The Serpent in the System: How Attackers Are Quietly Spreading Through Industrial Networks

Author: Denis Avetisyan


New research reveals a stealthy technique for lateral movement in Operational Technology environments, allowing attackers to navigate between Programmable Logic Controllers without triggering traditional security alerts.

An attacker can compromise a Programmable Logic Controller (PLC) designated as PLC 3 by strategically traversing through multiple intermediary PLCs, effectively using them as stepping stones to reach the target.

This paper details a novel approach to deep lateral movement in ICS environments leveraging native PLC functionality – ‘Living Off The Plant’ – to bypass network segmentation and reach previously isolated critical systems.

While enterprise IT security focuses heavily on lateral movement, operational technology (OT) environments lack comparable techniques for traversing between critical devices. This paper, ‘Industrial Ouroboros: Deep Lateral Movement via Living Off the Plant’, details the first programmable logic controller (PLC)-centric lateral movement technique that exploits native functionality, a practice termed “living off the plant” (LOTP). By leveraging existing PLC communications, this method enables deep, covert network penetration and even escape onto legacy serial networks. Does this fundamentally alter our understanding of OT security risks and necessitate a reevaluation of traditional defensive strategies?


The Inevitable Erosion of OT Security

The backbone of modern society – encompassing energy grids, water treatment facilities, and transportation networks – increasingly relies on Operational Technology (OT), and with that dependence comes escalating cyber risk. Recent years have witnessed a marked shift in the nature of attacks targeting these systems, moving beyond simple disruption to encompass sophisticated, targeted campaigns designed to compromise functionality and potentially cause physical damage. Adversaries are now leveraging advanced techniques, including ransomware variants specifically crafted for industrial control systems, as well as supply chain attacks to infiltrate OT networks. This evolving threat landscape demands a proactive and nuanced security posture, as vulnerabilities in these critical systems can have cascading consequences far beyond data breaches, potentially impacting public safety and national security. The convergence of IT and OT environments, while offering efficiency gains, simultaneously expands the attack surface and necessitates a fundamental rethinking of security protocols.

The cybersecurity principles effective in Information Technology frequently falter when applied to Operational Technology due to fundamental differences in system design and operational needs. OT environments often include devices with decades-long lifecycles, lacking the regular patching and updates common in IT, creating a substantial vulnerability window. Moreover, many OT processes demand real-time performance; security measures introducing latency – even fractions of a second – can disrupt critical functions like power grid stability or manufacturing processes. This necessitates a shift from preventative, signature-based detection, common in IT, towards resilience and anomaly detection that can identify and mitigate threats without interrupting the continuous, time-sensitive operations characteristic of industrial control systems. Consequently, a tailored security architecture acknowledging these unique constraints is paramount for protecting vital infrastructure.

Attackers Exploit the System, as They Always Do

Living Off The Land (LOTL) tactics represent a growing trend in adversarial behavior where attackers leverage existing, legitimate tools and processes within a target environment to achieve their objectives. Rather than introducing custom malware or exploits, adversaries utilize system administration tools, scripting languages, and pre-installed applications – such as PowerShell, WMI, or even common utilities – to navigate the network, escalate privileges, and execute malicious commands. This approach minimizes the attack surface and reduces the likelihood of detection by traditional security solutions that focus on identifying known malicious signatures or anomalous network traffic. By blending in with normal system activity, LOTL attacks significantly increase the dwell time within a compromised network and complicate incident response efforts.

Living Off The Plant (LOTP) represents a significant evolution in Operational Technology (OT) attack tactics, wherein adversaries leverage native Programmable Logic Controller (PLC) functionality to achieve malicious objectives. Recent research has demonstrated successful PLC-to-PLC traversal using only native PLC instructions and communication protocols, bypassing traditional security mechanisms designed to detect unauthorized access or modifications. This technique allows attackers to move laterally within the OT network without introducing external tools or malware, effectively blending malicious activity with legitimate operational processes and substantially complicating detection efforts. The exploitation focuses on inherent capabilities within PLCs, such as data transfer and function calling, to achieve unauthorized control or data manipulation.

Living Off The Plant (LOTP) attacks complicate intrusion detection by leveraging legitimate programmable logic controller (PLC) functions and protocols. Because malicious actions are executed using authorized system tools and communication pathways, they closely mimic standard operational activity. This blending effect reduces the signal-to-noise ratio for security monitoring systems, increasing the probability of false negatives and delaying the identification of compromise. Traditional signature-based detection methods are less effective, and anomaly-based systems require sophisticated behavioral analysis and finely tuned baselines to differentiate between legitimate operations and attacker-controlled PLC manipulations.

An attacker can compromise a non-routable Programmable Logic Controller (PLC) by exploiting an intermediary PLC as a stepping stone.

PLCs: The Core, and Therefore the Target

Programmable Logic Controllers (PLCs) function as the core control elements within Operational Technology (OT) environments, directly managing industrial processes such as manufacturing, power generation, and water treatment. These devices receive data from field instrumentation – sensors, switches, and other devices – and execute programmed logic to control actuators, motors, and valves, thereby regulating the physical process. Unlike Information Technology (IT) systems focused on data processing, PLCs are designed for real-time control, demanding high reliability and deterministic operation. Their prevalence in critical infrastructure makes them a central component of SCADA systems and Distributed Control Systems (DCS), and consequently, a key target for cyberattacks due to the potential for physical disruption.

Memory Address Interrogation is a reconnaissance technique employed by attackers targeting Siemens PLCs. This process involves sending specifically crafted S7 communication requests to PLC memory addresses to identify and enumerate Function Blocks. Function Blocks are reusable program modules within the PLC, and successful interrogation reveals their presence, data types, and memory locations. This information is crucial for subsequent exploitation, allowing attackers to pinpoint targets for manipulation and understand the relationships between different process parameters controlled by the PLC. The technique relies on the PLC’s standard communication protocols responding with information about the contents of the addressed memory locations, effectively mapping the PLC’s internal structure for malicious purposes.

Function Blocks within a PLC serve as containers for process data, including sensor readings, setpoints, and calculated values, making them attractive targets for malicious actors. The Siemens S7comm protocol, used for communication with and programming of these PLCs, enables attackers to read and write data directly to these Function Blocks. Successful manipulation of this data, achieved through exploiting vulnerabilities in the S7comm implementation or utilizing legitimate, yet misused, protocol commands, can alter process parameters, disable safety mechanisms, or cause equipment malfunction. This direct data manipulation bypasses typical application logic, offering a highly effective, albeit technically demanding, attack vector against industrial control systems.

An attacker successfully accessed Programmable Logic Controller (PLC) 2 via a serial connection through an intermediary PLC 1.

Lateral Movement: It’s Not About Breaking In, It’s About Staying

Following initial network penetration, adversaries rarely remain confined to a single system. Instead, they utilize a range of ‘Lateral Movement’ techniques to navigate internally, seeking out valuable assets and expanding their control. This process involves identifying and exploiting trust relationships within the network, leveraging compromised credentials or vulnerabilities to jump from one system to another. Successful lateral movement allows attackers to escalate privileges, access sensitive data, and ultimately achieve their objectives – whether that’s data exfiltration, system disruption, or establishing a persistent foothold. The speed and efficiency of this traversal are critical for attackers, as quick access to high-value targets minimizes the risk of detection and response.

Deep lateral movement represents a particularly concerning evolution in cyberattacks, extending beyond typical IT systems to directly compromise Level 1 devices like Programmable Logic Controllers (PLCs). These PLCs are the foundational elements controlling critical physical processes, including manufacturing lines, power grids, and water treatment facilities, so a successful compromise isn’t limited to data breaches but can result in physical disruption or damage. Recent implementations have demonstrated the feasibility of traversing between PLCs within a network, allowing attackers to move undetected between systems responsible for distinct operational functions. This capability bypasses traditional network segmentation and highlights a significant vulnerability: the potential for remote manipulation of industrial control systems, transforming a cyber incident into a physical event with real-world consequences.

Attackers increasingly leverage existing communication pathways to extend their reach beyond the initially compromised network segment. Exploiting Site-to-Site Communications – such as VPNs or dedicated WAN links – allows propagation across geographically dispersed locations, effectively turning remote offices or data centers into further points of control. Simultaneously, the often-overlooked vulnerability of Serial Communications, commonly used for device configuration and data transfer, provides a direct conduit for malicious code or unauthorized access. This combination is particularly potent, as it bypasses traditional perimeter defenses and enables attackers to establish a persistent presence across entire organizations, even those with segmented networks and robust security protocols. The ability to move laterally through these established, yet often unmonitored, channels dramatically increases the scope and impact of a successful breach.

An adversary successfully accessed Programmable Logic Controller (PLC) 2 in a remote site via a Wide Area Network (WAN) through an intermediary PLC 1.

Standards and Architecture: Trying to Build a Wall Before the Flood

The ISA/IEC 62443 standard offers a layered, risk-based approach to securing Operational Technology (OT) environments, acknowledging the unique challenges of industrial systems compared to traditional IT networks. Unlike a prescriptive checklist, it provides a flexible framework that allows organizations to define appropriate security levels based on the criticality of their processes and the potential impact of cyberattacks. This standard addresses all phases of the system lifecycle – from design and implementation to operation and maintenance – and emphasizes the importance of a holistic security program encompassing policies, procedures, and technologies. By focusing on establishing secure communication pathways, defining security zones, and managing access controls, the ISA/IEC 62443 standard enables organizations to build resilient industrial control systems capable of withstanding increasingly sophisticated cyber threats and ensuring continuous, safe operations.

The ISA/IEC 62443 standard utilizes a ‘Zones and Conduits’ model to establish a layered security approach for operational technology (OT) environments. Zones represent logically separated segments of the industrial network, each containing assets with similar security requirements – for example, a zone for sensitive process control, and another for less critical monitoring systems. Crucially, data doesn’t flow freely between these zones; instead, it passes through Conduits – rigorously controlled pathways that enforce security policies. These Conduits act as security checkpoints, inspecting and filtering data to ensure only authorized communication occurs. By defining clear boundaries and restricting data flow, the Zones and Conduits model minimizes the attack surface and limits the potential impact of security breaches, effectively containing threats within specific zones and preventing them from propagating across the entire industrial network.
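Two of the defensive signals this article points at, a conduit baseline for PLC-to-PLC traffic (the Zones and Conduits model above) and the burst of reads across many data blocks that Memory Address Interrogation produces, can be checked from the same request log. The example below is added here and is not code from the paper or the article; the log format, the IP addresses and the thresholds are all constructed assumptions, and a real deployment would feed it from a protocol-aware sensor rather than a text file.

```python
import re
from collections import defaultdict

# Constructed, simplified S7 request log: time (s), client, server, job, DB number.
# Assumed roles: 10.0.1.50 engineering workstation; 10.0.1.10 and 10.0.1.11 PLCs.
SAMPLE_LOG = """\
0 src=10.0.1.50 dst=10.0.1.10 job=read db=1
1 src=10.0.1.10 dst=10.0.1.11 job=write db=5
2 src=10.0.1.10 dst=10.0.1.11 job=write db=5
3 src=10.0.1.11 dst=10.0.1.10 job=read db=1
3 src=10.0.1.11 dst=10.0.1.10 job=read db=2
4 src=10.0.1.11 dst=10.0.1.10 job=read db=3
4 src=10.0.1.11 dst=10.0.1.10 job=read db=4
5 src=10.0.1.11 dst=10.0.1.10 job=read db=5
5 src=10.0.1.11 dst=10.0.1.10 job=read db=6
6 src=10.0.1.10 dst=10.0.1.11 job=write db=5
"""

# Assumed conduit baseline: (client, server) pairs the zone design permits.
ALLOWED_CONDUITS = {("10.0.1.50", "10.0.1.10"), ("10.0.1.10", "10.0.1.11")}

LINE_RE = re.compile(
    r"^(?P<t>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) job=(?P<job>\w+) db=(?P<db>\d+)$"
)

def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append({"t": int(d["t"]), "src": d["src"], "dst": d["dst"],
                           "job": d["job"], "db": int(d["db"])})
    return events

def conduit_violations(events, allowed=ALLOWED_CONDUITS):
    """Client/server pairs seen in the log that are not in the conduit baseline."""
    return sorted({(e["src"], e["dst"]) for e in events} - set(allowed))

def db_enumeration(events, min_blocks=5, window=30):
    """Pairs where one client touches >= min_blocks distinct DBs on one server within window seconds."""
    per_pair = defaultdict(list)  # (src, dst) -> [(t, db), ...]
    for e in events:
        per_pair[(e["src"], e["dst"])].append((e["t"], e["db"]))
    hits = {}
    for pair, items in per_pair.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # slide a window starting at each request
            dbs = {db for t, db in items[i:] if t - t0 <= window}
            if len(dbs) >= min_blocks:
                hits[pair] = len(dbs)
                break
    return hits
```

On the constructed log the legitimate PLC 1 to PLC 2 exchange on DB 5 stays quiet, while PLC 2 acting as an S7 client back to PLC 1 trips both checks: it is outside the baseline and it walks six data blocks in a few seconds.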

Programmable Logic Controller (PLC) configuration relies heavily on components like the Address Data Block (ADDB), which defines memory regions used for data exchange between the PLC and external devices. A thorough understanding of how ADDB functions is paramount for robust operational technology (OT) security, as misconfigured or poorly secured ADDBs can create vulnerabilities exploitable by malicious actors. Specifically, improper access controls to ADDBs allow unauthorized modification of critical process parameters or injection of false data, potentially leading to equipment failure, production disruption, or even safety hazards. Therefore, a detailed assessment of ADDB usage, coupled with the implementation of strong authentication and authorization mechanisms, is crucial for establishing a secure and resilient industrial control system. Ignoring these details leaves vital system components exposed and susceptible to compromise, underscoring the importance of ADDB security as a fundamental aspect of overall OT cybersecurity.

The pursuit of airtight security in industrial control systems feels increasingly circular. This research into deep lateral movement via living off the plant confirms a grim suspicion: every layered defense eventually becomes a pathway for exploitation. The authors demonstrate how attackers can navigate the Purdue Model not by breaching walls, but by blending into the existing infrastructure. It’s elegant, in a horrifying way. G.H. Hardy observed, “The most profound knowledge is the knowledge of one’s own ignorance.” This feels particularly relevant; the more sophisticated the security, the more inventive the methods to circumvent it. The systems don’t fail randomly; they fail in predictable, yet frustratingly novel, ways. One begins to suspect that ‘zero trust’ is simply a more expensive form of trust, and we don’t write code – we leave notes for digital archaeologists.

The Cycle Continues

The demonstrated capacity for deep lateral movement within operational technology environments, achieved through native Programmable Logic Controller functionality, isn’t innovation. It’s a predictable consequence of complexity. Each layer of the Purdue Model, intended as a defensive boundary, merely presents a new surface for existing techniques to exploit. The focus on ‘Living Off The Plant’ simply acknowledges that attackers, given sufficient time, will exhaust external tools and revert to manipulating what’s already present. The architecture doesn’t prevent movement; it defines the terrain.

Future work will undoubtedly propose more granular segmentation, behavioral analytics, and ‘zero trust’ implementations. These are, historically, temporary reprieves. The problem isn’t a lack of detection mechanisms, but the inherent fragility of state. Industrial systems are, by design, deterministic. Introduce sufficient pressure, and even ‘secure’ states will transition to compromised ones. The research field chases indicators of compromise while ignoring the inevitability of compromise itself.

The long view suggests a need to reassess fundamental assumptions about isolation. Rather than building ever-more-complex barriers, attention should be directed toward systems resilient to undetected compromise. The goal isn’t to prevent lateral movement, but to minimize the consequences when, inevitably, it occurs. It’s not about building higher walls; it’s about accepting the flood and designing the foundations to withstand it. The problem isn’t a lack of tooling; it’s a surplus of illusions.


Original article: https://arxiv.org/pdf/2512.21248.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/

2025-12-28 11:19