The 2026 Iran–Israel–U.S. conflict didn’t just redraw the kinetic battlefield — it sent a shockwave through every industrial network connected to the internet. Within hours of the first airstrikes on February 28, Iranian state-aligned groups and hacktivist proxies pivoted to operational technology (OT) and industrial control systems (ICS) as primary targets, claiming intrusions into grain storage systems, water infrastructure, and energy-sector control environments. If your organization operates any form of OT — PLCs, SCADA, DCS, HMIs, RTUs — this conflict is the most urgent wake-up call of the decade.
This guide gives you a practical, step-by-step methodology to audit your OT exposure now, before the next wave hits.
Understanding the 2026 OT Threat Landscape
The scale of the problem cannot be overstated. A 2026 Palo Alto Networks intelligence report documented a 332% increase in unique internet-exposed OT devices, with nearly 20 million OT-related devices now discoverable on the public internet. Dragos’s 2026 OT Cybersecurity Year in Review found that only 30% of OT networks have meaningful visibility into their own assets, 56% cannot see below the IT/OT boundary, and a staggering 88% struggle with detection and response.
The attacker playbook has evolved to match this exposure. In a single quarter of 2025, ransomware attempts against industrial operators rose 46%, and entirely new threat groups emerged that focus exclusively on OT and ICS environments. Iranian APTs have historically targeted water, energy, healthcare, and ICS environments through brute-force and credential-stuffing attacks on remote-access endpoints and through exploitation of unpatched edge devices; current conflict conditions have elevated that risk to a critical tier.
Phase 1: Asset Discovery and Inventory
You cannot protect what you cannot see. The first and most foundational step of any OT audit is building a complete, living asset inventory.
- Passive network discovery first — Use OT-aware tools such as Dragos, Claroty, Nozomi Networks, or Tenable OT Security (formerly Tenable.ot) to passively monitor industrial protocol traffic (Modbus, DNP3, EtherNet/IP, OPC UA) from a SPAN port or network tap. Do not start with active scanning: a standard IT port or vulnerability scanner can wedge or reboot a PLC or RTU, so any active probing should be confined to maintenance windows and vendor-approved queries
- Map every endpoint — Identify all PLCs, HMIs, engineering workstations, RTUs, historian servers, and data diodes, including wireless and cellular-connected assets that may have been provisioned outside of IT’s awareness
- Identify vendor remote-access pathways — Third-party vendor connections are one of the largest and most overlooked OT exposure points; catalog every jump server, VPN credential, and remote desktop session provisioned for OEM or maintenance access
- Classify by zone and criticality — Using the Purdue Model or the IEC 62443 zone-and-conduit model, assign each asset to a security zone (Purdue Level 0 through Level 5, with the IT/OT DMZ at Level 3.5) and tag it by operational criticality, process dependency, and patch status
- Confirm offline backups exist — Verify that offline backups of engineering workstation software and controller configurations are current and air-gapped, as these are the primary recovery assets in a wiper-style or ransomware attack
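As an added example (not code from the original page or from any of the vendors named above), the following Python sketches what a passive discovery tool does internally: it reads captured Modbus/TCP frames, learns which hosts act as servers (PLCs, RTUs) and which as clients, records the function codes each pair uses, flags clients that issue write commands, and pulls vendor, product and revision strings from any Read Device Identification (function 43/14) reply it sees. The capture is constructed inline; the addresses, unit ID and device strings are assumptions.

```python
"""Passive Modbus/TCP inventory from captured frames; nothing is sent to the plant.
Added example with a constructed capture, not real traffic from any site."""
import struct
from dataclasses import dataclass, field

MODBUS_PORT = 502
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}          # functions that change controller state
DEVICE_ID_OBJECTS = {0: "vendor", 1: "product_code", 2: "revision"}

@dataclass
class Asset:
    ip: str
    unit_id: int
    role: str                                     # "server" = PLC/RTU, "client" = HMI/EWS/historian
    functions: set = field(default_factory=set)
    peers: set = field(default_factory=set)
    writes_seen: bool = False
    identity: dict = field(default_factory=dict)

def parse_mbap(payload):
    """Return (unit_id, function_code, data) for a well-formed Modbus/TCP ADU, else None."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # MBAP length counts unit id + PDU
        return None
    return unit, payload[7], payload[8:]

def parse_device_id(data):
    """Decode a Read Device Identification (43/14) response body into {name: value}."""
    # Layout: MEI type, read-id code, conformity, more-follows, next-object, object count, objects
    if len(data) < 6 or data[0] != 0x0E:
        return {}
    objects, pos = {}, 6
    for _ in range(data[5]):
        if pos + 2 > len(data):
            break
        oid, olen = data[pos], data[pos + 1]
        name = DEVICE_ID_OBJECTS.get(oid, f"object_{oid}")
        objects[name] = data[pos + 2:pos + 2 + olen].decode("ascii", "replace")
        pos += 2 + olen
    return objects

def build_inventory(frames):
    """frames: iterable of (src_ip, src_port, dst_ip, dst_port, tcp_payload) -> {(ip, unit): Asset}."""
    inventory = {}
    for src, sport, dst, dport, payload in frames:
        if dport == MODBUS_PORT:                  # request: the sender is a client
            client, server, is_response = src, dst, False
        elif sport == MODBUS_PORT:                # response: the sender is a server
            client, server, is_response = dst, src, True
        else:
            continue                              # other protocols need their own decoder
        parsed = parse_mbap(payload)
        if parsed is None:
            continue
        unit, func, data = parsed
        base_func = func & 0x7F                   # strip the exception bit on error replies
        srv = inventory.setdefault((server, unit), Asset(server, unit, "server"))
        cli = inventory.setdefault((client, 0), Asset(client, 0, "client"))
        for asset, peer in ((srv, client), (cli, server)):
            asset.functions.add(base_func)
            asset.peers.add(peer)
            if base_func in WRITE_FUNCTIONS:
                asset.writes_seen = True
        if is_response and func == 43:            # successful device-identification reply
            srv.identity.update(parse_device_id(data))
    return inventory

def writing_clients(inventory):
    """Hosts seen issuing writes; any that is not a known EWS or HMI is an immediate finding."""
    return sorted(a.ip for a in inventory.values() if a.role == "client" and a.writes_seen)

def mbap(tid, unit, pdu):
    """Build one Modbus/TCP ADU (used only to construct the sample capture)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

PLC, HMI, EWS, ROGUE = "10.1.2.10", "10.1.1.20", "10.1.1.30", "10.200.5.7"   # assumed addresses
DEVICE_ID_REPLY = (bytes([43, 14, 1, 1, 0, 0, 3])                            # 3 identity objects
                   + b"\x00\x0cAcmeControls" + b"\x01\x06PLC-1K" + b"\x02\x04v2.3")
SAMPLE_FRAMES = [                                                            # constructed capture
    (HMI, 49152, PLC, 502, mbap(1, 1, bytes([3, 0, 0, 0, 10]))),            # HMI reads 10 registers
    (PLC, 502, HMI, 49152, mbap(1, 1, bytes([3, 20]) + bytes(20))),
    (EWS, 49153, PLC, 502, mbap(2, 1, bytes([6, 0, 5, 1, 244]))),           # EWS writes register 5
    (PLC, 502, EWS, 49153, mbap(2, 1, bytes([6, 0, 5, 1, 244]))),
    (EWS, 49154, PLC, 502, mbap(3, 1, bytes([43, 14, 1, 0]))),              # EWS asks who the PLC is
    (PLC, 502, EWS, 49154, mbap(3, 1, DEVICE_ID_REPLY)),
    (ROGUE, 50000, PLC, 502, mbap(4, 1, bytes([1, 0, 0, 0, 8]))),           # read coils from corporate IP
    (HMI, 50001, PLC, 443, b"\x16\x03\x01\x00\x05hello"),                   # TLS, ignored here
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FRAMES)
    for (ip, unit), a in sorted(inv.items()):
        print(f"{a.role:6} {ip:12} unit={unit} funcs={sorted(a.functions)} writes={a.writes_seen} "
              f"peers={sorted(a.peers)} identity={a.identity}")
    print("clients that wrote:", writing_clients(inv))
```

Feed it `(src, sport, dst, dport, payload)` tuples from whatever capture library you use; anything not on port 502 needs its own decoder (DNP3, EtherNet/IP, S7comm). Two things in the output are findings on their own: a write-capable client that is not a known engineering workstation or HMI, and a peer from a subnet that should never talk to a controller (the `10.200.5.7` read here).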
Phase 2: Network Segmentation Validation
Proper segmentation is the single most effective structural control in OT security — and the most commonly misconfigured. The goal is to ensure that a breach in the IT environment cannot pivot laterally into OT, and that individual OT zones are sufficiently isolated from each other.
- Verify the IT/OT boundary — Confirm that the Demilitarized Zone (DMZ) between IT and OT is enforced with stateful firewalls and, for flows that only ever need to leave OT (historian replication, alarm forwarding), unidirectional gateways or data diodes; audit every firewall rule and remove overly permissive or legacy rules
- Test segmentation with red-team-style validation — Don’t assume segmentation works because it was configured; use protocol-aware penetration testing or breach-and-attack simulation to validate that traffic cannot cross zones unexpectedly. Point these tests at the boundary devices and at lab or spare hardware, never at production controllers
- Audit remote access pathways — Every remote-access path into OT (vendor VPNs, jump servers, remote desktop) should enforce multi-factor authentication, time-limited session windows, and full session logging; remove persistent standing access entirely
- Validate wireless and cellular isolation — Cellular-connected RTUs and wireless field devices are frequently outside the scope of segmentation reviews; confirm these are on isolated network segments with no path to corporate IT or the internet
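To show what "audit every firewall rule" looks like once it is written down as checks, here is an added example (not from the page's author or any firewall vendor) that walks a normalised rule export and reports the findings a boundary review is after: direct IT-to-OT paths that bypass the DMZ, any-port rules across a zone boundary, industrial protocol ports reachable from IT, OT zones with outbound internet access, and rules with no hits in 90 days. The zone names, the Purdue level mapping and the rule fields are assumptions about how you would normalise your own export; the rule set is constructed.

```python
"""Audit an IT/OT boundary rule set against the Purdue model.
Added example over a constructed rule export; field names are assumed, not a vendor format."""

# Purdue level per zone. The DMZ (3.5) is the only legitimate crossing point between IT and OT.
PURDUE_LEVEL = {
    "internet": 6, "enterprise": 5, "site_business": 4, "dmz": 3.5,
    "site_ops": 3, "supervisory": 2, "basic_control": 1, "process": 0,
}
# Industrial protocol ports that must never be reachable from IT or the internet.
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 2222: "EtherNet/IP", 20000: "DNP3", 44818: "EtherNet/IP"}

def is_it(zone):
    return PURDUE_LEVEL[zone] >= 4

def is_ot(zone):
    return PURDUE_LEVEL[zone] <= 3

def audit_rules(rules, stale_days=90):
    """Return {rule_name: [finding, ...]} for allow rules that weaken the IT/OT boundary."""
    findings = {}
    for r in rules:
        if r["action"] != "allow":
            continue
        issues = []
        src, dst, ports = r["src"], r["dst"], r["ports"]
        if src == "any" or dst == "any":
            issues.append("any-zone source or destination")
        else:
            if is_it(src) and is_ot(dst):
                issues.append(f"direct {src}->{dst} path bypasses the DMZ")
            if is_ot(src) and dst == "internet":
                issues.append("OT zone allowed outbound to the internet")
            if is_it(src) and ports != "any":
                exposed = sorted({ICS_PORTS[p] for p in ports if p in ICS_PORTS})
                if exposed:
                    issues.append("industrial protocol reachable from IT: " + ", ".join(exposed))
        if ports == "any" and src != dst:
            issues.append("all ports permitted across a zone boundary")
        if r.get("hits_90d", 0) == 0:
            issues.append(f"no matches in {stale_days} days; legacy rule, remove or justify")
        if issues:
            findings[r["name"]] = issues
    return findings

SAMPLE_RULES = [  # constructed export; names and counts are illustrative
    {"name": "historian-replication", "src": "site_ops", "dst": "dmz", "ports": [1433], "action": "allow", "hits_90d": 120000},
    {"name": "dmz-web-to-enterprise", "src": "dmz", "dst": "enterprise", "ports": [443], "action": "allow", "hits_90d": 8400},
    {"name": "jump-to-ews", "src": "dmz", "dst": "site_ops", "ports": [3389], "action": "allow", "hits_90d": 510},
    {"name": "vendor-rdp-2019", "src": "enterprise", "dst": "supervisory", "ports": [3389], "action": "allow", "hits_90d": 0},
    {"name": "eng-temp-any", "src": "site_business", "dst": "basic_control", "ports": "any", "action": "allow", "hits_90d": 37},
    {"name": "corp-modbus-poll", "src": "enterprise", "dst": "supervisory", "ports": [502], "action": "allow", "hits_90d": 3},
    {"name": "plc-ntp-out", "src": "basic_control", "dst": "internet", "ports": [123], "action": "allow", "hits_90d": 9000},
    {"name": "default-deny", "src": "any", "dst": "any", "ports": "any", "action": "deny", "hits_90d": 1000000},
]

if __name__ == "__main__":
    for name, issues in audit_rules(SAMPLE_RULES).items():
        print(name)
        for issue in issues:
            print("   -", issue)
```

The rules that pass (`historian-replication`, `dmz-web-to-enterprise`, `jump-to-ews`) all terminate in the DMZ; every rule that skips it is reported, and the one with zero hits is flagged as a legacy candidate even though it is otherwise just an RDP rule. Run this against the real export after each change window, not once a year.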
Phase 3: Vulnerability Assessment and Prioritization
OT environments are notoriously difficult to patch — many PLCs and RTUs run embedded firmware that hasn’t been updated in years, and vendors often don’t release patches at all. The audit must assess vulnerabilities through a risk-based, operationally-aware lens, not a standard IT CVSS score.
Key steps include:
- Run an OT-specific vulnerability scan using tools that understand industrial protocols and will not crash sensitive devices; correlate results against vendor advisories, CISA ICS advisories (formerly ICS-CERT), and the CISA Known Exploited Vulnerabilities catalog
- Apply the 70% rule — Dragos and SANS both note that roughly 70% of OT vulnerabilities reside deep within networks on devices that are difficult or impossible to patch; focus remediation energy on the highest-risk, highest-reachability exposures rather than trying to patch everything
- Assess legacy system risk specifically — Identify end-of-life Windows operating systems (XP, 7, Server 2008) running on engineering workstations or historian servers; these are primary entry points for Iranian APT tradecraft and require immediate compensating controls such as application allowlisting, network isolation, and enhanced monitoring
- Map vulnerabilities to attack scenarios — Use threat modeling against MITRE ATT&CK for ICS to assess which vulnerabilities could be chained into a realistic attack path from internet-facing IT to OT process control
- Prioritize by operational impact, not just CVSS — A vulnerability on a PLC controlling a high-pressure pump is categorically more dangerous than the same CVE on a historian server; score risk in terms of safety, production continuity, and regulatory impact
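The two ideas above, reachability from the internet and operational impact, can be made mechanical. The following added example (not the page's method, and not Dragos's or SANS's scoring) runs a breadth-first search over the conduits learned from the segmentation review to get each zone's hop count from the internet, then scores each finding as criticality × exposure weight × KEV multiplier × CVSS/10. The topology, the findings and the weights are constructed assumptions; tune the weights to your own risk appetite. Note that the pump PLC finding outranks the identical CVSS on the historian, and the internet-facing KEV-listed appliance outranks both.

```python
"""Rank OT findings by attack-path reachability and operational impact, not raw CVSS.
Added example; topology, findings and weights are constructed assumptions."""
from collections import deque

# Directed conduits the segmentation audit found: traffic may flow from key to each listed zone.
CONDUITS = {
    "internet": ["vpn_appliance"],
    "vpn_appliance": ["enterprise"],
    "enterprise": ["dmz"],
    "dmz": ["site_ops"],
    "site_ops": ["supervisory"],
    "supervisory": ["basic_control"],
    "basic_control": [],
    "safety_island": [],                # no conduit in or out
}

# criticality: 5 = safety-related / loss of control, 1 = reporting only. IDs are placeholders.
FINDINGS = [
    {"id": "F1", "asset": "vpn-gw-01",  "zone": "vpn_appliance", "cvss": 9.8, "kev": True,  "criticality": 3, "patchable": True},
    {"id": "F2", "asset": "ews-07",     "zone": "site_ops",      "cvss": 8.8, "kev": True,  "criticality": 4, "patchable": False},
    {"id": "F3", "asset": "plc-pump-3", "zone": "basic_control", "cvss": 7.4, "kev": False, "criticality": 5, "patchable": False},
    {"id": "F4", "asset": "hist-01",    "zone": "dmz",           "cvss": 7.4, "kev": False, "criticality": 2, "patchable": True},
    {"id": "F5", "asset": "sis-ctrl",   "zone": "safety_island", "cvss": 9.0, "kev": False, "criticality": 5, "patchable": False},
]

def hops_from_internet(conduits):
    """BFS over conduits; zones missing from the result have no path from the internet."""
    dist = {"internet": 0}
    queue = deque(["internet"])
    while queue:
        zone = queue.popleft()
        for nxt in conduits.get(zone, []):
            if nxt not in dist:
                dist[nxt] = dist[zone] + 1
                queue.append(nxt)
    return dist

def exposure_weight(hops):
    """Directly exposed 1.0, a few hops 0.8, deep in the plant 0.5, no path at all 0.2."""
    if hops is None:
        return 0.2
    if hops <= 1:
        return 1.0
    return 0.8 if hops <= 3 else 0.5

def score(finding, hops):
    kev_multiplier = 1.5 if finding["kev"] else 1.0
    return finding["criticality"] * exposure_weight(hops) * kev_multiplier * finding["cvss"] / 10

def prioritize(findings, conduits):
    """Return findings ordered by descending score, each annotated with hops and a recommended action."""
    dist = hops_from_internet(conduits)
    ranked = []
    for f in findings:
        hops = dist.get(f["zone"])
        action = "patch in next window" if f["patchable"] else "compensating controls: isolate, allowlist, monitor"
        ranked.append({**f, "hops": hops, "score": round(score(f, hops), 2), "action": action})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in prioritize(FINDINGS, CONDUITS):
        print(f"{r['id']} {r['asset']:11} zone={r['zone']:14} hops={r['hops']} score={r['score']:<5} {r['action']}")
```

If a later segmentation fix removes the `enterprise -> dmz` conduit, every zone below the DMZ drops out of the BFS result and the plant-side findings fall to the 0.2 exposure weight on the next run, which is exactly the kind of change a prioritisation model should register without anyone re-scoring by hand.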
Phase 4: Detection and Monitoring Readiness
The Dragos 2026 report confirms that 88% of OT organizations struggle with detection and response. Standard IT SIEM tools are effectively blind to industrial protocol behavior, making OT-specific detection platforms essential.
- Deploy OT-aware behavioral monitoring — Platforms that build baselines for normal PLC behavior (expected write commands, communication patterns, polling intervals) can flag anomalies that traditional signature-based tools completely miss
- Establish cross-domain correlation — IT and OT event streams should flow into a single detection layer; when identity anomalies in IT (unusual login, credential reuse) correlate with unusual OT traffic, analysts need to see both signals together
- Enable deep packet inspection for industrial protocols — Deploy protocol-aware DPI that understands Modbus, DNP3, PROFINET, and BACnet to detect unauthorized command sequences, unauthorized device additions, or protocol tunneling used to exfiltrate data
- Log everything, retain purposefully — Ensure all remote access sessions, authentication events, engineering workstation commands, and firewall traversals are logged, tamper-protected, and retained for a minimum of 12 months to support incident investigation
- Test your detection with simulated ICS attacks — Annual attack surface analyses and tabletop exercises that simulate ICS-specific attack scenarios (e.g., unauthorized PLC ladder logic modification, historian data exfiltration, HMI takeover) are now considered a baseline requirement
Phase 5: Incident Response Readiness for OT
Most IT-centric incident response plans fail catastrophically when applied to OT environments, because the priorities are fundamentally different: safety comes first, then keeping the process available, and only then the data integrity and confidentiality that IT plans put first. Isolating a host or pulling a network cable, a routine IT containment step, can itself cause a loss of view or loss of control on the plant floor.
Your OT-specific IR plan must address:
- Safety-first shutdown procedures — Define clear criteria and authority for initiating a controlled process shutdown versus attempting containment while the plant stays running; this decision tree must be pre-approved by operations leadership, not left to the security team in the moment
- Offline recovery playbooks — Pre-stage offline backups of PLC logic, HMI configurations, and historian databases; practice restoring them in a test environment so recovery time is measured in hours, not days
- Vendor coordination protocols — For every major OEM whose equipment you operate, identify the emergency contact, contractual support terms, and lead time for replacement hardware; supply-chain disruptions during a regional conflict can make hardware replacement unpredictably slow
- Regulatory notification timelines — Know your sector-specific reporting obligations (NERC CIP for the bulk electric system, TSA security directives for pipelines, EPA requirements for water utilities) and build notification workflows into your IR plan before an incident, not during one
Phase 6: Compliance Alignment for 2026
The regulatory baseline for OT security is tightening rapidly in 2026, driven partly by conflict-related threat intelligence. Key frameworks your audit should validate against include:
| Framework | Sector Applicability | Key OT Controls |
|---|---|---|
| IEC 62443 | All industrial sectors | Zone/conduit model, security levels, patch management |
| NIST SP 800-82 Rev 3 | U.S. critical infrastructure | OT-specific risk management, IR, asset inventory |
| NERC CIP | Electric utilities | Access control, configuration management, incident reporting |
| CISA KEV Catalog | All sectors | Exploited vulnerability prioritization |
| TSA Pipeline Directives | Oil and gas pipelines | Segmentation, access control, detection |
The Iranian APT OT Playbook: What to Specifically Look For
Given the current conflict context, your audit should specifically hunt for Iranian APT tradecraft in your OT environment. Canadian Centre for Cyber Security, CISA, and Unit 42 have all documented specific Iranian TTPs to prioritize:
- Brute-force and credential-stuffing against VPN and RDP endpoints — especially targeting internet-exposed HMIs and engineering workstations
- Exploitation of unpatched VPN appliances (Fortinet, Pulse Secure (now Ivanti Connect Secure), Citrix) as the initial access vector into environments that bridge IT and OT
- Living-off-the-land techniques using legitimate remote admin tools like AnyDesk, TeamViewer, or native Windows tools to avoid detection
- Wiper malware disguised as ransomware deployed after extended dwell time, targeting historian servers, HMIs, and engineering workstations simultaneously
- ICS-specific reconnaissance including enumeration of Shodan-visible SCADA systems, OPC server discovery, and PLC model fingerprinting ahead of destructive operations
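As an added example serving both the cross-domain correlation step in Phase 4 and the brute-force and living-off-the-land tradecraft listed here, the following Python (not the page's code and not any SIEM's native rule language) reads constructed VPN, jump-host and OT-monitor log lines, detects a login that succeeds after a burst of failures from the same source, and then looks for Modbus write commands issued by any OT host that user reached over an interactive session within the next 30 minutes. The `source event key=value` line shape, the field names and the thresholds are assumptions; the log is constructed.

```python
"""Brute-force detection on remote-access logs, correlated with subsequent OT writes.
Added example over constructed log lines; the line format and field names are assumed."""
import re
from datetime import datetime, timedelta

WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}     # Modbus functions that change controller state
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+) ?(?P<kv>.*)$")

def parse(line):
    """'<iso-ts> <source> <event> k=v k=v ...' -> dict, or None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
           "source": m["source"], "event": m["event"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec

def detect_brute_force(records, threshold=5, window=timedelta(minutes=10)):
    """Successful logins preceded by >= threshold failures from the same source inside window.
    Keyed on source IP rather than user so password spraying across accounts is caught too."""
    failures, hits = {}, []
    for r in records:
        if r["event"] != "auth":
            continue
        src = r["src"]
        if r["result"] == "FAIL":
            failures.setdefault(src, []).append(r["ts"])
        elif r["result"] == "SUCCESS":
            recent = [t for t in failures.get(src, []) if r["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append({"user": r["user"], "src": src, "ts": r["ts"], "failures": len(recent)})
    return hits

def correlate_ot_writes(records, hits, window=timedelta(minutes=30)):
    """For each suspicious login, find OT hosts that user then reached and writes those hosts issued."""
    alerts = []
    for h in hits:
        until = h["ts"] + window
        hosts = {r["dst"] for r in records
                 if r["event"] == "session" and r["user"] == h["user"] and h["ts"] <= r["ts"] <= until}
        for r in records:
            if (r["event"] == "modbus" and r["src"] in hosts
                    and int(r["func"]) in WRITE_FUNCTIONS and h["ts"] <= r["ts"] <= until):
                alerts.append({"user": h["user"], "login_src": h["src"], "ews": r["src"],
                               "plc": r["dst"], "func": int(r["func"]), "ts": r["ts"]})
    return alerts

SAMPLE_LOG = """\
2026-03-02T08:00:01Z vpn auth user=jdoe src=203.0.113.45 result=FAIL
2026-03-02T08:00:09Z vpn auth user=jdoe src=203.0.113.45 result=FAIL
2026-03-02T08:00:18Z vpn auth user=jdoe src=203.0.113.45 result=FAIL
2026-03-02T08:00:27Z vpn auth user=jdoe src=203.0.113.45 result=FAIL
2026-03-02T08:00:36Z vpn auth user=jdoe src=203.0.113.45 result=FAIL
2026-03-02T08:00:45Z vpn auth user=jdoe src=203.0.113.45 result=FAIL
2026-03-02T08:00:52Z vpn auth user=jdoe src=203.0.113.45 result=SUCCESS
2026-03-02T08:01:10Z vpn auth user=ops1 src=192.0.2.20 result=SUCCESS
2026-03-02T08:03:15Z jump session user=jdoe src=10.3.0.5 dst=10.1.1.30 proto=rdp
2026-03-02T08:04:00Z jump session user=ops1 src=10.3.0.6 dst=10.1.1.20 proto=rdp
2026-03-02T08:05:40Z otmon modbus src=10.1.1.20 dst=10.1.2.10 unit=1 func=3
2026-03-02T08:07:30Z otmon modbus src=10.1.1.30 dst=10.1.2.10 unit=1 func=16
2026-03-02T08:09:00Z vpn auth user=admin src=198.51.100.9 result=FAIL
2026-03-02T08:09:01Z vpn auth user=root src=198.51.100.9 result=FAIL
2026-03-02T08:09:02Z vpn auth user=svc_hmi src=198.51.100.9 result=FAIL
"""   # constructed: one brute force that succeeds, one operator login, one spray that does not

def run(log_text):
    records = [r for r in (parse(line) for line in log_text.splitlines()) if r]
    hits = detect_brute_force(records)
    return hits, correlate_ot_writes(records, hits)

if __name__ == "__main__":
    hits, alerts = run(SAMPLE_LOG)
    for h in hits:
        print(f"BRUTE FORCE: {h['user']} from {h['src']} after {h['failures']} failures at {h['ts']}")
    for a in alerts:
        print(f"OT WRITE AFTER SUSPICIOUS LOGIN: {a['ews']} -> {a['plc']} func={a['func']} user={a['user']}")
```

Neither signal is conclusive on its own: a burst of VPN failures is noise in any IT SOC, and a single register write from an engineering workstation is routine on the plant floor. Seen together, inside one time window and tied to the same identity, they are the attack path this section describes, which is why the two streams must land in the same detection layer.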
Your OT Audit Checklist: Start Here
If you need a rapid-start prioritization, begin with these ten actions this week:
- Run a passive asset discovery scan and build your first complete OT asset inventory
- Identify every internet-facing OT device and either remove access or enforce MFA immediately
- Validate your IT/OT DMZ firewall rules and revoke all legacy or overly permissive rules
- Confirm offline backups of all PLC logic and HMI configurations are current and air-gapped
- Audit all vendor and third-party remote-access credentials — revoke standing access, enforce session-limited tokens
- Deploy protocol-aware monitoring on your OT network if you have none today
- Confirm your SIEM or SOC has visibility below the IT/OT boundary
- Run a tabletop exercise simulating an Iranian-style wiper attack on your historian and HMI systems
- Review and update your OT incident response plan with safety-first shutdown decision trees
- Map your compliance gaps against IEC 62443 and NIST SP 800-82 Rev 3 and prioritize the highest-risk findings
The window between “we should do this” and “we needed to do this yesterday” has closed. The 2026 conflict has proven that OT is now a primary theater of state-level warfare, and organizations that treat their industrial environments as isolated or unimportant will find themselves in the crosshairs of the most capable threat actors in the world.