OT Attacks Get Scary With 'Living-off-the-Plant' Techniques


These articles are AI-generated summaries. Please check the original sources for full details.

Operational technology (OT) cyberattacks have been relatively tame due to attackers’ lack of understanding of bespoke and legacy systems, but early indications suggest that attackers are growing more interested in and accustomed to dealing with industrial machines. Ric Derbyshire, principal security engineer at Orange Cyberdefense, notes that attackers’ lack of “process comprehension” has limited the damage they can cause, but this may not remain the case for long.

Why This Matters

The lack of standardization in OT systems, with each network being a unique patchwork of specific and sometimes unpredictably dated technology, has contributed to the relative safety of these systems. However, as attackers gain a deeper understanding of OT systems and develop “living-off-the-plant” (LotP) attacks, the potential for damage increases significantly. The cost of such attacks could be substantial, with the potential to disrupt critical infrastructure and cause significant economic and environmental harm.

Key Insights

  • A decade ago, OT cyberattacks seemed to be on the rise, with high-profile attacks on Ukraine’s power grid and an Iranian nuclear facility, but the trend did not continue due to attackers’ lack of understanding of OT systems (Source: Dark Reading, 2026).
  • The concept of “living-off-the-land” (LotL) attacks, where attackers use legitimate tools and features of infected systems to carry out attacks, is well-established in IT, but the equivalent “living-off-the-plant” (LotP) attacks in OT are still in their infancy (Source: Ric Derbyshire, Orange Cyberdefense).
  • The use of proprietary protocols, such as Siemens’ S7comm, can provide a vector for attack, and manipulating configuration fields in these protocols can potentially leak sensitive data and transmit attacks across devices (Source: Ric Derbyshire, Orange Cyberdefense).

Working Example

// Example of S7comm protocol manipulation
// Note: This is a simplified, illustrative example. The struct below is a
// stand-in for a protocol message, not the real S7comm PDU layout, and it
// should not be used in production.
#include <stdio.h>
#include <string.h>

// Toy message layout: a 2-byte header followed by a data buffer
struct S7comm {
    unsigned char header[2];
    unsigned char data[1024];
};

int main(void) {
    // Create a sample packet, zero-initialized so every byte is defined
    struct S7comm packet;
    memset(&packet, 0, sizeof packet);
    packet.header[0] = 0x01;
    packet.header[1] = 0x02;
    strcpy((char *)packet.data, "Sample data");

    // Overwrite the first configuration byte, standing in for the kind of
    // field manipulation the article describes
    packet.data[0] = 0x03;

    // Print the header and only the data bytes that carry content
    size_t len = strlen((const char *)packet.data);
    printf("Manipulated packet: %02x %02x |", packet.header[0], packet.header[1]);
    for (size_t i = 0; i < len; i++) {
        printf(" %02x", packet.data[i]);
    }
    printf("\n");

    return 0;
}

Practical Applications

  • Use Case: A water treatment plant uses a combination of older and newer systems, with varying levels of security and standardization. An attacker who gains a deep understanding of the plant’s OT systems could potentially carry out a LotP attack, disrupting the plant’s operations and causing significant environmental harm.
  • Pitfall: Relying solely on security by obscurity, rather than implementing robust security measures, can leave OT systems vulnerable to attack. As attackers become more sophisticated and gain a deeper understanding of OT systems, the potential for damage increases significantly.
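As an added example, not code from the Dark Reading article or from Orange Cyberdefense, the Python below shows the defensive counterpart to the S7comm insight and the security-by-obscurity pitfall above: instead of relying on attackers not understanding the protocol, a monitor parses the S7comm PDU header (protocol ID 0x32, carried over ISO-on-TCP on TCP port 102) and alerts when a state-changing request such as a write, block download or PLC control comes from a host outside the engineering-workstation baseline. Function code names follow the Wireshark s7comm dissector; the IP addresses, the allowlist, the `constructed_job` helper and all sample PDUs are constructed for illustration.

```python
"""Flag S7comm job requests that fall outside a plant's baseline.

Added example (not the article's or Orange Cyberdefense's code). It parses
the S7comm PDU header and raises an alert when a state-changing request
arrives from a host that is not an approved engineering workstation.
"""
import struct

S7_PROTOCOL_ID = 0x32
ROSCTR_JOB = 0x01  # client request; 0x02 Ack, 0x03 Ack-Data, 0x07 Userdata

# Function codes as named by the Wireshark s7comm dissector.
FUNCTION_NAMES = {
    0x04: "Read Var",
    0x05: "Write Var",
    0x1A: "Request download",
    0x1B: "Download block",
    0x1C: "Download ended",
    0x1D: "Start upload",
    0x1E: "Upload",
    0x1F: "End upload",
    0x28: "PLC Control",
    0x29: "PLC Stop",
    0xF0: "Setup communication",
}

# Requests that change controller state or logic. Reads and session setup
# are routine for HMIs and historians; these are not.
STATE_CHANGING = {0x05, 0x1A, 0x1B, 0x1C, 0x28, 0x29}

# Constructed baseline: the only hosts expected to program or control PLCs.
ENGINEERING_HOSTS = {"10.0.10.5"}


def parse_s7_job(pdu: bytes):
    """Return (pdu_ref, function_code) for a Job PDU, else None.

    S7comm header: protocol id (1), ROSCTR (1), reserved (2), PDU ref (2),
    parameter length (2), data length (2); the parameter block follows and
    its first byte is the function code.
    """
    if len(pdu) < 11 or pdu[0] != S7_PROTOCOL_ID:
        return None
    rosctr, _reserved, pdu_ref, param_len, _data_len = struct.unpack(">BHHHH", pdu[1:10])
    if rosctr != ROSCTR_JOB or param_len < 1 or len(pdu) < 10 + param_len:
        return None
    return pdu_ref, pdu[10]


def check_flows(flows):
    """flows: iterable of (src_ip, dst_ip, s7_pdu_bytes). Returns alert strings."""
    alerts = []
    for src, dst, pdu in flows:
        parsed = parse_s7_job(pdu)
        if parsed is None:
            continue  # not a Job PDU (reply, malformed, or another protocol)
        pdu_ref, func = parsed
        if func in STATE_CHANGING and src not in ENGINEERING_HOSTS:
            name = FUNCTION_NAMES.get(func, hex(func))
            alerts.append(f"{src} -> {dst}: {name} (pdu ref {pdu_ref}) from non-engineering host")
    return alerts


def constructed_job(pdu_ref, function_code, params=b"", data=b""):
    """Build a minimal S7comm Job PDU as constructed test input (not a capture)."""
    param = bytes([function_code]) + params
    header = struct.pack(">BBHHHH", S7_PROTOCOL_ID, ROSCTR_JOB, 0, pdu_ref, len(param), len(data))
    return header + param + data


# Constructed traffic: 10.0.20.x are HMIs, 10.0.10.5 is engineering, 10.0.30.1 a PLC.
SAMPLE_FLOWS = [
    ("10.0.20.7", "10.0.30.1", constructed_job(1, 0xF0, b"\x00\x00\x01\x00\x01\x01\xe0")),
    ("10.0.20.7", "10.0.30.1", constructed_job(2, 0x04)),   # HMI read: expected
    ("10.0.10.5", "10.0.30.1", constructed_job(3, 0x05)),   # engineering write: allowed
    ("10.0.20.7", "10.0.30.1", constructed_job(4, 0x05)),   # HMI write: alert
    ("10.0.20.9", "10.0.30.1", constructed_job(5, 0x29)),   # unknown host PLC stop: alert
    ("10.0.30.1", "10.0.20.7", b"\x32\x03" + bytes(10)),    # Ack-Data reply: ignored
]

if __name__ == "__main__":
    for line in check_flows(SAMPLE_FLOWS):
        print(line)
```

The baseline is the point: a LotP attacker sends well-formed, legitimate S7comm, so the only thing that distinguishes it is who sends it and what it asks for. Feeding this check from a passive tap (Zeek or a similar sensor already decoding TCP/102) keeps the PLCs themselves untouched.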
