Security News

Cybersecurity news aggregator

MEDIUM Attacks Dark Reading

OT Attacks Get Scary With 'Living-off-the-Plant' Techniques

  • What: Attackers are showing increased interest in operational technology (OT) and industrial control systems (ICS).
  • Impact: OT systems may face more sophisticated attacks as threat actors become more familiar with these environments.

Ironically, security by obscurity has helped prevent dangerous OT attacks in recent years. It won't be that way forever.

Nate Nelson, Contributing Writer
February 9, 2026, 5 Min Read

Operational technology (OT) cyberattacks in recent years have been relatively tame, thanks to attackers' ignorance of bespoke and legacy systems. But there are early indications that attackers are growing more interested in and accustomed to dealing with industrial machines, and that they might be on the precipice of causing much more serious damage to them.

A decade ago, it might have seemed like the world was entering a new, more dangerous era of cyberattacks. Russia hacked Ukraine's power grid. Israel and the United States sabotaged an Iranian nuclear facility. Attackers were targeting dams and manufacturing plants. This was cyberactivity with real-world, sometimes life-threatening consequences.

In the end, it didn't develop into a trend. The reason for that, says Ric Derbyshire, principal security engineer at Orange Cyberdefense, is a lack of "process comprehension." If they ever do manage to reach critical OT systems, attackers don't know their behinds from their elbows.

But certain evidence suggests that this might not stay true for long. In a presentation at the RSA Conference 2026 in San Francisco next month, Derbyshire is going to demonstrate just how dangerous it will be when attackers do figure out OT and start performing what he calls "living-off-the-plant" attacks.

The State of OT Cyberattacks Today

Cyberattacks affecting OT systems surged in the early 2020s, by an order of magnitude beyond anything seen before. However, this was almost entirely spillover from IT-based ransomware and extortion attacks.

"For a number of reasons, ransomware against IT is affecting OT," Derbyshire explains. "This can occur due to, for example, convergences within the IT environment, that the OT simply cannot function without relying upon. Or a complete lack of trust in security controls or network architecture from the IT or OT security teams, so they voluntarily shut down the OT systems or sever the connection to kind of prevent the spread [of an IT attack]. Colonial Pipeline style."

When attackers do stumble into critical systems, they might not bother, or not know how, to make the most of it. Last April's attack on a dam in western Norway is one such example. In that attack, Derbyshire recalls, "They found default credentials on a human-machine interface (HMI) that was attached to the Internet. They got in, and they just clicked around with basic functionality. They were using functionality of the OT environment, but using it in a really crude way. They were not learning how the environment works. It was quite scary; they could have done something bad, they eventually just didn't."

Compare that with IT, where even above-average hackers are so experienced with the technology they're dealing with that they can perform full cyberattacks using only legitimate tools and features of the systems they've infected — a trick commonly referred to as "living-off-the-land" (LotL).

Living-off-the-Plant

What might LotL look like in an OT environment? Derbyshire argues that merely understanding how the pipes and the wires are connected isn't enough. "You need to know the whole, holistic picture," he says. "The physical process, how the OT sits on top of that, controlling, monitoring, automating, how the network architecture sits on top of that, how the cyber security controls might sit on top of the network, how people might be interacting with it all."

Beyond any conceptual understanding, there are the specifics of any given OT environment. Enterprise IT networks carry few surprises, but a brand-new consumer goods manufacturing plant and a half-century-old water treatment system will look totally alien to one another. In fact, even within an older site, there might be hugely unpredictable systems at play. Using his local water treatment company as an example, Derbyshire explains how it has a number of individual sites across a large geographic area that were built at different time periods.

"Some might be from the '80s, some might be from the 2000s, some might be from the 2020s, and they'll be architected differently depending on what was optimal at the time," he says. "They'll use specific types of technology from different times that may have not been updated, and therefore everything will be different."

So, Derbyshire adds, "it's not enough to understand OT at an abstract, technological level. You have to go in and understand quite specifically how the physical environment that you want to impact works."

With a holistic understanding of how OT works, and knowledge of how a given OT site works, new threat vectors come into focus that blend into operational systems as elegantly as LotL attacks do into Windows or Linux systems. For instance, Derbyshire plans to demonstrate at RSAC how an attacker can weaponize S7comm, Siemens' proprietary protocol for communication between programmable logic controllers (PLCs). He'll show how, by manipulating frequently overlooked configuration fields in S7comm, an attacker could potentially leak sensitive data and transmit attacks across devices. He calls it "an absolute brain melter."

Security by Obscurity: Back in Vogue?

An unexpected implication of Derbyshire's argument is that security by obscurity might still be working for OT operators, because each OT network is, at the end of the day, such a unique patchwork of specific and sometimes unpredictably dated technology.

"I think security by obscurity is absolutely not something that you should rely upon, but it's something that you can use," he says. "If you can deprive an adversary of understanding your environment, you can deprive them of certainty in how their attack's going to work. So they're going to sit there [in your network], they're going to wait for longer, which allows you to hopefully have more time to spend to detect them and then to start recovery."

On the other hand, he warns, there are plenty of resources attackers can turn to in order to understand OT products better, be they textbooks, chatbots, or even just buying a PLC on a secondhand marketplace. "It still takes a bit of investment or a bit of time going out of your way to find these obscure things. But it's never been impossible and it's only getting easier," Derbyshire says.

As a case in point, he points to the 2023 CyberAv3ngers campaign involving Unitronics PLCs: "OpenAI put a report out that was like, 'Yeah, we saw these guys speaking to ChatGPT to [among other things] ask for default usernames and passwords.' It's not much of a stretch for them to start going, 'Well, how does this protocol work?'"

About the Author

Nate Nelson, Contributing Writer. Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.