A Major Industrial Cybersecurity Threat: Living off the Land Attacks

Malicious actors understand industrial systems and critical infrastructure facilities, according to a Honeywell report, and they are using that knowledge to put those systems at risk. Eighty-two percent of detected malware was found to be capable of causing significant operational impacts. And, largely, those bad actors are deploying “living off the land” (LotL) strategies to disrupt those systems.

As the Honeywell 2024 USB Threat Report noted, malware frequently targets document vulnerabilities and uses scripting and command-line techniques. These LotL, or “silent residency” attacks, define malware or an attacker’s ability to reside within a system for an extended period without detection. In the context of cyber-physical systems (CPS) attacks, malicious software can remain dormant or operate low-profile within industrial control systems (ICS) and Operational Technology (OT), only activating at specific times or under certain conditions.

This tactic differs from traditional cyber-attacks in several ways, explained Chris Warner, senior security consultant for operational technology at GuidePoint Security. These attacks focus on remaining undetected for extended periods (stealth or covert recon), ensure their presence over time despite reboots and updates (persistence); and activate based on specific triggers such as dates or operational states (trigger-based actions). “This approach often uses legitimate processes and tools, making it harder to distinguish from normal operations to blend in,” he said.

LotL Attacks Pose Significant Threat

LotL attacks are becoming a significant threat to industrial and critical infrastructure facilities because they already exploit legitimate tools and software in the environment. “This makes them difficult to detect and mitigate since they blend in with normal operations,” Warner said.

These attacks can leverage existing system features, administrative tools and scripts to perform reconnaissance, corporate espionage or malicious activities without introducing new, suspicious files or processes.

In industrial and critical infrastructure environments, where systems often rely on specialized and legacy software, LotL attacks can be devastating because the necessary monitoring and detection capabilities may be less advanced or comprehensive.

The report also found USB-borne malware poses a growing risk to industrial environments, with the majority (51%) of malware designed to spread via USB, up from 9% in 2019.

USB devices play a significant role in facilitating LotL attacks due to their widespread use in industrial environments and the ease with which they can transfer data and execute code, Warner explained. “They are effective vectors because they can be easily connected to critical systems, especially in environments with stringent network segmentation and limited internet access,” he said. “They can introduce malware directly to isolated networks, bypassing network-based security controls.”

Organizations can mitigate the risk of malware spreading via USB devices by implementing USB port controls to allow only authorized devices and turning off auto-run and auto-play features to prevent the automatic execution of malicious software. “Regularly scanning USB devices on a stand-alone machine with updated antivirus software before connecting them to critical systems is essential,” Warner said. “Educate employees about the risks of using unknown or untrusted devices.”

Additionally, network segmentation should isolate critical systems from those interacting with USB devices to limit malware spread. “Finally, strict policies regarding USB device usage and handling should be developed and enforced,” Warner advised.

Industrial Interruption, Significant Financial Impact

Interruption of industrial processes can have significant financial impacts, explained Jose Seara, CEO and founder at DeNexus. Among them: revenue loss if a production chain is stopped, contract penalties for a manufacturer that is unable to deliver on contractual obligations and interruption of critical services when the electricity grid is disrupted.

“Other factors include reputation damages and service fees for transportation systems that do not deliver on set expectations, or more costly physical damages to people and resources,” Seara said.

While air-gapping industrial environments is nearly impossible, strict network segmentation with the least privileged access should absolutely be deployed, Seara said. “Restricting the usage of USB to load documents or any other digital materials is obviously a must.”

Monitoring and inspecting systems and networks for integrity and anomalous behavior can help detect potentially malicious activities. “Malware brought through USB seems like a behavior that can be stopped with adequate cybersecurity awareness training,” Seara said.

First and foremost, industrial corporations can stay one step ahead of threats by understanding their cyber risks. Quantifying cyber risk and identifying where they face the greatest financial losses from potential cyber events will enable them to direct resources and budget towards the most effective risk mitigation strategies.

Seara said there has been a convergence between IT systems and Operational Technology (OT) for industrial environments. “While the usage of modern, internet-connected applications and systems to pilot physical assets delivers unprecedented efficiencies, this also brings with it the cyber threats faced by IT,” he explained. CISOs responsible for industrial environments should apply to OT the same strict rules they apply to IT and work around the constraints of obsolete, hard-to-patch systems.

Photo credit: Markus Winkler on Unsplash