
Analyzing 'Living-off-the-Plant' Techniques in Operational Technology

Emerging research indicates that threat actors are moving beyond generic IT exploits to leverage native Operational Technology (OT) protocols. This analysis explores "Living-off-the-Plant" techniques and how organizations can use deep process comprehension to strengthen their defenses.

Triage Security Media Team

Operational technology (OT) environments have historically benefited from a degree of insulation against sophisticated cyber threats. This resilience has largely been due to the bespoke nature of legacy systems and to a lack of domain-specific knowledge among generalist threat actors. However, security researchers now warn that this dynamic is shifting. There are indications that unauthorized parties are developing a deeper interest in industrial machinery and are poised to overcome the knowledge gap that has previously limited the impact of their intrusions.

In the past decade, high-profile events involving power grids and manufacturing facilities raised concerns about a new era of kinetic cyber consequences. Yet, widespread systemic disruption has not become a common trend. Ric Derbyshire, principal security engineer at Orange Cyberdefense, attributes this to a lack of "process comprehension." Even when threat actors successfully access critical OT networks, they often lack the specialized understanding required to manipulate physical processes effectively.

This limitation may be temporary. At the upcoming RSAC 2026 Conference in San Francisco, Derbyshire will present findings on the evolution of this tradecraft, demonstrating how actors may soon perform what he terms "living-off-the-plant" (LotP) operations: using native system functionality to achieve unauthorized objectives without relying on external malware.

The current state of OT security

In recent years, the volume of security incidents affecting OT systems has increased significantly. However, analysis suggests this surge is primarily a spillover from IT-based ransomware and extortion campaigns rather than targeted manipulation of control systems.

Ransomware affecting IT environments often impacts OT availability due to system interdependencies or precautionary measures. "This can occur due to convergences within the IT environment that the OT simply cannot function without," Derbyshire explains. "Or a complete lack of trust in security controls or network architecture... so they voluntarily shut down the OT systems or sever the connection to prevent the spread." The 2021 Colonial Pipeline incident serves as a primary example of this defensive containment strategy.

When threat actors do access critical systems, they often fail to leverage them for physical impact. A recent incident involving a dam in western Norway illustrates this gap. According to Derbyshire, unauthorized parties accessed a human-machine interface (HMI) via the internet using default credentials. While they interacted with the interface, their actions revealed a lack of understanding of the underlying physical process. They utilized the functionality of the OT environment crudely, without the sophistication required to cause intentional physical damage.

This contrasts sharply with IT environments, where experienced actors frequently employ "living-off-the-land" (LotL) techniques. In those scenarios, actors use legitimate, pre-installed administrative tools to conduct operations, blending in with normal network activity to evade detection.

Defining 'Living-off-the-Plant'

Adapting the concept of LotL to industrial environments requires more than just network access; it demands "process comprehension."

"You need to know the whole, holistic picture," Derbyshire notes. This includes understanding the physical process, the OT layer controlling and monitoring it, the network architecture, the security controls, and the human workflows interacting with the system.

Achieving this holistic view is difficult because OT environments are highly heterogeneous. Unlike enterprise IT networks, which often follow standardized architectures, industrial sites vary wildly. A modern consumer goods plant differs fundamentally from a water treatment facility built decades ago. Even within a single organization, sites may employ disparate technologies based on the era of their construction.

"Some might be from the '80s, some might be from the 2000s... and they'll be architected differently depending on what was optimal at the time," Derbyshire says. Therefore, understanding OT at an abstract level is insufficient for actors attempting LotP operations; they must understand the specific physical environment they intend to influence.

With this level of comprehension, new vectors emerge. Actors can blend malicious activity with legitimate operational commands. Derbyshire's research highlights how S7comm, the proprietary Siemens protocol carried over ISO-on-TCP (port 102) between programmable logic controllers (PLCs) and between PLCs and their engineering and HMI software, can be leveraged. By manipulating often-overlooked configuration fields within S7comm, an actor could potentially leak sensitive data or transmit unauthorized commands across devices, all while using valid protocol structures that a signature-based monitor would pass as well-formed traffic.

System complexity as a defensive asset

The unique, patchwork nature of OT environments presents a challenge for defenders, but it also creates friction for threat actors. The heterogeneity of these systems means that knowledge does not scale easily from one target to another.

"If you can deprive an adversary of understanding your environment, you can deprive them of certainty in how their operation is going to work," Derbyshire suggests. When actors are forced to spend time learning a bespoke system, they remain present in the network longer, providing defenders with extended windows for detection and response.

However, the barrier to entry for acquiring OT knowledge is lowering. Resources such as textbooks, AI-driven chatbots, and secondhand marketplaces for PLCs are making it easier for actors to research proprietary systems.

Derbyshire points to the 2023 CyberAv3ngers campaign involving Unitronics PLCs as an indicator of this shift. Reports indicated that the actors likely utilized large language models to query for default credentials and technical specifications. As availability of this information improves, threat actors may increasingly ask, "How does this protocol work?" and apply that knowledge to target critical infrastructure more effectively.

For security teams, the implication is clear: defense requires a deep understanding of one's own environment. By mapping not just the network, but the physical processes and the specific protocols that control them, organizations can better detect the subtle anomalies that signal a "living-off-the-plant" intrusion.
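The two threads above, misuse of "overlooked" S7comm header fields and detection built on a map of which host is expected to do what, can be shown together. The following is an added example written for this article; it is not Derbyshire's code and not from Orange Cyberdefense. It parses the TPKT/COTP/S7comm framing of a request, checks the header's reserved bytes (which legitimate Siemens stacks leave at 0x0000), and compares the S7 function code against a constructed per-host baseline. The host addresses, the baseline, and the use of the reserved field as a covert channel are all assumptions for illustration; the article does not state which fields the research targets.

```python
"""S7comm request triage against a per-host baseline.

Added example (not from the article or Orange Cyberdefense). Frames below
are constructed by hand; the baseline and host addresses are assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# S7 Job/Ack_Data parameter function codes (first parameter byte).
S7_FUNCTIONS = {
    0x00: "cpu_services", 0x04: "read_var", 0x05: "write_var",
    0x1A: "request_download", 0x1B: "download_block", 0x1C: "download_ended",
    0x1D: "start_upload", 0x1E: "upload", 0x1F: "end_upload",
    0x28: "plc_control", 0x29: "plc_stop", 0xF0: "setup_communication",
}

# Constructed baseline: which functions each known client is expected to issue.
BASELINE: Dict[str, set] = {
    "10.0.0.10": {"read_var", "write_var", "setup_communication"},          # HMI
    "10.0.0.20": {"read_var", "write_var", "setup_communication",           # engineering
                  "request_download", "download_block", "download_ended",   # workstation
                  "plc_control", "plc_stop"},
}


@dataclass
class S7Header:
    rosctr: int            # 1 = Job, 2 = Ack, 3 = Ack_Data, 7 = Userdata
    reserved: int          # two bytes, 0x0000 in legitimate traffic
    pdu_ref: int
    param_len: int
    data_len: int
    function: Optional[int]  # only meaningful for Job / Ack_Data


def parse_s7(frame: bytes) -> S7Header:
    """Parse TPKT (4 bytes) + COTP DT (3 bytes) + S7comm header; raise on malformed input."""
    if len(frame) < 17 or frame[0] != 0x03:
        raise ValueError("not a TPKT frame")
    tpkt_len = struct.unpack(">H", frame[2:4])[0]
    if tpkt_len != len(frame):
        raise ValueError(f"TPKT length {tpkt_len} != frame length {len(frame)}")
    if frame[5] != 0xF0:                      # COTP PDU type: DT (data)
        raise ValueError("not a COTP data TPDU")
    s7 = frame[5 + frame[4]:]                 # frame[4] is the COTP header length
    if s7[0] != 0x32:
        raise ValueError("not S7comm (protocol id != 0x32)")
    rosctr = s7[1]
    reserved, pdu_ref, param_len, data_len = struct.unpack(">HHHH", s7[2:10])
    hdr_len = 12 if rosctr in (2, 3) else 10  # Ack/Ack_Data carry error class+code
    if hdr_len + param_len + data_len != len(s7):
        raise ValueError("S7 header lengths do not match payload")
    function = s7[hdr_len] if (rosctr in (1, 3) and param_len) else None
    return S7Header(rosctr, reserved, pdu_ref, param_len, data_len, function)


def assess(src: str, frame: bytes) -> List[str]:
    """Return a list of alert strings for one request frame from host `src` (empty = clean)."""
    try:
        h = parse_s7(frame)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    alerts = []
    if h.reserved != 0:
        alerts.append(f"non-zero reserved header field 0x{h.reserved:04x} (possible covert data)")
    allowed = BASELINE.get(src)
    if allowed is None:
        alerts.append(f"no baseline for {src}")
    elif h.function is not None:
        name = S7_FUNCTIONS.get(h.function, f"unknown_0x{h.function:02x}")
        if name not in allowed:
            alerts.append(f"{name} not expected from {src}")
    return alerts


def build_frame(reserved: int, pdu_ref: int, params: bytes) -> bytes:
    """Assemble a Job (ROSCTR 1) request with the given parameter bytes."""
    s7 = bytes([0x32, 0x01]) + struct.pack(">HHHH", reserved, pdu_ref, len(params), 0) + params
    body = bytes([0x02, 0xF0, 0x80]) + s7       # COTP DT header + S7 PDU
    return bytes([0x03, 0x00]) + struct.pack(">H", 4 + len(body)) + body


# Constructed parameter blocks: read 16 bytes of DB1, stop the CPU, open a session.
READ_DB1 = bytes.fromhex("04 01 12 0a 10 02 00 10 00 01 84 00 00 00")
PLC_STOP = bytes.fromhex("29 00 00 00 00 00 09") + b"P_PROGRAM"
SETUP_COMM = bytes.fromhex("f0 00 00 01 00 01 01 e0")

SAMPLES = [
    ("10.0.0.10", build_frame(0x0000, 1, READ_DB1)),         # HMI polling DB1: clean
    ("10.0.0.10", build_frame(0x4142, 2, READ_DB1)),         # same read, bytes smuggled in reserved field
    ("10.0.0.20", build_frame(0x0000, 3, PLC_STOP)),         # engineering workstation stopping CPU: expected
    ("10.0.0.10", build_frame(0x0000, 4, PLC_STOP)),         # HMI stopping CPU: not in its baseline
    ("10.0.0.99", build_frame(0x0000, 5, SETUP_COMM)),       # unknown host opening a session
    ("10.0.0.10", build_frame(0x0000, 6, READ_DB1)[:-4]),    # truncated frame: header lengths disagree
]


def run(samples=SAMPLES) -> Dict[int, List[str]]:
    """Assess every sample; keyed by sample index."""
    return {i: assess(src, frame) for i, (src, frame) in enumerate(samples)}


if __name__ == "__main__":
    for i, alerts in run().items():
        print(i, SAMPLES[i][0], alerts or "clean")
```

The point of the baseline is the one the article makes: a PLC stop from the engineering workstation is routine, while the identical, perfectly well-formed frame from the HMI is the anomaly, and only a map of the plant's own workflows tells the two apart. Real traffic would need the ROSCTR 7 (Userdata) parameter layout and a learning phase for the baseline, both left out here.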