Cyber attack vectors
Cyber-security in industry begins with correctly identifying and defining the possible attacks on industrial infrastructure, in particular in the area of OT (Operational Technology). In this entry we introduce those risks and the methods of monitoring them, and point out the places in the OT segments of industrial automation networks that are particularly exposed to them.
In today's publication we present potential cyber attack vectors for industrial automation network segments in which information and process data are exchanged over serial buses.
Serial buses in the RS-232, RS-422 and RS-485 standards were among the first to be used in industrial automation. The block diagram below shows one of the possible configurations built on these buses.
Despite the rapid development of data exchange technology, such serial buses still operate in many areas of OT and perform their tasks successfully. The example shows a classic system in which the PLC collects information from field sensors and executes the control program: following its control algorithm, it uses the collected sensor data to drive motors, pumps, valves and contactors, often directly or through inverters. Let us ask what actions, or cyber attack vectors, could disrupt the operation of such a segment of the automation network, and what effect they would have on the SCADA (Supervisory Control And Data Acquisition) master system, which visualizes the entire OT process realized in this segment of the industrial automation network.
The elements of our industrial automation network segment that are susceptible to cyber attacks are certainly the PLC itself, field sensors equipped with serial transmission modules, and intermediate actuating elements such as inverters. It is of course possible to disrupt or damage any element, such as a sensor, motor, pump or valve, but in our considerations we focus on the elements for which the effect of the attack vector will not be visualized by the master system, i.e. SCADA. This matters because the task of SCADA is to visualize the correct operation of all elements involved in control in the OT area: damage to a sensor, a motor or the serial bus itself will be quickly identified by the SCADA system. What matters, however, is what happens to the system after the defective element is replaced. We can foresee the following scenarios:
- Damage to the serial bus: after transmission is restored we cannot be sure that this was not the beginning of a cyber attack. The failure may have been a pretext to connect a black-box device to the bus, which monitors the traffic in order to attack the serial bus itself at a chosen moment, or even to simulate other elements of this network segment, such as a sensor or an inverter.
- PLC failure: operation of this segment stops, the downtime generates huge costs, and as a result the damaged controller is quickly replaced by a new one. With that exchange we get a PLC with new identifiers (MAC address, ID); perhaps the controller type changes; the control program loaded may be exactly the same as on the damaged controller, but even if the program is the same, new firmware will certainly be uploaded to the controller, since replacing an old PLC with a newer type usually involves replacing and upgrading the firmware.
- Replacement or damage of an inverter or field sensor taking part in serial communication may likewise be the beginning of a cyber attack; the scenario is the same as for the PLC.
How will the SCADA visualization system react after such a hardware or firmware replacement? The SCADA system is not able to check whether the control program or firmware is the same program or software as before the failure. If SCADA has access to the PLC, periodically queries it for the states of process variables from sensors or the control levels of actuators, and receives values within the expected ranges, it will raise no alarm.
How, then, to protect against this type of threat, which may be the beginning of a large cyber attack on our industrial infrastructure, on our OT area?
One possible way of detecting a cyber attack at such an early stage is to fully monitor the serial bus and analyse all packets and data transmission frames generated in the given segment of the industrial automation network. The traffic on the bus should be monitored, a model of the network's behaviour over time developed, and its future behaviour predicted. A newly replaced device will have a different response time to a query and may have different IDs; these are nuances the SCADA system cannot extract. By analogy, each device has its own characteristics, its own individual DNA. To spot such small changes in the huge jungle of monitored data we need a mechanism based on the mathematics of Machine Learning (ML), or even on Artificial Intelligence (AI) and big data analysis. We are then able to effectively monitor such a segment of the industrial automation network, report any anomalies in network traffic, and present them in dedicated SIEM (Security Information and Event Management) systems.
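The following is an added example of the baseline-and-compare idea described above; it is not code from the article and not part of SCADVANCE. It assumes Modbus RTU framing on the serial bus (the article does not name a protocol), and the request frames and response latencies are constructed sample data, not a real capture. A learning window builds, per unit ID, the set of function codes used and the response-latency distribution; each later exchange is then checked for a CRC failure, an unknown unit ID, a function code the device never used, and a latency shift that would suggest a different device answering under the same address.

```python
"""Behavioural baseline for a monitored serial bus (Modbus RTU framing assumed)."""
from statistics import mean, pstdev


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def rtu_frame(body: bytes) -> bytes:
    """Append the CRC (low byte first), as an RTU device would. Used only to build sample data."""
    crc = modbus_crc16(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def parse_frame(frame: bytes) -> dict:
    """Split a captured RTU frame into unit id, function code and payload, verifying the CRC."""
    if len(frame) < 4:
        raise ValueError("frame too short for unit id, function code and CRC")
    body, crc_bytes = frame[:-2], frame[-2:]
    expected = modbus_crc16(body)
    return {
        "unit": body[0],
        "function": body[1],
        "payload": body[2:],
        "crc_ok": crc_bytes == bytes([expected & 0xFF, expected >> 8]),
    }


# Constructed sample traffic (not captured from a real plant):
READ_HOLDING_U1 = rtu_frame(b"\x01\x03\x00\x00\x00\x0A")  # 01 03 00 00 00 0A C5 CD
READ_HOLDING_U2 = rtu_frame(b"\x02\x03\x00\x10\x00\x02")
WRITE_COIL_U7 = rtu_frame(b"\x07\x05\x00\x01\xFF\x00")     # a unit never seen in training
WRITE_REG_U1 = rtu_frame(b"\x01\x06\x00\x01\x00\x05")      # a function unit 1 never used
# Single-bit corruption of the quantity field; the transmitted CRC no longer matches.
TAMPERED_U1 = READ_HOLDING_U1[:4] + b"\x01" + READ_HOLDING_U1[5:]

# Learning window: (request frame as seen on the bus, measured response latency in ms)
TRAINING = [
    (READ_HOLDING_U1, 12.0), (READ_HOLDING_U2, 18.4),
    (READ_HOLDING_U1, 12.6), (READ_HOLDING_U2, 18.0),
    (READ_HOLDING_U1, 11.8), (READ_HOLDING_U2, 18.8),
    (READ_HOLDING_U1, 12.2), (READ_HOLDING_U2, 17.9),
]


def build_profile(capture):
    """Learn, per unit id, the function codes used and the response-latency distribution."""
    profile = {}
    for frame, latency in capture:
        f = parse_frame(frame)
        if not f["crc_ok"]:
            continue  # never learn from frames that fail the CRC
        p = profile.setdefault(f["unit"], {"functions": set(), "latencies": []})
        p["functions"].add(f["function"])
        p["latencies"].append(latency)
    for p in profile.values():
        p["mean"] = mean(p["latencies"])
        p["stdev"] = pstdev(p["latencies"])
    return profile


def check_frame(profile, frame: bytes, latency: float, z_limit=3.0, min_tolerance_ms=1.0):
    """Return a list of anomaly tags for one request/response pair (empty list == normal)."""
    f = parse_frame(frame)
    alerts = []
    if not f["crc_ok"]:
        alerts.append("crc-mismatch")
    p = profile.get(f["unit"])
    if p is None:
        alerts.append(f"unknown-unit:{f['unit']}")
        return alerts
    if f["function"] not in p["functions"]:
        alerts.append(f"new-function:{f['function']:#04x}")
    # A replaced device answers with different timing; tolerate at least min_tolerance_ms
    # so that a perfectly regular training window (stdev 0) does not alarm on every jitter.
    tolerance = max(z_limit * p["stdev"], min_tolerance_ms)
    if abs(latency - p["mean"]) > tolerance:
        alerts.append(f"latency-shift:{latency:.1f}ms vs baseline {p['mean']:.1f}ms")
    return alerts


def scan(profile, capture):
    """Run check_frame over a capture; return {index: alerts} for the anomalous exchanges only."""
    findings = {}
    for i, (frame, latency) in enumerate(capture):
        alerts = check_frame(profile, frame, latency)
        if alerts:
            findings[i] = alerts
    return findings


if __name__ == "__main__":
    prof = build_profile(TRAINING)
    live = [(READ_HOLDING_U1, 12.3), (READ_HOLDING_U2, 4.1),   # unit 2 now answers far too fast
            (WRITE_COIL_U7, 9.0), (TAMPERED_U1, 12.0), (WRITE_REG_U1, 12.1)]
    for idx, alerts in scan(prof, live).items():
        print(f"exchange {idx}: {', '.join(alerts)}")
```

The per-device latency profile is the "DNA" the text refers to: a replacement controller or sensor keeps the same unit address and returns values in the same ranges, which is why SCADA stays silent, yet its timing and its repertoire of function codes differ from the device it replaced. In production the learning window would come from a passive tap on the bus and the findings would be forwarded to the SIEM rather than printed.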
SCADVANCE is such an IDS (Intrusion Detection System).