Lateral movement is a tactic that adversaries employ most frequently in enterprise IT environments to traverse between assets. In operational technology (OT) environments, however, few methods exist for lateral movement between domain-specific devices, particularly programmable logic controllers (PLCs). Existing techniques often rely on complex chains of vulnerabilities, which are noisy and can be patched. This paper describes the first PLC-centric lateral movement technique that relies exclusively on the native functionality of the victim environment. This OT-specific form of `living off the land' is herein distinguished as `living off the plant' (LOTP). The described technique also facilitates escape from IP networks onto legacy serial networks via dual-homed PLCs. Furthermore, this technique is covert, leveraging common network communication functions that are challenging to detect. This serves as a reminder of the risks posed by LOTP techniques within OT, highlighting the need for a fundamental reconsideration of traditional OT defensive practices.

翻译：横向移动是攻击者在企业IT环境中最常采用的战术，用于在资产间进行渗透。然而，在运营技术（OT）环境中，针对特定领域设备（尤其是可编程逻辑控制器（PLC））之间的横向移动方法却鲜有存在。现有技术通常依赖于复杂的漏洞链，这些方法不仅会产生大量噪声，而且可能被修补。本文描述了第一种完全依赖受害环境原生功能的、以PLC为中心的横向移动技术。这种OT特有的“依赖环境生存”形式在此被区分为“依赖工厂生存”（LOTP）。所述技术还通过双宿主PLC实现了从IP网络到传统串行网络的逃逸。此外，该技术具有隐蔽性，利用了难以检测的常见网络通信功能。这提醒我们注意OT环境中LOTP技术所带来的风险，并强调了对传统OT防御实践进行根本性重新思考的必要性。