10 Most Common OT Attack Vectors

An attack vector is the method or path that an attacker uses to access the active target of the attack, that is, the steps that the attacker follows to materialise the threat, it is known that each attacker follows his own “strategy” to be able to consummate Its objective, however, can be recognizsd some activities of a general nature that they may be carrying out.

Usually, attack vectors are placed within intentional threats since they have a human origin and also require some planning actions.

The actors commonly intervening can be identified into 6 large groups, such as:

  • Disgruntled employees
  • Individuals / Small groups / Hacktivists
  • Competitors
  • Cyber-criminal Groups
  • Terrorists
  • Intelligence Services / Governments

Attack vectors are often materialised directly or indirectly through the use or creation of code or specific software like malware, scripts, shell sessions, etc. The main attack vectors for Critical Infrastructures, also including industrial control systems, can be mapped into:

1. Disgruntled Insider

The most critical threats often come from within an organisation. This is especially true in ICS environments where employees have access to plant controls and deep knowledge of operational processes. The Oldsmar water treatment plant attack is an example of what is widely considered to have been a breach conducted by an employee. This attack is considered to be an inside job because the hacker(s) used a legitimate company TeamViewer account, combined with apparent knowledge of the company’s human-machine interface.

2. Ransomware Groups

Ransomware is commonly introduced to an ICS network in one of three ways: a phishing attack that targets employees; compromising an industry website that users may frequently download from; or by targeting VPN portals or other externally exposed IT infrastructure.

The best way to protect against a ransomware attack is to employ security best practices, including vulnerability management. Attackers often scan the internet for targets rather than identifying a specific target and evaluating its network space. Therefore, network administrators need to be aware of vulnerabilities in externally exposed systems such as VPN portals and mail gateways.

3. Phishing

This is a well-known traditional vector attack. Phishing could be defined as the social engineering technique that aims to take over some relevant or sensitive information supplanting the identity of a person or organisation of trust for the individual to attack. The interest it pursues can be very diverse, from getting information on a project or prototype to credentials of system administrators or process engineers, including OT equipment details. Usually, Phishing is the entrance door of malware.

4. Malware

The malware, in any of its flavours (Trojans, worms, rootkits, etc.), can have a range of different purposes, from denial of service, pivoting, escalation of privileges, sabotage, to a very long etcetera. Obviously the results may be equally diverse; for example, the flooding of the network with broadcast traffic, the capture of traffic or activity of the equipment, the scan of host and services, change of parameters and configurations, etc. In turn, this information can be sent to a “Comand and Control, C & C” for its exploitation and to carry out different options. These communications are often encrypted under protocols and services normally open according to environments such as TCP 80, 8080, 443, 21 or UDP 53, 123, among other possible. The wide spread examples in CIs are the well-known malwares Stuxnet and Duqu, but we can also remark others like Havex , BlackEnergy 2, Conficker , Night Dragon among other related with CIs and Industrial Control Systems (ICS).

5. Unpatched Vulnerabilities

Exploiting some vulnerability, taking advantage of a “bug” or validation error of an application or operating system, an attacker could either carry out tasks is not authorised to do or inherit the permissions of another user.

6. Supply Chain Attack

A sophisticated attacker compromises the IT network of an enterprise with a heavily-defended industrial site. The attacker steals information about which vendors supply the industrial site with servers and workstations, as well as which vendors routinely ship that equipment to the site. The attacker then develops a relationship with the delivery drivers in the logistics organisation, routinely paying the driver modest sums of money to take 2-hour lunch breaks, instead of 1-hour breaks.

When IT intelligence indicates that a new shipment of computers is on its way to the industrial site, the agency uses the 2-hour window to break into the delivery van, open the packages destined to the industrial site, insert wirelessly-accessible single-board computers into the new equipment, and then re-package the new equipment so that the tampering is undetectable. Some time after IT records show that the equipment is in production, the attackers access their embedded computers wirelessly, to manipulate the physical process.

7. Code Injection

Code injection consists in taking advantage of those programming bugs present in the applications or operating systems to carry out different types of actions. Some of them can be the collection of information, the denial of service, introducing a file less malware, the opening of a session against a specific device. Nevertheless, depending on the injected code and the vulnerability, the results can be many others.

Example of code injection is SQL injection. SQL Injection is a method of infiltration of intruder code that uses system vulnerability present in an application at the level of validation of the inputs to perform unexpected operations on a database.

Another well-known attack based on code injection is Cross Site scripting (XSS). XSS is a malicious code injection attack for later execution that can be performed on websites, local applications and even the browser itself.

It happens when a malicious user sends malicious code to the web application and places it in the form of a hyperlink to take the user to another website, instant messaging or an email. Likewise, it can cause a denial of service (Dos).

8. DoS – Denial of service

Although it has been already mentioned before, a denial of service consists in preventing a system from offering a specific service for which it is intended to. As the main driver for a DoS to happen we may highlight both weaknesses that may affect applications that provide this service, and other related to communications. An example related to the first case, may refer to how an application can be “blocked” under certain conditions of processing. An example related to the second case may refer to a field device that cannot process several simultaneous communications since there are no hardware resources enough and therefore can be blocked. The latter can be very common when Security Analyst launch certain vulnerability scans on field devices. When the DoS is coordinated by an attacker and performed from several sources it is known as DDoS (Distributed Denial of Service).

9. Social Engineering

Basically it could be summarised as the technique aimed at obtaining information from an individual and also getting her/him to do what she/he would not do otherwise. As Kevin Mitnick says it is based on 4 basic principles:

  • We all want to help.
  • The first movement is always trusting towards the other.
  • We do not like to say “No”.
  • We all like to be praised.

Many times the techniques used by attacker starts with a fake technical problem asking for help or advice to some Technical Service, for example by phone. The staff, naively, and always trying to help customers very often reveals sensitive data or give clues about the organisation.

10. APT (Advance Persistent Threat)

The term APT, which stands for Advanced Persistent Treatments, refers to a computer threat that consists of a coordinated attack between several malicious programs controlled by hackers directed against a company or organisation They are called advanced by the existing coordination and the use of very sophisticated techniques to penetrate the computer systems of the victim using vulnerabilities and backdoors of the operating systems.