OT Cybersecurity architecture - Coggle Diagram
OT Cybersecurity architecture
Protocols
FIELDBUS
between Controllers and Field devices
Time sensitive
Profibus
Process FieldBus
advanced error checking
flexible topology
12 Mbit/s
Master/slave
Token Ring mechanism - multiple masters
- media: RS-485, fibre, MBP (Manchester Bus Powered)
FDL - Fieldbus Data Link protocol at layer 2
Profinet
Profibus -DP
Decentralised periphery
multiple masters
master types:
-- Class 1 - cyclic communication (real-time control of process data)
-- Class 2 - acyclic communication (diagnostics and configuration)
only master with token can send data
Profibus PA
ProfiSAFE
Security vulnerabilities:
lack of authentication / access controls
spoofing: master or slave
DoS attacks - flood with invalid requests / responses and make it unresponsive
protocol disruption: false token can disrupt communication
no encryption - communication can be altered
DNP3
Distributed Network Protocol
very reliable
support data of any type
exception-based reporting (instead of constant polling), better network efficiency:
-- slave sends an update only when a value changes
-- slave sends alarm info to the master by itself (doesn't have to be polled/asked)
-- slave responds only when polled/asked
SecureDNP3
adds authentication - sender validation, for each message with session key
integrity with checksum
correct pair is talking - verified by checksum
Security vulnerabilities
lack of authentication and encryption
known vulnerabilities
MiTM attacks and spoofing
DoS
unauthorized control messages (spoofed)
Modbus
(most common)
CRC checksum error checking
master (PLC, SCADA)/slave (field device) communication
request/response model
Protocol Data Units (PDU)
-- Modbus Request (from master)
-- Modbus Response (from Field Device)
-- Modbus Exception Response (errors from Field Device/Slave)
115.2 kbit/s
Modbus TCP - port 502/tcp, ethernet
Modbus RTU - Remote Terminal Unit (serial RS-485 connection), binary
Modbus ASCII - ASCII characters, serial RS-485
Security vulnerabilities:
lack of authentication / access controls
man in the middle - communication can be intercepted
Replay attacks (capture legitimate packets and replay them later)
DoS attacks - flood with invalid requests / responses and make it unresponsive
no message integrity - packets can be altered
MIDDLEWARE
between different systems like SCADA and MES, ERP
better security, modern
OPC
- most common
comes from Windows world (OLE, DCOM)
OPC-UA
unified architecture
security: authentication, encryption, access control
OS platform independent
wide range of data types
transport options: TCP, websockets, HTTPS
port tcp/4840
Components:
OPC Client
- requests data or actions
OPC servers
- provides data (proxy?) from Field Devices
Data sources
(field devices): server communicates with these devices via native Fieldbus protocols like Profibus/Modbus/Profinet
RPC - Remote Procedure Call
client invokes procedures on the server
local processing, remote execution
Vulnerabilities
lack of security
legacy Microsoft technologies (OLE, DCOM, RPC) and their vulnerabilities
Malware frameworks like TRISIS and Industroyer target classic OPC and OPC-UA (session manipulation)
DoS
-MiTM
systems run as Admin by default
ICCP
Intercontrol Center Communications Protocol
common in Power industry
works over WANs (distances)
efficient exchange of power load between distributors
bilateral table: table based ACL, which client can do what
Components
ICCP client - requests data (like grid data)
ICCP server
uses XML for data exchange
Vulnerabilities
bilateral table itself as target (change ACLs)
no protection for insiders
WAN protocol = more exposed, than private, closed networks
runs on usual Windows OS which can be attacked
Use the Secure ICCP implementation!
Common Industrial Protocol (CIP)
standardized framework for industrial device communication
Object Models
Required Objects: manufacturer, serial number, for identification
Application Objects:
define standard input/output parameters for devices for compatibility
Vendor Specific Objects:
allow manufacturers to add specific features, while remaining CIP-compatible
Protocols
Ethernet/IP
most common
layers 1-4 use normal networking
layers 5-7 - CIP takes over
DeviceNET
ControlNET
ProfiNET
uses RJ45
EtherCAT
efficiency by sending a large amount of data in 1 chunk in a single Ethernet frame
ethertype: 0x88A4
Suspicious Packets
Protocol Anomalies
unexpected write operations
invalid function codes
packet of wrong size/length
function codes that force slave devices into "listen only" mode
any packet with Exception Code
Timing Irregularities
sudden change in polling frequency
response delays
sudden spike in requests
missing responses
Connection patterns
new IP addresses
port scanning
unexpected protocols
Common ports:
S7: 102/tcp
ICCP: 102/tcp
Modbus TCP: 502/tcp
DNP3: 20000/tcp
EtherCAT: 34980/tcp
Ethernet/IP: 44818/tcp
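As an added example (not part of the original mind map), a small Python checker that parses Modbus TCP frames (the MBAP header plus PDU described under Modbus above) and flags the protocol anomalies listed here: write operations, invalid function codes, length mismatches, the diagnostics sub-function that forces a slave into listen-only mode, and exception responses. The sample frames are constructed for illustration.

```python
# Added example: Modbus TCP anomaly checker for the "Suspicious Packets" categories.
# Sample frames below are constructed, not captured traffic.
import struct

# Public Modbus function codes, split by whether they change device state.
READ_CODES = {1, 2, 3, 4, 7, 8, 11, 12, 17, 20, 43}
WRITE_CODES = {5, 6, 15, 16, 21, 22, 23}
VALID_CODES = READ_CODES | WRITE_CODES
# Diagnostics (fc 8) sub-function 0x0004 = "Force Listen Only Mode".
FORCE_LISTEN_ONLY = (8, 0x0004)


def analyse_modbus_tcp(frame: bytes) -> list[str]:
    """Return anomaly labels for one Modbus TCP frame (empty list = looks normal)."""
    findings = []
    if len(frame) < 8:  # MBAP header (7 bytes) + at least a function code
        return ["truncated frame"]
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        findings.append("non-zero protocol id")
    # MBAP length counts unit id + PDU, so the whole frame must be 6 + length bytes.
    if len(frame) != 6 + length:
        findings.append("length mismatch")
    pdu = frame[7:]
    fc = pdu[0]
    if fc & 0x80:  # exception response: original fc with high bit set, then exception code
        code = pdu[1] if len(pdu) > 1 else "?"
        findings.append(f"exception response (code {code})")
        return findings
    if fc not in VALID_CODES:
        findings.append(f"invalid function code {fc}")
        return findings
    if fc in WRITE_CODES:
        findings.append(f"write operation (fc {fc})")
    if fc == FORCE_LISTEN_ONLY[0] and len(pdu) >= 3:
        sub = struct.unpack(">H", pdu[1:3])[0]
        if sub == FORCE_LISTEN_ONLY[1]:
            findings.append("force listen-only mode")
    return findings


# Constructed sample frames: tid | proto | length | unit | PDU
SAMPLE_FRAMES = {
    "read 10 holding regs": bytes.fromhex("00010000000601030000000A"),
    "write single reg":     bytes.fromhex("000200000006010600100001"),
    "force listen only":    bytes.fromhex("000300000006010800040000"),
    "exception response":   bytes.fromhex("000100000003018302"),
    "bad length + bad fc":  bytes.fromhex("00040000000601630000"),
}


def scan(frames: dict) -> dict:
    """Run the checker over a dict of named frames; returns name -> findings."""
    return {name: analyse_modbus_tcp(f) for name, f in frames.items()}
```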
Purdue model
Level 4 - IT enterprise network
Level 3.5 DMZ
NO direct communication between IT (L4) and levels below the DMZ (3 and below)
best practice: 2 firewalls from different vendors
Level 3: Site-wide supervisory
Domain controllers and syslog servers
common system which don't need internet access
data historians (?)
Level 2: Local supervisory - process monitoring and control
operators and engineering stations
SCADA, HMI, DCS
Level 1: Process control
PLCs, fieldbus protocols
controls level 0
Level 0:
physical equipment interacting with level 0
sensors, actuators, pumps, etc.
simple, low processing power
usually no OS (steered by PLCs)
Monitoring:
Nozomi
Claroty xDome
Network Design
DataDiode - 1way communication
for:
replicating historian data to DMZ
sending syslogs to DMZ
more secure than firewalls
Topologies
BUS
all devices connected to a single line
common with legacy fieldbus protocols like Modbus
single point of failure
each device sees traffic from the others (problem for segmentation)
RING
closed loop, redundancy
common for Profinet and EtherCAT
common with critical processes
STAR
central switch
modern
levels 2 and 3 of Purdue
easy for securing
MESH
devices connected to multiple others
commonly used in wireless
difficult to secure different paths
TREE
hierarchical from central branch
reflects the Purdue model
HYBRID
most common
Dual homed devices
Separation
complete isolation of network connectivity - true AIR GAP
Secure Remote access
Jump hosts / Jump servers
Channel all remote traffic via semi-trusted zones - DMZ
MFA
Principle of least privilege
Policies and procedures to terminate remote sessions in case of suspicious activity
Monitor and log all activity (SIEM)
Securing SIS (Safety Instrumented Systems)
SIS works when other security control systems fail
Air gapping SIS systems / physical separation from industrial networks - NO CABLES
NO Remote access to SIS at all! All changes locally only
SIS systems rarely need modifications once created. They can be safely disconnected
keep engineering workstations disconnected from SIS when not in use
monitor status of SIS via one-way communication with data-diodes
TRAFFIC PRIORITIZATION
Critical Control Traffic (PLC)
Process data and HMI updates
Engineering workstation access / logic changes
Routine Data Collection (Historian)
Background tasks (Syslog, SIEM, backups)
Cyber threats
Initial access
Social engineering:
phishing campaigns
USB drops
engineering software updates
vendor credential theft
Technical/Network Exploitation
internet exposed OT assets
remote access compromise
DMZ server compromise
Physical access:
badge cloning / theft
Wireless network penetration
maintenance port access (PLC)
- contractor laptop compromise
Network Manipulation
protocol manipulation
MiTM attacks
session hijacking
Denial of Service
Network flooding
Protocol exhaustion
Time synchronization attacks
System Compromise
HMI manipulation
engineering workstation access
Keylogging/HID attacks
firmware modifications
Blended attacks
combines multiple attack vectors and techniques
Attack Trends
Ransomware attacks - OT specific variants
-- process targeting
-- double extortion
Supply chains focus
-- vendor compromise
-- update system abuse
-- third party access
AI/ML integration
-- automated reconnaissance
-- pattern learning
-- behaviour mimicking
Cyber Kill Chain
Delivery
phishing email
dropped USB drives
compromised vendor sites
watering hole attacks
supply chain compromise
compromised remote access
Exploitation
unpatched Windows systems
webservers in DMZ
engineering workstations
ICS Kill Chain
Stage 1 Obtaining Access to ICS:
Planning: Reconnaissance
Preparation: Weaponization, Targeting
Intrusion: Delivery, Exploit, Install
Enablement: C2
Execution: Act
Stage 2 ICS Compromise and Impact:
Attack Development: Develop (create extra scripts to target PLCs)
Validation: Test
ICS Attack:
-- Deliver
-- Install / Modify
-- Execute ICS Attack
Key Differences
Focuses on progression from IT to OT
Extended time between stages to learn industrial process
Defense:
segmented architecture
remove internet exposure
- engineering workstations!
-- no internet access
-- app whitelisting
-- controlled software installation