How to Spot Malicious Lateral Movement in OT Environments

Network Analysis

Learn how to detect malicious lateral movement in OT environments with best practices, network segmentation, protocol awareness, and cross-disciplinary collaboration.


Detection of malicious lateral movement in operational technology (OT) environments is a non-trivial challenge. Unlike traditional IT networks, OT networks often rely on legacy protocols, have flat architectures, and prioritize availability over security. These factors make it difficult to spot an adversary hopping from system to system. Nonetheless, with a disciplined approach, keen understanding of both historical and modern networking, and collaboration across IT and OT teams, it is possible to unmask lateral movement—before the attacker reaches critical assets or disrupts plant operations.

Understanding Lateral Movement: From IT to OT

At its core, lateral movement refers to an attacker’s activities once inside a network, as they move from one compromised device to another in search of valuable data or control pathways. In traditional IT, this commonly takes the form of credential theft, remote desktop sessions, or use of administration tools. In OT, it may involve similar tactics, but is complicated by different protocols, unique endpoints (PLCs, RTUs, HMIs), and often, a lack of monitoring.

Historical Perspective: The Flatness Legacy

Historically, OT networks evolved with little or no segmentation. Early ICS (Industrial Control System) and SCADA (Supervisory Control and Data Acquisition) architectures trusted devices implicitly. Protocols like Modbus (since 1979), DNP3 (early 1990s), and EtherNet/IP were never designed with security controls in mind—they simply assumed a closed, air-gapped world. Security procedures, if present, prioritized physical access controls and relied heavily on “security by obscurity.”

The introduction of converged architectures, remote accessibility, and cloud integration over the past two decades shattered these assumptions. Today, PLC firmware can be updated over the network, and operators may monitor plants from home offices. This transformation has created a fertile ground for attackers to move laterally after a successful breach, often with little resistance.


Notable Incidents: A Brief Timeline

  • Stuxnet (2010): Used multiple zero-days for lateral movement, hopping from Windows PCs to Siemens S7 PLCs, targeting uranium enrichment centrifuges.

  • BlackEnergy (2015): Attackers pivoted through IT to OT networks in the Ukrainian power grid attack, disabling substations via unauthorized HMIs.

  • Triton/Trisis (2017): Gained Windows access in a safety system engineering workstation, moving laterally to implant malware in a Schneider Electric Triconex safety PLC.

OT Lateral Movement: Patterns and Protocols

To spot lateral movement in OT, one must first understand what legitimate “East-West” traffic looks like. OT environments typically have deterministic communication patterns driven by scheduled polling and fixed control flows. Any deviation—new devices talking to PLCs, unusual workstation sessions, or unexplained management actions—should be closely scrutinized.


Common Lateral Movement Techniques in OT

  • Compromised Engineering Workstation: Attackers leverage standard PLC programming tools to upload malicious logic, issue commands, or extract configuration data.

  • Exploiting Remote Access and IT-OT Conduits: Remote desktop gateways, VPNs, or shared credentials facilitate traversing from IT to OT zones.

  • Protocol Manipulation: Sending unauthorized Modbus “write” or “diagnostic” packets to manipulate process logic; using DNP3 unsolicited responses for command injection.

  • Service Exploitation: Lateral movement via SMB, RDP, SSH, or legacy protocols if present—especially where IT stacks coexist for asset management or scheduling.

Network Architecture: Segmentation and Monitoring

A critical architectural response to lateral movement is network segmentation—a concept well-understood in IT but often under-implemented in OT. Drawing from the Purdue Enterprise Reference Architecture (an industry standard since the early 1990s), segmentation divides a plant into zones (Level 2 for control, Level 1 for I/O, etc.), protected by firewalls or data diodes at key conduits.


Deep Packet Inspection (DPI) and Protocol Awareness

Traditional NIDS (Network Intrusion Detection Systems) have limited efficacy in OT because they lack protocol awareness or are swamped by normal broadcast traffic. Modern OT DPI tools (Claroty, Nozomi, Dragos—no marketing intended, but for context) parse proprietary protocols, reconstruct session commands, and establish baselines. They can detect:

  • Unusual write or diagnostic commands

  • Unknown client devices initiating PLC programming

  • Unexpected changes in poll intervals or source addresses

However, deployment requires mapping data flows and collaborating with process engineers to define legitimate traffic. False positives result if baseline profiles are poorly constructed or if process changes are not reflected in the detection logic.


Best Practices for Detection: Practical Steps

1. Asset Inventory and Network Mapping

Begin with a comprehensive asset discovery project:


  • Identify all devices, their MAC/IP addresses, function, and process criticality.

  • Map communication flows—who talks to whom, over what protocol, and at what intervals.

  • Document legitimate remote access paths, including temporary project-based logins.

Annotation: Without understanding the baseline, every detection system will either be too sensitive (cry wolf) or not sensitive enough (miss everything).


2. Baseline and Profile Normal Operations

Collect network traffic for several weeks:


  • Use span ports, network taps, or specialized sensors at key junctions.

  • Record not just packet headers, but protocol-specific payloads (e.g., Modbus function codes, DNP3 objects).

  • Collaborate with operators to validate that observed traffic represents standard operations, not out-of-band maintenance or emergency conditions.

3. Alerts on Anomalous Patterns and Suspicious Access

  • Alert on new engineering workstation connections to PLCs or HMIs.

  • Flag any “write” operations from non-designated devices.

  • Detect “write-all-coils” or bulk memory operations on Modbus/TCP.

  • Monitor user authentication events where supported (Windows, SSH-enabled devices).

When possible, correlate alerts to endpoint changes—new user accounts, logins at odd hours, configuration changes.
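As an added example (not code from the original article), the following detector implements the checks that the DPI list and the step 3 bullets above describe, over constructed Modbus/TCP frames: it parses the MBAP header and function code, compares write requests against a baseline of designated writers per PLC, flags FC8 diagnostic requests and bulk FC15/FC16 writes, and reports poll-interval deviation for known client-to-PLC flows. All IP addresses, the baseline, the thresholds and the sample frames are assumptions constructed for the example.

```python
import struct
WRITE_FCS = {5, 6, 15, 16, 22, 23}   # Modbus function codes that change PLC state
DIAGNOSTIC_FC, BULK_FCS, BULK_QTY = 8, {15, 16}, 100   # FC8 diagnostics; FC15/16 writes of 100+ items count as "bulk"

# Constructed baseline (hypothetical addresses): designated writers per PLC, expected poll interval per flow
BASELINE = {
    "allowed_writers": {"10.0.2.50": {"10.0.2.10"}},
    "poll_interval_s": {("10.0.2.20", "10.0.2.50"): 1.0},
}

def parse_modbus_tcp(payload):
    """Parse MBAP header + PDU; return {"unit", "fc", "qty"} or None if malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:      # MBAP length counts unit id + PDU bytes
        return None
    qty = struct.unpack(">H", payload[10:12])[0] if payload[7] in BULK_FCS and len(payload) >= 12 else 0
    return {"unit": unit, "fc": payload[7], "qty": qty}

def analyze(frames, baseline=BASELINE):
    """frames: iterable of (timestamp, src_ip, dst_ip, tcp_payload). Returns a list of alert tuples."""
    alerts, last_seen = [], {}
    for ts, src, dst, payload in frames:
        pdu = parse_modbus_tcp(payload)
        if pdu is None:
            continue
        fc, flow = pdu["fc"], (src, dst)
        if fc in WRITE_FCS and src not in baseline["allowed_writers"].get(dst, set()):
            alerts.append((ts, src, dst, f"write FC{fc} from non-designated device"))
        if fc == DIAGNOSTIC_FC:
            alerts.append((ts, src, dst, "diagnostic FC8 request"))
        if pdu["qty"] >= BULK_QTY:
            alerts.append((ts, src, dst, f"bulk write FC{fc} qty={pdu['qty']}"))
        if flow in last_seen and (exp := baseline["poll_interval_s"].get(flow)) and abs(ts - last_seen[flow] - exp) > 0.5 * exp:
            alerts.append((ts, src, dst, f"poll interval deviation ({ts - last_seen[flow]:.1f}s, expected {exp}s)"))
        last_seen[flow] = ts
    return alerts

def mbap(tid, unit, pdu):   # wrap a PDU in a Modbus/TCP MBAP header: transaction id, protocol 0, length, unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu
READ_10 = b"\x03" + struct.pack(">HH", 0, 10)                 # FC3: read 10 holding registers
SAMPLE_FRAMES = [                                             # constructed sample traffic, not a real capture
    (0.0, "10.0.2.20", "10.0.2.50", mbap(1, 1, READ_10)),     # HMI poll, on schedule
    (1.0, "10.0.2.20", "10.0.2.50", mbap(2, 1, READ_10)),
    (1.2, "10.0.2.20", "10.0.2.50", mbap(3, 1, READ_10)),     # same flow, only 0.2s after the last poll
    (1.5, "10.0.2.10", "10.0.2.50", mbap(4, 1, b"\x06" + struct.pack(">HH", 0, 1))),   # FC6 from the designated EWS
    (2.0, "10.0.2.77", "10.0.2.50", mbap(5, 1, b"\x0f" + struct.pack(">HHB", 0, 200, 25) + b"\xff" * 25)),  # unknown host, FC15 x200 coils
    (2.1, "10.0.2.77", "10.0.2.50", mbap(6, 1, b"\x08" + struct.pack(">HH", 0, 0))),  # unknown host, FC8 diagnostic
]
```

Running `analyze(SAMPLE_FRAMES)` yields four alerts (the early poll, the non-designated FC15 write, the same frame as a bulk write, and the FC8 request) and nothing for the designated workstation's FC6 write; in practice the baseline would be generated from the asset inventory and the multi-week capture described in steps 1 and 2.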


4. IT/OT Collaboration: Shared Playbooks

Effective lateral movement detection cannot live in an OT silo. IT and OT teams must establish joint incident response and forensics workflows:


  • Share logs and alerts—IT SOC tools may see credential theft or malware staging; OT may see protocol misuse.

  • Schedule joint threat hunts bridging both IT and OT data sources.

  • Document response procedures that account for process safety and continuity (e.g., don’t just disconnect PLCs on a hunch).

Common Challenges and What (Not) to Do

Challenge: Legacy Devices and Protocol Limitations

Many OT endpoints cannot run agents or produce syslog. Older PLCs have no capacity for authentication logging or endpoint telemetry. For these devices, network-based detection and periodic manual inspection may be the only options.


Challenge: Process Awareness vs. Overreaction

Critical operations may break if traffic is blocked or devices are isolated without process context. False alarms can drive operators to mistrust security teams. Avoid default “block” policies and instead focus on high-fidelity alerting and staged investigation.


Challenge: Visibility Gaps Due to Air Gaps or Proprietary Networks

Despite industry folklore, true air-gapped OT networks are rare. Still, some segments may have wireless links, serial tunnels, or obscure fieldbus protocols. Map these out. Where monitoring is impossible, compensate with frequent manual reviews and configuration audits.


Looking Forward: Secure Connectivity by Design

Industrial enterprises modernizing their plants should prioritize secure connectivity by design:

  • Adopt “zero trust” principles where feasible—assume any device may eventually be compromised.

  • Insist on vendor support for protocol authentication and event logging in new OT purchases.

  • Pilot segmentation and DPI in brownfield settings before wider rollouts.

Supply chain attacks, remote employee access, and modern ransomware mean that lateral movement is no longer an “if”, but a “when”. Technical vigilance, architectural rigor, and cross-disciplinary cooperation provide the best chance to stop adversaries before they trigger outages or sabotage.


Conclusion

Spotting lateral movement in OT environments is less an exercise in outsmarting attackers, and more about methodically deciphering what “normal” looks like in your plant, then watching carefully for deviations. With a solid grounding in the peculiarities of industrial protocols, robust network architecture, and principled IT/OT collaboration, defenders can tip the balance. Old control systems weren’t built for the current threat landscape, but evolving your processes—without relying on silver bullet solutions—is the path to true operational resilience.

