How TEIA Combats “Living Off the Land” (LOTL) Threats

Posted On

By TEIA Team


The law enforcement and signal intelligence authorities of five nations (Australia, Canada, New Zealand, UK and the USA) recently issued guidance on how organizations can mitigate “Living Off the Land” (LOTL) attacks. LOTL attacks are techniques used by sophisticated cybercriminals to disguise malware as computing processes native to the device. Given the clandestine nature of these attacks, they can be very difficult to detect and remediate. The designers of these attacks often hold malware in place, waiting for the right opportunity to sow destruction. Also, many cybersecurity technologies such as VPNs and firewalls, are totally ineffective against LOTL-based attacks and often admit them surreptitiously. This is because most of these technologies provide a secure authenticated channel but assume the endpoints are trusted. When a bad actor uploads malware from a device that is a compromised endpoint, it passes to the other side undetected. Compromising devices in the field is easier as these devices operate in what security experts call a “zero trust environment”.

Organizations that operate critical infrastructure, such as power companies, are a known target for LOTL attacks, making them a significant security threat and attracting the attention of the intelligence and law enforcement authorities. Their issued guidance for organizations is quite comprehensive and totals 46 pages. A lot of the so-called “attack surface” includes IoT and network routing devices that are weakly protected and lack a hardened secure computing environment. Since these devices are sold by numerous vendors, relying on applying guidance to a single source does not work. For a comprehensive remedy, an open standards based approach to a global secure system is necessary.

Founded in 2022, The Trusted Energy Interoperability Alliance, or TEIA, has dedicated an entire Working Group to delivering a specification for a secure federated “trust model” to solve this problem. If broadly deployed, TEIA’s Trust Model is specifically geared towards defending against LOTL and similar attacks 

The core of the TEIA standard is its trust model, a robust example of a zero trust architecture.

which provides  a powerful tool for energy companies to mitigate a number of sophisticated threats, including LOTL attacks. As a zero trust model, the TEIA specification is being designed to not rely on traditional network-based security such as VPNs or TLS. Zero trust operates under the maxim of “never trust, always verify.

The TEIA Trust Model specification is under development, slated to issue shortly. One of its guiding principles is that energy systems will only accept data from authenticated devices and comply with strict compliance and robustness regimes. Products built on TEIA will ensure that the device authentication process includes a secure and verifiable check of the software to ensure that no malware is operating on the device and can be declared “known good.” There are many other aspects of the TEIA trust model that will be useful in preventing LOTL and other attacks. TEIA is open to anyone in the energy technology sector to join and invites all innovators to be part of developing the specification. It’s a myth that open standards cannot deliver secure systems. In fact, it’s the best way to do this as the  transparency provided by open standards makes for the strongest secure systems; it just takes a lot of finesse to do it right. 

Billions of devices made over the last few decades in the mobile and CE industries follow these best practices and a vibrant consumer friendly and safe economy exists on top of many such standards. 

TEIA’s goals go beyond increasing the trustworthiness of digital energy systems and resiliency of the energy systems we all depend on, but its first priority is to do just that. If you are interested in participating in TEIA and would like to learn more, fill out the form here. We look forward to hearing from you!