From IT AD to historian ransomware: the dual-homing pivot path most teams don’t model end-to-end

If your historian can talk both ways, assume an attacker will use it as a router.

Here’s the pivot path I see repeatedly when incidents cross from IT into OT:

1) AD compromise (IT)
– Phished creds or token theft lands an attacker on a workstation/server.
– They enumerate AD, find service accounts, remote management paths, and “who talks to the historian.”

2) Lateral movement to the historian (the choke point)
– The historian is trusted, always-on, and connected to everything that matters.
– Dual-homed networking or shared credentials turn it into the bridge.

3) Ransomware on the historian = encrypted visibility
– Even before PLCs are touched, operations lose trending, alarms, reports, and context.
– Recovery is slow because historians often sit outside normal backup discipline.

4) Pivot into OT
– From the historian host, attackers reuse credentials, remote tools, or open routes to reach engineering workstations, HMIs, jump hosts, and OT management services.

Three places to stop this early:
A) Kill the credential chain
– Separate identity boundaries for OT, no AD trust shortcuts, rotate and scope service accounts, remove shared local admin.

B) Break the network bridge
– True segmentation between IT and OT, tightly controlled conduits, deny-by-default, and avoid dual-homed “convenience” paths.

C) Make the historian resilient
– One-way data transfer patterns where possible (data diode / brokered replication), immutable backups, and tested restore procedures.
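Points A and B are both checkable from inventory data you usually already have. The script below is an added example, not something from the original post: it takes a constructed zone map, a constructed host inventory and a constructed list of logon records (the subnet ranges, hostnames and account names are all assumptions, not values from any real plant) and flags two things the post warns about: hosts with interfaces in both IT and OT, and accounts whose logons span both zones. A logon on a dual-homed host is deliberately counted in both zones, because that credential can already be used from either side.

```python
from ipaddress import ip_address, ip_network

# Constructed zone map. Assumption: IT, OT and DMZ are disjoint address ranges;
# a real site has many more, and these ranges are placeholders.
ZONES = {
    "IT": [ip_network("10.10.0.0/16")],
    "OT": [ip_network("192.168.50.0/24"), ip_network("192.168.51.0/24")],
    "DMZ": [ip_network("172.16.5.0/24")],
}

# Constructed inventory: hostname -> interface addresses (assumed names).
HOSTS = {
    "it-ws-01": ["10.10.4.20"],
    "ad-dc-01": ["10.10.1.5"],
    "historian-01": ["10.10.8.40", "192.168.50.10"],  # dual-homed: the bridge
    "eng-ws-01": ["192.168.51.30"],
    "hmi-01": ["192.168.50.25"],
}

# Constructed logon records (account, host), as you might export from
# domain-controller logon events or a PAM system. Names are assumptions.
LOGONS = [
    ("svc_historian", "historian-01"),
    ("svc_backup", "ad-dc-01"),
    ("svc_backup", "eng-ws-01"),   # one service account used on both sides
    ("ops_user", "hmi-01"),
    ("ops_user", "eng-ws-01"),
    ("alice", "it-ws-01"),
]


def zone_of(addr):
    """Map one address to its zone name, or UNKNOWN if no range matches."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "UNKNOWN"


def host_zones(hosts):
    """hostname -> set of zones its interfaces sit in."""
    return {name: {zone_of(a) for a in addrs} for name, addrs in hosts.items()}


def dual_homed_hosts(hosts):
    """Hosts with at least one interface in IT and one in OT (point B)."""
    return {name: sorted(z) for name, z in host_zones(hosts).items()
            if {"IT", "OT"} <= z}


def cross_zone_accounts(logons, hosts):
    """Accounts whose logons span IT and OT (point A). A logon on a dual-homed
    host counts toward both zones: that credential already reaches both sides."""
    hz = host_zones(hosts)
    acct_zones = {}
    for account, host in logons:
        acct_zones.setdefault(account, set()).update(hz.get(host, {"UNKNOWN"}))
    return {a: sorted(z) for a, z in acct_zones.items() if {"IT", "OT"} <= z}


def audit(hosts, logons):
    """One finding line per bridge, suitable for a ticket or a SIEM lookup table."""
    findings = []
    for name, zones in dual_homed_hosts(hosts).items():
        findings.append(f"DUAL_HOMED host={name} zones={','.join(zones)}")
    for account, zones in cross_zone_accounts(logons, hosts).items():
        findings.append(f"CROSS_ZONE_ACCOUNT account={account} zones={','.join(zones)}")
    return findings


if __name__ == "__main__":
    for line in audit(HOSTS, LOGONS):
        print(line)
```

Run it against a real interface inventory and logon export and every line it prints is either a conduit you have consciously approved and documented, or a bridge an attacker would be happy to find for you. The conservative choice of counting dual-homed hosts in both zones means fixing the network bridge also shrinks the credential findings, which is the order the post recommends.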

Most teams model IT ransomware and OT safety separately. The historian is where those stories merge.

Where does your historian live in the trust model: a sensor, or a router?