

The ITRADE Dispatch Issue #1 · June 30, 2026
ITRADE
The Dispatch · Intelligence for STEM Leaders
Security · Week 1
The OT Threat You're Not Tracking: Why Living-Off-the-Land Is the New Ransomware
Attackers aren't deploying malware anymore - they're using your own tools against you. Here's what the latest ICS-CERT data reveals and what to do about it.
Security OT/ICS Critical Infrastructure
The Lead

The most dangerous intrusion in your OT environment right now probably doesn't have malware. It has PowerShell.

Living-off-the-land (LOTL) techniques - where attackers use legitimate system tools instead of deploying custom malware - have become the dominant intrusion method in critical infrastructure. CISA's multi-year advisory series on Volt Typhoon, the Chinese state-sponsored threat group, documented exactly how this works: compromised SOHO routers for initial access, then lateral movement using nothing but native Windows tools. No payloads to detect. No signatures to flag. Just RDP, WMI, PowerShell, and patience.

The reason this works is architectural. IT/OT convergence created the bridge. Active Directory domains now span corporate and operational networks. The same credentials that access email access the historian. The same RDP sessions that connect to engineering workstations can reach HMI consoles. Traditional detection - built for malware signatures and known-bad indicators - doesn't flag PowerShell execution or scheduled task creation, because those are normal.

What's not normal is the dwell time.

Volt Typhoon operations measured 365+ days inside victim networks before detection. Zero malware samples recovered. CISA assessed the group was pre-positioning for disruption of critical infrastructure - not espionage, not ransomware, but the capability to degrade or destroy operations on command.

Source: CISA Advisory AA24-038A. ITRADE OT Security Practice led by John Jaisaree.

OT makes this worse. Legacy SCADA systems running protocols like Modbus, DNP3, and OPC don't support modern authentication. They can't be patched quickly - or sometimes at all. A threat actor living off the land in an IT network adjacent to these systems has effectively unlimited time to map, understand, and eventually manipulate the control environment.

Three changes actually move the needle:

  • Enforce network segmentation as architecture, not just firewall rules - verify that IT credentials cannot authenticate to OT systems.
  • Audit every remote access tool touching operational technology - if you can't enumerate them in 30 minutes, you have a problem.
  • Shift from detection to hunting - LOTL operators don't trigger alerts, so you need analysts actively looking for anomalous patterns in admin tool usage, scheduled tasks, and lateral movement.

We're covering this on the OT Threat Roundtable live On-Air on July 22, 2026 from 2 pm ET - 4 pm ET.

The attackers already adapted. The question is whether your detection strategy has.
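The first change above, verifying that IT credentials cannot reach OT systems, can be checked from data most organizations already have: successful logon events (Windows Security event 4624) from the hosts that bridge IT and OT. The following is an added example, not code from the newsletter or from ITRADE. It assumes the events have been exported as dictionaries with the standard 4624 field names, and the host-to-zone inventory, the OT-only account tier, and the sample events are all constructed for illustration.

```python
"""Credential-boundary check over Windows 4624 (successful logon) events.

Flags every successful interactive, network or RDP logon where an IT-tier
account landed on an OT host, an OT-tier account landed on an IT host, or
the host is missing from the zone inventory. Sample data is constructed.
"""
from collections import defaultdict

# Hypothetical zone inventory: hostname -> zone (constructed for this example).
HOST_ZONE = {
    "CORP-DC01": "IT",
    "CORP-WS017": "IT",
    "ENG-WS03": "OT",     # engineering workstation
    "HIST01": "OT",       # historian
    "HMI-LINE2": "OT",    # HMI console
}

# Accounts permitted to authenticate to OT hosts (the OT-only tier); constructed.
OT_ALLOWED = {"OT\\eng.smith", "OT\\svc-historian"}

# Logon types that mean a person or tool actually used the host.
INTERESTING_LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote-interactive (RDP)"}

# Constructed records; field names follow the Windows Security log schema.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "CORP-WS017", "TargetDomainName": "CORP",
     "TargetUserName": "j.doe", "LogonType": 10, "IpAddress": "10.10.5.21"},
    {"EventID": 4624, "Computer": "HIST01", "TargetDomainName": "CORP",
     "TargetUserName": "it.admin", "LogonType": 10, "IpAddress": "10.10.5.9"},
    {"EventID": 4624, "Computer": "ENG-WS03", "TargetDomainName": "OT",
     "TargetUserName": "eng.smith", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "Computer": "HMI-LINE2", "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "LogonType": 3, "IpAddress": "10.10.5.40"},
    {"EventID": 4624, "Computer": "CORP-DC01", "TargetDomainName": "OT",
     "TargetUserName": "eng.smith", "LogonType": 3, "IpAddress": "10.50.1.12"},
    # Failed logon (4625) and a service logon (type 5) are ignored by the check.
    {"EventID": 4625, "Computer": "HIST01", "TargetDomainName": "CORP",
     "TargetUserName": "it.admin", "LogonType": 10, "IpAddress": "10.10.5.9"},
    {"EventID": 4624, "Computer": "HIST01", "TargetDomainName": "NT AUTHORITY",
     "TargetUserName": "SYSTEM", "LogonType": 5, "IpAddress": "-"},
    # Host absent from the inventory: an unmanaged asset is itself a finding.
    {"EventID": 4624, "Computer": "PLC-GW09", "TargetDomainName": "CORP",
     "TargetUserName": "vendor.remote", "LogonType": 10, "IpAddress": "10.10.9.3"},
]


def account_of(ev):
    """Render DOMAIN\\user the way it appears in the event viewer."""
    return f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"


def find_boundary_violations(events, host_zone=HOST_ZONE, ot_allowed=OT_ALLOWED):
    """Return (account, host, reason) for each successful logon that crosses the IT/OT boundary."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue                      # only successful logons matter here
        ltype = ev.get("LogonType")
        if ltype not in INTERESTING_LOGON_TYPES:
            continue                      # skip service, batch, unlock, etc.
        acct, host = account_of(ev), ev["Computer"]
        zone = host_zone.get(host)
        how = INTERESTING_LOGON_TYPES[ltype]
        if zone is None:
            findings.append((acct, host, "host not in zone inventory"))
        elif zone == "OT" and acct not in ot_allowed:
            findings.append((acct, host, f"non-OT account on OT host via {how}"))
        elif zone == "IT" and acct in ot_allowed:
            findings.append((acct, host, f"OT account on IT host via {how}"))
    return findings


def paths_by_account(findings):
    """Group findings into the lateral-movement paths each account already has."""
    out = defaultdict(set)
    for acct, host, _ in findings:
        out[acct].add(host)
    return {acct: sorted(hosts) for acct, hosts in out.items()}


if __name__ == "__main__":
    for acct, host, reason in find_boundary_violations(SAMPLE_EVENTS):
        print(f"{acct:22} -> {host:12} {reason}")
```

Every row this prints is a "yes" to the question "can an IT credential authenticate to an OT system?", and the grouped view shows which account to fix first. Run it against a real export, and any 4624 with a host the inventory does not know is the unmanaged attack surface the audit steps below are looking for.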

Signals · This Week in STEM
Security
CISA updated ICS advisories - 17 new CVEs in April (Siemens, Rockwell, Schneider Electric). The pace of disclosed OT vulnerabilities continues to outpace most organizations' ability to patch.
Technology
68% of manufacturers have active digital transformation programs, but only 23% have completed IT/OT architecture assessments. The gap between adoption and security readiness continues to widen.
Talent
ISC2 cybersecurity workforce gap reached 4.8M globally, with a 2.8× demand-to-supply ratio for OT-specific roles. The convergence of IT and OT security requirements is creating a role that few training programs address.
Wellness
Biohacking market projected to hit $85B by 2030. Fort Lauderdale saw 3 new recovery and optimization facilities open in 6 months - the wellness infrastructure build-out is accelerating in STEM-heavy metros.
Technology
IIoT device deployments in manufacturing grew 41% YoY, expanding the attack surface faster than most security teams can inventory.
One stat that matters: 0 malware samples needed for full network compromise.

Volt Typhoon operators spent 365+ days inside critical infrastructure networks without deploying a single piece of custom malware - using only PowerShell, RDP, and native Windows tools.

Sources: CISA Volt Typhoon Advisory Series at cisa.gov/news-events/cybersecurity-advisories/aa24-038a and ISC2 Cybersecurity Workforce Study 2025 at isc2.org/workforce-study
Your detection stack was built for a threat model that no longer exists.
The ITRADE Lens
Your 60-Minute LOTL Exposure Audit
1. Inventory every remote access tool touching OT (15 min) - VPNs, jump servers, TeamViewer, AnyDesk, vendor-specific remote maintenance tools. If you can't produce a complete list in 15 minutes, your attack surface is unmanaged.
2. Check credential boundaries (10 min) - Can an IT domain admin authenticate to OT systems? Can an engineering workstation user RDP to the corporate network? Every "yes" is a lateral movement path a LOTL operator will use.
3. Review scheduled tasks on OT-adjacent systems for the last 90 days (15 min) - Look for tasks created by accounts that don't normally create them, tasks running at unusual hours, and tasks executing PowerShell, cmd, or WMI commands. This is the #1 LOTL persistence mechanism.
4. Baseline admin tool usage patterns (10 min) - Pull 30 days of PowerShell execution logs, WMI activity, and RDP session records from systems that bridge IT and OT. If you don't have these logs, that's your finding.
5. Cross-reference CISA Volt Typhoon IOCs (10 min) - Check advisories AA24-038A and AA23-144A against your environment. Focus on the TTPs, not just the indicators - LOTL operators change infrastructure but reuse techniques.
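Step 3 of the audit, the scheduled-task review, is the one most teams do by eye. The following added example (not code from the newsletter or from ITRADE) applies the three checks the step names to Windows Security event 4698 records: creator outside the 90-day baseline, creation at unusual hours, and an action that launches PowerShell, cmd or WMI. It parses the TaskContent XML that 4698 carries to find the executed command. The baseline set, business-hours window and sample events are constructed assumptions; a real run would feed it the exported events from the OT-adjacent hosts. It also covers the step 4 caveat: an empty event set is reported as a finding rather than a clean result.

```python
"""Scheduled-task review over Windows Security 4698 (task created) events.

Each event's TaskContent field is the Task Scheduler XML; the <Exec> action
inside it tells us what the task actually runs. Sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Accounts that created tasks on these hosts in the prior 90 days (constructed baseline).
BASELINE_CREATORS = {"CORP\\svc-sccm", "OT\\eng.smith"}
BUSINESS_HOURS = range(6, 20)            # 06:00-19:59 local; anything else is "unusual"
# Interpreters and native tools that a task action should rarely invoke directly.
LOLBIN_RE = re.compile(
    r"(powershell|pwsh|cmd|wmic|mshta|rundll32|regsvr32|certutil)(\.exe)?", re.IGNORECASE)


def task_xml(command, args):
    """Build a minimal Task XML body shaped like the TaskContent field of a 4698 event."""
    return (f'<Task xmlns="{TASK_NS["t"]}"><Actions><Exec>'
            f"<Command>{command}</Command><Arguments>{args}</Arguments>"
            "</Exec></Actions></Task>")


# Constructed 4698 records; field names follow the Windows Security log schema.
SAMPLE_EVENTS = [
    {"TimeCreated": "2026-05-04T09:12:00", "Computer": "HIST01",
     "SubjectDomainName": "CORP", "SubjectUserName": "svc-sccm",
     "TaskName": "\\Microsoft\\SCCM\\Inventory",
     "TaskContent": task_xml("C:\\Windows\\CCM\\ccmexec.exe", "-inv")},
    {"TimeCreated": "2026-05-11T02:47:00", "Computer": "HIST01",
     "SubjectDomainName": "CORP", "SubjectUserName": "it.admin",
     "TaskName": "\\Update",
     "TaskContent": task_xml("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                             "-NoProfile -WindowStyle Hidden -File C:\\Users\\Public\\u.ps1")},
    {"TimeCreated": "2026-05-12T14:05:00", "Computer": "ENG-WS03",
     "SubjectDomainName": "OT", "SubjectUserName": "eng.smith",
     "TaskName": "\\Backup\\Projects",
     "TaskContent": task_xml("C:\\Tools\\robocopy-wrap.exe", "")},
    {"TimeCreated": "2026-05-15T23:30:00", "Computer": "ENG-WS03",
     "SubjectDomainName": "OT", "SubjectUserName": "eng.smith",
     "TaskName": "\\Maint",
     "TaskContent": task_xml("cmd.exe", "/c wmic os get caption")},
]


def exec_actions(task_content):
    """Return (command, arguments) for every <Exec> action in a Task XML document."""
    root = ET.fromstring(task_content)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((cmd.strip(), args.strip()))
    return actions


def review_task(ev, baseline=BASELINE_CREATORS):
    """Apply the three audit checks to one 4698 event; return the reasons it trips."""
    reasons = []
    creator = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
    if creator not in baseline:
        reasons.append(f"creator {creator} not in 90-day baseline")
    hour = datetime.fromisoformat(ev["TimeCreated"]).hour
    if hour not in BUSINESS_HOURS:
        reasons.append(f"created at {hour:02d}:00 local, outside business hours")
    for cmd, args in exec_actions(ev["TaskContent"]):
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1]   # basename only
        if LOLBIN_RE.fullmatch(exe):
            reasons.append(f"action runs {exe} {args}".strip())
    return reasons


def review_tasks(events, baseline=BASELINE_CREATORS):
    """Return {(host, task_name): [reasons]} for every event that trips a check.

    No events at all means task-creation auditing is not collected (4698 needs
    the "Audit Other Object Access Events" subcategory), which is the finding.
    """
    if not events:
        return {("*", "*"): ["no 4698 events in window: task-creation auditing not collected"]}
    findings = {}
    for ev in events:
        reasons = review_task(ev, baseline)
        if reasons:
            findings[(ev["Computer"], ev["TaskName"])] = reasons
    return findings


if __name__ == "__main__":
    for (host, name), reasons in review_tasks(SAMPLE_EVENTS).items():
        print(f"{host} {name}")
        for r in reasons:
            print(f"    - {r}")
```

A task that trips all three checks at once (unfamiliar creator, 02:47 creation, hidden PowerShell) is the pattern the step describes as the #1 LOTL persistence mechanism, while a baseline account scheduling cmd.exe late at night is a lower-priority item to confirm with the owner. The review is intentionally a list of reasons rather than a score, so the analyst doing the hunt can see which check fired.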

If you can't complete this audit in 60 minutes, the gap between your security program and your actual exposure is wider than you think.

Bianca Diosdado
Founder & CEO, ITRADE Innovations · Education Programs Chair, SIM South Florida

Bianca architects the systems most leaders buy in pieces - talent, technology, and security, designed to work as one.
