MFA adoption is low. Arctic Wolf's data shows that the SonicWall SSLVPN interfaces exploited by Akira and Fog lacked multi-factor authentication. For many small utilities and manufacturers, VPN MFA is still a next-quarter project.
  5. Nobody is watching. Fewer than 10% of OT networks implement any form of network monitoring, per Dragos. Perimeter devices may generate logs, but logs nobody reviews are how 300-day dwell times happen.

What Asset Owners Should Do

Immediate

  • Discover every internet-facing perimeter device. Not just the ones in the inventory. External scanning for management interfaces and SSLVPN portals across all IP ranges and subsidiaries is the starting point.
  • Patch perimeter devices first. A critical CVE in your VPN or firewall vendor warrants patching within days, not weeks; threat groups weaponize edge device vulnerabilities within 48 hours of disclosure.
  • Enforce MFA on all VPN connections. This single control blocks the majority of credential-based attacks. There is no acceptable reason for an SSLVPN that reaches OT to lack MFA.
  • Audit VPN access policies. Determine which remote access users can reach OT network segments and cut that to the minimum required. Remote users should land in a restricted zone, not directly on the OT network.
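The policy audit in "Audit VPN access policies" above, as an added example that is not from the article or from any firewall vendor: a small first-match rule evaluator that checks whether addresses from the VPN client pool can open OT flows directly, with the flat ruleset that turns a VPN compromise into an OT compromise beside a jump-zone ruleset that does not. The rules, zone names and addresses are constructed; the port list uses the standard Modbus/TCP, DNP3, EtherNet/IP and S7comm ports plus RDP and SSH.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str          # source CIDR
    dst: str          # destination CIDR
    ports: tuple      # TCP destination ports; () means any port
    action: str       # "allow" or "deny"
    comment: str = ""

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def first_match(rules, src_ip, dst_ip, port):
    """Evaluate a flow the way most firewalls do: first matching rule wins, implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in _net(r.src) and d in _net(r.dst) and (not r.ports or port in r.ports):
            return r.action == "allow", r
    return False, None

# Ports worth asking about: industrial protocols plus the admin protocols used to reach EWS/HMI.
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm",
            3389: "RDP", 22: "SSH"}

def vpn_to_ot_exposure(rules, vpn_pool, ot_nets):
    """List (ot_net, port, protocol, rule comment) for every OT flow a VPN client can open directly.
    One representative address per network suffices because these rules are CIDR-to-CIDR;
    if a ruleset carves out single hosts, test those hosts explicitly."""
    src = str(next(_net(vpn_pool).hosts()))
    findings = []
    for ot in ot_nets:
        dst = str(next(_net(ot).hosts()))
        for port, name in OT_PORTS.items():
            allowed, rule = first_match(rules, src, dst, port)
            if allowed:
                findings.append((ot, port, name, rule.comment))
    return findings

# Constructed addressing for a small site.
VPN_POOL  = "10.99.0.0/24"          # addresses handed out to SSLVPN clients
JUMP_ZONE = "10.60.1.0/24"          # hardened jump hosts, the only thing remote users should see
OT_NETS   = ["10.50.0.0/16", "192.168.200.0/24"]

# The flat policy: remote users can reach everything, industrial protocols included.
WEAK_RULES = [
    Rule(VPN_POOL, "10.0.0.0/8",     (), "allow", "remote users -> all internal"),
    Rule(VPN_POOL, "192.168.0.0/16", (), "allow", "remote users -> plant LANs"),
]

# Remote users land in the jump zone; only jump hosts talk industrial protocols to OT.
HARDENED_RULES = [
    Rule(VPN_POOL,  JUMP_ZONE,        (3389, 22),   "allow", "remote users -> jump hosts only"),
    Rule(VPN_POOL,  "10.0.0.0/8",     (),           "deny",  "no direct VPN -> internal"),
    Rule(VPN_POOL,  "192.168.0.0/16", (),           "deny",  "no direct VPN -> plant LANs"),
    Rule(JUMP_ZONE, "10.50.0.0/16",   (502, 44818), "allow", "jump hosts -> OT, industrial protocols only"),
]

if __name__ == "__main__":
    for label, rules in (("flat", WEAK_RULES), ("jump-zone", HARDENED_RULES)):
        findings = vpn_to_ot_exposure(rules, VPN_POOL, OT_NETS)
        print(f"{label}: {len(findings)} direct VPN->OT flows permitted")
        for ot, port, name, why in findings:
            print(f"  {ot} tcp/{port} ({name}) via rule '{why}'")
```

Run against an export of the real policy (most vendors can dump rules as CSV or JSON that maps onto the Rule fields), the output is the list of OT flows a stolen VPN credential buys an attacker today. The hardened set still leaves the jump host as a target, which is the point: a jump host with MFA, session recording and no industrial protocols exposed to the VPN pool is a far smaller problem than a flat /8.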

Structural

  • Treat perimeter devices as OT-critical assets. A firewall or VPN appliance that controls access to the OT environment is not IT infrastructure. Include it in OT risk assessments, OT asset inventories, and OT incident response plans.
  • Monitor for exploitation indicators. Watch SSLVPN authentication for off-hours logins, logins from unexpected geographies, rapid cycling through usernames from one source, and connections from VPS hosting providers.
  • Assume breach. With 119 ransomware groups targeting industrial organizations and nation-state actors sitting in networks for months, your perimeter is being tested. Detection capability is what matters.
  • Map to compliance frameworks. Electric sector operators must maintain NERC CIP electronic security perimeters around BES Cyber Systems. Every sector benefits from the IEC 62443 zone and conduit model, which explicitly addresses the perimeter devices bridging trusted and untrusted networks.
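The indicators listed under "Monitor for exploitation indicators" run over sample SSLVPN authentication logs, as an added example that is not from the article or from any vendor. The log line format, the ASN table and the business-hours window are constructed assumptions (a real SonicWall or Fortinet syslog uses different field names, and ASN data would come from a GeoIP database). The rapid-credential-cycling rule is the behaviour the BRUTED framework described earlier produces when it walks through usernames from one source, and a success from that same source is the alert worth paging on.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed line format (assumption; a real appliance's syslog differs):
# <ISO8601 UTC> <device> sslvpn auth user=<name> src=<ip> result=<success|failure>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) sslvpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)

# Constructed stand-in for an ASN/GeoIP database: prefix -> (ASN, org, is_hosting_provider).
ASN_DB = {
    "198.51.100.0/24": ("AS64501", "ExampleHosting VPS", True),
    "203.0.113.0/24":  ("AS64502", "Regional ISP", False),
}
BUSINESS_HOURS = range(6, 20)         # 06:00-19:59 UTC; tune to the site's shift pattern
SPRAY_WINDOW = timedelta(minutes=10)  # distinct usernames from one source within this window ...
SPRAY_USERS = 5                       # ... at or above this count is credential cycling

def asn_lookup(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, info in ASN_DB.items():
        if addr in ipaddress.ip_network(prefix):
            return info
    return ("AS0", "unknown", False)

def parse(lines):
    """Parse and time-order events; unparseable lines are dropped (count them in a real pipeline)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect(lines):
    """Return alerts for the article's SSLVPN indicators: credential cycling from one source,
    a success from a source that was cycling, a success from a hosting provider, an off-hours success."""
    alerts = []
    failures = defaultdict(list)      # src -> [(ts, user)] inside the spray window
    spraying = set()
    for e in parse(lines):
        src, user, ts = e["src"], e["user"], e["ts"]
        if e["result"] == "failure":
            window = [(t, u) for t, u in failures[src] if ts - t <= SPRAY_WINDOW] + [(ts, user)]
            failures[src] = window
            distinct = {u for _, u in window}
            if len(distinct) >= SPRAY_USERS and src not in spraying:
                spraying.add(src)
                alerts.append({"kind": "credential_cycling", "src": src, "users": len(distinct), "ts": ts})
            continue
        asn, org, hosting = asn_lookup(src)
        base = {"src": src, "user": user, "ts": ts, "asn": asn, "org": org}
        if src in spraying:           # the high-fidelity one: the guessing worked
            alerts.append({"kind": "success_after_spray", **base})
        if hosting:
            alerts.append({"kind": "hosting_provider_success", **base})
        if ts.hour not in BUSINESS_HOURS:
            alerts.append({"kind": "off_hours_success", **base})
    return alerts

# Constructed sample log: one normal daytime login, then a BRUTED-style username walk from
# a hosting-provider address that ends in a successful off-hours login as a vendor account.
SAMPLE_LOG = [
    "2025-11-03T09:12:01Z fw-plant1 sslvpn auth user=m.ortiz src=203.0.113.40 result=success",
    "2025-11-03T02:10:00Z fw-plant1 sslvpn auth user=alice src=198.51.100.23 result=failure",
    "2025-11-03T02:10:05Z fw-plant1 sslvpn auth user=bob src=198.51.100.23 result=failure",
    "2025-11-03T02:10:10Z fw-plant1 sslvpn auth user=carol src=198.51.100.23 result=failure",
    "2025-11-03T02:10:15Z fw-plant1 sslvpn auth user=dave src=198.51.100.23 result=failure",
    "2025-11-03T02:10:20Z fw-plant1 sslvpn auth user=erin src=198.51.100.23 result=failure",
    "2025-11-03T02:11:02Z fw-plant1 sslvpn auth user=ot-vendor src=198.51.100.23 result=success",
    "2025-11-03T14:00:00Z fw-plant1 sslvpn auth user=m.ortiz src=203.0.113.40 result=failure",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["kind"], a["src"], a.get("user", ""), a["ts"].isoformat())
```

The single daytime failure from the ISP address produces nothing, which is the point of counting distinct usernames rather than raw failures. Because the Arctic Wolf cases went from login to encryption the same day, this logic needs to run on a streaming or near-real-time feed from the appliance, not on a nightly batch.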

Where OT Compromises Actually Start

For years the OT security community has prioritized PLC vulnerabilities, protocol insecurity, and ICS malware. Those are genuine concerns. But look at where OT compromises actually start and the answer is less exotic: a vulnerable VPN appliance, a stolen credential, and a flat network that lets an attacker walk from IT into OT.

Every major perimeter vendor has had a compromise. The campaigns are coordinated and automated. Nation-state groups and ransomware operators use the same entry points. And 430,000+ firewall interfaces sit exposed on the internet.

OT security starts with knowing what your perimeter exposes. Not the architecture diagram: what the internet actually sees.

Frequently Asked Questions

What percentage of OT attacks target perimeter devices?

According to Forescout Vedere Labs research on OT honeypot networks, 67% of malicious OT activity targets perimeter devices (routers and firewalls) rather than PLCs and HMIs. Attackers prioritize the network equipment that provides access to industrial controllers over the controllers themselves.

Which perimeter vendors are most commonly exploited in OT attacks?

Since 2023, critical vulnerabilities have been actively exploited across SonicWall, Fortinet, Ivanti, Palo Alto, Citrix, and Cisco, all with CVSS scores of 9.0 or higher. SonicWall alone has 430,000+ exposed interfaces. Attackers include ransomware groups (Akira, Fog, LockBit) and nation-state actors (VOLTZITE, SYLVANITE, Volt Typhoon).

How long do attackers dwell in OT networks before detection?

The average OT environment dwell time is 42 days according to Dragos. In some cases, like Volt Typhoon at Littleton Electric Light and Water Departments, attackers maintained persistence for over 300 days through a compromised FortiGate firewall. With fewer than 10% of OT networks running any monitoring, most lateral movement goes undetected.

What should asset owners do first to secure their OT perimeter?

Start with three immediate actions: (1) Discover every internet-facing perimeter device through external scanning, not just what’s in your inventory. (2) Patch perimeter devices first. Threat groups weaponize edge device vulnerabilities within 48 hours of disclosure. (3) Enforce MFA on all VPN connections. This single control blocks the majority of credential-based attacks used by ransomware operators.

How does external attack surface management help protect OT perimeters?

External attack surface management (EASM) continuously discovers and monitors internet-facing assets, including VPN portals, firewall management interfaces, and remote access services, from an attacker’s perspective. For OT environments, EASM identifies exposed perimeter devices before threat actors find them, correlates them against known CVEs and active exploitation campaigns, and provides prioritized remediation guidance aligned with frameworks like NERC CIP and IEC 62443.

ShiftSix Research Team

Mapping OT/ICS attack surfaces from the outside in, combining external exposure data with threat intelligence for critical infrastructure operators.

Sources & References

  1. Dragos. 2026 OT Cybersecurity Year in Review
  2. Forescout Vedere Labs. Sierra:21. Vulnerabilities in OT/IoT Routers
  3. Bishop Fox. State of SonicWall Exposure
  4. Arctic Wolf. Akira and Fog Ransomware via SonicWall
  5. Mandiant. Ivanti Connect Secure Zero-Day Exploitation (UNC5337)
  6. EclecticIQ. Inside BRUTED: Black Basta Edge Device Framework
