Using Active Directory (AD) in ICS

Sulaiman Alhasawi
Jan 19, 2022 · 2 min read

Microsoft Active Directory (AD) is commonly used in corporate networks, and industrial organizations are no exception. AD acts as a directory service to manage permissions and control access to network resources. A typical industrial organization is composed of two networks: business and ICS. AD normally exists in the business network. Most ICS experts do not advocate linking an ICS network to the AD in the business network, for security reasons: taking over a domain admin account, another privileged account, or any other ICS-accessible account in that AD gives attackers an opportunity to pivot into the ICS network. There are also other techniques that attackers use to exploit AD configurations. For more AD attack techniques, refer to reference [1].

On the other hand, ICS experts recommend using a dedicated ICS AD located in the OT DMZ (Purdue model level 3); see references [2] and [5] for more details. The benefits of this architecture include:

  • Centralized management of accounts.
  • Centralized logging of Windows activities.
  • Establishing security policies to harden passwords and assets.
  • Managing users/groups roles.

Like every technology, AD has downsides and risks. When AD is introduced to ICS, it is recommended that it is run and maintained by knowledgeable admins. Security testing of ICS networks should be a priority for every organization's red team. For example, AD penetration testing is an exercise that should be performed on the ADs in both the business and the ICS environments. There are many tools and frameworks that accomplish this; see reference [3] for more information about techniques and tools for AD pen testing. For the blue team, reference [4] offers a comprehensive guide on how to protect AD.
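The centralized logging that a dedicated ICS AD provides is only useful if someone looks at it for the pivot the post warns about: a business-network account or host authenticating into the ICS domain. The following is an added example (not code from the original post or from any of the referenced projects) of a small detection pass over Windows Security logon events collected from ICS domain members. The domain names (CORP, ICS), the address ranges and the sample events are all constructed for illustration; the field names (TargetUserName, TargetDomainName, IpAddress, LogonType) are the ones carried by Windows events 4624 and 4625.

```python
import ipaddress

# Assumed network layout (constructed for this example):
# the business network lives in 10.10.0.0/16, the ICS network in 10.20.0.0/16.
BUSINESS_NETS = [ipaddress.ip_network("10.10.0.0/16")]
BUSINESS_DOMAIN = "CORP"  # hypothetical business domain name
ICS_DOMAIN = "ICS"        # hypothetical dedicated ICS domain name

# Constructed sample of logon events as exported by a central collector
# from hosts joined to the ICS domain. 4624 = successful logon, 4625 = failed.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "ics-hmi01", "TargetUserName": "plc-eng01",
     "TargetDomainName": "ICS", "IpAddress": "10.20.5.14", "LogonType": 10},
    {"EventID": 4624, "Computer": "ics-hist01", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "IpAddress": "10.20.5.30", "LogonType": 3},
    {"EventID": 4624, "Computer": "ics-dc01", "TargetUserName": "svc-backup",
     "TargetDomainName": "ICS", "IpAddress": "10.10.7.9", "LogonType": 10},
    {"EventID": 4625, "Computer": "ics-hist01", "TargetUserName": "admin",
     "TargetDomainName": "CORP", "IpAddress": "10.10.3.22", "LogonType": 3},
    # Console logon: Windows writes "-" as the address, which must not crash the parser.
    {"EventID": 4624, "Computer": "ics-eng02", "TargetUserName": "plc-eng02",
     "TargetDomainName": "ICS", "IpAddress": "-", "LogonType": 2},
]


def boundary_violations(event):
    """Return the reasons a logon event crosses the business/ICS boundary.

    Two independent signals are checked: the account belongs to the business
    domain rather than the dedicated ICS domain, or the logon originates from
    a business-network address. An empty list means the event looks normal.
    """
    reasons = []
    if event["TargetDomainName"].upper() == BUSINESS_DOMAIN:
        reasons.append("business-domain account used on ICS host")
    try:
        source = ipaddress.ip_address(event["IpAddress"])
    except ValueError:
        # "-" or other placeholder: local/console logon, no network source to judge.
        source = None
    if source is not None and any(source in net for net in BUSINESS_NETS):
        reasons.append("logon source address is in the business network")
    return reasons


def find_cross_boundary_logons(events):
    """Scan logon events and return one finding per boundary-crossing event."""
    findings = []
    for event in events:
        if event["EventID"] not in (4624, 4625):
            continue  # only logon events are relevant here
        reasons = boundary_violations(event)
        if not reasons:
            continue
        findings.append({
            "computer": event["Computer"],
            "account": f'{event["TargetDomainName"]}\\{event["TargetUserName"]}',
            "logon_type": event["LogonType"],
            "outcome": "success" if event["EventID"] == 4624 else "failure",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_cross_boundary_logons(SAMPLE_EVENTS):
        print(f'{finding["computer"]}: {finding["account"]} ({finding["outcome"]}, '
              f'logon type {finding["logon_type"]}) - {"; ".join(finding["reasons"])}')
```

Both successful and failed logons are reported, because a failed business-domain logon against an ICS host is itself evidence that something (or someone) on the business side is reaching for ICS assets. In a real deployment the address ranges and domain names would come from the organization's own network inventory, and the events from whatever collector feeds the ICS domain's centralized logging.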

References:

  1. https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md
  2. https://www.sans.org/blog/introduction-to-ics-security-part-3/
  3. https://www.xmind.net/m/5dypm8/
  4. https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
  5. https://dale-peterson.com/2007/04/17/vivid-example-for-separate-domain-tree-forest/
  6. https://www.slideshare.net/dgpeters/active-directory-in-ics-lessons-learned-from-the-field

https://zerontek.com/zt/2022/01/19/using-active-directory-ad-in-ics/
