Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Living off the land in OT: are your segmentation controls enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: Dragos’ 2026 OT Cybersecurity Year in Review found that 56% of penetration tests abused living off the land tools without triggering alerts, while 81% of architecture assessments found poor IT/OT segmentation, showing that OT defenders are fighting an architecture problem more than a detection problem. Segmentation, not endpoint telemetry, becomes the decisive control when native protocols and trusted admin paths are the attacker’s weapon.

NHIMG editorial — based on content published by Elisity: Living off the land attacks in OT and the microsegmentation fix

By the numbers:

Questions worth separating out

Q: What breaks when living off the land attacks are not blocked in OT environments?

A: What breaks is the assumption that trusted administrative tools and native industrial protocols are safe just because they are legitimate.

Q: Why do living off the land attacks in OT increase lateral movement risk so sharply?

A: They increase lateral movement risk because OT often contains shared jump hosts, VPNs, and flat communication zones that give trusted access too much reach.

Q: How can security teams know if OT segmentation is actually working?

A: Segmentation is working only if a compromised endpoint cannot reach devices outside its approved operational scope, even when it uses valid OT protocols.

Practitioner guidance

  • Define OT communication whitelists at the device level Map which engineering workstations, historians, HMIs, PLCs, and remote gateways truly need to communicate, then block all other east-west paths inside each process cell.
  • Separate privileged remote access from shared jump paths Remove shared VPN and jumphost exposure wherever possible, and require distinct access paths for IT administration and OT maintenance so a compromised enterprise account cannot pivot cleanly into control systems.
  • Align PAM scope to OT process boundaries Limit administrative access so service accounts and operator access are bound to a specific plant function, not a broad network segment.

What's in the full article

Elisity's full article covers the operational detail this post intentionally leaves for the source:

  • A deeper explanation of how identity-based microsegmentation is applied to OT zones and conduits in practice.
  • The article’s discussion of why VLANs, Purdue Model boundaries, and DMZs still leave lateral movement paths open.
  • Operational considerations for deploying enforcement without agents on fragile OT assets.
  • The article’s vendor-side framing of why segmentation, rather than detection alone, is the practical fix.

👉 Read Elisity's analysis of living off the land attacks in OT →

Living off the land in OT: are your segmentation controls enough?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Living off the land in OT is fundamentally a segmentation failure, not a detection failure. The article shows that attackers do not need novel malware once they can reuse trusted protocols, jump hosts, and administrative channels. That means the decisive control is not better alerting alone but narrower trust boundaries that prevent movement in the first place. For practitioners, the implication is clear: reduce the attack surface by constraining how far legitimate access can travel.

A question worth separating out:

Q: Who is accountable when OT living off the land abuse reaches production systems?

A: Accountability is shared across OT operations, IAM, PAM, and network security because the breach path depends on trust decisions made in each layer. IEC 62443-style zone and conduit design, plus identity governance for remote access and privileged accounts, should make ownership explicit before an incident proves the gap.

👉 Read our full editorial: Living off the land attacks in OT expose the segmentation gap



   
ReplyQuote
Share: