Are Living-Off-The-Plant Attacks the Future of OT Threats?

We’re joined today by Rupert Marais, our in-house security specialist with deep expertise in the complex world of operational technology. For years, the nightmare scenario of widespread, sophisticated cyberattacks against critical infrastructure has felt more like a distant threat than an immediate reality. Attackers often lacked the specialized knowledge to do real, physical damage. But the landscape is shifting. Today, we’ll explore the emergence of a new class of threat actor—one who learns to “live-off-the-plant,” turning the very systems designed to control our physical world into weapons. We’ll discuss how these advanced threats differ from the common IT ransomware spillover we’ve seen, what it takes for an adversary to truly master an industrial environment, and what defenders can do to prepare for this unnerving future.

A decade ago, major OT attacks seemed like a coming trend but fizzled out due to attackers’ lack of “process comprehension.” What specific indicators or attacker behaviors are you seeing now that suggest we are on the precipice of a more dangerous era?

It’s true, we saw some big, scary headlines about ten years ago—the Ukrainian power grid, for instance—and then things went relatively quiet on that front. The reason was that attackers, even if they broke in, were essentially digital tourists in a foreign land; they couldn’t read the signs or understand the machinery. What we’re seeing now is a change in behavior. Instead of crude, smash-and-grab attempts, there are early signs of attackers showing more patience and a genuine interest in learning these bespoke systems. The concern isn’t just that they’re getting in, but that they are starting to understand what they’re looking at, moving from fumbling around to actively trying to comprehend the industrial processes they’ve compromised. This shift from ignorance to education is the critical indicator that we’re on the verge of something much more dangerous.

Many recent OT disruptions resulted from IT-based ransomware spillover. How does a “living-off-the-plant” attack differ in its objectives and potential for physical damage? Can you walk us through a hypothetical step-by-step scenario comparing the two approaches?

The difference is night and day; it’s the distinction between a sledgehammer and a scalpel. An IT spillover, like the Colonial Pipeline incident, is collateral damage. The attackers hit the IT network with ransomware, and because the OT side couldn’t function without those business systems, the operators had to voluntarily shut everything down to prevent the infection from spreading. The objective was purely financial extortion, and the physical disruption was an indirect consequence.

Now, imagine a “living-off-the-plant” attack. The objective here isn’t a ransom; it’s physical manipulation or destruction. An adversary would first spend months quietly learning the plant’s unique operations. Instead of deploying noisy ransomware, they’d use the system’s own legitimate tools and protocols. They might subtly alter the configuration of a programmable logic controller (PLC) to slightly change a chemical mixture over time, or manipulate sensor readings so that a boiler overheats while the control room display shows everything is normal. The damage is physical, deliberate, and a direct result of weaponizing the industrial process itself, which is a far more terrifying prospect.

Gaining a holistic understanding of a unique OT environment seems incredibly complex. What are the key steps an adversary would need to take to move from crude access, like in the Norwegian dam incident, to mastering a specific plant’s operations for a sophisticated attack?

That incident at the Norwegian dam is the perfect example of step one: getting a foothold. They found default credentials on an internet-facing HMI and just clicked around, using basic functions without any real understanding. To evolve from that, an attacker needs to build a complete, holistic picture. This isn’t just about the technology; it’s about connecting the digital to the physical.

First, they’d have to map the physical process itself—how the pipes are connected, what the valves do, the purpose of each turbine. Then, they would need to understand how the OT layer—the PLCs and control systems—sits on top of that to monitor and automate it. Next comes the network architecture that connects all these devices, followed by the cybersecurity controls layered on top of that. Finally, and this is crucial, they must observe how people interact with it all. It’s a painstaking process of reconnaissance to understand how that specific plant, with its unique blend of equipment from the 80s, 2000s, and today, truly works as a single, living entity.

You’ve pointed to proprietary protocols like S7comm as a potential vector. Beyond this example, what other seemingly benign or overlooked operational functions could be weaponized by an attacker who truly understands the plant’s processes? Please share one or two specific examples.

Absolutely, the S7comm example is a real brain melter because it involves manipulating obscure configuration fields that most defenders would never even think to monitor. It’s a perfect illustration of blending in with normal operational traffic. Another example could be abusing maintenance or diagnostic functions built into industrial equipment. These are often trusted, privileged functions used by engineers to calibrate a device or pull diagnostic logs. An attacker with deep process comprehension could trigger a diagnostic routine on a critical pump at the worst possible moment, causing it to shut down and creating a cascading failure throughout the system.

Another subtle vector would be manipulating alarm thresholds. In any plant, operators are conditioned to see hundreds of low-priority alarms a day. A sophisticated attacker could slowly, incrementally raise the threshold for a critical temperature or pressure alarm, effectively blinding the operators to a dangerous condition that is building up over time. By the time a physical symptom appears, it would be far too late to prevent a catastrophic failure.

Given that OT environments are often a patchwork of technologies from different eras, security by obscurity seems to offer some unintentional protection. How can defenders leverage this complexity to their advantage, and what are the biggest risks of over-relying on this “accidental” defense?

It’s a double-edged sword, for sure. That patchwork nature, with systems from the 80s working alongside modern ones, means no two environments are alike. This uniqueness absolutely acts as a form of security by obscurity, and defenders can leverage it. By understanding that an attacker has to invest significant time to learn your specific, quirky setup, you can focus your defensive efforts on detecting that learning process. If you can deprive an adversary of understanding your environment, you deprive them of the certainty they need to launch a successful attack. This forces them to linger in the network longer, giving your detection and response teams a much better chance of finding them before they can act.

The huge risk, however, is complacency. You should never rely on obscurity as your primary defense. Attackers have resources. They can buy old PLCs on eBay to practice, they can read textbooks, and now they can even ask chatbots to explain how a protocol works. As we saw with the CyberAv3ngers campaign, attackers are already using tools like ChatGPT to ask for default credentials. Relying on obscurity alone is a losing game; it’s a temporary advantage that you must use to build more robust, active defenses.

With resources like ChatGPT helping adversaries understand OT systems, the barrier to entry is lowering. What practical, proactive steps should OT operators be taking right now to prepare for attackers who are rapidly educating themselves on industrial control systems?

The clock is ticking, so action is needed now. First and foremost, you can’t protect what you can’t see. Operators need to achieve deep visibility into their OT networks and understand what “normal” looks like. This means moving beyond just IT security tools and implementing OT-specific monitoring that can decipher proprietary industrial protocols and flag unusual commands or configuration changes. Second, they must prioritize hardening their systems. This includes eliminating trivial entry points like default credentials and unnecessary internet-facing devices—the kind of low-hanging fruit that enabled the Norwegian dam incident.

Finally, operators need to embrace the idea of proactive threat hunting within their OT environment. Don’t just wait for an alarm to go off. Assume an adversary is already inside, quietly learning your processes. Actively look for the subtle signs of their reconnaissance. By making the environment as difficult as possible for them to understand, you slow them down, and that’s how you buy yourself the time you need to detect and evict them.

What is your forecast for OT attacks over the next five years?

Over the next five years, I forecast a significant and concerning divergence in OT attacks. We will continue to see the background noise of IT-based ransomware spillover causing operational shutdowns, as it remains a profitable and relatively easy model for cybercriminals. However, the truly dangerous trend will be the rise of targeted, “living-off-the-plant” attacks from more sophisticated state-sponsored or high-tier criminal actors. We will move from seeing one or two major, publicly disclosed events every few years to a more regular cadence of subtle, physically damaging incidents. The attackers’ learning curve is accelerating rapidly with new AI tools, and I believe within this timeframe, we will witness a landmark attack that demonstrates a masterful and terrifying comprehension of a complex industrial process, serving as a wake-up call for the entire industry.