ICS networks: how secure are they?
A major topic discussed at BlackHat 2019 was the vulnerability and attack vectors exposed in Industrial networks, which also gave an eye-opening insight into the possible repercussions of a successful attack.
Industrial Control Systems (ICS) cover a wide range of machinery, from factory conveyor belts and fractional distillation sensors to CNC equipment. Supervisory control and data acquisition (SCADA) is used for high-level supervisory management of these devices.
Nearly all of these devices and their sensors are connected to the internal network in some way to provide statistical feedback and maintenance information or to obtain configuration data. Some of these sensors and devices are even connected to the internet to allow remote management in an ever-expanding and distributed industry, forming an IoT network that stretches across the globe. This is often referred to as Industrial IoT, IIoT or Industry 4.0, which Barracuda predicts will reach 20.8 billion connected devices by 2020.
However, the connection to the network and the internet gives this technology a large attack surface, and with the large majority of these systems being mission-critical, a successful attack can cost the industry billions or bring a country's industrial production processes to its knees.
A physical access attack would be the most efficient attack vector against already established networks. Presence on the physical network gives visibility of the internal traffic moving across it, showing protocols passing from machine to controller and back again and carrying the information mentioned earlier.
As shown in the capture of the Wireshark trace conversations from an ICS network (Figure 1), the conversations are loud and plentiful, with a good percentage made up of Modbus traffic. Modbus/TCP is a commonly used TCP communications protocol between controllers and industrial sensors and devices.
Figure 1 – Wireshark trace conversations from an ICS network
A very simple way to cause a denial of service to this type of network would be to aggressively scan the endpoints on the network. Although not the most subtle technique, it is relatively effective, potentially disrupting the communication between endpoints and their controllers and bringing a stop to production.
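The two observations above, plentiful Modbus/TCP traffic and the disruptive effect of aggressive scanning, are what a defender would want to pick out of a capture. The following is an added example, not code from the original article: it parses the Modbus/TCP MBAP header of a constructed frame and then runs a simple scan detector over a constructed list of flow events, flagging any source that touches many distinct Modbus endpoints within a short window. Thresholds, addresses and timestamps are assumptions chosen for illustration.

```python
import struct
from collections import defaultdict

MODBUS_PORT = 502


def parse_mbap(frame: bytes):
    """Parse a Modbus/TCP frame: 7-byte MBAP header followed by the PDU.

    Returns a dict, or None if the frame is malformed. The protocol identifier
    must be 0 and the length field must cover unit id + PDU exactly.
    """
    if len(frame) < 8:  # MBAP header plus at least a function code
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": uid, "func": frame[7], "data": frame[8:]}


def find_scanners(events, window=5.0, threshold=10):
    """Flag sources that contact >= threshold distinct Modbus endpoints
    within `window` seconds. events: iterable of (ts, src, dst, dst_port)."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == MODBUS_PORT:
            by_src[src].append((ts, dst))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {d for t, d in hits[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                flagged.add(src)
                break
    return flagged


# Constructed sample: read holding registers (function 3), unit 1, 10 registers
SAMPLE_REQUEST = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))

# Constructed flow log: an HMI polling three PLCs every 10 s, then a host
# sweeping twenty addresses in two seconds (assumed addresses and times)
SAMPLE_EVENTS = (
    [(t, "10.0.0.5", f"10.0.1.{d}", 502) for t in range(0, 60, 10) for d in (1, 2, 3)]
    + [(100 + 0.1 * i, "10.0.0.99", f"10.0.1.{i}", 502) for i in range(1, 21)]
)

if __name__ == "__main__":
    print(parse_mbap(SAMPLE_REQUEST))
    print("scan-like sources:", find_scanners(SAMPLE_EVENTS))
```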
Another area of vulnerability is the Human Machine Interface (HMI). These direct user interfaces to the machines mostly run embedded Windows operating systems, many of them quite old and possibly minimally patched, which exposes them to a whole host of ready-made exploits available in exploit frameworks.
What does this all mean?
The Operational Technology (OT) industry has a large attack surface and its security practices have mostly gone unchecked and unchallenged. This piece highlights only one possible attack vector; many more viable methods exist.
As Industry 4.0 approaches and IT and OT environments converge, this sector needs more focus and support for its cyber security, because it is a hugely lucrative and effective target for hacktivist groups trying to disrupt production, cyber-criminal groups looking to gain data to sell on the dark web, and Advanced Persistent Threats (APT) seeking to undermine our Critical National Infrastructure.