OT Security: How to Protect Industrial Systems from Double Extortion Ransomware

In June 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint fact sheet warning US critical infrastructure entities and other organizations about disruptive cyberattacks against Internet-connected operational technology (OT) [1]. Among the threats it describes are attacks in which adversaries steal a victim's sensitive data and then leak it online.

CISA is referring to double extortion ransomware attacks.

This blog explores how double extortion attacks work and highlights OT security best practices that can help organizations safeguard their OT systems from these dangerous attacks.

What OT Security Covers and Why the Attack Surface Has Expanded

Operational Technology refers to programmable systems that monitor and control physical devices and industrial processes, which can span from manufacturing, utilities, and energy to transportation, healthcare, and beyond. As a whole, OT encompasses Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, distributed control systems, sensors, and connected industrial equipment.

Legacy OT deployments were air-gapped by design: isolated from external networks, so that remote attacks were impractical. Because that isolation limited exposure to outside cyber threats, dedicated OT security was treated as unnecessary for a long time.

Times have changed. Few OT systems are air-gapped today; IT-OT convergence, remote access, and direct connectivity to the internet have expanded the OT attack surface and exposed systems that were once isolated by default to threats such as double extortion ransomware. Robust OT security is now critical to the continuity, integrity, and safety of industrial operations and critical infrastructure.

How Double Extortion Ransomware Works Against OT Environments

A double extortion ransomware attack puts pressure on the victim on two fronts:

  1. Attackers first locate the victim's sensitive data and exfiltrate it to infrastructure they control. This is the first extortion lever: the threat to leak or sell what was stolen.

  2. They then deploy the ransomware to encrypt systems. This is the second lever: the victim loses access to its data and operations until it recovers or pays.

Traditional ransomware follows a straightforward pattern: gain access, deploy encryption, and demand payment for the decryption key. The attack is primarily an availability problem. If an organization restores from backup in this case, the attacker’s leverage disappears.

Double extortion adds a second layer before the encryption step. Attackers first move laterally through the environment, locate sensitive data, and exfiltrate it to their own infrastructure. Only then do they deploy ransomware. The victim now faces two simultaneous threats: encrypted systems they can’t access, and stolen data the attacker can publish, sell, or use as leverage in a secondary extortion campaign.

Restoring from backup addresses the encryption problem but does nothing about the exfiltrated data. This is what transforms ransomware from an operational disruption with a defined recovery path into a legal, regulatory, and reputational exposure with an indefinite timeline. For OT environments specifically, the exfiltrated data can include network diagrams, equipment configurations, and process documentation that give adversaries a detailed map of the physical environment long after the immediate incident is resolved.

Three OT Security Practices That Reduce Double Extortion Risk

Network Segmentation

Complete air-gapping is no longer a realistic option for most OT environments, making network segmentation the practical alternative. Dividing the OT network into defined zones based on asset type, criticality, or risk level, with explicitly permitted conduits between them (the zone-and-conduit model described in ISA/IEC 62443 [2]), limits how far an attacker can move after gaining initial access. An attacker who compromises one zone does not automatically have a path to everything else.

For double extortion specifically, segmentation limits how much data an attacker can reach and exfiltrate from any one foothold. Exfiltration needs time and a stable path out of the network, and segments with restricted communication paths make both harder to obtain without being noticed. Segmentation does not make lateral movement impossible, but it slows attackers down and, when the conduits between zones are monitored, gives security teams the visibility to detect and contain them before exfiltration completes.
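As an added illustration (not code from the original post or from BreachLock), the following Python script models a zone-and-conduit policy for a small OT network and audits a handful of constructed flow records against it. The zone ranges, permitted conduits, host addresses and the 50 MB threshold are all assumptions chosen for the example. It reports two things separately: flows that violate the conduit policy, and hosts whose cumulative outbound volume toward higher zones looks like staging or exfiltration even when the conduit itself is permitted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone layout in the ISA/IEC 62443 zone-and-conduit style.
# Address ranges are constructed for this example.
ZONES = {
    "control":     ip_network("10.40.0.0/24"),   # PLCs, RTUs
    "supervisory": ip_network("10.30.0.0/24"),   # HMIs, historians, engineering
    "ot_dmz":      ip_network("10.20.0.0/24"),   # jump host, data broker
    "enterprise":  ip_network("10.10.0.0/16"),   # corporate IT
}
# Higher rank = farther from the process; "external" is anything unlisted.
RANK = {"control": 0, "supervisory": 1, "ot_dmz": 2, "enterprise": 3, "external": 4}

# Permitted conduits, keyed by the zone that initiates the connection.
CONDUITS = {
    ("enterprise", "ot_dmz"):   {443},         # only the broker/jump service
    ("ot_dmz", "supervisory"):  {443, 3389},   # brokered remote access
    ("supervisory", "control"): {502, 44818},  # Modbus/TCP, EtherNet/IP
}

# Cumulative volume sent toward a higher-ranked zone that warrants a look (assumed).
EXFIL_THRESHOLD_BYTES = 50 * 1024 * 1024


@dataclass(frozen=True)
class Flow:
    src: str        # host that initiated the connection
    dst: str
    dst_port: int
    bytes_out: int  # bytes sent src -> dst over the flow


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def check_flow(flow: Flow) -> str:
    """Return 'allow', 'intra-zone', or a 'BLOCK ...' reason."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return "intra-zone"
    allowed = CONDUITS.get((s, d))
    if allowed is None:
        return f"BLOCK no conduit {s}->{d}"
    if flow.dst_port not in allowed:
        return f"BLOCK port {flow.dst_port} not in conduit {s}->{d}"
    return "allow"


def audit(flows):
    """Separate conduit violations from volume-based exfiltration suspects.

    A flow can be policy-compliant and still be suspicious: a historian pushing
    hundreds of megabytes through the permitted 443 conduit to the DMZ is how
    staged data leaves an OT network, so volume toward higher-ranked zones is
    tracked independently of the allow/block verdict.
    """
    violations = []
    upward_bytes = {}
    for f in flows:
        verdict = check_flow(f)
        if verdict.startswith("BLOCK"):
            violations.append((f.src, f.dst, f.dst_port, verdict))
        if RANK[zone_of(f.dst)] > RANK[zone_of(f.src)]:
            upward_bytes[f.src] = upward_bytes.get(f.src, 0) + f.bytes_out
    suspects = {h: b for h, b in upward_bytes.items() if b > EXFIL_THRESHOLD_BYTES}
    return {"violations": violations, "exfil_suspects": suspects}


# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.30.0.5", "10.40.0.10", 502, 4_000),         # HMI polling a PLC
    Flow("10.10.0.7", "10.20.0.2", 443, 12_000),         # IT user to the jump host
    Flow("10.10.0.7", "10.40.0.10", 502, 900),           # IT host straight to a PLC
    Flow("10.30.0.5", "10.20.0.2", 22, 1_500),           # SSH where only 443/3389 is allowed
    Flow("10.30.0.5", "203.0.113.9", 443, 80_000_000),   # historian to the internet
    Flow("10.40.0.10", "10.40.0.11", 502, 300),          # PLC-to-PLC, same zone
]

if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    for v in result["violations"]:
        print("violation:", v)
    for host, nbytes in result["exfil_suspects"].items():
        print(f"exfil suspect: {host} sent {nbytes} bytes toward higher zones")
```

Running the script reports three violations (an IT host reaching a PLC directly, SSH on a conduit that only permits 443 and 3389, and a historian talking to the internet) and flags 10.30.0.5 as an exfiltration suspect. In practice the flow records would come from a collector at each conduit, which is exactly the visibility that segmentation is meant to buy.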

Access Controls and Zero Trust Principles

Restricting access to OT assets is foundational. Unidirectional gateways, firewalls, and strong authentication prevent unauthorized users from reaching OT systems in the first place. But access controls only work if they’re designed around the assumption that credentials will be compromised at some point.

Zero trust architecture applies the “never trust, always verify” principle to every access request, regardless of where it originates. When it comes to OT, this means verifying users and devices before granting access, scoping permissions to the minimum required for specific tasks, and continuously validating that access patterns match expected behavior. In the event an attacker does obtain valid credentials, zero trust limits what those credentials can reach, and flags anomalies in usage patterns that wouldn’t trigger traditional perimeter controls.
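To make the "valid credentials are not enough" point concrete, here is an added Python example of a per-request access decision for OT assets. It is not BreachLock code, and the roles, scopes, baselines, request fields and scenario data are all hypothetical. The decision function denies on hard failures (no MFA, non-compliant device, out-of-scope action, a session not brokered through the DMZ, a write outside an approved change window) and separately flags behavioural anomalies; an anomalous write to the control zone is refused even when every hard check passes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role scopes: the (asset zone, action) pairs a role may request.
ROLE_SCOPES = {
    "operator": {("supervisory", "hmi_view"), ("control", "read_tags")},
    "engineer": {("supervisory", "hmi_view"), ("control", "read_tags"),
                 ("control", "write_program")},
    "vendor":   {("control", "read_tags")},
}
WRITE_ACTIONS = {"write_program"}
BROKER_ZONE = "ot_dmz"   # every OT session must enter through the DMZ broker


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_verified: bool
    device_id: str
    device_compliant: bool   # posture attested by an endpoint agent (assumed)
    src_zone: str            # zone the session originates from
    asset_zone: str
    action: str
    at: datetime


@dataclass(frozen=True)
class Baseline:
    """Expected behaviour per user, learned from history (constructed here)."""
    known_devices: frozenset
    usual_hours_utc: tuple   # (start hour inclusive, end hour exclusive)
    change_window_open: bool


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # hard failures
    flags: list = field(default_factory=list)     # anomalies to alert on


def decide(req: Request, base: Baseline) -> Decision:
    d = Decision(allowed=True)
    # Hard requirements: identity strength, device posture, scope, path, change control.
    if not req.mfa_verified:
        d.reasons.append("mfa not satisfied")
    if not req.device_compliant:
        d.reasons.append("device posture non-compliant")
    if (req.asset_zone, req.action) not in ROLE_SCOPES.get(req.role, set()):
        d.reasons.append(f"role {req.role} not scoped for {req.action} in {req.asset_zone}")
    if req.src_zone != BROKER_ZONE:
        d.reasons.append(f"session must come via {BROKER_ZONE}, not {req.src_zone}")
    if req.action in WRITE_ACTIONS and not base.change_window_open:
        d.reasons.append("write outside approved change window")
    # Behavioural checks: a valid credential being used in an unusual way.
    if req.device_id not in base.known_devices:
        d.flags.append("unfamiliar device")
    start, end = base.usual_hours_utc
    if not start <= req.at.astimezone(timezone.utc).hour < end:
        d.flags.append("off-hours access")
    if d.reasons:
        d.allowed = False
    elif d.flags and req.action in WRITE_ACTIONS:
        # An anomalous write to the process is refused pending step-up review,
        # so a stolen-but-valid credential cannot quietly push a program.
        d.allowed = False
        d.reasons.append("anomalous write requires step-up verification")
    return d


# Constructed baselines and scenarios (not real users or devices).
BASELINES = {
    "alice": Baseline(frozenset({"ews-01"}), (7, 19), change_window_open=True),
    "bob":   Baseline(frozenset({"hmi-03"}), (6, 22), change_window_open=True),
    "carol": Baseline(frozenset({"vend-09"}), (8, 17), change_window_open=False),
}
DAY = datetime(2025, 6, 10, 10, 0, tzinfo=timezone.utc)
NIGHT = datetime(2025, 6, 10, 3, 0, tzinfo=timezone.utc)
SCENARIOS = {
    # user, role, mfa, device, compliant, src_zone, asset_zone, action, time
    "planned_change": Request("alice", "engineer", True, "ews-01", True, "ot_dmz", "control", "write_program", DAY),
    "stolen_creds":   Request("alice", "engineer", True, "laptop-x", True, "ot_dmz", "control", "write_program", NIGHT),
    "scope_creep":    Request("bob", "operator", True, "hmi-03", True, "ot_dmz", "control", "write_program", DAY),
    "vendor_night":   Request("carol", "vendor", True, "vend-09", True, "ot_dmz", "control", "read_tags", NIGHT),
}


def evaluate_all() -> dict:
    """Evaluate every scenario against its user's baseline."""
    return {name: decide(req, BASELINES[req.user]) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, d in evaluate_all().items():
        print(f"{name:15} allowed={d.allowed} reasons={d.reasons} flags={d.flags}")
```

The stolen_creds scenario is the interesting one: the credential, the MFA claim and the device posture all check out, yet the program write is refused because it arrives from an unfamiliar device in the middle of the night. The vendor's off-hours read is allowed but produces an alert, which is the kind of signal a perimeter firewall would never emit.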

Continuous Penetration Testing of OT Systems

OT systems, like ICS, SCADA, and connected industrial devices, carry vulnerabilities that don’t always surface through passive scanning or configuration review. Continuous penetration testing provides active validation of those gaps before attackers find them.

OT pentesting safely simulates real-world attack techniques against OT networks, systems, and devices to uncover vulnerabilities, misconfigurations, and exploitable attack paths. Because many OT devices can fault or crash when they receive unexpected traffic, the scope, timing, and intrusiveness of each test are agreed with plant engineers in advance, often using lab replicas or maintenance windows for the riskier steps. Pentesters typically work within established frameworks such as ISA/IEC 62443 [2] or the MITRE ATT&CK ICS Matrix [3] so that coverage aligns with recognized OT threat models and attacker behaviors.

Continuous penetration testing is more valuable than periodic assessments in OT environments where configurations change, new devices get connected, and the threat landscape evolves faster than annual test cycles can track. Vulnerabilities that emerge between testing cycles are exactly what double extortion actors look for, making it critical for organizations with dynamic environments to significantly ramp up testing frequency.

How BreachLock Can Help with OT Security Testing

BreachLock offers human-delivered, AI-powered penetration testing solutions for your entire internal and external attack surface, including OT and IoT ecosystems. Built on a standardized framework and delivered within the BreachLock Unified Platform, BreachLock maps your OT attack surface, uncovers and validates attack paths, and provides practical remediation guidance to reduce real-world risk. We offer both on-demand and continuous testing coverage, ensuring that newly introduced exposures are identified as they appear rather than at the next scheduled penetration test.

Learn more about BreachLock’s pentesting services today.

References

1. Cybersecurity and Infrastructure Security Agency. (2025, June). Iranian cyber actors may target vulnerable US networks and entities of interest. https://www.cisa.gov/sites/default/files/2025-06/joint-fact-sheet-Iranian-cyber-actors-may-target-vulnerable-US-networks-and-entities-of-interest-508c-1.pdf

2. International Society of Automation. (n.d.). ISA/IEC 62443 series of standards. https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards

3. MITRE. (n.d.). ICS matrix. https://attack.mitre.org/matrices/ics/

About BreachLock

BreachLock is a global leader in offensive security, delivering scalable and continuous security testing. Trusted by global enterprises, BreachLock provides human-led and AI-powered Attack Surface Management, Penetration Testing as a Service (PTaaS), Red Teaming, and Adversarial Exposure Validation (AEV) solutions that help security teams stay ahead of adversaries.

With a mission to make proactive security the new standard, BreachLock is shaping the future of cybersecurity through automation, data-driven intelligence, and expert-driven execution.

Author

BreachLock Labs
