Module 3: Personnel & Credential Exposure
Overview
In Module 2, you mapped the external attack surface -- domains, subdomains, and exposed services. This module shifts focus to the people who access those services. Adversaries do not just scan for open ports; they target individuals whose credentials unlock the infrastructure you just discovered.
Why Personnel Exposure Matters for ICS/OT
In an OT environment, personnel exposure creates attack paths that lead to operational systems controlling physical processes. The priority is not corporate email compromise -- it is identifying whose credentials could unlock access to SCADA, EMS, distribution automation, and the network infrastructure that connects to those systems.
- Credential stuffing against OT-adjacent remote access -- Breached credentials (email + password) from third-party data breaches are tested against VPN portals and SSO systems discovered in Module 2. When the VPN terminates in an OT network -- or when the same credentials work on a jump host that bridges IT and OT -- a breached password becomes a path to control systems.
- Social engineering targeting engineers with system access -- Knowing a SCADA administrator's name, title, and specific responsibilities enables highly targeted phishing. A control system engineer who receives a fake vendor support email referencing the exact DCS platform they manage is far more likely to engage than a generic "IT department" message.
- Third-party integrators and vendor contacts -- Many OT environments rely on external integrators who maintain persistent remote access for support. These contacts often have credentials that bypass standard IT access controls and connect directly to operational systems.
- Executive and financial roles -- CEOs and CFOs are targets for business email compromise (BEC) and strategic intelligence. Important, but their compromise is primarily a financial and reputational risk -- not a direct threat to sustained operations.
What Breach Databases Reveal
When third-party services are breached, stolen data often includes:
- Email addresses -- confirms the person had an account on the breached service
- Passwords or password hashes -- if reused, these provide direct access to other systems
- Associated services -- reveals which external platforms employees use (LinkedIn, industry forums, cloud services)
- Breach dates -- a 2024 breach with plaintext passwords is more urgent than a 2015 breach with salted hashes
The risk is not that the breached service itself is compromised -- it is that the same credentials may work on your VPN portal, webmail, or administrative interfaces.
Role-Based Prioritization
Not all personnel exposures carry equal risk. A breached credential for a communications manager is less urgent than one for a SCADA administrator. Use a three-tier model to prioritize findings, anchored on proximity to operational technology:
| Tier | Priority | Roles | Rationale |
|---|---|---|---|
| Tier 1 | Immediate | Control system engineers, SCADA/OT administrators, cybersecurity leadership with OT scope, grid operations leadership, OT network administrators, CIO/IT leadership with system access | Direct access to systems that control physical processes -- their compromise can affect generation, transmission, or distribution operations |
| Tier 2 | High | IT administrators with OT bridge access, plant managers, distribution automation engineers, cybersecurity program staff, GIS/mapping specialists | Access to systems adjacent to OT (historians, jump hosts, VPN serving OT networks) or data that reveals operational infrastructure |
| Tier 3 | Elevated | Executives (CEO, CFO), financial officers, communications staff, vendor contacts without system access | Business email compromise and strategic intelligence targets -- important but primarily a financial/reputational risk, not a direct operational threat |
The combination of tier + breach severity determines urgency: a Tier 1 person found in a breach containing plaintext passwords is a critical finding that demands immediate action.
Professional Network Exposure
Beyond breach databases, adversaries mine professional networks and public postings for intelligence:
- Job postings reveal technology stacks, specific vendor products, and internal tools ("Must have experience with FortiGate, Cisco ISE, and Honeywell Experion DCS")
- Conference presentations reveal system architectures, security approaches, and named technologies
- Professional profiles reveal certifications, past employers, and project details that support targeted social engineering
This information does not require breach databases to collect -- it is freely available and provides adversaries with the context needed to craft convincing attacks.
Lab: Build Your Personnel Exposure Inventory
In this lab, you will identify key personnel at your target organization, check for credential exposure in breach databases, and prioritize findings by role. The output becomes Artifact 3.
Step 1: Personnel Discovery and Email Pattern Identification
Start by identifying personnel from publicly available sources. Review your target organization's:
- Leadership pages -- executives, directors, department heads
- Staff directories -- if publicly available
- Contact pages -- department contacts, support contacts
- Press releases and news -- quoted individuals, spokespeople
- Careers pages -- hiring manager names, team structure clues
Pay close attention to email format patterns. Most organizations use a consistent format (firstname.lastname@domain, first initial + lastname@domain, etc.). Once you identify the pattern, you can predict the email address for any discovered employee.
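Inferring the scheme and predicting addresses is mechanical once you have a handful of published contacts. The following Python script is an added example written for this module, not a tool from the workshop: it votes each known (name, email) pair against a list of common schemes, picks the majority scheme with a confidence score, and predicts addresses for newly discovered names. The contact list and the example.coop domain are constructed, and the script assumes names are written in "First [Middle] Last" order.

```python
import re
import unicodedata
from collections import Counter

# Candidate naming schemes; each builds the local part from (first, last).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}


def normalize(part):
    """Lower-case, strip accents and drop non-letters: "O'Neil" -> "oneil", "José" -> "jose"."""
    ascii_form = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_form.lower())


def split_name(full_name):
    """Return (first, last) from "First Last" or "First M. Last"; middle names/initials are ignored."""
    parts = [p for p in (normalize(x) for x in full_name.split()) if p]
    if len(parts) < 2:
        raise ValueError(f"need first and last name: {full_name!r}")
    return parts[0], parts[-1]


def infer_pattern(known):
    """known: (full_name, email) pairs copied from public contact pages.
    Returns (pattern_label, domain, confidence); confidence is the share of samples
    the winning pattern explains, so 1.0 means every sample agreed. Samples that
    match no pattern (role aliases, nicknames) lower confidence instead of breaking it."""
    votes, domains = Counter(), Counter()
    for full_name, email in known:
        local, _, domain = email.strip().lower().partition("@")
        domains[domain] += 1
        first, last = split_name(full_name)
        for label, build in PATTERNS.items():
            if build(first, last) == local:
                votes[label] += 1
    domain = domains.most_common(1)[0][0] if domains else None
    if not votes:
        return None, domain, 0.0
    label, count = votes.most_common(1)[0]
    return label, domain, count / len(known)


def predict_email(full_name, label, domain):
    """Build the predicted address for a discovered employee using the inferred scheme."""
    first, last = split_name(full_name)
    return f"{PATTERNS[label](first, last)}@{domain}"


# Constructed sample contacts for an imaginary example.coop organization (not real people).
KNOWN_CONTACTS = [
    ("Jane Doe", "jane.doe@example.coop"),
    ("Sam O'Neil", "sam.oneil@example.coop"),
    ("María Álvarez", "maria.alvarez@example.coop"),
    ("Robert J. Smith", "robert.smith@example.coop"),
    ("Member Services", "info@example.coop"),   # role alias, matches no scheme
]

if __name__ == "__main__":
    label, domain, confidence = infer_pattern(KNOWN_CONTACTS)
    print(f"pattern={label} domain={domain} confidence={confidence:.2f}")
    for name in ("Carter Manucy", "Pat Lee"):
        print(predict_email(name, label, domain))
```

A confidence well below 1.0 usually means the organization mixes schemes (legacy accounts, a second domain, or aliases); record the minority matches too rather than assuming one pattern covers everyone. Note that the predicted domain comes from the published contacts, which is how the nreca.coop versus electric.coop split described below surfaces automatically.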
Use your AI client to automate the initial discovery and categorization. AI clients with web browsing can search the organization's websites directly:
I am building a personnel exposure inventory for [organization
name], a [sector] organization that operates [operations
description].
Review the [domain1, domain2] websites and obtain a list of
personnel. Search the internet to determine the email naming
scheme used by [organization name] and generate a list of ten
individuals and their email addresses.
For each person:
1. Assign a priority tier based on their likely access to
operational technology and critical systems:
- Tier 1 (Immediate): Control system engineers, SCADA/OT
administrators, cybersecurity leadership with OT scope,
grid operations leadership, OT network administrators,
CIO/IT leadership with system access
- Tier 2 (High): IT administrators with OT bridge access,
plant managers, distribution automation engineers,
cybersecurity program staff, GIS/mapping specialists
- Tier 3 (Elevated): Executives (CEO, CFO), financial
officers, communications staff, vendor contacts without
system access
2. Explain the rationale for the tier assignment, focusing on
their likely access to operational technology
3. Provide their predicted email address using the naming
pattern you identified
4. Identify which personnel represent the highest risk to
sustained operations if their credentials were compromised
IMPORTANT: For each person and the email format pattern, provide
the specific URL where you found this information. If you cannot
access a website directly, state that clearly rather than
generating names from memory.
Verify AI results. AI clients with web browsing can perform this search directly, but may fabricate personnel names or titles for less-prominent organizations. Open each cited URL and confirm the person and title match before proceeding. If your AI client cannot browse websites, review the organization's website manually and paste the personnel list into the prompt for categorization only.
Worked Example: NRECA Personnel Discovery
Personnel with OT/Operational Relevance
Sources: cooperative.com contact pages (cybersecurity, T&D, BTS divisions), electric.coop articles, and professional profiles.
NRECA is an association serving 900+ member cooperatives, not a utility itself. Their personnel include cybersecurity leadership, grid operations staff, and technology strategists whose access and knowledge affect the security posture of the entire cooperative network.
| Person | Title | Tier | Rationale |
|---|---|---|---|
| Carter Manucy | Director, Cybersecurity | Tier 1 | Leads all co-op cybersecurity programs (TAC, RC3, TICCC-TAC, SPARK). Former IT/OT Cybersecurity Director at Florida Municipal Power Agency (27 yrs). Deep OT/ICS background. |
| Venkat Banunarayanan | VP, Integrated Grid | Tier 1 | Leads T&D, distribution automation, SCADA/ADMS, DER integration. Senior leadership over grid technology strategy. |
| Patti Metro | Senior Director, Grid Operations and Reliability | Tier 1 | Direct oversight of transmission, grid operations, and reliability. Access to operational systems and standards. |
| Meredith Miller | Principal Data Scientist, Electrical Power Grid | Tier 1 | TAC product lead. Grid resilience and cybersecurity threat modeling. Runs GridEx simulations -- access to co-op threat scenarios and response plans. |
| Wayne McGurk | CIO / SVP Information Technology | Tier 1 | IT infrastructure authority with likely OT network access. Controls VPN, firewall, and SSO systems that bridge IT and OT networks. |
| Ravindra Singh | Senior Principal, Distribution Automation | Tier 2 | SCADA/ADMS/DMS technology for co-ops. Technical access to distribution automation systems. |
| Adrian McNamara | Cybersecurity Program Manager | Tier 2 | Cyber risk quantification, tabletop exercises, incident response planning. Access to vulnerability assessments and response procedures. |
| Katherine Loving | Program Manager, GIS Services | Tier 2 | Geospatial data covering co-op service territories and infrastructure. GIS data reveals physical asset locations. |
Executives (CEO, CFO) are Tier 3 -- they are business email compromise targets, but their compromise is primarily a financial/reputational risk, not a direct threat to sustained operations. In an OT-focused inventory, Tier 1 and Tier 2 personnel with access to operational technology take priority.
Team Email Addresses
In addition to individual personnel, document shared team inboxes:
- membersecurity@nreca.coop -- NRECA Cybersecurity Team shared inbox
- DistributionAutomation@nreca.coop -- Distribution Automation team
Shared inboxes are credential targets in their own right. A compromised membersecurity@ account would allow an attacker to send communications as "the cybersecurity team" to 900+ member cooperatives -- a highly credible social engineering vector.
Email Format Discovery
Source: electric.coop/our-organization/contact-us
Key finding: Email format is firstname.lastname@nreca.coop -- confirmed across 10+ public contacts. This allows us to:
- Predict email addresses for any discovered employee (e.g., carter.manucy@nreca.coop)
- Generate targeted breach database queries
- Build a comprehensive email list for ongoing monitoring
Note that the email domain (nreca.coop) is different from the public website domain (electric.coop) -- this is a common pattern. If you only searched for breaches on the website domain, you would miss all personnel exposure.
Source Verification
Public data goes stale. People change roles, leave organizations, and retire. Always note the source and date for each personnel entry and cross-reference multiple sources. For example, Angela Strickland was formerly SVP of Business and Technology Strategies at NRECA, overseeing cybersecurity, grid research, and technology programs -- but professional profiles indicate she may have moved to the Smart Electric Power Alliance. A former employee's credentials from their time at the organization may still work if accounts were not properly deprovisioned, making stale entries a finding in their own right.
Step 2: Breach Database Checks
Check whether your target organization's personnel have appeared in known data breaches. Have I Been Pwned (HIBP) is the primary free tool for this:
| Check Type | How | What It Shows |
|---|---|---|
| Individual email | Enter each email at haveibeenpwned.com | Which breaches included that email address, what data types were exposed |
| Domain search | haveibeenpwned.com/DomainSearch (requires domain verification) | All breached accounts across the entire domain |
For each person found in a breach, document:
- Breach name and date -- more recent breaches are higher risk
- Data types exposed -- plaintext passwords > hashed passwords > email-only. HIBP's data classes only say whether passwords were included; read the breach description to learn whether they were plaintext or hashed and with which algorithm, since a salted bcrypt hash and a plaintext dump carry very different risk
- Number of breaches -- multiple appearances suggest the email is widely used across external services
- The person's tier -- a Tier 1 person in a password-containing breach is a critical finding
Domain search requires verification. HIBP domain search requires you to prove control of the domain (via email, DNS record, or other methods). For your own organization, coordinate with IT to complete verification. For the NRECA practice exercise, use individual email checks instead.
Worked Example: NRECA Breach Database Findings (Hypothetical)
Note: The breach results below are hypothetical examples created for this workshop. They illustrate what real findings look like and how to document them. Do not interpret these as actual breach data for the named individuals.
Carter Manucy (Director, Cybersecurity) -- carter.manucy@nreca.coop found in 2 breach databases. One breach (2023) included bcrypt-hashed passwords. As the director leading cybersecurity programs for 900+ member cooperatives (TAC, RC3, TICCC-TAC, SPARK), Manucy has access to threat intelligence, vulnerability assessments, and incident response plans across the cooperative network. This is a Tier 1 / Critical finding -- credential exposure for someone with this scope of access to operational security programs demands immediate action.
Venkat Banunarayanan (VP, Integrated Grid) -- venkat.banunarayanan@nreca.coop found in 1 breach (email + password hash from 2022). As VP overseeing SCADA/ADMS strategy, distribution automation, and DER integration, compromised credentials create a path toward grid operations technology. Tier 1 / Critical finding -- this role has direct influence over operational technology strategy for the entire cooperative network.
Wayne McGurk (CIO/SVP IT) -- wayne.mcgurk@nreca.coop found in 1 breach (email only). As CIO, McGurk controls IT infrastructure including VPN, firewalls, and SSO systems that bridge IT and OT networks. Email-only exposure limits the immediate credential risk, but the confirmed active email enables targeted phishing. Tier 1 / High finding -- no password exposed, but the role's access to IT-OT bridge infrastructure makes this a monitoring priority.
Adrian McNamara (Cybersecurity Program Manager) -- adrian.mcnamara@nreca.coop found in 1 breach (email + plaintext password from 2019). Manages cyber risk quantification, tabletop exercises, and incident response planning. Access to vulnerability assessments and response procedures. Tier 2 / High finding -- plaintext password is directly usable without cracking, and the role has access to sensitive security documentation.
The critical finding pattern: Tier 1 role + password-containing breach + access to operational technology or OT security programs = immediate remediation priority. Notice how the prioritization is driven by operational access, not corporate rank.
Scaling Breach Monitoring
Individual email lookups work for small personnel lists, but become impractical as your inventory grows. Several approaches help scale breach monitoring:
- HIBP Domain Search -- If you can verify ownership of the organization's email domain (via DNS TXT record, specific email address, or metadata file), HIBP's Domain Search returns all breached accounts across the entire domain in a single query. This is the most efficient approach for your own organization. Coordinate with IT or domain administrators to complete the verification process.
- HIBP API v3 -- For programmatic access, the HIBP API allows automated breach lookups. The per-account breach search requires a paid subscription key and is rate limited per subscription tier, but it enables integration with scripts and monitoring tools that can check personnel lists on a recurring schedule -- useful for the ongoing monitoring cadence established in Module 5.
- SpiderFoot -- SpiderFoot is an open-source OSINT automation tool that can collect email addresses, check breach databases, enumerate subdomains, and correlate findings across multiple data sources. For a guided walkthrough of SpiderFoot for email collection and breach checking, see the ICS Summit 2025 OSINT Workshop - Task 5.
For this workshop lab, individual HIBP email lookups are sufficient. The scaling approaches above are relevant when you operationalize these checks as part of your ongoing monitoring program.
Step 3: Role-Based Prioritization and Attack Scenarios
Combine your personnel discovery (Step 1) with breach results (Step 2) to build a prioritized inventory. The three-tier model from the overview guides prioritization, but the combination of tier and breach severity determines actual urgency:
| Combination | Priority | Action |
|---|---|---|
| Tier 1 + password/hash breach | Critical | Immediate credential reset, revoke active sessions and tokens, MFA verification, review access logs |
| Tier 1 + email-only breach | High | Targeted phishing awareness, verify MFA on all accounts |
| Tier 2 + password/hash breach | High | Credential reset, MFA verification |
| Tier 3 + password breach | Elevated | Credential reset, BEC awareness for financial/executive roles |
| Any tier + no breach found | Monitor | Add to ongoing monitoring list for future breach appearances |
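The following Python script is an added example, not workshop code, that ties the HIBP API v3 lookup from the scaling notes in Step 2 to the tier + breach combination table above. The fetch_breaches function is a live HIBP call that needs a paid API key and is not exercised offline; the breach records and personnel in SAMPLE_BREACHES and SAMPLE_PEOPLE are constructed to look like HIBP responses and are not real findings. The matrix rows for Tier 2 + email-only and Tier 3 + email-only are assumptions filling combinations the table leaves implicit, and the plaintext-versus-hashed detection is a keyword heuristic over HIBP's description text that a human should confirm.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

HIBP_API = "https://haveibeenpwned.com/api/v3/breachedaccount/"
# Least to most severe, matching plaintext > hashed > email-only in the module.
SEVERITY_ORDER = ["email-only", "password", "plaintext"]
# (tier, worst severity) -> (priority, action). Rows tagged "assumed row" are not in the
# module's table; they fill the combinations it leaves implicit.
PRIORITY_MATRIX = {
    (1, "plaintext"):  ("Critical", "Immediate credential reset, revoke sessions, verify MFA, review access logs"),
    (1, "password"):   ("Critical", "Immediate credential reset, revoke sessions, verify MFA, review access logs"),
    (1, "email-only"): ("High", "Targeted phishing awareness, verify MFA on all accounts"),
    (2, "plaintext"):  ("High", "Credential reset, MFA verification"),
    (2, "password"):   ("High", "Credential reset, MFA verification"),
    (2, "email-only"): ("Elevated", "Phishing awareness, verify MFA (assumed row)"),
    (3, "plaintext"):  ("Elevated", "Credential reset, BEC awareness"),
    (3, "password"):   ("Elevated", "Credential reset, BEC awareness"),
    (3, "email-only"): ("Monitor", "BEC awareness, add to monitoring list (assumed row)"),
}
PRIORITY_RANK = {"Critical": 0, "High": 1, "Elevated": 2, "Monitor": 3}


def fetch_breaches(email, api_key, user_agent="personnel-exposure-inventory"):
    """Live HIBP v3 lookup for one address (paid key). HIBP answers 404 when the address
    appears in no breach and 429 plus a retry-after header when the key's rate limit is hit."""
    url = HIBP_API + urllib.parse.quote(email) + "?truncateResponse=false"
    req = urllib.request.Request(url, headers={"hibp-api-key": api_key, "user-agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        if err.code == 429:
            time.sleep(int(err.headers.get("retry-after", "2")))
            return fetch_breaches(email, api_key, user_agent)
        raise


def classify_breach(breach):
    """Map one HIBP breach record onto the module's severity classes. DataClasses says whether
    passwords leaked, not how they were stored; the hash type is only in the free-text
    Description, so the plaintext check is a keyword heuristic. Stealer-log / malware records
    (newer IsStealerLog and IsMalware flags) are captured credentials, hence plaintext."""
    if breach.get("IsStealerLog") or breach.get("IsMalware"):
        return "plaintext"
    if "Passwords" in breach.get("DataClasses", []):
        desc = breach.get("Description", "").lower()
        if any(k in desc for k in ("plain text", "plaintext", "unhashed", "unencrypted")):
            return "plaintext"
        return "password"
    return "email-only"


def prioritize(tier, breaches):
    """Return (priority, action, worst_class, newest_breach_date) for one person."""
    if not breaches:
        return "Monitor", "Add to ongoing monitoring list", None, None
    worst = max((classify_breach(b) for b in breaches), key=SEVERITY_ORDER.index)
    newest = max(b["BreachDate"] for b in breaches)  # ISO dates compare correctly as strings
    priority, action = PRIORITY_MATRIX[(tier, worst)]
    return priority, action, worst, newest


def build_inventory(people, lookup):
    """people: dicts with name/email/tier. lookup: callable email -> breach list (a dict's .get
    offline, or a lambda wrapping fetch_breaches with a key). Most urgent rows first."""
    rows = []
    for person in people:
        breaches = lookup(person["email"]) or []
        priority, action, worst, newest = prioritize(person["tier"], breaches)
        rows.append({**person, "breaches": [b["Name"] for b in breaches], "worst": worst,
                     "newest": newest, "priority": priority, "action": action})
    rows.sort(key=lambda r: (PRIORITY_RANK[r["priority"]], r["tier"]))
    return rows


# Constructed, HIBP-shaped records for an imaginary example.coop organization; not real breach data.
SAMPLE_BREACHES = {
    "jane.doe@example.coop": [
        {"Name": "ExampleForum", "BreachDate": "2023-05-01", "DataClasses": ["Email addresses", "Passwords"],
         "Description": "Passwords were stored as bcrypt hashes."},
        {"Name": "OldListServ", "BreachDate": "2016-02-10", "DataClasses": ["Email addresses"], "Description": ""},
    ],
    "sam.oneil@example.coop": [
        {"Name": "OldListServ", "BreachDate": "2016-02-10", "DataClasses": ["Email addresses"], "Description": ""},
    ],
    "pat.lee@example.coop": [
        {"Name": "VendorPortal", "BreachDate": "2019-08-20", "DataClasses": ["Email addresses", "Passwords"],
         "Description": "Passwords were stored in plain text."},
    ],
}
SAMPLE_PEOPLE = [
    {"name": "Sam O'Neil", "email": "sam.oneil@example.coop", "tier": 1},
    {"name": "Pat Lee", "email": "pat.lee@example.coop", "tier": 2},
    {"name": "Jane Doe", "email": "jane.doe@example.coop", "tier": 1},
    {"name": "Chris Wu", "email": "chris.wu@example.coop", "tier": 3},
]


def demo():
    """Offline run of the pipeline over the constructed sample; swap in fetch_breaches for live data."""
    return build_inventory(SAMPLE_PEOPLE, SAMPLE_BREACHES.get)


if __name__ == "__main__":
    for row in demo():
        print(f'{row["priority"]:8} T{row["tier"]} {row["name"]:12} {row["worst"] or "-":10} {row["action"]}')
```

Running the demo lists the Tier 1 person with a password breach first, then the Tier 1 email-only and Tier 2 plaintext findings at High, and the unbreached Tier 3 executive under Monitor. Because the sort key is priority then tier, a Tier 2 plaintext exposure does not outrank a Tier 1 hashed-password exposure, which matches the table's rule that proximity to OT drives urgency; reverse that by sorting on worst class first if your program treats directly usable passwords as overriding.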
Use your AI client to generate prioritized analysis and attack scenarios for your findings:
I found the following personnel from [organization name] in breach
databases. Based on their roles at a [sector] organization that
operates [OT/ICS systems], rank them by risk priority and explain
potential attack scenarios for the top findings:
[paste personnel with breach details -- name, role, tier, breaches
found, whether passwords/hashes/email-only were included]
For each person found in breaches:
1. The most likely attack scenario given their role and access level
2. Whether credential reuse against VPN/remote access is plausible
3. Cross-reference their tier (1/2/3) with the severity of the
breach data exposed
4. Recommended immediate actions
Worked Example: NRECA Personnel Prioritization
Using the hypothetical breach findings from Step 2 with the prioritization prompt above:
Example AI Response (NRECA Personnel Prioritization)
NRECA Personnel Risk Prioritization
Priority 1 -- Critical (Immediate Action Required):
Carter Manucy, Director of Cybersecurity -- Tier 1 + 2 breaches (one with hashed passwords, 2023)
- Attack scenario: Attacker attempts to recover the password from the bcrypt hash (offline dictionary or rule-based cracking; bcrypt's work factor makes this slow, so it succeeds mainly against weak or reused passwords). Any recovered credential is tested against NRECA VPN, email, and SSO systems. Manucy leads cybersecurity programs serving 900+ member cooperatives -- TAC (threat analysis), RC3 (response coordination), and SPARK (security program). Compromised access could expose threat intelligence shared across the cooperative network, vulnerability assessment data for member utilities, incident response playbooks, and the security architecture recommendations that cooperatives rely on.
- Credential reuse plausibility: Moderate. Security professionals are more likely to use unique passwords, but the presence of the credential in a breach means the external service account was not isolated from the NRECA email address. The 2023 breach date means the credential may still be current.
- Recommended actions: Immediate password reset on all systems. Verify MFA is enabled on VPN, SSO, and email. Review access logs for security program platforms and shared intelligence repositories. Audit whether any member-facing security advisories were accessed from unexpected locations.
Venkat Banunarayanan, VP Integrated Grid -- Tier 1 + 1 breach (password hash, 2022)
- Attack scenario: Recovered credential tested against VPN and administrative portals. As VP overseeing SCADA/ADMS strategy, distribution automation, and DER integration, Banunarayanan has access to grid technology roadmaps, SCADA system specifications, and distribution automation architectures across the cooperative network. Compromised access provides adversaries with detailed knowledge of operational technology deployments at member cooperatives -- the kind of reconnaissance that precedes targeted ICS attacks.
- Credential reuse plausibility: Moderate. Executive-level accounts on external platforms often share passwords with less-protected services.
- Recommended actions: Immediate password reset. Verify MFA on all systems. Review access to grid technology planning documents and SCADA/ADMS architecture specifications. Alert T&D team to potential exposure.
Priority 2 -- High (Action Within 1 Week):
Adrian McNamara, Cybersecurity Program Manager -- Tier 2 + 1 breach (plaintext password, 2019)
- Attack scenario: Plaintext password is directly usable without cracking. McNamara manages cyber risk quantification, tabletop exercises, and incident response planning. Compromised access could expose vulnerability assessment results, incident response procedures, and security posture data for member cooperatives. An attacker who knows the incident response playbook can design attacks specifically to evade the documented response steps.
- Credential reuse plausibility: Moderate. The 2019 breach date means the password may have been changed, but users often iterate on passwords (adding numbers or symbols to the same base). Plaintext exposure makes the original password available for pattern-based guessing.
- Recommended actions: Credential reset. Verify MFA on all cybersecurity program platforms. Review access to incident response documentation and tabletop exercise materials. Check whether the compromised password pattern appears in any current system credentials.
Priority 3 -- Monitor:
Wayne McGurk, CIO/SVP IT -- Tier 1 + 1 breach (email only)
- Attack scenario: Email-only exposure confirms the active email address but provides no credential material. As CIO, McGurk controls IT infrastructure including VPN, firewalls, and SSO systems that bridge IT and OT networks. The confirmed email enables targeted spear-phishing designed to harvest credentials for these high-value systems -- for example, a fake Fortinet security advisory requesting immediate VPN portal login.
- Recommended actions: Add to priority monitoring list for future breach appearances. Enhanced phishing awareness for this account. Ensure MFA is enforced on all administrative interfaces. No immediate credential action needed, but the IT-OT bridge access this role controls warrants ongoing vigilance.
Key Pattern: The highest-priority findings are personnel with access to operational technology programs and infrastructure combined with credential exposure. Manucy's access to cooperative-wide cybersecurity programs and Banunarayanan's access to grid technology strategy make them higher-priority findings than a traditional executive-focused analysis would suggest. The Module 2 attack surface inventory tells us what is exposed; this analysis tells us whose credentials could unlock it.
Step 4: Professional Network Exposure
Beyond breach databases, review what your target organization's personnel reveal through professional channels. This information does not require any breach data -- it is freely available and provides adversaries with targeting context.
Job postings: Review the organization's careers page and job boards for postings that reveal technology details. Look for:
- Specific vendor products and versions ("Experience with FortiGate 7.x required")
- Internal tools and platforms ("Must know ServiceNow, Splunk, and CrowdStrike")
- Network architecture clues ("Manage site-to-site VPN between 12 substations")
- Team structure and reporting relationships
Professional profiles and conference presentations: Search for the organization's name and key personnel on conference agendas, published papers, and industry forums. Presentations often reveal system architectures, security approaches, and named technologies in far more detail than any external scan.
Use your AI client to analyze what an adversary could learn from this information:
Review the following job postings and professional profile
information for [organization name]. Identify what an adversary
could learn about the organization's:
1. Technology stack (specific vendors, products, versions)
2. Network architecture (on-premise vs cloud, remote access)
3. Security tools and practices
4. Organizational structure and reporting chains
5. Information that could support targeted social engineering
[paste job posting text or profile summaries]
Add professional network findings to your personnel inventory. Technology details discovered here also feed back to Module 2 (expanding your attack surface knowledge) and forward to Module 4 (additional products to correlate against vulnerability databases).
Output
Artifact 3: Personnel exposure inventory. A role-prioritized list of personnel with breach correlation, email pattern documentation, and professional network exposure findings. This inventory identifies whose credentials could unlock the remote access services discovered in Module 2, which personnel to monitor for future breach appearances (Module 5), and which roles require the most urgent remediation actions (Module 6 runbook).
Record your findings in the Personnel Exposure Inventory Template (download Excel).