TL;DR: Dragos’ 2026 OT Cybersecurity Year in Review found that 56% of penetration tests abused living off the land tools without triggering alerts, while 81% of architecture assessments found poor IT/OT segmentation, showing that OT defenders are fighting an architecture problem more than a detection problem. Segmentation, not endpoint telemetry, becomes the decisive control when native protocols and trusted admin paths are the attacker’s weapon.
At a glance
What this is: The article argues that living off the land attacks in OT succeed because flat or coarse segmentation lets attackers reuse trusted tools, protocols, and credentials to move from IT into control environments.
Why it matters: For IAM, PAM, and OT security teams, the key lesson is that identity and network trust must be constrained together, or compromised administrative access can translate directly into process-level impact.
By the numbers:
- 56% of Dragos penetration tests in 2025 successfully abused living off the land tools without triggering a single alert.
- 81% of architecture assessments identified poor IT/OT segmentation.
- 73% of all-time incident response cases involved compromised VPN or jumphost credentials.
- 119 ransomware groups impacted 3,300 industrial organizations in a 49% year-over-year increase.
👉 Read Elisity's analysis of living off the land attacks in OT
Context
Living off the land in OT is not primarily a malware problem. It is a governance problem created by trusted administrative paths, broad east-west communication, and industrial protocols that were built for availability rather than hostile environments. In that setting, identity controls and network controls have to work together because a compromised engineering account can become an operational control path, not just an access event.
The article’s core claim is that OT security leaders should stop treating detection as the main answer to lateral movement. That matters to IAM and PAM teams because shared credentials, jump hosts, and remote access into plant environments create the bridge from enterprise compromise to process disruption. In other words, the trust model around privileged access is part of the OT attack surface, not separate from it.
Key questions
Q: What breaks when living off the land attacks are not blocked in OT environments?
A: What breaks is the assumption that trusted administrative tools and native industrial protocols are safe just because they are legitimate. If segmentation is weak, a compromised engineering workstation or remote access channel can move laterally, enumerate assets, and issue valid commands that affect production. The failure is architectural because the attacker is using normal pathways, not abnormal binaries.
Q: Why do living off the land attacks in OT increase lateral movement risk so sharply?
A: They increase lateral movement risk because OT often contains shared jump hosts, VPNs, and flat communication zones that give trusted access too much reach. Once an attacker has one foothold, the environment may let them use ordinary industrial protocols to move into adjacent systems without needing exploits or malware. That turns privilege into pathway access.
Q: How can security teams know if OT segmentation is actually working?
A: Segmentation is working only if a compromised endpoint cannot reach devices outside its approved operational scope, even when it uses valid OT protocols. The strongest test is whether an engineering workstation can talk to unrelated PLCs, HMIs, or control loops. If it can, the policy model is too broad to limit living off the land movement.
Q: Who is accountable when OT living off the land abuse reaches production systems?
A: Accountability is shared across OT operations, IAM, PAM, and network security because the breach path depends on trust decisions made in each layer. IEC 62443-style zone and conduit design, plus identity governance for remote access and privileged accounts, should make ownership explicit before an incident proves the gap.
Technical breakdown
Why native OT protocols make living off the land hard to detect
Industrial control protocols such as Modbus/TCP, EtherNet/IP, OPC-UA, DNP3, and IEC 104 were designed to keep plants running, not to authenticate every command. In many deployments, a read or write request from a legitimate engineering workstation looks identical to the same request from a compromised host. That means attackers do not need custom malware to enumerate assets, issue commands, or map process logic. They can use the protocol itself as the attack vehicle, which makes traditional signature-based detection weak against native command abuse.
Practical implication: inventory which OT protocols carry control authority and restrict them to the smallest possible communication paths.
Why endpoint detection cannot cover the full OT attack surface
EDR depends on agents, but many OT assets cannot run them because of operating constraints, firmware limitations, or safety requirements. Even where agents exist on engineering workstations, normal administrative activity in OT can resemble attacker behavior closely enough to overwhelm detections. That leaves a blind spot around PLCs, HMIs, relays, and other devices that still represent the most critical control points. Visibility tools help, but they do not prevent an attacker from moving through the environment once a trusted path is open.
Practical implication: pair OT visibility with preventive controls that remove unnecessary communication paths rather than relying on alerts alone.
How microsegmentation changes the attack path
Microsegmentation shifts enforcement from broad zones to device- and role-specific policy. Instead of allowing every asset in a VLAN to talk to every other asset, it limits which engineering workstations, historians, HMIs, and PLCs can communicate, based on operational need. That directly reduces lateral movement opportunities even when the attacker controls a trusted endpoint. In OT, this works best when the policy model is aligned to zones and conduits and enforced without agents on fragile devices.
Practical implication: build per-device communication policy for OT zones so a compromised workstation cannot fan out across a process cell.
Threat narrative
Attacker objective: The objective is to move from initial enterprise access into control systems, then use trusted tools and native protocols to disrupt operations, steal process intelligence, or persist for future access.
- Entry typically begins with phishing, compromised VPN access, or stolen third-party credentials that gives the attacker a foothold in the IT environment.
- Escalation follows when the attacker harvests domain credentials, abuses shared jump infrastructure, or pivots through dual-homed systems into OT-adjacent networks.
- Impact occurs when native OT protocols are used to reconnoitre, manipulate, or disrupt control assets while blending into legitimate operational traffic.
NHI Mgmt Group analysis
Living off the land in OT is fundamentally a segmentation failure, not a detection failure. The article shows that attackers do not need novel malware once they can reuse trusted protocols, jump hosts, and administrative channels. That means the decisive control is not better alerting alone but narrower trust boundaries that prevent movement in the first place. For practitioners, the implication is clear: reduce the attack surface by constraining how far legitimate access can travel.
Protocol trust gap: industrial protocols expose a control path that many teams still treat as ordinary traffic. OT protocols often lack the authentication and encryption assumptions that defenders rely on in IT, which makes command validity a poor proxy for command legitimacy. When a valid OPC-UA or EtherNet/IP request can be harmful, the governance problem is about reachability and policy, not inspection depth. Practitioners should treat OT protocol authorization as a segmentation question, not just a monitoring question.
Shared administrative access is the bridge that turns IT compromise into plant impact. The article’s repeated emphasis on VPNs, jumphosts, engineering workstations, and service access shows that privilege concentration is doing the attacker’s work. Once an adversary inherits a trusted path, flat or weakly separated OT architecture gives that path operational scope it should never have had. For identity teams, this is a reminder that PAM boundaries must extend into OT remote access design.
OT zero trust has to be enforced at the communication layer, not just the identity layer. Identity proof alone does not stop a compromised workstation from issuing legitimate-looking industrial commands if the network still allows those commands to reach every asset. The article therefore validates a narrower model of trust: identity, role, and device context must all bound communication. For security architects, the lesson is to align access policy with process topology, not with convenience.
Microsegmentation is the named concept this article sharpens for OT security. The practical value is that it translates a broad architectural principle into enforceable device-to-device rules that limit blast radius when credentials or workstations are compromised. That makes it directly relevant to NIST CSF, IEC 62443-style zone thinking, and least-privilege access design. For practitioners, the conclusion is to treat microsegmentation as an operational control, not a network tidy-up exercise.
What this signals
Standards-based segmentation is becoming an identity control as much as a network control. OT environments that still depend on broad trust zones will keep seeing the same failure mode: valid credentials and valid commands used at the wrong scale. As organisations align to IEC 62443 and NIST CSF, the practical shift is toward policy that limits who and what can talk to each device, not just who can log in.
The strongest programmes will treat engineering workstations, jumphosts, and service access as governed trust assets. That means the control question is no longer whether remote access exists, but whether it is bounded tightly enough to prevent an attacker from using it as a lateral movement highway. Where identity is involved, the control boundary has to extend into the OT communication model.
A related concept is protocol-aware blast-radius control: if an attacker can use a valid industrial protocol command, the environment must still prevent that command from reaching everything. That is where microsegmentation, PAM, and asset-aware policy converge. For practitioners, the forward look is simple: reduce the number of paths before you try to detect abuse on them.
For practitioners
- Define OT communication whitelists at the device level Map which engineering workstations, historians, HMIs, PLCs, and remote gateways truly need to communicate, then block all other east-west paths inside each process cell. Use this to reduce the reach of legitimate protocols that attackers can abuse.
- Separate privileged remote access from shared jump paths Remove shared VPN and jumphost exposure wherever possible, and require distinct access paths for IT administration and OT maintenance so a compromised enterprise account cannot pivot cleanly into control systems.
- Align PAM scope to OT process boundaries Limit administrative access so service accounts and operator access are bound to a specific plant function, not a broad network segment. That reduces the chance that one compromised credential can traverse from one process area to another.
- Validate segmentation with adversary-style testing Test whether a compromised engineering workstation can enumerate assets, issue native protocol commands, or reach unrelated devices within the same zone. Measure failure by reachable paths, not by alert volume alone.
Key takeaways
- Living off the land in OT succeeds because attackers can reuse trusted protocols and administrative paths, not because they have superior malware.
- Dragos’ data points to an architecture problem, with 56% of penetration tests abusing LOTL tools undetected and 81% of assessments finding weak IT/OT segmentation.
- The limiting control is device-level segmentation tied to identity and process scope, because that is what shrinks the attacker’s reach when trust is already compromised.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | The article centers on credential abuse and lateral movement into OT control environments. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and constrained communication are the core defensive themes. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is directly challenged by shared remote access and broad device reach. |
| CIS Controls v8 | CIS-5 , Account Management | Compromised and over-broad administrative accounts are part of the attack chain. |
| ISO/IEC 27001:2022 | A.8.20 | Network security controls are required to enforce OT zone and conduit restrictions. |
Map OT attack paths to credential access and lateral movement tactics, then close reachable paths between zones.
Key terms
- Living Off The Land: A technique where attackers abuse legitimate tools, protocols, or administrative paths already present in the environment. In OT, that often means using native industrial commands or trusted remote access rather than dropping malware, which makes malicious activity harder to distinguish from normal operations.
- Microsegmentation: A network control approach that limits communication at a much finer level than traditional VLANs or perimeter firewalls. In OT, it means allowing only the exact device-to-device paths needed for operations, which reduces lateral movement and constrains the blast radius of compromised credentials or workstations.
- Zones And Conduits: An industrial security model that groups assets into zones with shared security requirements and defines controlled conduits between them. It is most effective when the conduits are enforced at a granular level, because coarse segmentation often leaves too much trust inside each zone.
- Engineering Workstation: A workstation used to configure, monitor, or maintain industrial systems such as PLCs, HMIs, and control logic. Because these systems often have privileged access to plant devices, compromise of an engineering workstation can become a direct route into operational control if segmentation is weak.
What's in the full article
Elisity's full article covers the operational detail this post intentionally leaves for the source:
- A deeper explanation of how identity-based microsegmentation is applied to OT zones and conduits in practice.
- The article’s discussion of why VLANs, Purdue Model boundaries, and DMZs still leave lateral movement paths open.
- Operational considerations for deploying enforcement without agents on fragile OT assets.
- The article’s vendor-side framing of why segmentation, rather than detection alone, is the practical fix.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, IAM, and secrets management for teams responsible for privileged access and lifecycle control. It helps practitioners connect identity discipline to the broader security architecture their programmes depend on.
Published by the NHIMG editorial team on 2026-03-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org