Threat Intelligence, OT Security, ICS Security

Control Loop Mapping: How Attackers Are Learning to Manipulate Physical Processes

Trout Team, 7 min read

Beyond Reconnaissance

For years, the standard OT threat model assumed adversaries would breach IT, pivot to OT, and look around. Reconnaissance. Maybe map the network topology, identify PLCs, catalog firmware versions. That was considered the dangerous phase.

The Dragos 2026 OT Cybersecurity Year in Review documents something worse. Threat groups — particularly AZURITE, one of three new groups identified in the report — are now systematically mapping control loops. They are not just learning what devices exist on your OT network. They are learning how your physical processes work, which commands produce which physical outcomes, and what sequence of actions would be required to manipulate those processes without triggering alarms.

This is the prerequisite for a Stuxnet-class attack. It deserves detailed attention.

What Is a Control Loop?

A control loop is the fundamental unit of automation in any industrial process. It consists of three components:

  1. Sensor — measures a physical variable (temperature, pressure, flow rate, position)
  2. Controller (PLC/DCS) — reads the sensor value, compares it to a setpoint, and computes a correction
  3. Actuator — executes the correction (opens a valve, adjusts a motor speed, activates a relay)

Example: A temperature sensor reads 185°F in a reactor vessel. The PLC's setpoint is 180°F. The PLC sends a command to open a cooling valve by 15%. The temperature drops. The loop continues.

Every manufacturing process — every assembly line, every chemical batch, every HVAC system — is built from dozens or hundreds of these loops running simultaneously.

How an Attacker Maps a Control Loop

An adversary with network access to OT segments can map control loops through passive traffic analysis without ever sending a single command:

  1. Capture OT protocol traffic — Modbus TCP, DNP3, EtherNet/IP, OPC-UA all transmit in cleartext by default
  2. Identify register reads — The controller polls specific sensor registers at regular intervals. The polling pattern reveals which sensors feed which controllers.
  3. Correlate write commands — After reading sensor values, the controller writes to actuator registers. Timing correlation reveals which actuator responds to which sensor input.
  4. Extract setpoints and logic — Many protocols expose configuration reads. PLC logic downloads, setpoint queries, and alarm threshold reads are all visible on the wire.
  5. Build the process model — With enough observation time (weeks to months), the attacker constructs a complete map: sensor A feeds controller B, which drives actuator C, with setpoint X and alarm threshold Y.

AZURITE, per the Dragos 2026 report, conducts exactly this type of long-duration passive collection against manufacturing and critical infrastructure targets.

The Attack Chain: From IT Breach to Process Manipulation

Here is the full progression, as documented across multiple Dragos-tracked threat groups:

  1. Initial compromise — Phishing, VPN exploit, or purchased access from an initial access broker (e.g., SYLVANITE)
  2. IT lateral movement — Privilege escalation, credential harvesting, domain controller compromise
  3. IT-to-OT pivot — Exploit of poorly segmented DMZ, compromised jump host, or dual-homed engineering workstation
  4. OT network reconnaissance — Device discovery, firmware fingerprinting, protocol identification
  5. Control loop mapping — Passive traffic analysis over weeks/months to understand physical process relationships
  6. Process manipulation or destruction — Crafted commands that alter setpoints, disable safety systems, or cause physical damage while appearing normal to operators

Steps 1-4 have been observed repeatedly. Step 5 is what the Dragos 2026 report flags as the new escalation. Step 6 has been executed twice in history — and both times changed the industry.

Historical Precedent: When Control Loop Knowledge Becomes a Weapon

Stuxnet (2010)

The attackers spent years mapping the control loops of Iran's uranium enrichment centrifuges. They understood exactly which frequency converter drives controlled which centrifuge cascades, what the normal operating speeds were, and what acceleration profiles would cause mechanical failure. The malware modified PLC logic to oscillate centrifuge speeds while replaying normal readings to the operators. Physical destruction while the HMI showed everything was fine.

TRISIS / TRITON (2017)

Attackers compromised a petrochemical facility's Safety Instrumented System (SIS) — the independent safety layer designed to shut down processes before they become dangerous. The adversaries had mapped the relationship between the SIS controllers and the process they protected. Their goal was to disable the safety system while a separate attack pushed the process into a dangerous state.

Both attacks required deep understanding of control loop relationships. Both required months of passive observation before the attack payload was deployed.

Defensive Controls Mapped to Attack Stages

| Attack Stage | What the Attacker Needs | Defensive Control | How It Helps |
|---|---|---|---|
| Initial compromise | External access point | Hardened remote access with MFA, no persistent VPN | Eliminates the most common entry vector |
| IT lateral movement | Valid credentials, flat IT network | IT network segmentation, credential monitoring | Limits blast radius, detects credential abuse |
| IT-to-OT pivot | Path between IT and OT networks | IT/OT segmentation with protocol-aware filtering | Blocks unauthorized cross-zone traffic |
| OT reconnaissance | Broadcast visibility on OT VLANs | Microsegmentation within OT zones | Restricts device-to-device visibility |
| Control loop mapping | Ability to sniff OT protocol traffic | Encrypted network overlays, microsegmentation | Prevents passive capture of cleartext protocol data |
| Process manipulation | Write access to PLCs/DCS | Least-privilege access control, allowlisted command sets | Blocks unauthorized writes to controllers |

What Actually Prevents Control Loop Mapping

Generic security advice ("patch your systems", "train your employees") does not address this threat. Control loop mapping is a network-level activity performed by adversaries who already have OT access. The defenses that matter are:

1. Microsegmentation That Eliminates Broadcast Domains

If an attacker on one VLAN can see traffic from every other device on the OT network, they can map every control loop passively. Microsegmentation — enforcing that each device or small group of devices can only communicate with its authorized peers — eliminates the broadcast visibility that makes passive mapping possible.

2. Encrypted Overlays for OT Traffic

Modbus TCP, DNP3, and most OT protocols transmit in cleartext. An encrypted overlay (such as WireGuard-based tunnels between network segments) prevents even an attacker with network access from reading protocol contents.

3. Protocol-Aware Monitoring

Monitoring that understands OT protocols can detect anomalous read patterns — an unauthorized device issuing Modbus function code 3 (Read Holding Registers) across a range of addresses is a strong indicator of reconnaissance or control loop mapping.
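As an added example (not Trout's code or a product feature), the following Python parses constructed Modbus/TCP request frames, applies a hypothetical master-to-PLC allowlist of function codes and register windows (the "allowlisted command sets" control from the table above), and flags any source issuing off-policy function code 3 reads across several distinct targets, which is the register-sweep pattern the mapping steps and this section describe. All hosts, addresses and the policy are constructed for the example.

```python
import struct
from collections import defaultdict

def modbus_frame(tid, unit, fc, addr, qty_or_value, data=b""):
    """Build a Modbus/TCP request: 7-byte MBAP header followed by the PDU (constructed test data)."""
    pdu = struct.pack(">BHH", fc, addr, qty_or_value) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_request(raw):
    """Return (unit_id, function_code, start_addr, count) from a Modbus/TCP request frame."""
    _tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0 or length != len(raw) - 6:   # protocol id must be 0; length counts unit id + PDU
        raise ValueError("not a well-formed Modbus/TCP frame")
    fc, addr, qty = struct.unpack(">BHH", raw[7:12])
    count = 1 if fc in (5, 6) else qty          # single coil/register writes carry a value, not a quantity
    return unit, fc, addr, count

# Hypothetical allowlist: (master, PLC) -> {function code: [(first_addr, last_addr), ...]} (constructed).
POLICY = {("10.10.1.5", "10.10.2.20"): {3: [(0, 9)], 16: [(100, 104)]}}
WRITE_FCS = {5, 6, 15, 16}

def check_frame(src, dst, raw):
    """Policy decision for one frame: allow, block an unauthorized write, or alert on an unauthorized read."""
    unit, fc, start, count = parse_request(raw)
    windows = POLICY.get((src, dst), {}).get(fc, [])
    end = start + count - 1
    if any(lo <= start and end <= hi for lo, hi in windows):
        return "allow"
    return "block-unauthorized-write" if fc in WRITE_FCS else "alert-unauthorized-read"

def find_mapping_sources(frames, min_distinct_ranges=3):
    """Sources issuing off-policy FC3 reads across several distinct (PLC, unit, range) targets: a mapping pattern."""
    targets = defaultdict(set)
    for src, dst, raw in frames:
        unit, fc, start, count = parse_request(raw)
        if fc == 3 and check_frame(src, dst, raw) != "allow":
            targets[src].add((dst, unit, start, count))
    return sorted(s for s, t in targets.items() if len(t) >= min_distinct_ranges)

# Constructed traffic: one SCADA master polling and writing within policy, one unknown host sweeping registers.
SAMPLE = [
    ("10.10.1.5", "10.10.2.20", modbus_frame(1, 1, 3, 0, 10)),
    ("10.10.1.5", "10.10.2.20", modbus_frame(2, 1, 16, 100, 2, b"\x04" + struct.pack(">HH", 1800, 1850))),
    ("10.10.9.77", "10.10.2.20", modbus_frame(3, 1, 3, 0, 125)),
    ("10.10.9.77", "10.10.2.20", modbus_frame(4, 1, 3, 125, 125)),
    ("10.10.9.77", "10.10.2.21", modbus_frame(5, 1, 3, 0, 125)),
    ("10.10.9.77", "10.10.2.20", modbus_frame(6, 1, 6, 100, 1)),
]
```

Running `find_mapping_sources(SAMPLE)` returns only the sweeping host; the master's in-policy poll and setpoint write are ignored, and its single off-policy write would be reported by `check_frame` as a blocked write rather than as mapping activity.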

4. Strict Access Control on Engineering Workstations

Engineering workstations are the highest-value targets because they have legitimate read/write access to PLCs. Zero-trust access policies that authenticate every session, limit access duration, and log every action make it significantly harder for an adversary to use a compromised workstation for long-duration data collection.

The shift from OT reconnaissance to control loop mapping is the difference between an adversary who knows your network and one who knows your process. Segment your OT networks so that passive traffic analysis is impossible, encrypt protocol traffic so it cannot be read even if captured, and monitor for the read patterns that indicate mapping activity. The window between mapping and manipulation is your last chance to detect and stop the attack.