Lateral movement is a tactic that adversaries employ most frequently in enterprise IT environments to traverse between assets. In operational technology (OT) environments, however, few methods exist for lateral movement between domain-specific devices, particularly programmable logic controllers (PLCs). Existing techniques often rely on complex chains of vulnerabilities, which are noisy and can be patched. This paper describes the first PLC-centric lateral movement technique that relies exclusively on the native functionality of the victim environment. This OT-specific form of `living off the land' is herein distinguished as `living off the plant' (LOTP). The described technique also facilitates escape from IP networks onto legacy serial networks via dual-homed PLCs. Furthermore, this technique is covert, leveraging common network communication functions that are challenging to detect. This serves as a reminder of the risks posed by LOTP techniques within OT, highlighting the need for a fundamental reconsideration of traditional OT defensive practices.

翻译：横向移动是攻击者在企业IT环境中最常采用的策略，用于在不同资产间穿行。然而，在操作技术（OT）环境中，尤其是在特定领域设备（如可编程逻辑控制器PLC）之间实现横向移动的方法却寥寥无几。现有技术通常依赖于复杂的漏洞利用链，这些方法不仅会产生大量可被检测的痕迹，且可能通过补丁修复。本文首次提出了一种完全基于受害者环境原生功能的、以PLC为核心的横向移动技术。这种OT领域特有的“利用本地资源”攻击形式在此被区分为“利用工厂资源”（LOTP）。所述技术还支持通过双宿主PLC实现从IP网络向传统串行网络的逃逸。此外，该技术具有隐蔽性，利用了难以检测的常见网络通信功能。这提醒我们关注OT环境中LOTP技术带来的风险，并强调有必要从根本上重新审视传统的OT防御实践。