Attack and Defense in OT: Enhancing Cyber Resilience in Industrial Systems with Red Team Operations
The article discusses the importance of Operational Technology (OT) security in industrial environments and shows, through simulated attacks in Red Team assessments, how threats can be identified and mitigated. The case analyses reveal the risks of cyber attacks and physical intrusion and propose measures such as stronger email security, privilege management, network segmentation and physical security. 2025-2-28 09:10:0 Author: blog.nviso.eu (view original)


In today’s rapidly evolving industrial landscape, securing Operational Technology (OT) is more critical than ever due to increased connectivity and sophisticated cyber threats. Throughout this blog post series, we will dive into the world of Operational Technology Security.

This edition of the series focuses on how Red Team assessments can assist companies in identifying and mitigating threats in OT environments. After giving some background about the current threat landscape and terminology, we start by explaining how an external attacker gains an initial foothold in the network. Next, we explore the methods attackers use to gain access to OT systems, illustrated through two case stories targeting critical components such as SCADA (Supervisory Control and Data Acquisition), PLCs (Programmable Logic Controllers), and HMIs (Human-Machine Interfaces).

Operational Technology and Industrial Control Systems

First, let’s clarify some terminology. The NIST Computer Security Resource Center defines Operational Technology (OT) as “Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms.”

Industrial Control Systems (ICS) are further defined as “An information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition systems used to control geographically dispersed assets, as well as distributed control systems and smaller control systems using programmable logic controllers to control localized processes.” In the context of this blog post series, the term OT will be used to describe the infrastructure in which such systems are deployed.

Red Team Assessments & APTs

Unlike regular penetration testing, which focuses on identifying and exploiting vulnerabilities within a specific scope, Red Team operations are driven by specific objectives that are defined for the unique environment. In OT settings, these objectives are often proof of access to field devices or to the IT-to-OT boundary. For further details about Red Team operations refer to this description.

A Red Team operation simulates realistic attacks based on adversary tactics, techniques, and procedures (TTPs) used by known Advanced Persistent Threats (APTs). A Red Team operation helps a company assess its own people, processes, and technology in terms of prevention, detection and response, to determine the impact of a realistic attack and identify improvement areas.

A notable APT in the context of OT is Electrum, known for its role in the 2016 Kiev power outage within the CRASHOVERRIDE incident, which highlights the real-world impact of OT-targeted attacks. The corresponding CRASHOVERRIDE malware is a framework containing multiple modules to interact with different ICS network protocols, such as IEC 101, IEC 104, IEC 61850, and OPC. During the power outage in 2016, the group used malware to attack circuit breakers on Remote Terminal Units (RTUs), which are devices that connect to physical equipment in substations, resulting in the de-energizing of these substations. The group is known for its sophisticated techniques and its operational role in disrupting critical infrastructure. According to recent reports, the group is still active and may also target regions beyond Ukraine.


Another notable event involves FrostyGoop, a sophisticated ICS malware. FrostyGoop is engineered to exploit the Modbus TCP protocol, commonly used in industrial control systems, to manipulate control system operations. This malware highlights the increasing threats faced by critical infrastructure sectors. FrostyGoop allows adversaries to inject unauthorized commands, causing disruptions such as the de-energizing of substations or the malfunctioning of heating systems. For a detailed description, see FrostyGoop: The Latest ICS Malware Targeting Critical Infrastructure.

Why OT Security is More Critical Than Ever

The reasons behind the increasing need and interest for OT security can be summarized in three points:

  • Increased Connectivity
  • Worsening Threat Landscape
  • Regulations

Increased Connectivity

Many benefits, such as greater efficiency and lower costs, can be achieved with the modernization of OT, but this in turn often increases the attack surface of the environment. As the technology develops, many previously air-gapped or isolated systems become interconnected, and many of these devices were never designed for this connectivity, which makes securing them even more challenging.

Worsening Threat Landscape

The importance of adequate security measures has long been clear. The need is strengthened by the surge in global tension, which has led to increased cyber threat activity. The worldwide conflicts in Ukraine-Russia, Israel-Hamas, and the South China Sea region encourage adversaries and hacktivists to develop and use new as well as old techniques. As a consequence, threat actors enhance their cyber capabilities.

Besides this, a rise in ransomware attacks focusing on OT environments can be observed. From 2023 to 2024 an increase of 87% was reported by Dragos, showing that threat actors are extending their reach and understand the impact and cost that an interruption in OT environments, such as manufacturing, energy and other critical infrastructure, entails.

Regulations

Last but not least, there are regulations that a company must or may want to comply with. Focusing on the European area, the following can be highlighted:

  1. NIS2 Directive: Enhances cybersecurity measures and reporting obligations for various sectors. Non-compliance can lead to fines.
  2. IEC 62443 Standards: Offers cybersecurity guidelines to improve resilience and reputation, though not legally enforced.
  3. KRITIS: In Germany, mandates security measures for critical infrastructures.

This list is not exhaustive, and it is not the aim of this blog post to describe them in detail, but regulations are still an important driver for OT security.

The differences between OT and IT

An often heard statement is that OT is not IT. That is a true and very important fact. Another is that 38% of the incidents in OT environments started in IT networks, which highlights the dependency these two areas have on each other despite their differences. As stated earlier, air-gapped and isolated OT networks are more and more a relic of the past, and therefore it is all the more important to properly secure the border between IT and OT.

There are multiple differences to highlight that have to be considered when comparing “regular” IT Red Teams with those in OT. One can’t simply apply IT security concepts to OT environments. In industrial cybersecurity, the acronym AIC (Availability, Integrity, Confidentiality) is used instead of CIA because availability is the highest priority, reflecting the need to ensure continuous and reliable operation of critical systems, which differs from the IT focus on confidentiality first.

Conducting a red team assessment in an OT environment requires all the more careful planning. It’s crucial to involve all relevant asset owners, identify critical systems, and assess potential risks to prevent harm to systems, people, and the environment.

Also from a technical perspective, there are important differences. Vulnerability scanning in OT environments must be performed with extreme caution to avoid unpredictable and undesirable effects on safety, unlike IT environments where such scans are routine. Similarly, encryption in OT must consider real-time communication requirements and the limited processing power and bandwidth of legacy devices, which contrasts with most IT environments. Moreover, patching in OT often requires extensive testing and planned downtime to ensure updates do not impact critical operations, differing from the more frequent and automated processes seen in IT. Additionally, endpoint security in OT must avoid frequent internet-based updates and manage false positives carefully, with application allowlisting being particularly valuable. Finally, while firewalls and network segmentation are crucial in both OT and IT, there are still differences; for example, OT environments benefit more from using Intrusion Detection Systems (IDS) instead of Intrusion Prevention Systems (IPS) to avoid dropping important ICS traffic. For more details see the SANS ICS Cybersecurity Field Manual.
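To make the “detect, don’t drop” point concrete, and to tie it back to the Modbus TCP manipulation described for FrostyGoop above, here is an added example (not code from the original post or from NVISO) of the kind of passive check an OT IDS would run: it parses Modbus/TCP frames and raises an alert when a write function code comes from a host that is not on the engineering-workstation allowlist. The IP addresses, the allowlist and the sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Modbus function codes that change the state of a field device
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    src: str        # sender IP, supplied by the capture layer
    unit_id: int    # MBAP unit identifier
    function: int   # PDU function code
    data: bytes     # PDU payload after the function code


def parse_modbus_tcp(src: str, payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP application data unit (MBAP header + PDU)."""
    if len(payload) < 8:
        raise ValueError("truncated MBAP header")
    _tid, proto, length, unit = struct.unpack_from(">HHHB", payload, 0)
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    # The length field counts every byte after itself (unit id + PDU).
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(src, unit, payload[7], payload[8:])


def detect_unexpected_writes(packets: Iterable[Tuple[str, bytes]],
                             engineering_hosts: set) -> List[str]:
    """Passive check: flag write requests from hosts not allowed to write."""
    alerts = []
    for src, payload in packets:
        try:
            req = parse_modbus_tcp(src, payload)
        except ValueError:
            continue  # malformed or non-Modbus: an IDS only observes, never drops
        if req.function in WRITE_FUNCTIONS and src not in engineering_hosts:
            start = struct.unpack_from(">H", req.data, 0)[0] if len(req.data) >= 2 else -1
            alerts.append(f"{src} -> unit {req.unit_id}: {WRITE_FUNCTIONS[req.function]} "
                          f"at address {start}")
    return alerts


# Constructed sample traffic (documentation-range IPs, not real hosts).
ENGINEERING_HOSTS = {"192.0.2.10"}
SAMPLE_PACKETS = [
    # HMI reads 10 holding registers from address 0: normal polling
    ("192.0.2.20", struct.pack(">HHHBBHH", 1, 0, 6, 1, 0x03, 0, 10)),
    # Unknown host writes register 16: the manipulation to alert on
    ("198.51.100.5", struct.pack(">HHHBBHH", 2, 0, 6, 1, 0x06, 16, 0)),
    # Engineering workstation writes one register: allowed
    ("192.0.2.10", struct.pack(">HHHBBHHB", 3, 0, 9, 1, 0x10, 0, 1, 2) + b"\x00\x05"),
    # Truncated frame: skipped rather than crashing the monitor
    ("198.51.100.5", b"\x00\x04\x00\x00"),
]
```

Running `detect_unexpected_writes(SAMPLE_PACKETS, ENGINEERING_HOSTS)` yields a single alert for the write from 198.51.100.5; the read, the allowed write and the truncated frame produce nothing.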

How Red Team Operations can strengthen the cyber resilience of Industrial Control Systems

There are many ways an attacker can gain initial access to an OT environment. The following image provides an overview of possible attack vectors that an OT environment may face; however, this is not meant to be an exhaustive list. On the left side you can see the different network levels that correspond to the Purdue model. In the image the different attack vectors are highlighted in red.

Attack Vectors in OT
  • Infected USB: USB devices can introduce malware into OT environments, compromising critical control systems and causing potential disruptions or unauthorized access.
  • Infected Laptop: Laptops, especially those used by engineers or technicians, can spread malware to ICS networks when infected, posing risks to sensitive control systems.
  • Insecure WiFi: Attackers can exploit insecure WiFi networks in OT environments to gain unauthorized access to control systems, threatening the integrity and security of operations.
  • Insecure Remote Support: Remote support systems that lack proper security measures can serve as entry points for attackers, facilitating unauthorized access to OT systems.
  • Bad Access Rules: Poorly defined access rules for network borders can lead to unauthorized access and misuse of OT systems, increasing the risk of malicious activities and operational disruptions.
  • Insecure Internet Connection: Direct internet connections to OT networks expose them to external threats, making them vulnerable to attacks from the internet.
  • Supply Chain Attack: Supply chain attacks compromise OT environments through infected third-party vendors or software updates, potentially introducing malicious elements into critical systems.
  • Physical Attacks: OT facilities that lack proper physical perimeter protection may be attacked physically by adversaries, who may install network implants (a device or software used to maintain unauthorized access) or malware on unlocked workstations, or cause direct physical damage to the environment.

Red Team Case Stories

To better understand how Red Team operations can improve the security of OT environments, we will have a look at two case stories. We will detail the methods and techniques employed to achieve our objectives, effectively compromising the target.

Case 1: From IT to OT

This case story illustrates the challenges of securing the IT-to-OT boundary, demonstrating how attackers can leverage weaknesses in IT networks to gain access to OT systems. In this scenario we gained access to the IT network via a successful phishing campaign. From here we tried to find further information about the OT environment in knowledge bases, file shares and the environment itself, for example the company’s Active Directory. Furthermore, OSINT can be a valuable approach to gain information about the ICS deployed in a company. This reconnaissance phase can last a long time, and as an attacker you try to gather everything of value to learn more about the environment and determine a potential attack path through the company’s IT infrastructure.

To gain access to the OT environment, we needed two things:

  • Knowledge about how to access the OT environment
  • Privileges to access the OT environment

Since we started without high privileges on a workstation, a good next step was to escalate our privileges within the IT office network. During the reconnaissance phase, we did not identify many weaknesses, but we found a few readable and writable network shares. Nothing interesting could be identified on these shares, but they opened the way for an attack called File Share Poisoning.

File Share Poisoning Example Folder

For this attack, we put a malicious LNK file on a writable network share. When an employee accesses the share, Windows Explorer tries to retrieve an icon for the LNK file from an attacker-controlled directory. In Windows environments this request also contains the password hash of the employee. And indeed we could successfully capture NetNTLM hashes (a type of password hash used in Windows authentication) of multiple users. These NetNTLM hashes can then be cracked offline. And indeed we were successful in cracking the password of a workstation admin.
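The defensive counterpart to the File Share Poisoning described above is to audit writable shares for shortcut files whose icon is fetched from a UNC path outside the organization. The following is an added example (not code from the original post or from NVISO) that parses the Shell Link header far enough to read the IconLocation field and reports shortcuts pointing at hosts outside a trusted list; the trusted host names, the sample shortcut bytes and the host name evil.example are constructed placeholders.

```python
import os
import struct
from typing import List, Optional, Tuple

# Shell Link (.lnk) header constants (MS-SHLLINK)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, HAS_ICON_LOCATION)  # fixed field order

def icon_location(data: bytes) -> Optional[str]:
    """Return the IconLocation of a .lnk, or None if absent or not a shell link."""
    if len(data) < 0x4C or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip IDList: uint16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # skip LinkInfo: uint32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    if not flags & HAS_ICON_LOCATION:
        return None
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for flag in STRING_DATA_FLAGS:        # each field: uint16 char count + characters
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        text = data[pos + 2:pos + 2 + count * width].decode(codec)
        pos += 2 + count * width
        if flag == HAS_ICON_LOCATION:
            return text

def is_untrusted_unc(icon: Optional[str], trusted_hosts: set) -> bool:
    """True when the icon is fetched over UNC from a host outside the allowlist."""
    if not icon or not icon.startswith("\\\\"):
        return False
    host = icon[2:].split("\\", 1)[0].lower()
    return host not in trusted_hosts

def scan_share(root: str, trusted_hosts: set) -> List[Tuple[str, str]]:
    """Walk a mounted share and report .lnk files whose icon points to an untrusted host."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".lnk"):
                with open(path, "rb") as fh:
                    icon = icon_location(fh.read())
                if is_untrusted_unc(icon, trusted_hosts):
                    findings.append((path, icon))
    return findings

# Constructed sample: a minimal .lnk whose only StringData field is a UNC IconLocation.
SAMPLE_ICON = "\\\\evil.example\\icons\\x.ico"
SAMPLE_LNK = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_ICON_LOCATION | IS_UNICODE)
              + bytes(52) + struct.pack("<H", len(SAMPLE_ICON)) + SAMPLE_ICON.encode("utf-16-le"))
```

A local icon reference such as `%SystemRoot%\system32\shell32.dll` is not reported, and a UNC path to a host on the trusted list is also accepted, so the scan only surfaces shortcuts that reach outside the known file servers.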

That was a good start, but we still needed to find our way into the OT world, in the hope that we could access the corresponding systems. So the reconnaissance started again with the newly gained credentials. Active Directory descriptions typically provide a lot of insight into an unknown environment. In this assessment, they revealed several systems suggesting that the Siemens TIA Portal was installed on them.

Very interesting! The TIA portal is an engineering software suite developed by Siemens for configuring, programming, and maintaining automation systems. Systems that have this software deployed are very likely to also be connected to the OT world of the company.

Fortunately for the attacker, unfortunately for the company, the previously compromised credentials could be used to access one of these systems. And the assumption was right: the targeted host was part of two network segments and used as a jump host into the OT network. The following image displays the TIA Portal, showing the available devices.

Screenshot TIA Portal

With the TIA Portal multiple attacks were possible, beginning with stealing sensitive data such as PLC project files. Furthermore, the configuration of the PLCs could be modified by an attacker. This example scenario ended here. The exercise shows how important fine-grained access controls and network segregation are for OT environments.

Case 2: Physical Breach

This case story reveals how social engineering can defeat even the most secure physical barriers in OT settings. In this scenario the initial attack was via a physical breach of the facility. The physical perimeter was properly protected and monitored, featuring cameras, thermal cameras, motion sensors, fences, and secured gates, making it initially seem insurmountable. However, physical security is only as strong as its weakest link, which, in this case, was the human element.

If physical measures cannot be bypassed, social engineering can be a very strong tool for attackers. As in the previous example, everything starts with reconnaissance. Who enters the building? At what time? And for what reason? Facility services such as cleaning staff, maintenance workers and recurring delivery services are interesting targets.

This time, the cleaning staff seemed to be a good pick. We worked out at what times the staff would typically appear, so we could be first at the door. Knowing that the cleaning team was not on site yet, we could take on the role of said team. Surely, you’d expect that, although there might be some rotation, the local employees are familiar with the faces of the cleaning team. Thus, we had to come up with a story as to why there were two new faces. The story we dished up was simple: due to a flu outbreak in the company, we had been sent spontaneously to perform the job on that day, which also explained our early arrival. To make this story stick, we came prepared and bought some buckets, brooms and other cleaning equipment for a few euros.

Cleaning Staff in Office

After ringing the bell and telling our story, the doors were opened. No one approached us, no one cared who we were. This enabled us to look around the facility and search offices for keys and further information about where to find access to the operations control network. We quickly recognized that our target, the control room, was still locked behind an ID card reader and we were not able to enter.

Remember that even if the physical perimeter cannot be bypassed, the social component might still serve as an attack vector. We took our cleaning equipment and asked the next person in one of the offices, “Hey, do you know who can open this building for us? We need to clean there.” This was more of a last resort attempt, allowing us to claim that we had tried everything. To our great surprise, the response was, “Yes, of course!” This employee unknowingly helped us bypass the last layer of defense and provided access to the control room and server cabinet. This would have enabled us to install a network implant, which would have provided us with remote access to the OT network even after leaving the building. Since this was a very critical environment, we took a picture to prove our success and reported this to the customer. Later we installed our network implant with the customer’s support, to ensure no critical systems might be affected, and safely continued the test.

Server Cabinet

After that we still had to move laterally in the control network to finally reach our objective, the field devices. So, again reconnaissance. Since we were in OT now, we started to sniff passively on the network to learn which devices were communicating and were reachable on the network. We quickly learned that this was not yet the target network; the field devices seemed to be separated into a specific network segment. During our passive analysis we identified a file share in the network to which we were able to connect even without credentials. Here we could find plenty of documentation of the environment and the credentials of a highly privileged user. Equipped with this knowledge we were able to find our path to the objectives.

Lessons learned

So what can we learn from these scenarios? There are a few takeaways that we can summarize from them:

  • Enhance Email Security and User Training: Implement robust email security measures and conduct regular training to help employees recognize and avoid phishing attempts.
  • Strengthen Privilege Management: Ensure strict privilege management and monitoring to prevent unauthorized privilege escalation within the IT network.
  • Implement Network Segmentation: Ensure proper segmentation between IT and OT networks to limit potential attack paths and unauthorized access.
  • Improve Physical Security Protocols: Reinforce physical security measures and train staff to verify the identity and purpose of individuals seeking access to secure areas.
  • Secure Documentation and Shares: Protect sensitive documentation and network shares with appropriate access controls and encryption to prevent unauthorized access.
  • Conduct Continuous Monitoring: Implement continuous network monitoring to detect unusual activities and potential breaches in real time.

Follow up actions

As cyber threats continue to evolve, Operational Technology (OT) environments are finding themselves in the crosshairs of adversaries. It’s crucial for organizations to step up their security game. In our upcoming blog post, we’re diving into the nitty-gritty of evaluating the security of a Programmable Logic Controller (PLC), even while it’s running in a live production setting. Get ready to explore cutting-edge strategies for safeguarding your critical infrastructure. Stay tuned for insights that could make all the difference!

About the Author

Sarah Mader

Sarah is a Senior Consultant at NVISO, with a focus on Red Team Assessments. Complementing her cybersecurity experience, she has developed proficiency in Operational Technology (OT) assessments and continues to specialize further in this area.


Source: https://blog.nviso.eu/2025/02/28/attack-and-defense-in-ot-enhancing-cyber-resilience-in-industrial-systems-with-red-team-operations/