New Study Reveals PLC‑Centric Lateral Movement Technique in OT Environments
A paper authored by Richard Derbyshire and posted to arXiv on 24 December 2025 describes a novel method for lateral movement that exploits the native functions of programmable logic controllers (PLCs) in operational technology (OT) settings. The technique, termed “living off the plant” (LOTP), enables adversaries to traverse between domain‑specific devices without relying on external vulnerabilities, and it can extend from IP networks onto legacy serial links via dual‑homed PLCs.
Background on OT Lateral Movement
Lateral movement is a common tactic in enterprise IT, where attackers pivot from one compromised asset to the next. In OT environments, however, the limited set of devices and protocols has historically constrained such activity, leading defenders to focus on vulnerability chains that are often noisy and patchable.
The LOTP Technique Explained
Derbyshire’s research outlines a PLC‑centric approach that leverages standard network communication functions already present in the victim environment. By using these built‑in capabilities, the attacker can issue commands, read data, and reconfigure PLCs without introducing additional code or exploiting known software flaws, thereby reducing the likelihood of detection.
Security Implications
The covert nature of LOTP challenges traditional OT security monitoring, which typically looks for signatures associated with external exploits. Because the technique operates within the expected behavior of PLCs, existing intrusion‑detection systems may miss the activity, prompting a reassessment of baseline traffic models and anomaly‑detection thresholds.
Potential Network Escape Paths
The study also demonstrates how dual‑homed PLCs can serve as bridges between modern IP networks and older serial communication buses. This capability allows an attacker who has compromised an IP‑connected PLC to pivot onto legacy serial segments, expanding the attack surface and complicating containment efforts.
Recommendations for Defenders
According to the author, organizations should consider augmenting their defensive posture with deeper visibility into PLC command patterns, stricter segmentation between IP and serial domains, and regular audits of PLC firmware and configuration baselines. Emphasizing “defense‑in‑depth” specific to OT may mitigate the risks introduced by LOTP techniques.
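The two defensive points above, baselining PLC command patterns (Security Implications) and watching the IP-to-serial boundary crossed by a dual-homed PLC (Potential Network Escape Paths), can be expressed as a small detection model. The following is an added example, not code from the paper or the article: it learns which (source, destination, operation-class) triples are normal during a learning window, then flags records that fall outside that baseline, PLC-originated write or program operations aimed at a peer PLC, and write or program operations into a serial segment that do not come from the engineering workstation. Device names, roles, segment assignments and the flow records are all constructed for illustration; the operation classes (read, write, program) are a coarse abstraction of whatever the site's protocol decoder emits.

```python
"""Baseline model of PLC command patterns with role- and segment-aware rules.

Added example for illustration only; not from the paper or the article.
All asset names, roles, segments and flow records below are constructed.
"""
from collections import Counter

# Constructed asset inventory (hypothetical names): role and network segment.
ROLES = {"ews-01": "ews", "hmi-01": "hmi", "plc-01": "plc", "plc-02": "plc", "plc-03": "plc"}
SEGMENTS = {"ews-01": "ip", "hmi-01": "ip", "plc-01": "ip", "plc-02": "ip", "plc-03": "serial"}
# plc-02 is assumed to be the dual-homed device that also sits on the serial bus,
# so plc-03 is only reachable through it.

WRITE_LIKE = ("write", "program")  # operation classes that change state or logic

# Constructed learning-window records: (source, destination, operation class).
BASELINE_WINDOW = [
    ("ews-01", "plc-01", "program"),  # engineering workstation downloads logic
    ("ews-01", "plc-02", "program"),
    ("ews-01", "plc-03", "program"),  # reaches the serial PLC via the bridge
    ("hmi-01", "plc-01", "read"),
    ("hmi-01", "plc-01", "write"),    # operator setpoint changes
    ("hmi-01", "plc-02", "read"),
    ("plc-01", "plc-02", "read"),     # legitimate peer-to-peer data exchange
    ("plc-02", "plc-03", "read"),     # bridge polls the serial device
]


def build_baseline(records):
    """Count each (src, dst, op) triple seen during the learning window."""
    return Counter(records)


def findings_for(record, baseline, roles=ROLES, segments=SEGMENTS):
    """Return the list of reasons a single record is suspicious (empty if normal)."""
    src, dst, op = record
    reasons = []
    # Rule 1: novelty against the learned baseline of command patterns.
    if record not in baseline:
        reasons.append("outside baseline")
    # Rule 2: a PLC changing state or logic on a peer PLC is rarely expected;
    # normally only the engineering workstation or HMI does that.
    if op in WRITE_LIKE and roles.get(src) == "plc" and roles.get(dst) == "plc":
        reasons.append("plc-originated write/program to peer plc")
    # Rule 3: write-like traffic into the serial segment should originate from
    # the engineering workstation, not from an IP-side device behind the bridge.
    if op in WRITE_LIKE and segments.get(dst) == "serial" and roles.get(src) != "ews":
        reasons.append("write/program into serial segment from non-engineering host")
    return reasons


def detect(records, baseline, roles=ROLES, segments=SEGMENTS):
    """Return [(record, reasons)] for every record that raised at least one finding."""
    out = []
    for record in records:
        reasons = findings_for(record, baseline, roles, segments)
        if reasons:
            out.append((record, reasons))
    return out


# Constructed monitoring-window records to evaluate against the baseline.
NEW_WINDOW = [
    ("hmi-01", "plc-01", "read"),       # normal operator polling
    ("plc-01", "plc-02", "program"),    # a PLC reprogramming its peer
    ("plc-02", "plc-03", "write"),      # IP-side PLC writing across the bridge
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW)
    for record, reasons in detect(NEW_WINDOW, baseline):
        print(f"{record[0]} -> {record[1]} [{record[2]}]: {', '.join(reasons)}")
```

Rule 1 alone is the "baseline traffic model" the article mentions and will also fire on benign changes such as a new HMI tag, so it is best used as a trigger for review; rules 2 and 3 encode the structural expectations (who may change PLC state, and from which segment) that survive baseline drift. In practice the roles and segments tables come from the asset inventory and the records from a protocol-aware sensor's flow export.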
The paper, cited as arXiv:2512.21248 [cs.CR], was revised on 29 December 2025 (v2) and remains 563 KB in size. It contributes to the emerging body of research focused on securing industrial control systems against sophisticated, low‑noise attack vectors.
This report is based on the abstract of the paper as published on arXiv (an open-access preprint). The full text is available via arXiv.