Real-life live demonstrations of cyber-attack scenarios are the best way to educate and create awareness of the potential risks and damage to ICS/SCADA systems from various attack vectors.
Such a demonstration was held at the February 2018 CS4ICS IET convention in London, UK. The demonstration used actual SCADA devices from leading manufacturers and off-the-shelf attack tools.
After each attack showcase, the detection and prevention methods were shown using Radiflow solutions.
The London convention brought together cyber-security and industrial automation operators from critical infrastructure and industrial facilities. During a two-hour session held in front of over 100 participants, three use-cases were presented, addressing the main operational scenarios.
USE-CASE #1: MALWARE ON TECHNICIAN LAPTOP
One of the major known ICS/SCADA vulnerabilities is site access by third-party contractors or employees, either remotely or by plugging into an on-site switch. In the event the technician's laptop is not well protected, the maintenance session could be used to modify the operation of PLCs and HMIs.
The demonstration showed remote access to a site and modification of the PLC ladder logic by hidden malware on the technician's laptop, running in the background while the laptop was connected to the operational network.
Mitigation:
USE-CASE #2: OPERATIONAL TAMPERING USING AN SSH BRUTE FORCE ATTACK
In many cases, default, dictionary or common passwords are used to authenticate operators of SCADA servers, HMIs and PLCs. These can be used to gain access to those computers and tamper with the SCADA system.
In this case, SSH access to the SCADA server was achieved using a password brute-force attack based on password databases from GitHub, Certyfence or other sources. Once access was gained, the SCADA server was used to disrupt the operation of the industrial process.
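A brute-force attempt like the one shown leaves a characteristic trail in the SCADA server's SSH authentication log: a burst of failed logins from one source, often cycling through several usernames, followed by a success. The script below is an added example (not Radiflow's code or part of the demonstration) that runs a sliding-window detector over constructed sshd log lines; the hostname, IP addresses and timestamps are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd auth log (syslog format); not captured from the demo.
SAMPLE_LOG = """\
Feb 12 10:01:03 scada-srv sshd[2311]: Failed password for operator from 10.0.5.23 port 51022 ssh2
Feb 12 10:01:04 scada-srv sshd[2311]: Failed password for operator from 10.0.5.23 port 51023 ssh2
Feb 12 10:01:04 scada-srv sshd[2311]: Failed password for admin from 10.0.5.23 port 51024 ssh2
Feb 12 10:01:05 scada-srv sshd[2311]: Failed password for root from 10.0.5.23 port 51025 ssh2
Feb 12 10:01:06 scada-srv sshd[2311]: Failed password for operator from 10.0.5.23 port 51026 ssh2
Feb 12 10:01:07 scada-srv sshd[2311]: Failed password for operator from 10.0.5.23 port 51027 ssh2
Feb 12 10:01:09 scada-srv sshd[2311]: Accepted password for operator from 10.0.5.23 port 51028 ssh2
Feb 12 10:07:41 scada-srv sshd[2399]: Failed password for operator from 10.0.1.10 port 40011 ssh2
Feb 12 10:07:55 scada-srv sshd[2399]: Accepted password for operator from 10.0.1.10 port 40012 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted password" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2018):
    """Return (timestamp, result, user, ip) for an sshd auth line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year; the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs that reach `threshold` failed logins inside a sliding
    `window`, and record whether a successful login followed the burst
    (the pattern of a guessed password)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            # keep only failures that fall inside the window ending at `ts`
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold:
                entry = alerts.setdefault(
                    ip, {"first_seen": failures[ip][0], "success_after_burst": False})
                entry["failures"] = len(failures[ip])
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after_burst"] = True
            alerts[ip]["user"] = user
    return alerts


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(ip, info)
```

The single failure from 10.0.1.10 (an operator mistyping a password) stays below the threshold, while 10.0.5.23 trips the alert and is additionally marked because a login succeeded right after the burst. In a real deployment the same logic would feed a SIEM rule, and the finding should be paired with the preventive controls the session covered: replacing default and dictionary passwords, and restricting SSH access to the SCADA server to the hosts that need it.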
Mitigation:
USE-CASE #3: RAILWAY TRACK SWITCHING USING MitM (MAN IN THE MIDDLE)
In MitM attacks, the attacker secretly relays, and possibly alters, the communication between two parties who believe they are directly communicating with each other.
In this case, the attack took advantage of vulnerabilities in the network and in the Modbus automation protocol used between the HMI and the PLC.
In this scenario, the malware causes the track switch to divert trains to an alternate rail while sending false data to the operator, as if the train were still on the right track.
The attack took place in two stages:
The attack logic was implemented on a Raspberry Pi device, simulating possible malware on a peripheral network device such as a physical security sensor or CCTV camera with inadequate cyber security.
Mitigation:
CONCLUSION
The demonstration at CS4ICS IET 2018 clearly showed that a one-size-fits-all approach to OT network security is not sufficient, as it is safe to assume that cyber-threats, risks and attacks will only diversify and intensify.
ICS/SCADA operators need to engage in the process of installing multi-layer security measures, with detection and protection capabilities for different types of attacks, as demonstrated. Such a process should begin with a comprehensive security assessment, to map out all network devices, ports and connections, and should eventually include protections for known threats, as well as mechanisms for adapting to new threats as they are discovered.