Threat actors may leverage compromised transient devices—such as field maintenance laptops, diagnostic tablets, or calibration equipment—to gain initial access to the isolated Ground Station OT network. Since these assets move between untrusted external networks (e.g., public internet) and the trusted facility network for maintenance tasks, they act as a physical bridge, introducing malware directly into the local control environment without traversing the external firewall.
This technique cannot be easily mitigated with preventive controls because it is based on the abuse of system features.
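Because the transient device reaches the OT network without crossing the external firewall, one place a defender can look is the record of which devices attach to that network and when they were last inspected. The following Python sketch is an added example, not part of the original text: the event format, the zone labels (`kiosk`, `external`, `ot`), the MAC addresses and the 24-hour inspection window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed inventory of approved transient assets (hypothetical MACs and labels).
INVENTORY = {"aa:bb:cc:00:00:01": "maintenance-laptop-1",
             "aa:bb:cc:00:00:02": "calibration-tablet-2"}

# Constructed events: (time, MAC, zone, action). The zones are assumed labels
# produced by merging scan-station, device-management and OT access logs.
EVENTS = [
    ("2024-05-01T08:00:00", "aa:bb:cc:00:00:01", "kiosk", "scan_clean"),
    ("2024-05-01T09:00:00", "aa:bb:cc:00:00:01", "ot", "connect"),
    ("2024-05-02T18:00:00", "aa:bb:cc:00:00:01", "external", "connect"),
    ("2024-05-03T09:00:00", "aa:bb:cc:00:00:01", "ot", "connect"),
    ("2024-05-03T10:00:00", "aa:bb:cc:00:00:02", "kiosk", "scan_clean"),
    ("2024-05-06T10:30:00", "aa:bb:cc:00:00:02", "ot", "connect"),
    ("2024-05-06T11:00:00", "aa:bb:cc:00:00:99", "ot", "connect"),
]

def flag_ot_connections(events, inventory, max_scan_age=timedelta(hours=24)):
    """Return (time, mac, reason) for each OT attachment lacking a fresh inspection."""
    last_scan, last_external, findings = {}, {}, []
    for ts, mac, zone, action in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if zone == "kiosk" and action == "scan_clean":
            last_scan[mac] = when
        elif zone == "external":
            last_external[mac] = when
        elif zone == "ot" and action == "connect":
            scanned = last_scan.get(mac)
            if mac not in inventory:
                reason = "unregistered_device"
            elif scanned is None:
                reason = "no_inspection_on_record"
            elif last_external.get(mac, datetime.min) > scanned:
                reason = "external_use_since_inspection"  # bridged untrusted -> OT
            elif when - scanned > max_scan_age:
                reason = "stale_inspection"
            else:
                continue  # inspected recently, no external use since
            findings.append((ts, mac, reason))
    return findings

if __name__ == "__main__":
    for finding in flag_ot_connections(EVENTS, INVENTORY):
        print(*finding)
```
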