Living-off-the-land attacks in OT use legitimate engineering tools to move laterally, escalate privileges, and gather intelligence. Because these tools are authorized, expected, and often unmonitored, they become the path of least resistance for attackers who have already breached your perimeter.
In OT networks, the legitimate tools differ from those in IT environments. Engineering software like Wonderware, FactoryTalk, and vendor-specific IDE suites has remote access capabilities that were designed for maintenance and troubleshooting, not security. An attacker with a stolen engineering account or a compromised engineering workstation can use these tools to interact with control systems without triggering detection.
Common Living-Off-the-Land Techniques in OT
We have observed attackers using legitimate SCADA software to enumerate connected devices, modify tags, and read memory from PLCs. Some have used vendor remote access tools meant for authorized support to establish persistent backdoors. Others have leveraged the credentials baked into engineering tools to bridge IT and OT network segments.
The challenge for defenders is that logging from these tools is inconsistent. Many were built before security logging was standard. Even when logging is available, the volume of legitimate activity makes anomalies difficult to spot without machine learning or careful baselining.
Detection and Hardening Strategies
- Tool-specific logging: Enable and centralize logs from all engineering software, including connection sources, command history, and data read/write operations.
- Credential separation: Never reuse engineering credentials across multiple tools or systems. Enforce one credential per tool per user.
- Access controls: Restrict which workstations can run engineering software and which devices those workstations can contact.
- Behavioral baselines: Profile normal engineering activity—who uses which tools, when, and against which devices—then alert on deviations.
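As an added illustration of the behavioral-baseline item (example code, not from the original article or the Cascadia practice), the following Python builds a per-user profile from constructed engineering-tool connection logs and flags later events that fall outside it; the log format, host and tool names, and the 06:00-18:00 day-shift window are assumptions.

```python
# Added example (not the article's code): log format, hosts and tools are assumed.
from collections import defaultdict
from datetime import datetime
# Constructed baseline window: normal engineering activity for each user.
BASELINE_LOG = """\
2024-03-04T09:12:00 user=eng_alice tool=FactoryTalk src=EWS-01 dst=PLC-LINE1 op=read
2024-03-04T14:40:00 user=eng_alice tool=FactoryTalk src=EWS-01 dst=PLC-LINE1 op=write
2024-03-05T10:05:00 user=eng_bob tool=Wonderware src=EWS-02 dst=HMI-LINE2 op=read
2024-03-06T11:30:00 user=eng_bob tool=Wonderware src=EWS-02 dst=HMI-LINE2 op=read
"""
# Constructed new events: normal; off-hours write; known user with new tool/src/dst.
NEW_LOG = """\
2024-03-11T10:20:00 user=eng_alice tool=FactoryTalk src=EWS-01 dst=PLC-LINE1 op=read
2024-03-11T02:15:00 user=eng_alice tool=FactoryTalk src=EWS-01 dst=PLC-LINE1 op=write
2024-03-11T15:00:00 user=eng_bob tool=FactoryTalk src=WS-IT-44 dst=PLC-LINE1 op=write
"""
FIELDS = ("tool", "src", "dst")
def shift(ts):  # coarse time bucket; assumes a 06:00-18:00 day shift at this site
    return "day" if 6 <= ts.hour < 18 else "off-hours"
def parse(log):
    """One 'ts key=value ...' event per line -> list of dicts with a datetime."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events
def build_baseline(events):
    """Per user: tools, source workstations, target devices and shifts seen."""
    profile = defaultdict(lambda: defaultdict(set))
    for ev in events:
        for f in FIELDS:
            profile[ev["user"]][f].add(ev[f])
        profile[ev["user"]]["shift"].add(shift(ev["ts"]))
    return profile
def find_deviations(profile, events):
    """Return (event, reasons) for each event that breaks its user's baseline."""
    alerts = []
    for ev in events:
        p = profile.get(ev["user"])
        if p is None:
            reasons = ["unknown user"]
        else:
            reasons = [f"new {f}: {ev[f]}" for f in FIELDS if ev[f] not in p[f]]
            if shift(ev["ts"]) not in p["shift"]:
                reasons.append("unusual shift: " + shift(ev["ts"]))
        if reasons:
            alerts.append((ev, reasons))
    return alerts
```

In practice the baseline would be rebuilt from a rolling window of centralized tool logs, and each reason string maps onto one of the list items above (credential misuse, workstation restriction, device scope, or time of day).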
Moving Forward
Living-off-the-land attacks are difficult to prevent but not impossible to detect. The key is treating your engineering tools as you would any other potential attack vector. If you'd like to discuss engineering tool hardening or behavioral monitoring for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.