A Different Kind of Adversary
For most of the last decade, the archetype of a serious threat to critical infrastructure was custom malware built for industrial systems. TRITON, Industroyer, and their relatives were purpose-made tools that announced their intent through their very existence. Defenders learned to hunt for the unusual, the foreign, the thing that did not belong.
Volt Typhoon inverted that assumption. This state-linked activity, publicly attributed to interests aligned with the People's Republic of China and detailed in advisories from CISA and allied agencies, targeted communications, energy, water, and transportation infrastructure. Its defining characteristic was not a clever payload. It was the near-total absence of one. The adversary used the tools already present in the environment, blended into normal administrative activity, and positioned itself quietly for potential future disruption rather than immediate effect.
This approach, known as living-off-the-land, is one of the most important shifts in the critical infrastructure threat landscape, because it defeats the very detection strategies most organizations rely on. Understanding it is now part of the baseline for any OT security team.
What Living-off-the-Land Actually Means
Living-off-the-land, often shortened to LOTL, describes an adversary operating with the legitimate tools and features that already exist on the target systems, rather than introducing their own malware. On a typical enterprise and OT estate, that toolkit is generous:
- Built-in administrative utilities for remote management, scripting, and system configuration.
- Legitimate remote access through the same VPNs, jump servers, and management interfaces that operators and vendors use every day.
- Native operating system features for moving files, creating accounts, and executing commands.
- Valid credentials harvested from the environment, so that every action the adversary takes is technically authorized.
Because none of these are malicious in themselves, signature-based antivirus finds nothing to flag. There is no foreign binary, no known-bad hash, no unusual file dropped on disk. The activity looks like a busy administrator. That is precisely the point. The tradecraft is designed to hide inside the statistical noise of legitimate operations.
Why Critical Infrastructure Is the Target
The choice of victims tells you the objective. Volt Typhoon did not pursue data theft or immediate sabotage. It pursued persistent, quiet access to systems that matter during a crisis: the utilities and networks that a society depends on. The strategic logic is pre-positioning, which is establishing a foothold now that could be used to disrupt operations at a moment of the adversary's choosing later.
For OT specifically, this is a sobering shift. It means the relevant threat is not only the attacker trying to cause a visible incident today, but the one deliberately trying to remain invisible for years. The consequence of compromise is not measured only in what happens now, but in the option the adversary quietly holds over your operations in the future.
Several characteristics of industrial environments make them attractive for this tradecraft:
- Long-lived systems and infrequent change, which mean a foothold established once can persist for a very long time.
- Sparse monitoring, since many OT networks still have limited visibility into their own activity, giving a quiet adversary room to operate unseen.
- Trusted connectivity paths, such as vendor access and IT to OT bridges, which provide legitimate-looking routes toward the systems that control physical processes.
- Overworked teams, where a small number of staff manage large estates and cannot manually scrutinize every administrative action.
Why Traditional Defenses Miss It
The reason living-off-the-land is so effective is that it is invisible to the controls most organizations lean on hardest.
- Signature-based antivirus looks for known-bad files. There are none.
- Perimeter firewalls watch the boundary, but the adversary is using authorized access through that boundary and then operating internally.
- Indicator-of-compromise feeds distribute known malicious hashes and domains, which are of little help against an actor that uses your own tools and valid credentials.
- Compliance checklists confirm that controls exist, but a control being present does not mean an abuse of a legitimate feature will be noticed.
What defeats this tradecraft is not another list of bad things to block. It is an understanding of what normal looks like, so that legitimate tools used illegitimately stand out.
Detecting an Adversary That Leaves No Trace
Detection shifts from hunting foreign artifacts to recognizing anomalous behavior in legitimate activity. Several capabilities make that possible.
Behavioral Baselining
Because OT networks are predictable, defenders can establish a strong baseline of normal: which accounts perform administrative actions, from where, at what times, and against which systems. Living-off-the-land activity tends to violate that baseline in subtle ways, such as an administrative tool running from an unexpected host, a valid account active at an unusual hour, or a management connection to a controller that has no operational reason to receive one. Anomaly detection on a well-learned baseline is the single most effective counter to this tradecraft.
Identity and Access Scrutiny
Since the adversary relies on valid credentials, identity becomes a primary battleground. Monitoring for anomalous authentication, new or unexpected accounts, privilege changes, and reuse of credentials across zones surfaces behavior that file-based tools cannot see. Strong, phishing-resistant authentication on remote and administrative access raises the cost of obtaining those credentials in the first place.
Visibility Into OT Network Activity
You cannot detect what you cannot see. Passive OT monitoring that understands industrial protocols provides the record of normal communication against which anomalies become visible. Environments without this visibility are exactly the ones where a quiet adversary can persist indefinitely, because there is simply no data in which their activity could ever appear unusual.
Threat-Informed Hunting
Frameworks such as MITRE ATT&CK for ICS catalog the techniques adversaries use, including the abuse of legitimate tools and access. Using these to drive proactive hunting, rather than waiting for an alert, helps teams find the behavioral traces that automated detection might not surface on its own.
What OT Security Leaders Should Do Now
The rise of living-off-the-land tradecraft does not call for panic, but it does call for a specific reorientation of defensive priorities.
- Assume a quiet adversary is possible, and stop equating the absence of malware alerts with safety. The threat model now includes an actor whose entire goal is to generate no alerts at all.
- Invest in visibility before anything else. Behavioral detection is impossible without a record of normal OT activity. This is the foundation on which every other counter depends.
- Harden identity and remote access, since valid credentials and trusted access paths are the adversary's preferred entry. Enforce strong authentication, minimize standing access, and record privileged sessions.
- Segment ruthlessly, so that a foothold in one zone does not translate into free movement toward the systems that control the physical process. Every conduit an adversary must cross is another chance to detect them.
- Hunt proactively, using ICS-specific threat intelligence and frameworks to look for behavioral traces rather than waiting for a signature that will never fire.
The Enduring Lesson
Volt Typhoon's significance is not any single intrusion. It is the demonstration that the most capable adversaries targeting critical infrastructure may choose to be patient, quiet, and indistinguishable from your own staff. That reality rewards defenders who understand their environment deeply and punishes those who rely on catching the obviously foreign.
The path forward is the same path that strengthens OT security against every serious threat: know your assets, watch your network, control your identities and access, and segment your environment so that quiet persistence in one place does not become catastrophic reach into another. In Beacon Security's experience, the organizations most exposed to living-off-the-land tradecraft are precisely those that still cannot answer the basic question of what normal looks like on their own OT network.
Beacon Security helps critical infrastructure operators build the visibility, segmentation, and threat-informed detection needed to counter nation-state and living-off-the-land tradecraft in OT environments. Contact us to assess your detection readiness.

