
Exposing Invisible Links: The 6 IT-OT Bridges That Could Compromise Your Operations

Anthony Mondelli
Alaska OT/ICS Cybersecurity Lead
March 12, 2026

In the world of industrial cybersecurity, the notion of an "air gap" between Information Technology (IT) and Operational Technology (OT) networks has long been touted as a fundamental safeguard. But let's be clear: the air gap is a story, not a control. Everyday workflows inevitably create crossings between these domains, whether through shared tools, data exchanges, or human processes. Attackers don't need to directly "hack the PLC" to cause havoc; they can simply traverse existing bridges in identity management, remote access, or data flows. As organizations in regulated industries like manufacturing, energy, and utilities grapple with increasing convergence, recognizing these hidden bridges is essential to building resilient defenses.

What Is a Hidden Bridge?

At its core, a hidden bridge is any pathway that allows access, identity, or data to move between IT and OT environments. These aren't always deliberate vulnerabilities but often emerge from practical necessities. Bridges can be technical, such as network connections or shared software; human, like engineers using the same laptop across both sides; or process-based, including undocumented policies that permit data sharing.

In regulated sectors, where compliance with standards like NIST SP 800-82 or ISA/IEC 62443 is paramount, these bridges can go unnoticed precisely because they support critical functions. Left unmanaged, however, they become conduits for threats, enabling lateral movement from a compromised IT asset to sensitive OT controls.

Why Bridges Exist (And Why Removing Them Blindly Backfires)

Bridges aren't accidents; they stem from legitimate business needs. Removing them without consideration can disrupt operations and erode efficiency. Here's why they persist:

They are business drivers: Organizations rely on IT-OT integration for reporting, analytics, billing, and compliance. For instance, pulling production data into enterprise systems enables real-time dashboards that inform executive decisions and meet regulatory reporting requirements.

They support troubleshooting: Vendors and engineers need access for diagnostics and day-to-day workflows. In remote or complex environments, this might involve temporary connections to diagnose issues in programmable logic controllers (PLCs) or supervisory control and data acquisition (SCADA) systems.

They save time under constraint: Remote sites, limited staffing, and uptime pressures force compromises. A small team managing multiple facilities can't afford siloed systems when quick interventions are needed to prevent downtime.

The key message for cybersecurity leaders: bridges are normal in modern operations. Unmanaged ones, however, introduce unnecessary risks. Blind elimination could lead to operational silos, increased costs, and non-compliance. Instead, focus on governance to make them defensible.

The Most Common Hidden Bridges and Why You Should Assume These Exist In Your Organization

In our assessments across regulated industries, we consistently uncover these bridges. Assuming they're present in your environment is a safe bet, and proactive identification is key.

Identity: Shared Active Directory (AD) domains, admin groups, or service accounts that span IT and OT. These allow credentials harvested from IT to grant OT access.

Remote Access: VPNs, Remote Desktop Protocol (RDP), or third-party support tools with "temporary" firewall exceptions that become permanent.

Data: Historians, OT reporting servers, or cloud connectors that pull sensor data into IT analytics platforms, often with bidirectional flows.

Endpoints: Engineering laptops or workstations that connect to both networks, or USB-based workflows for updates and configurations.

Wireless/Out-of-Band: Cellular modems for remote monitoring, unmanaged Wi-Fi access points, or switches that inadvertently link segments.

Process: Undocumented firewall rules without owners or review dates, leading to permissive paths that accumulate over time.

These elements are ubiquitous in sectors like utilities and manufacturing, where legacy OT systems meet modern IT demands.

3 Common Paths Attackers Take with Bridges

Attackers exploit these bridges through opportunistic, low-effort tactics rather than sophisticated zero-days. Here are three common scenarios drawn from real-world incidents:

Scenario 1 - IT Phishing to OT Pivot: A phishing email compromises an IT user's credentials. The attacker uses these to access a VPN or jump host, then moves to an OT workstation, potentially altering control settings.

Scenario 2 - Vendor Access Exploitation: A vendor's privileged remote session is hijacked or abused for lateral movement, escalating from support tools to core OT assets.

Scenario 3 - DMZ Compromise and Pivot: A historian server in the demilitarized zone (DMZ) is breached via misconfigured rules, allowing the attacker to tunnel into the OT network and disrupt processes.

These paths highlight why IT-OT convergence demands integrated security strategies, aligning with frameworks like the Cybersecurity and Infrastructure Security Agency (CISA) guidelines.

How to Find Bridges Without Breaking Operations

Discovery doesn't require disruptive scans. Non-intrusive methods can reveal what is actually happening on the boundary without halting operations. Here are a few we recommend at Koniag Cyber:

Interviews: Engage ops, engineering, IT, and vendors with questions like "How does work really get done?" to uncover undocumented practices.

Passive Validation: Review firewall rules, VPN logs, routing tables, and NetFlow data to map actual traffic without active probing.

Identity Review: Audit OT-capable accounts, groups, stale permissions, and service accounts for cross-domain risks.

Compare Diagrams to Reality: Cross-reference network diagrams with live configs and traffic patterns to spot discrepancies.

This approach minimizes downtime while building an accurate picture, essential for compliance audits.
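As an added illustration (not code from the article or from Koniag Cyber), the Python script below performs the passive validation and diagram-versus-reality comparison described above over a handful of constructed NetFlow-style records. The zone address ranges, the declared conduits and the flow records are assumptions made for this example; to use it on a real export, replace SAMPLE_FLOWS with flows parsed from your collector.

```python
import ipaddress
from collections import defaultdict

# Zone boundaries are assumptions for this example, not addresses from the article.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "OT": ipaddress.ip_network("10.3.0.0/16"),
}

# Destination ports that indicate interactive or file access rather than telemetry.
INTERACTIVE_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5900: "vnc"}

# Conduits the (hypothetical) network diagram declares: (src_zone, dst_zone, dst_port).
DECLARED_CONDUITS = {("IT", "DMZ", 1433), ("DMZ", "OT", 502)}

# Constructed NetFlow-style records: src,dst,dst_port,proto,bytes_out,bytes_in
SAMPLE_FLOWS = """\
10.1.20.15,10.2.0.10,1433,tcp,120000,5000
10.2.0.10,10.3.5.40,502,tcp,900,1200
10.1.44.7,10.3.5.41,3389,tcp,250000,4100000
10.1.20.15,10.1.20.16,443,tcp,3000,9000
10.3.5.41,10.1.44.7,445,tcp,7000,2000
10.1.9.2,10.3.0.1,22,tcp,4000,12000
"""


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, proto, out_b, in_b = line.split(",")
        flows.append({"src": src, "dst": dst, "port": int(port), "proto": proto,
                      "bytes_out": int(out_b), "bytes_in": int(in_b)})
    return flows


def find_crossings(flows):
    """Keep only flows whose endpoints sit in different zones and tag each with
    whether it bypasses the DMZ, whether it looks interactive, and whether the
    diagram admits it."""
    crossings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone == dst_zone:
            continue
        crossings.append({
            **f,
            "src_zone": src_zone,
            "dst_zone": dst_zone,
            "skips_dmz": {src_zone, dst_zone} == {"IT", "OT"},
            "interactive": INTERACTIVE_PORTS.get(f["port"]),
            "declared": (src_zone, dst_zone, f["port"]) in DECLARED_CONDUITS,
        })
    return crossings


def bidirectional_pairs(crossings):
    """Host pairs that initiate connections in both directions: two-way bridges,
    not one-way data pulls."""
    initiators = defaultdict(set)
    for c in crossings:
        initiators[frozenset((c["src"], c["dst"]))].add(c["src"])
    return sorted(tuple(sorted(pair)) for pair, srcs in initiators.items() if len(srcs) > 1)


def summarize(text):
    crossings = find_crossings(parse_flows(text))
    return {
        "crossings": len(crossings),
        "skips_dmz": sum(c["skips_dmz"] for c in crossings),
        "undeclared": [(c["src"], c["dst"], c["port"]) for c in crossings if not c["declared"]],
        "interactive": [(c["src"], c["dst"], c["interactive"]) for c in crossings if c["interactive"]],
        "bidirectional": bidirectional_pairs(crossings),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

On the constructed sample, three of the five zone crossings skip the DMZ entirely, all three are interactive protocols rather than data pulls, none of them appears on the declared conduit list, and one IT workstation and one OT host talk in both directions. Those are the rows to carry into interviews: somebody uses that RDP and SMB path, and the diagram does not know about it.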

Prioritize Bridges with a Simple Ranking

While illuminating your bridges is a key step, you can easily be overwhelmed by the volume you uncover. Keep this phrase in mind: not all bridges are equal. Use straightforward scoring to weigh them against one another.

We suggest this straightforward ranking formula:

Impact (e.g., potential safety incidents or downtime) + Exposure (reachability from external threats) + Control Gap (absence of MFA, logging, or time bounds). Rate each on a 1-5 scale and sum. Note that the third term scores the weakness of the controls, not their strength: a bridge with MFA, logging and a time bound rates a 1, one with none of them rates a 5, so that stronger controls lower the total rather than raise it. The higher the sum, the more urgently that bridge should be addressed.

Once ranked, start with your top 5 bridges. Gain momentum, document your process and become more efficient with it as you learn, then move on to the next prioritized batch.
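The following Python is an added example, not part of the article or Koniag Cyber's method: a minimal bridge register with the scoring above applied to it. It also carries the fields the 30-day plan later asks for in a bridge register (owner, purpose, controls, review date) and flags the governance gaps a numeric score cannot express, such as a missing owner or an overdue review. The register entries, the 1-5 ratings, the control-gap mapping and the quarterly review interval are all assumptions made for the example.

```python
from datetime import date

REVIEW_INTERVAL_DAYS = 90   # assumption: every bridge is re-reviewed at least quarterly
CONTROLS = ("mfa", "logging", "time_bound")  # the three controls the article names
AS_OF = date(2026, 3, 12)   # assumption: date of the assessment


def control_gap(controls):
    """Rate the absence of controls on a 1-5 scale so that a weaker bridge
    scores higher. The mapping (all present -> 1, none -> 5) is an assumption."""
    missing = sum(1 for c in CONTROLS if not controls.get(c, False))
    return 1 if missing == 0 else 2 + missing


def score(entry, today):
    """Impact + Exposure + control gap, plus governance flags the score does
    not capture (no owner, review overdue)."""
    total = entry["impact"] + entry["exposure"] + control_gap(entry["controls"])
    flags = []
    if not entry.get("owner"):
        flags.append("no owner")
    last = entry.get("last_review")
    if last is None or (today - last).days > REVIEW_INTERVAL_DAYS:
        flags.append("review overdue")
    return total, flags


def rank(register, today, top_n=5):
    """Highest score first; ties broken by exposure, then name, for a stable order."""
    rows = []
    for entry in register:
        total, flags = score(entry, today)
        rows.append({"name": entry["name"], "score": total,
                     "exposure": entry["exposure"], "flags": flags})
    rows.sort(key=lambda r: (-r["score"], -r["exposure"], r["name"]))
    return rows[:top_n]


# Constructed register: six bridges of the kinds the article lists.
REGISTER = [
    {"name": "Vendor VPN into OT switch", "purpose": "vendor support", "owner": "",
     "impact": 5, "exposure": 5, "controls": {"mfa": False, "logging": True, "time_bound": False},
     "last_review": None},
    {"name": "Historian pull DMZ->OT", "purpose": "production reporting", "owner": "Historian team",
     "impact": 3, "exposure": 2, "controls": {"mfa": False, "logging": True, "time_bound": False},
     "last_review": date(2026, 1, 15)},
    {"name": "Shared AD admin group", "purpose": "IT/OT administration", "owner": "IAM",
     "impact": 5, "exposure": 3, "controls": {"mfa": True, "logging": True, "time_bound": False},
     "last_review": date(2025, 6, 1)},
    {"name": "Dual-homed engineering laptop", "purpose": "PLC programming", "owner": "Engineering",
     "impact": 4, "exposure": 4, "controls": {},
     "last_review": date(2026, 2, 20)},
    {"name": "Cellular modem at remote site", "purpose": "remote monitoring", "owner": "",
     "impact": 4, "exposure": 5, "controls": {"mfa": False, "logging": False, "time_bound": False},
     "last_review": None},
    {"name": "Jump host RDP", "purpose": "brokered OT access", "owner": "OT security",
     "impact": 4, "exposure": 3, "controls": {"mfa": True, "logging": True, "time_bound": True},
     "last_review": date(2026, 3, 1)},
]

if __name__ == "__main__":
    for row in rank(REGISTER, AS_OF):
        print(f'{row["score"]:>2}  {row["name"]:<32} {", ".join(row["flags"]) or "ok"}')
```

Note what the ranking does with the two bridges that both score 14: the tie is broken on exposure and then name, so the order is deterministic run to run, and both carry the "no owner" and "review overdue" flags that should be fixed in the bridge register before any technical control is discussed. The properly brokered jump host, with all three controls present, falls out of the top 5 entirely.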

Practical Patterns and Controls That Work with Limited or No Disruption

There are proven, widely implemented controls that secure bridges without overhauling infrastructure. Know them and use them to reach a better security posture.

  • Brokered Access: Use jump hosts with MFA, time-bound sessions, allowlists, and full logging to mediate remote connections.
  • Segmentation: Define clear zones and conduits per Purdue Model, enforcing strict data flows.
  • Separate Privileged Identities: Apply least privilege, isolating OT accounts and groups from their IT counterparts.
  • Monitoring: Detect anomalous bridge behaviors, such as unexpected remote sessions, new devices, or config changes, using SIEM tools.

Use these established patterns to enhance resilience in regulated environments and reduce the mean time to detect (MTTD) threats.
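To show what the brokered-access and monitoring patterns look like as detection logic, here is an added Python example (not from the article or Koniag Cyber) that applies a simple policy to constructed session records: every session reaching OT must originate from the jump host, come from an inventoried device, carry MFA, fall inside an approved window and stay within its time bound. The log format, the addresses, the inventory and the policy thresholds are assumptions for the example; a real deployment would feed it from the VPN or jump-host log source in the SIEM.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Policy values are assumptions for this example.
JUMP_HOSTS = {"10.2.0.5"}                                # the only approved broker into OT
OT_NETWORK = ipaddress.ip_network("10.3.0.0/16")         # OT control network
KNOWN_DEVICES = {"10.2.0.5", "10.1.44.7", "10.1.9.2"}    # asset inventory
MAX_SESSION = timedelta(hours=4)                         # time bound per session
APPROVED_HOURS = range(8, 18)                            # 08:00-17:59 local

LINE_RE = re.compile(
    r"(?P<ts>\S+) session user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) mfa=(?P<mfa>yes|no) dur=(?P<dur>\d+)s"
)

# Constructed session records in an assumed VPN/jump-host log format.
SAMPLE_LOG = """\
2026-03-10T09:15:02 session user=jdoe src=10.2.0.5 dst=10.3.5.41 proto=rdp mfa=yes dur=1800s
2026-03-10T23:40:11 session user=vendor1 src=10.2.0.5 dst=10.3.5.40 proto=ssh mfa=yes dur=600s
2026-03-11T10:02:45 session user=asmith src=10.1.44.7 dst=10.3.5.41 proto=rdp mfa=no dur=3600s
2026-03-11T13:30:00 session user=jdoe src=10.2.0.5 dst=10.3.5.42 proto=rdp mfa=yes dur=21600s
2026-03-11T14:05:09 session user=svc_hist src=10.1.200.9 dst=10.3.0.1 proto=ssh mfa=yes dur=120s
2026-03-11T15:00:00 session user=jdoe src=10.1.44.7 dst=10.1.20.16 proto=rdp mfa=no dur=900s
"""


def parse_sessions(text):
    sessions = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unparsable lines are skipped, not silently trusted
        d = m.groupdict()
        sessions.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "user": d["user"], "src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "mfa": d["mfa"] == "yes",
            "duration": timedelta(seconds=int(d["dur"])),
        })
    return sessions


def findings_for(s):
    """Apply the brokered-access policy to one session that reaches OT."""
    findings = []
    if s["src"] not in JUMP_HOSTS:
        findings.append("bypasses jump host")
    if s["src"] not in KNOWN_DEVICES:
        findings.append("unknown source device")
    if not s["mfa"]:
        findings.append("no MFA")
    if s["ts"].hour not in APPROVED_HOURS:
        findings.append("outside approved window")
    if s["duration"] > MAX_SESSION:
        findings.append("exceeds time bound")
    return findings


def review(text):
    """Return only OT-bound sessions that violate at least one policy rule."""
    flagged = []
    for s in parse_sessions(text):
        if ipaddress.ip_address(s["dst"]) not in OT_NETWORK:
            continue   # IT-to-IT sessions are out of scope for this policy
        f = findings_for(s)
        if f:
            flagged.append({"user": s["user"], "src": s["src"], "dst": s["dst"], "findings": f})
    return flagged


if __name__ == "__main__":
    for r in review(SAMPLE_LOG):
        print(f'{r["user"]:<9} {r["src"]:<12} -> {r["dst"]:<10} {"; ".join(r["findings"])}')
```

Four of the six constructed sessions are flagged: a vendor session at 23:40, an engineering workstation reaching an OT host directly without MFA, a legitimate jump-host session that ran for six hours, and a session from a device that is not in the inventory at all. Each one maps to a bridge type from the list above, and each is the kind of event that should raise an alert rather than sit unread in a log.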

What You Can Do Right Now: 30-Day Plan

If the gaps described above exist and persist at your organization, you can kick-start improvements with a 30-day plan that delivers measurable progress. Take these actions:

  • Inventory all OT-capable remote access points and eliminate unknowns.
  • Enforce MFA on every path reaching OT.
  • Create a bridge register: Document each with owner, purpose, controls, and review date.
  • Tighten boundary rules, removing overly permissive paths.

This sprint builds momentum toward comprehensive governance and shows you what to prioritize and accomplish next.

Make Bridges Visible, Then Make Them Defensible

Bridges between IT and OT are necessary for efficient, compliant operations. The real control lies in governance: making them visible through assessment, preventing misuse with robust measures, detecting anomalies early, and enabling swift response. By addressing hidden bridges systematically, organizations in regulated industries can achieve true resilience, safeguarding critical infrastructure against evolving threats. If your team needs support in this area, consider a tailored assessment to align your defenses with best practices.
