Industrial control system (ICS) and operational technology (OT) incident response has to evolve for the current threat landscape, where adversaries increasingly use ‘living-off-the-land’ (LotL) techniques that exploit legitimate engineering tools, credentials, and control system functionality rather than traditional malware. A recent SANS Institute analysis argues that conventional IT incident response playbooks focused on rapid isolation and system rebuilds can cause physical disruption or safety risks in ICS environments, because many OT systems cannot be taken offline without affecting reliability or safety.
Instead, effective response in industrial settings requires engineering-led, process-aware approaches tailored to the realities of physical systems, deeper visibility into protocol-level activity, and coordinated readiness exercises. Against this backdrop, LotL attacks that misuse native tools and access paths pose a detection challenge for automated defenses, underscoring the need for ICS-specific practices that balance operational continuity and cybersecurity.
“Applying IT-centric IR actions in OT—such as aggressive containment, indiscriminate isolation, or automated shutdowns—can halt production, could damage equipment, or create unsafe operating conditions,” Dean Parsons, SANS Certified instructor and CEO of ICS Defense Force, wrote in a Friday SANS post. “This creates a massive and dangerous gap in critical infrastructure defense. ICS/OT incidents require response plans built around engineering context, process awareness, and operational continuity, not IT recovery playbooks. Without purpose-built ICS/OT incident response planning, organizations risk turning a cyber event into a self-inflicted control system outage.”
Citing the ‘2025 SANS State of ICS/OT Security Survey,’ Parsons notes that more than one in five organizations reported an ICS/OT cyber incident in the past year, many resulting in operational disruption and prolonged recovery. Detection and containment times have improved in parts of the industrial sector, but remediation and safe restoration of operations remain stubborn pain points.
“While detection and containment times have improved across some industrial sectors, remediation and safe recovery remain persistent challenges,” he added. “This gap highlights a core reality many organizations are still grappling with: ICS/OT incident response is fundamentally different from traditional IT incident response. ICS/OT demands a tailored approach, and traditional IT incident response controls and processes can sometimes cause more harm than good when applied directly to industrial environments.”
In IT environments, Parsons mentioned that incident response is typically optimized around confidentiality, data protection, and rapid isolation of compromised systems. That approach works well for IT, and it should not change. In ICS/OT environments, however, priorities shift. Safety and operational integrity come first, followed closely by reliability. Taking an HMI (human-machine interface), PLC (programmable logic controller), or protection relay offline, isolating a production line segment, or terminating access at the wrong time may reduce cyber risk, but it can also introduce immediate physical risk, disrupt critical services, or create unsafe process conditions.
Thus, ICS/OT incident response must be engineering-led, process-aware, and deeply informed by how industrial systems actually operate.
Parsons outlined that industrial incidents are no longer dominated by malware alone. Increasingly, adversaries rely on LotL techniques, abusing legitimate engineering systems, tools, credentials, and control system functionality already present in ICS/OT environments. These attacks are often far more difficult to detect than traditional malware-based intrusions.
He highlighted that adversaries often move from IT into OT using valid credentials, trusted remote access paths, or shared identity infrastructure. Once inside the ICS network, they can leverage standard engineering software, HMIs, scripting tools such as PowerShell, and industrial protocols to interact directly with physical processes. No vulnerability, exploit, or custom malware is required if authorized access, often obtained through stolen credentials, already exists.
Real-world incidents demonstrate this clearly, from power distribution disruptions to water treatment system intrusions. In these cases, adversaries manipulated HMIs, issued legitimate control system protocol commands, or reprogrammed controllers using standard engineering workflows. In such scenarios, traditional security tools like anti-malware agents frequently fail because nothing appears overtly malicious from a software perspective.
From a defensive standpoint, several priorities consistently stand out when addressing living-off-the-land risk. Organizations need network segmentation aligned to the Purdue Model so they can contain suspicious activity without triggering unsafe shutdowns. They also require ICS-aware remote access controls backed by strong monitoring and governance to reduce misuse of legitimate access paths.
Equally important is protocol-aware visibility capable of detecting unauthorized control activity that blends into normal operations. Engineering change monitoring and system baselining help teams distinguish routine adjustments from malicious manipulation. Finally, regular, scenario-driven incident response exercises that involve engineers and operators ensure that technical and operational teams can respond in a coordinated and safe manner when an incident unfolds.
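The baselining and protocol-aware detection described above can be reduced to a small piece of logic: learn which hosts write to which controllers and which operations are routine, then flag deviations for analyst review rather than automated shutdown. The following Python is an added illustration, not code from the SANS post or from Parsons; the monitor record format, host names, device names and register identifiers are constructed assumptions.

```python
# Constructed example: records mimic what a protocol-aware ICS monitor would
# export, one line per control-protocol write/change operation. Every host,
# device, protocol and register name here is made up for illustration.
from collections import defaultdict

# Constructed baseline window: routine operator and engineering activity.
BASELINE = """\
2025-01-06T08:01:00 ENG-WS01 PLC-07 modbus write_register hr40001
2025-01-06T08:05:00 HMI-02 PLC-07 modbus write_coil c00012
2025-01-06T09:10:00 ENG-WS01 PLC-07 s7comm program_download block_ob1
2025-01-07T08:03:00 HMI-02 PLC-07 modbus write_coil c00012
""".splitlines()

# Constructed later events to evaluate against that baseline.
NEW_EVENTS = """\
2025-01-08T08:02:00 HMI-02 PLC-07 modbus write_coil c00012
2025-01-08T02:14:00 IT-JUMP01 PLC-07 modbus write_register hr40001
2025-01-08T02:16:00 ENG-WS01 PLC-07 s7comm program_download block_ob1
2025-01-08T02:20:00 ENG-WS01 PLC-07 modbus write_register hr40050
""".splitlines()

CHANGE_OPS = {"program_download"}  # engineering changes get extra scrutiny

def parse(line):
    """Split one monitor record into its fields."""
    ts, src, dst, proto, op, target = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "op": op, "target": target}

def build_baseline(lines):
    """Per device: hosts allowed to write, and (proto, op, target) tuples seen."""
    hosts, ops = defaultdict(set), defaultdict(set)
    for ev in map(parse, lines):
        hosts[ev["dst"]].add(ev["src"])
        ops[ev["dst"]].add((ev["proto"], ev["op"], ev["target"]))
    return hosts, ops

def detect(lines, baseline, change_window=("06:00", "18:00")):
    """Return (timestamp, reason) for each event that deviates from the baseline."""
    hosts, ops = baseline
    alerts = []
    for ev in map(parse, lines):
        key, hhmm = (ev["proto"], ev["op"], ev["target"]), ev["ts"][11:16]
        if ev["src"] not in hosts[ev["dst"]]:          # access path never baselined
            alerts.append((ev["ts"], f"unbaselined host {ev['src']} wrote to {ev['dst']}"))
        elif key not in ops[ev["dst"]]:                # new target or function code
            alerts.append((ev["ts"], f"new operation {key} on {ev['dst']}"))
        elif ev["op"] in CHANGE_OPS and not change_window[0] <= hhmm < change_window[1]:
            alerts.append((ev["ts"], f"engineering change outside window on {ev['dst']}"))
    return alerts
```

On the constructed events, the routine HMI coil write passes silently while the write from an IT jump host, the off-hours program download, and the write to a never-seen register each produce an alert for engineers and the SOC to assess together, in keeping with the point that containment need not mean shutdown.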
Parsons noted that one of the most important distinctions in ICS/OT incident response is that containment does not always mean shutdown. “If a threat is understood, constrained, and not actively impacting the physical process, maintaining controlled operations while containing the threat may be safer than aggressive isolation or shutdown. This requires real-time situational awareness and close coordination among cybersecurity teams, engineers, operators, and leadership.”
He added that when IT personnel are responsible for ICS/OT security without understanding these nuances, response actions are more likely to cause additional damage. Anyone responsible for an ICS/OT SOC or incident response function must be trained specifically in ICS/OT incident response.
Organizations that involve, or lead with, ICS/OT engineering and operations staff in incident response planning and exercises consistently report stronger readiness and faster recovery. Their response decisions are grounded in engineering and process realities rather than traditional IT security assumptions.
“These realities place new demands on ICS/OT incident response programs. While it is important to leverage what works from IT incident response, those approaches must be deliberately adapted for industrial environments,” he concluded. “Effective industrial response depends on having ICS-specific incident response plans.”

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.