An in-depth discussion on how an industrial network might be attacked, including possible target systems, and the potential consequences should those targets be compromised. Learn how a hacker thinks, how malware works, and what to do if your industrial network becomes infected.
Table 7.1
The Potential Impact of Successful Cyber-Attacks
(Each entry lists the incident type followed by its potential impacts.)

Incident type: Change in a system, operating system, or application configuration
Potential impact:
- Command and control channels introduced into otherwise secure systems
- Suppression of alarms and reports to hide malicious activity
- Alteration of expected behavior to produce unwanted and unpredictable results

Incident type: Change in programmable logic in PLCs, RTUs, or other controllers
Potential impact:
- Damage to equipment and/or facilities
- Malfunction of the process (shutdown)
- Disabling control over a process

Incident type: Misinformation reported to operators
Potential impact:
- Inappropriate actions taken in response to misinformation that could result in a change to operational parameters
- Hiding or obfuscating malicious activity, including the incident itself or injected code

Incident type: Tampering with safety systems or other controls
Potential impact:
- Preventing expected operations, fail-safes, and other safeguards, with potentially damaging consequences

Incident type: Malicious software (malware) infection
Potential impact:
- Initiation of additional incident scenarios
- Production impact resulting from assets taken offline for forensic analysis, cleaning, and/or replacement
- Assets susceptible to further attacks, information theft, alteration, or infection

Incident type: Information theft
Potential impact:
- Leakage of sensitive information such as a recipe or chemical formula

Incident type: Information alteration
Potential impact:
- Alteration of sensitive information such as a recipe or chemical formula in order to sabotage or otherwise adversely affect the manufactured product
Table 7.2
Attack Targets
(Each entry lists the target, then its possible attack vectors, possible attack methods, and possible consequences.)
Target: Access control system
Possible attack vectors:
- Identification cards
- Closed-circuit television (CCTV)
- Building management network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched application (building management system)
- RFID spoofing
- Network access through unprotected access points
- Network pivoting through unregulated network boundaries
Possible consequences:
- Unauthorized physical access
- Lack of (video) detection capabilities
- Unauthorized access to additional ICS assets (pivoting)
Target: Analyzers / analyzer management system
Possible attack vectors:
- Subcontractor laptop
- Maintenance remote access
- Plant (analyzer) network
Possible attack methods:
- Exploitation of unpatched application
- Network access via insecure access points (analyzer shelters)
- Remote access VPN via stolen or compromised subcontractor laptop
- Remote access VPN via compromise of maintenance vendor site
- Insecure implementation of OPC (communication protocol)
Possible consequences:
- Product quality: spoilage, loss of production, loss of revenue
- Reputation: product recall, product reliability
Target: Application servers
Possible attack vectors:
- Remote user access (interactive sessions)
- Business application integration communication channel
- Plant network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched application
- Installation of malware via unvalidated vendor software
- Remote access via "interactive" accounts
- Database injection
- Insecure implementation of OPC (communication protocols)
Possible consequences:
- Plant upset / shutdown
- Credential leakage (control)
- Sensitive / confidential information leakage
- Unauthorized access to additional ICS assets (pivoting)
Target: Asset management system
Possible attack vectors:
- Plant maintenance software / ERP
- Database integration functionality
- Mobile devices used for device configuration
- Wireless device network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched application
- Installation of malware via unvalidated vendor software
- Remote access via "interactive" accounts
- Database injection
- Installation of malware via mobile devices
- Access via insecure wireless infrastructure
Possible consequences:
- Calibration errors (product quality)
- Credential leakage (business)
- Credential leakage (control)
- Unauthorized access to additional business assets such as plant maintenance / ERP (pivoting)
- Unauthorized access to additional ICS assets (pivoting)
Target: Condition monitoring system
Possible attack vectors:
- Subcontractor laptop
- Maintenance remote access
- Plant (maintenance) network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched application
- Installation of malware via unvalidated vendor software
- Network access via insecure access points (compressor / pump house)
- Remote access VPN via stolen or compromised subcontractor laptop
- Remote access VPN via compromise of maintenance vendor site
- Remote access via "interactive" accounts
- Database injection
- Insecure implementation of OPC (communication protocols)
Possible consequences:
- Equipment damage / sabotage
- Plant upset / shutdown
- Unauthorized access to additional ICS assets (pivoting)
Target: Controller (PLC)
Possible attack vectors:
- Engineering workstation
- Operator HMI
- Standalone engineering tools
- Rogue device in control zone
- USB / removable media
- Controller network
- Controller (device) network
Possible attack methods:
- Engineer / technician misuse
- Network exploitation of industrial protocol: known vulnerability
- Network exploitation of industrial protocol: known (legitimate) functionality
- Network replay attack
- Network DoS via communication buffer overload
- Direct code / malware injection via USB
- Direct access to device via rogue network (local / remote) PC with appropriate tools / software
Possible consequences:
- Manipulation of controlled process(es)
- Controller fault condition
- Manipulation / masking of input / output data to / from controller
- Plant upset / shutdown
- Command and control
Target: Data historian
Possible attack vectors:
- Business network client
- ERP data integration communication channel
- Database integration communication channel
- Remote user access (interactive session)
- Plant network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched application
- Installation of malware via unvalidated vendor software
- Remote access via "interactive" accounts
- Database injection
- Insecure implementation of required communication protocols
- Exploitation of unnecessary / excessive openings in perimeter defense (firewall) due to insecure communication infrastructure between applications
Possible consequences:
- Manipulation of process / batch records
- Credential leakage (business)
- Credential leakage (control)
- Unauthorized access to additional business assets such as MES, ERP (pivoting)
- Unauthorized access to additional ICS assets (pivoting)
Target: Directory services
Possible attack vectors:
- Replication services
- Print spooler services
- File sharing services
- Authentication services
- Plant network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched application(s)
- Installation of malware via unvalidated vendor software
- DNS spoofing
- NTP reflection attack
- Exploitation of unnecessary / excessive openings in perimeter defense (firewall) due to replication requirements between servers
- Installation of malware on file shares
Possible consequences:
- Communication disruptions via DNS
- Authentication disruptions via NTP (time skew)
- Authentication disruptions via LDAP / Kerberos
- Credential leakage
- Information leakage (file shares)
- Malware distribution
- Unauthorized access to ALL domain-connected ICS assets (pivoting)
- Unauthorized access to business assets (pivoting)
Target: Engineering workstations
Possible attack vectors:
- Engineering tools and applications
- Non-engineering client applications
- USB / removable media
- Elevated privileges (engineer / administrator)
- Control network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched applications
- Installation of malware via unvalidated vendor software
- Installation of malware via removable media
- Installation of malware via keyboard (manual entry at the console)
- Exploitation of trusted connections across security perimeters
- Authorization to ICS applications without sufficient access control mechanisms
Possible consequences:
- Plant upset / shutdown
- Delayed plant startup
- Mechanical damage / sabotage
- Unauthorized manipulation of operator graphics (inappropriate response to process action)
- Unauthorized modification of ICS database(s)
- Unauthorized modification of critical status / alarms
- Unauthorized distribution of faulty firmware
- Unauthorized startup / shutdown of ICS devices
- Process / plant information leakage
- ICS design / application credential leakage
- Unauthorized modification of ICS access control mechanisms
- Unauthorized access to most ICS assets (pivoting / own)
- Unauthorized access to business assets (pivoting)
Target: Environmental controls
Possible attack vectors:
- HVAC control
- HVAC (building management) network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched application (building management system)
- Installation of malware via unvalidated vendor software
- Network access through unprotected access points
- Network pivoting through unregulated network boundaries
Possible consequences:
- Disruption of cooling / heating
- Equipment failure / shutdown
Target: Fire detection and suppression system
Possible attack vectors:
- Fire alarm / evacuation system
- Fire suppressant system
- Building management network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched application (building management system)
- Installation of malware via unvalidated vendor software
- Network access through unprotected access points
- Network pivoting through unregulated network boundaries
Possible consequences:
- Unauthorized release of suppressant
- Equipment failure / shutdown
Target: Master and/or slave devices
Possible attack vectors:
- Unauthorized / unvalidated firmware
- Weak communication protocols
- Insufficient authentication for "write" operations
- Control network
- Device network
Possible attack methods:
- Distribution of malicious firmware
- Exploitation of vulnerable industrial protocols via rogue PC on network (local / remote)
- Exploitation of vulnerable industrial protocols via compromised PC on network (local)
- Exploitation of industrial protocol functionality via rogue PC on network (local / remote)
- Exploitation of industrial protocol functionality via compromised PC on network (local)
- Communication buffer overflow via rogue PC on network (local / remote)
- Communication buffer overflow via compromised PC on network (local)
Possible consequences:
- Plant upset / shutdown
- Delayed plant startup
- Mechanical damage / sabotage
- Inappropriate response to control action
- Suppression of critical status / alarms
Target: Operator workstation (HMI)
Possible attack vectors:
- Operational applications (HMI)
- Non-SCADA client applications
- USB / removable media
- Elevated privileges (administrator)
- Control network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched applications
- Installation of malware via unvalidated vendor software
- Installation of malware via removable media
- Installation of malware via keyboard (manual entry at the console)
- Authorization to ICS HMI functions without sufficient access control mechanisms
Possible consequences:
- Plant upset / shutdown
- Suppression of critical status / alarms
- Degraded product quality
- Reduced plant / process efficiency
- Credential leakage (control)
- Plant / operational information leakage
- Unauthorized access to ICS assets (pivoting)
- Unauthorized access to ICS assets (communication protocols)
Target: Patch management servers
Possible attack vectors:
- Software patches / hotfixes
- Patch management software
- Software vendor support portal
- Business network
- Plant network
Possible attack methods:
- Insufficient checking of patch "health" (integrity and authenticity) before deployment
- Alteration of automatic deployment schedule
- Installation of malicious software via trusted (supplier) media
- Installation of malware via unvalidated vendor software
Possible consequences:
- Malware distribution server
- Unauthorized modification of patch schedule
- Credential leakage
- Unauthorized access to ICS assets (pivoting)
Target: Perimeter protection (firewall / IPS)
Possible attack vectors:
- Trusted connections (business-to-control)
- Local user account database
- Signature / rule updates
Possible attack methods:
- Untested / unverified rules
- Exploitation of unnecessary / excessive openings in perimeter defense (firewall)
- Insecure office and industrial protocols allowed to cross the security perimeter
- Reuse of credentials across the boundary
Possible consequences:
- Unauthorized access to business network
- Unauthorized access to DMZ network
- Unauthorized access to control network
- Local credential leakage
- Unauthorized modification of rulesets / signatures
- Communication disruption across perimeter / boundary
Target: SCADA servers
Possible attack vectors:
- Non-SCADA client applications
- Application integration communication channels
- Data historian
- Engineering workstation
- Control network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched applications
- Installation of malware via unvalidated vendor software
- Remote access via "interactive" accounts
- Installation of malware via removable media
- Exploitation of trusted connections within the control network
- Authorization to ICS applications without sufficient access control mechanisms
Possible consequences:
- Plant upset / shutdown
- Delayed plant startup
- Mechanical damage / sabotage
- Unauthorized manipulation of operator graphics (inappropriate response to process action)
- Unauthorized modification of ICS database(s)
- Unauthorized modification of critical status / alarms
- Unauthorized startup / shutdown of ICS devices
- Credential leakage (control)
- Plant / operational information leakage
- Unauthorized modification of ICS access control mechanisms
- Unauthorized access to most ICS assets (pivoting / own)
- Unauthorized access to ICS assets (communication protocols)
- Unauthorized access to business assets (pivoting)
Target: Safety systems
Possible attack vectors:
- Safety engineering tools
- Plant / emergency shutdown communication channels (DCS / SCADA)
- Control (safety) network
- Software vendor support portal
Possible attack methods:
- Exploitation of unpatched applications
- Installation of malware via unvalidated vendor software
- Installation of malware via removable media
- Installation of malware via keyboard (manual entry at the console)
- Authorization to ICS applications without sufficient access control mechanisms
Possible consequences:
- Plant shutdown
- Equipment damage / sabotage
- Environmental impact
- Loss of life
- Product quality
- Company reputation
Target: Telecommunications systems
Possible attack vectors:
- Public key infrastructure
- Internet visibility
Possible attack methods:
- Disclosure of private key via external compromise
- Exploitation of device "unknowingly" connected to public networks
- Network access through unmonitored access points
- Network pivoting through unregulated network boundaries
Possible consequences:
- Credential leakage (control)
- Information leakage
- Unauthorized remote access
- Unauthorized access to ICS assets (pivoting)
- Command and control
Target: Uninterruptible power systems (UPS)
Possible attack vectors:
- Electrical management network
- Vendor / subcontractor maintenance
Possible attack methods:
- Exploitation of unpatched application (building management system)
- Installation of malware via unvalidated vendor software
- Network access through unprotected access points
- Network pivoting through unregulated network boundaries
Possible consequences:
- Equipment failure / shutdown
- Plant upset / shutdown
- Credential leakage
- Unauthorized access to ICS assets (pivoting)
Target: User, ICS engineer
Possible attack vectors:
- Social engineering (corporate assets)
- Social engineering (personal assets)
- E-mail attachments
- File shares
Possible attack methods:
- Introduction of malware through watering hole or spear-phishing attack on business PC
- Introduction of malware via malicious e-mail attachment on business PC from a trusted source
- Introduction of malware on control network via unauthorized / foreign host
- Introduction of malware on control network via shared virtual machines
- Introduction of malware via inappropriate use of removable media between security zones (home, business, control)
- Propagation of malware due to poor segmentation and "full visibility" from the EWS
- Establishment of C2 via inappropriate control-to-business (outbound) connections
Possible consequences:
- Process / plant information leakage
- ICS design / application credential leakage
- Unauthorized access to business assets (pivoting)
- Unauthorized access to ICS assets (pivoting / own)
Target: User, ICS technician
Possible attack vectors:
- Social engineering (corporate assets)
- Social engineering (personal assets)
- E-mail attachments
- File shares
Possible attack methods:
- Introduction of malware on control network via connection of unauthorized / foreign host
- Introduction of malware on control network via shared virtual machines
- Introduction of malware via inappropriate use of removable media between security zones (home, business, control)
- Exploitation of applications due to unnecessary use of administrative rights
- Network disturbances resulting from connection to networks with poor segmentation
Possible consequences:
- Plant upset / shutdown
- Delayed plant startup
- Mechanical damage / sabotage
- Unauthorized manipulation of operator graphics (inappropriate response to process action)
- Unauthorized modification of ICS database(s)
- Unauthorized modification of status / alarm settings
- Unauthorized download of faulty firmware
- Unauthorized startup / shutdown of ICS devices
- Design information leakage
- ICS application credential leakage
- Unauthorized access to most ICS assets (pivoting / own)
Target: User, plant operator
Possible attack vectors:
- Keyboard
- Removable media (USB)
- Removable media (CD / DVD)
Possible attack methods:
- Introduction of malware on control network via unauthorized / foreign host
- Introduction of malware via inappropriate use of removable media between security zones (home, business, control)
- Exploitation of applications due to unnecessary use of administrative rights
Possible consequences:
- Plant upset / shutdown
- Mechanical damage / sabotage
- Unauthorized startup / shutdown of mechanical equipment
- Process / plant operational information leakage
- Credential leakage
- Unauthorized access to ICS assets (pivoting)
- Unauthorized access to ICS assets (communication protocols)
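Several rows of Table 7.2 (data historian, directory services, perimeter protection, and the control-to-business C2 path under the ICS engineer entry) come back to the same root cause: a firewall ruleset with unnecessary openings, insecure office or industrial protocols crossing the business-to-control boundary, and connections initiated outward from the control zone. The following audit script is an added example written for this page, not code from the book or from any firewall vendor. The rule format, the zone names, the port list, and the sample ruleset are all constructed assumptions; a real export (iptables, a vendor policy dump) would need its own parser in front of `audit()`.

```python
"""
Audit a perimeter firewall ruleset for the weaknesses Table 7.2 lists under
"Perimeter protection": excessive openings, insecure office/industrial
protocols crossing the business/control boundary, direct business-to-control
rules that bypass the DMZ, and outbound paths from the control zone that can
carry command-and-control traffic.

Rule format, zone names, port list and sample ruleset are constructed for
this example (assumptions), not taken from any product.
"""
from dataclasses import dataclass

# Office and industrial protocols that should not cross the boundary
# unmediated. Ports assumed TCP (Modbus/TCP, DNP3, EtherNet/IP, DCOM, SMB).
INSECURE_CROSSING = {
    21: "FTP (cleartext credentials)",
    23: "Telnet (cleartext)",
    135: "DCOM / OPC Classic endpoint mapper (dynamic ports)",
    139: "NetBIOS session",
    445: "SMB (common malware propagation vector)",
    502: "Modbus/TCP (no authentication on writes)",
    3389: "RDP (interactive remote access)",
    20000: "DNP3 (unauthenticated by default)",
    44818: "EtherNet/IP explicit messaging",
}

# Trust ordering of zones, least to most trusted (assumed model).
ZONE_TRUST = {"internet": 0, "business": 1, "dmz": 2, "control": 3, "safety": 4}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str      # "tcp", "udp" or "any"
    dports: list    # destination ports; [] means any port
    action: str     # "allow" or "deny"


@dataclass
class Finding:
    rule: str
    code: str
    detail: str


def audit(rules):
    """Return a list of Findings for every allow rule that crosses a zone boundary badly."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.src_zone == r.dst_zone:
            continue
        src, dst = ZONE_TRUST[r.src_zone], ZONE_TRUST[r.dst_zone]
        inbound = dst > src  # traffic initiated toward the more trusted zone

        # 1. Any-service rule across a boundary: an excessive opening.
        if not r.dports or r.proto == "any":
            findings.append(Finding(r.name, "EXCESSIVE_OPENING",
                                    f"{r.src_zone}->{r.dst_zone} allows any service"))

        # 2. Insecure office/industrial protocol allowed across the boundary.
        for p in r.dports:
            if p in INSECURE_CROSSING:
                findings.append(Finding(r.name, "INSECURE_PROTOCOL",
                                        f"{INSECURE_CROSSING[p]} on port {p} "
                                        f"{r.src_zone}->{r.dst_zone}"))

        # 3. Business zone reaching control/safety directly, bypassing the DMZ.
        if r.src_zone == "business" and r.dst_zone in ("control", "safety"):
            findings.append(Finding(r.name, "DMZ_BYPASS",
                                    "business zone reaches control zone directly"))

        # 4. Connections initiated from the control zone outward: a C2 path.
        if not inbound and src >= ZONE_TRUST["control"]:
            findings.append(Finding(r.name, "OUTBOUND_FROM_CONTROL",
                                    f"{r.src_zone} may initiate connections to {r.dst_zone}"))
    return findings


def summarize(findings):
    """Count findings per code, so a ruleset can be compared before/after a change."""
    counts = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


# Constructed sample ruleset (not from any real site).
SAMPLE_RULES = [
    Rule("hist-replication", "control", "dmz", "tcp", [1433], "allow"),    # historian pushes to DMZ
    Rule("biz-to-hist", "business", "dmz", "tcp", [443], "allow"),         # business reads DMZ replica
    Rule("vendor-rdp", "business", "control", "tcp", [3389], "allow"),     # direct interactive access
    Rule("ews-any", "business", "control", "any", [], "allow"),            # any/any "temporary" rule
    Rule("plc-updates", "control", "internet", "tcp", [80, 443], "allow"), # outbound from control
    Rule("deny-all", "business", "control", "any", [], "deny"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f.rule:18} {f.code:22} {f.detail}")
    print(summarize(audit(SAMPLE_RULES)))
```

The historian replication rule is flagged even though it is a common design, because the finding is about direction: a connection initiated from the control zone outward is exactly the path the ICS engineer entry describes for C2, so the preferred pattern is for the DMZ replica to pull from the historian rather than for the historian to push out.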
Table 7.3
Lessons Learned from Stuxnet
(Each entry lists a previous belief followed by the lesson Stuxnet taught.)

Previous belief: Control systems can be effectively isolated from other networks, eliminating the risk of a cyber incident.
Lesson learned: Control systems are still subject to human nature: a strong perimeter defense can be bypassed by a curious operator, a USB drive, and poor security awareness.

Previous belief: PLCs and RTUs that do not run modern operating systems lack the necessary attack surface to make them vulnerable.
Lesson learned: PLCs can be, and have been, targeted and infected by malware.

Previous belief: Highly specialized devices benefit from "security through obscurity." Because industrial control systems are not readily available, it is impossible to effectively engineer an attack against them.
Lesson learned: The motivation, intent, and resources are all available to successfully engineer a highly specialized attack against an industrial control system.

Previous belief: Firewalls and intrusion detection and prevention systems (IDS/IPS) are sufficient to protect a control system network from attack.
Lesson learned: The use of multiple zero-day vulnerabilities to deploy a targeted attack shows that "blacklist" point defenses, which compare traffic against definitions of known-bad code, are no longer sufficient; "whitelist" defenses, which permit only known-good behavior, should be considered as a catch-all defense against unknown exploits.
Firewalls and Intrusion Detection and Prevention system (IDS/IPS) are sufficient to protect a control system network from attack. | The use of multiple zero-day vulnerabilities to deploy a targeted attack indicates that “blacklist” point defenses, which compare traffic to definitions that indicate “bad” code are no longer sufficient, and “whitelist” defenses should be considered as a catchall defense against unknown exploits. |