Industrial Ouroboros: Deep Lateral Movement via Living Off the Plant
Richard Derbyshire

TL;DR
This paper introduces 'living off the plant' (LOTP), a novel, covert PLC-centric lateral movement technique in OT environments that uses native functions, enabling stealthy asset traversal and network escape.
Contribution
It presents the first native-function-based lateral movement method for PLCs, highlighting OT security risks and challenging traditional defensive practices.
Findings
LOTP enables covert lateral movement in OT environments.
The technique allows escape from IP to serial networks via dual-homed PLCs.
LOTP leverages common network functions, making detection difficult.
Abstract
Lateral movement is a tactic that adversaries employ most frequently in enterprise IT environments to traverse between assets. In operational technology (OT) environments, however, few methods exist for lateral movement between domain-specific devices, particularly programmable logic controllers (PLCs). Existing techniques often rely on complex chains of vulnerabilities, which are noisy and can be patched. This paper describes the first PLC-centric lateral movement technique that relies exclusively on the native functionality of the victim environment. This OT-specific form of 'living off the land' is herein distinguished as 'living off the plant' (LOTP). The described technique also facilitates escape from IP networks onto legacy serial networks via dual-homed PLCs. Furthermore, this technique is covert, leveraging common network communication functions that are challenging to detect.…
Taxonomy
Topics: Security and Verification in Computing · Smart Grid Security and Resilience · Network Time Synchronization Technologies
