1 of 32

THE EVOLVING PLAYBOOK OF ICS/SCADA CYBER ATTACKS

AUSTIN TAPIA

2 of 32

WHO AM I?

Austin Tapia (Perfect.exe or vmkerne1) - IT Professional and CIT OT Systems and Network Administrator for Manufacturing

  • IT Professional: With experience across network administration, cloud security, and systems management, I have built a solid grounding in operational technology (OT) and a strong foundation in information technology (IT).
  • ICS Researcher: For the past 7 years, I have specialized in researching the security of Industrial Control Systems (ICS), focusing on identifying vulnerabilities, developing defense mechanisms, and ensuring the safety and integrity of critical infrastructure.
  • Incident Response & Security Operations: I led a corporate deskside support team in responding to security incidents, particularly in ICS and IT environments, conducting threat analysis, vulnerability management, and remediation to protect essential systems.
  • Cloud & Network Security: Extensive experience securing cloud platforms (AWS, Azure, Google Cloud) and implementing secure network architectures, including firewalls, VPNs, and various systems across IT environments.
  • Mentor & Educator: Dedicated to teaching and mentoring, guiding students and teams in IT, coding, and cybersecurity, with a particular focus on the intersection of IT and ICS security.
  • Educational Background: AAS - CIS with an emphasis in Cybersecurity (CAE-2Y) and an AGS - Associate of General Studies, with hands-on experience in IT management, cybersecurity, and industrial control system research.

DEF CON Achievements:

    • Red Team Offense Village MAY'HEM CTF 2020: 4th place out of 258 teams (Total players: 417)
    • Cyber June'Gle Virtual Summit 2020: 2nd place out of 221 teams (Total players: 753)
    • CTF Qualifiers 2020: 8th place out of 690 teams (Total players: 1,428)
    • CTF Finals 2020: 9th place out of 20 finalist teams (Total players: 175)

3 of 32

INTRODUCTION TO ICS/SCADA SYSTEMS AND OT NETWORKS

Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems manage the operation of critical infrastructure, such as energy, water, and manufacturing. They play an essential role in Operational Technology (OT) environments, where the focus is on real-time process control, system reliability, and safety.

Key ICS Components:

    • Programmable Logic Controllers (PLCs): PLCs control machinery and mechanical processes based on sensor data, such as opening valves or adjusting temperature ​(NIST Computer Security Resource Center).
    • Remote Terminal Units (RTUs): RTUs collect data from remote sensors and transmit it back to the central SCADA system​ (Fortinet).
    • Human-Machine Interface (HMI): Operators use HMIs to interact with systems in real-time, issuing commands and receiving status updates from connected devices​ (NIST Computer Security Resource Center).

4 of 32

EXTENDED OVERVIEW OF ICS/SCADA

5 of 32

PLCS

PROGRAMMABLE LOGIC CONTROLLERS

6 of 32

PROGRAMMING LADDER LOGIC

Definition:

A graphical programming language for Programmable Logic Controllers (PLCs), mimicking relay logic diagrams. Common in automating industrial processes.

Structure:

Two vertical power rails with horizontal rungs between them. Each rung is read left to right (input conditions first, the output coil last), and the PLC solves the rungs top to bottom on every scan cycle, so later rungs see the coils set by earlier ones.

Key Boolean Logic Operations

AND: All conditions must be true for the output to be true.

Example: Both sensors must be active for the machine to start.

OR: Any one condition being true results in the output being true.

Example: Either button press starts the conveyor.

NOT: Inverts the input signal.

Example: A light turns off when a switch is pressed.

Ladder Logic Overview

Example of a basic program

7 of 32

PROGRAMMING LADDER LOGIC CONTINUED

    • XIC (Examine if Closed)
      • True when the contact is closed.
    • XIO (Examine if Open)
      • True when the contact is open.

Ladder Logic Overview
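A small rung evaluator makes the XIC/XIO, series (AND) and parallel (OR) rules above concrete, and shows why a tampered program download matters: swapping one contact type inverts a safety interlock. This is an added example, not code from the deck; the tag names (Start_PB, Stop_PB, Guard_Closed, Temp_OK) and the start/stop seal-in program are constructed for illustration.

```python
"""Minimal ladder-logic rung evaluator: XIC/XIO contacts, series (AND) and
parallel (OR) branches, output coils, a scan loop, and a program fingerprint.
Added example; tag names and the program below are assumptions, not from
the slides."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class XIC:
    """Examine If Closed: passes power when the tag's bit is 1."""
    tag: str

    def eval(self, bits):
        return bool(bits.get(self.tag, 0))


@dataclass(frozen=True)
class XIO:
    """Examine If Open: passes power when the tag's bit is 0 (the NOT of XIC)."""
    tag: str

    def eval(self, bits):
        return not bits.get(self.tag, 0)


@dataclass(frozen=True)
class Series:
    """Contacts in series on one rung: every one must pass power (AND)."""
    elems: tuple

    def eval(self, bits):
        return all(e.eval(bits) for e in self.elems)


@dataclass(frozen=True)
class Parallel:
    """Branches in parallel: any one passing power energises the rung (OR)."""
    branches: tuple

    def eval(self, bits):
        return any(b.eval(bits) for b in self.branches)


@dataclass(frozen=True)
class Rung:
    logic: object   # XIC / XIO / Series / Parallel
    coil: str       # OTE: the output bit this rung energises


# Constructed program: a start/stop seal-in latch, an interlocked conveyor and
# an alarm lamp. Stop_PB is modelled as 1 = pressed, so the stop contact is XIO;
# real stop buttons are usually wired normally-closed and programmed as XIC,
# which is exactly why a single XIC<->XIO swap in a downloaded program is dangerous.
PROGRAM = (
    # Rung 0: (Start_PB OR Motor) AND NOT Stop_PB -> Motor    (seal-in latch)
    Rung(Series((Parallel((XIC("Start_PB"), XIC("Motor"))), XIO("Stop_PB"))), "Motor"),
    # Rung 1: Motor AND Guard_Closed AND Temp_OK -> Conveyor  (AND interlock)
    Rung(Series((XIC("Motor"), XIC("Guard_Closed"), XIC("Temp_OK"))), "Conveyor"),
    # Rung 2: NOT Guard_Closed -> Alarm_Lamp                   (NOT)
    Rung(XIO("Guard_Closed"), "Alarm_Lamp"),
)


def scan(program, bits):
    """One PLC scan: solve rungs top to bottom, writing each coil as it is
    solved so later rungs see the new value, as a real scan cycle does."""
    state = dict(bits)
    for rung in program:
        state[rung.coil] = int(rung.logic.eval(state))
    return state


def run(program, inputs_per_scan, initial=None):
    """Feed a sequence of input snapshots through successive scans. Coils
    persist between scans; that persistence is what makes the seal-in hold."""
    state = dict(initial or {})
    history = []
    for inputs in inputs_per_scan:
        state.update(inputs)
        state = scan(program, state)
        history.append(dict(state))
    return history


def program_fingerprint(program):
    """Stable hash of the logic. Comparing it with a known-good value is the
    integrity check that catches a modified program after a download."""
    return hashlib.sha256(repr(program).encode()).hexdigest()


if __name__ == "__main__":
    steps = [
        {"Start_PB": 1, "Stop_PB": 0, "Guard_Closed": 1, "Temp_OK": 1},
        {"Start_PB": 0},                     # release start: latch holds
        {"Guard_Closed": 0},                 # guard opened: conveyor stops, lamp on
        {"Guard_Closed": 1, "Stop_PB": 1},   # stop pressed: motor drops out
    ]
    for s in run(PROGRAM, steps):
        print({k: s[k] for k in ("Motor", "Conveyor", "Alarm_Lamp")})
    print(program_fingerprint(PROGRAM))
```

Running the four scans prints Motor 1,1,1,0, Conveyor 1,1,0,0 and Alarm_Lamp 0,0,1,0. Replace the XIO("Stop_PB") contact with XIC("Stop_PB") and the motor starts with the stop button held; the fingerprint changes too, which is the only thing an operator watching the HMI would not see.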

8 of 32

PROGRAMMING EXAMPLES FOR REFERENCE

9 of 32

LADDER LOGIC VS. LOGIC GATES: A SHARED FOUNDATION IN BOOLEAN LOGIC

Ladder logic is a programming language used to create software for programmable logic controllers (PLCs), while logic gates are electronic components that perform basic logical operations in digital circuits.

Both systems use Boolean logic to process inputs and produce outputs based on operations like AND, OR, and NOT. Ladder logic is primarily used in industrial automation to control systems, whereas logic gates are fundamental to the design of digital circuits in electronics. While they share foundational principles, their applications and implementation methods are distinct.

Thus, they are similar but not identical.

10 of 32

OVERVIEW OF THE HARDWARE OF A PLC

PLC Hardware

PLC Pinouts (Example)

11 of 32

RTUS

Remote terminal units

12 of 32

REMOTE TERMINAL UNITS (RTUS)

Remote Terminal Units (RTUs) are integral components of Supervisory Control and Data Acquisition (SCADA) systems, designed for remote monitoring and control of industrial processes spread across vast geographical areas. RTUs act as a bridge between field devices such as sensors, actuators, and other equipment and the central control system, enabling real-time data collection and control. They are widely used in industries like energy, oil and gas, and water treatment, where equipment and infrastructure are often distributed over large distances.

The main functions of an RTU include data acquisition, remote control, and alarm management. RTUs collect information from various sensors, such as temperature, pressure, and flow rate, and transmit this data back to the central SCADA system. Additionally, RTUs can execute commands from the control system, such as opening or closing valves or starting and stopping pumps. RTUs also manage alarms, notifying operators when certain thresholds are exceeded or when equipment malfunctions, allowing for proactive response.

Although similar to Programmable Logic Controllers (PLCs), RTUs are specifically designed for remote locations and are optimized for long-distance communication and lower power consumption. While PLCs are better suited for local, real-time control, RTUs excel in environments where devices need to be monitored and controlled over long distances with minimal human intervention. This makes RTUs essential for managing distributed infrastructure like pipelines, power grids, and water treatment facilities.

13 of 32

REMOTE TERMINAL UNITS (RTUS)

14 of 32

HMI

Human machine interface

15 of 32

HUMAN MACHINE INTERFACE

A Human-Machine Interface (HMI) is a critical component in industrial automation systems, serving as the interface between humans and machines. HMIs provide operators with a visual representation of the machinery and processes controlled by Programmable Logic Controllers (PLCs) or other control systems. They allow users to monitor real-time data, input commands, and visualize alarms or system statuses through graphical displays like touch screens or computer panels. Operators can control processes, change settings, and view trends directly through the HMI, improving operational efficiency and providing insights into system performance.

HMIs also enhance troubleshooting by showing system alerts and diagnostics, helping operators quickly identify and resolve issues without the need for specialized programming knowledge. These interfaces are used across various industries, including manufacturing, energy, and utilities, where they play a vital role in ensuring smooth and safe operation of automated systems. By providing a bridge between technology and human control, HMIs help to improve productivity and reduce the complexity of managing industrial processes.

16 of 32

HUMAN MACHINE INTERFACES

17 of 32

SEGREGATION OF OT AND IT NETWORKS

The biggest challenge

18 of 32

LEGACY PLCS: BALANCING RELIABILITY AND SECURITY IN THE AGE OF INDUSTRY 4.0

Legacy systems like older PLCs and SCADA components were designed with simplicity and reliability in mind, focusing on ease of programming, not cybersecurity. Ladder logic was developed to be intuitive, allowing technicians to program industrial systems without needing deep programming expertise.

However, these systems lack modern security features such as encryption and authentication. They were built for isolated networks and were never meant to face today's cyber threats. In Industry 4.0, where controllers are increasingly connected, that simplicity becomes a vulnerability: a protocol such as Modbus accepts a read or write from any host that can reach the controller, so an attacker who gets onto the OT network needs no credentials and no exploit to change process state.

Despite these risks, older PLCs remain essential due to their proven reliability and cost-effectiveness. Replacing them entirely would not only be expensive but also disruptive, especially when many run custom ladder logic designed for specific processes.

Instead of complete replacements, plants are adopting incremental security upgrades such as network isolation, firewalls, and VPNs to protect these systems while maintaining their core functionality. With proper safeguards in place, these reliable legacy systems can continue to serve effectively in today’s interconnected industrial landscape.

On the separation of IT and OT systems, the ICS security firm Dragos notes that while collaboration between IT and OT teams is crucial, maintaining segregation between the two environments is equally important to minimize risk. (Bridging the IT and OT Cybersecurity Divide | Dragos)

OT (Operational Technology) systems were traditionally isolated for safety and reliability, and they rank their priorities as availability and safety first, then integrity, then confidentiality. IT (Information Technology) systems manage data and information flow and put confidentiality first. Controls that are routine in IT (patch reboots, active vulnerability scanning, agent-based antivirus) can therefore be disruptive or unsafe in OT, which is why the two environments need different change and risk processes even when the same team runs both.

19 of 32

WHY DO PLANTS STILL USE OLDER PLCS?

  • Critical Operations: Many plants rely on legacy PLCs that control essential processes in industries like power, oil, and manufacturing. These systems have been in place for decades and are known for their reliability and longevity.
  • Downtime Risks: Stopping operations to replace or upgrade PLCs can result in costly downtime (millions of dollars per day) or even safety risks, especially in industries like nuclear power or chemical processing. These systems handle continuous operations, where downtime isn’t an option.
  • Customized Systems: Legacy PLCs often run custom ladder logic programs, specifically designed for the plant's processes. Replacing them requires not just new hardware, but re-engineering complex software, which is time-consuming and risky.

Key Takeaway: Despite their age, legacy PLCs remain indispensable due to their reliability, the high cost of replacement, and the complexity of re-engineering existing custom control logic.

20 of 32

SHOULD WE CONTINUE TO USE THE PURDUE MODEL? NO AND YES.

21 of 32

WHAT SHOULD WE DO?

With the creator of the Purdue Model for industrial control systems (ICS) having acknowledged its limitations against modern cybersecurity challenges, many in the industry have begun looking for alternative or enhanced approaches. The Purdue Model, which organizes an ICS environment into distinct levels from field devices (Level 0) through basic control, supervisory control and site operations up to enterprise IT (Levels 4 and 5), was never designed for IT/OT convergence, cloud computing, or the Industrial Internet of Things (IIoT). Modern threats, such as lateral movement and advanced cyberattacks, demand more sophisticated security measures than the original model provides.

A recommended enhancement to the Purdue Model is a Level 3.5 Industrial Demilitarized Zone (iDMZ) between site operations (Level 3) and the enterprise network (Level 4). The iDMZ is a buffer in which brokers live, such as patch and antivirus relay servers, jump hosts for remote access, historian replicas and, where one-way flows suffice, data diodes, so that data can move between IT and OT without any session originating in IT and terminating on a controller. Additionally, many experts suggest integrating Zero Trust principles, where every interaction within the network is authenticated, authorized and monitored rather than trusted because of where it comes from. Together these provide stronger network boundaries and real-time defense against unauthorized access.

In conclusion, while the Purdue Model still serves as a foundational framework, incorporating modern strategies like iDMZ and Zero Trust ensures a more secure ICS environment in the age of Industry 4.0 and increasing connectivity.

22 of 32

ROBUST SECURITY: DEFENSE IN DEPTH (DID)

Defense in Depth is a critical cybersecurity strategy in industrial control systems (ICS) and SCADA networks, designed to provide multiple layers of protection against cyber threats. In the context of industrial automation, defense in depth involves implementing overlapping security measures across different layers of the network, from field devices through control systems to enterprise IT. This layered approach includes perimeter security, such as firewalls and network segmentation, to control traffic between IT and OT systems. It also incorporates endpoint protection for devices like PLCs and RTUs: secure firmware, strong authentication, and restricted access where the device supports them, and, for legacy controllers that cannot run an agent or authenticate clients, compensating controls such as the physical key switch left in RUN mode and strict limits on which hosts may reach the controller's protocol ports. Additionally, Intrusion Detection Systems (IDS) are deployed to monitor network traffic, ideally passively via a SPAN port or tap so they cannot disturb the process, and identify potential threats in real time.

The goal of defense in depth is to create redundancy in security. Even if one layer is breached, other layers continue to safeguard the system, delaying and complicating the attacker's progress. This approach provides critical time to detect, respond, and mitigate attacks, ensuring that the availability, integrity, and security of industrial systems are maintained. As Industry 4.0 increases the convergence of IT and OT systems, this strategy becomes essential for protecting modern industrial infrastructures.

23 of 32

REAL-WORLD CYBER THREATS TO ICS/SCADA: CASE STUDIES

Analyzing High-Profile Attacks and Their Impact on Critical Infrastructure

24 of 32

INDUSTROYER (CRASHOVERRIDE)

Industroyer (CrashOverride): Used in the December 2016 attack on a transmission substation serving Kyiv, Ukraine, this malware spoke industrial communication protocols directly (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA) to open circuit breakers remotely, causing a blackout (MITRE ATT&CK).

  • MITRE ATT&CK Techniques:
    • T0802 (Automated Collection): Industroyer gathers protocol data to understand the target environment.
    • T0816 (Device Restart/Shut Down): It can restart or shut down devices, leading to blackouts.
    • T0809 (Data Destruction): Overwrites ICS configuration files to prevent system recovery​ (MITRE ATT&CK).

25 of 32

TRITON (TRISIS)

Triton (TRISIS): Targeted Schneider Electric Triconex Safety Instrumented Systems (SIS) at a petrochemical plant in 2017, attempting to reprogram the safety controllers so that they could no longer bring the process to a safe state, which would allow hazardous operating conditions (MITRE ATT&CK).

  • MITRE ATT&CK Techniques:
    • T0890 (Exploitation for Privilege Escalation): Triton exploited a vulnerability in the Triconex controller firmware to gain elevated privileges on the controller itself, rather than relying on the engineering workstation alone.
    • T0843 (Program Download): It downloaded its implant and malicious logic into the SIS controllers, compromising the safety functions. The intrusion was discovered because a faulty payload tripped the controllers into a fail-safe shutdown, a reminder that unexplained safety trips deserve forensic attention​ (MITRE ATT&CK).

26 of 32

INCONTROLLER (PIPEDREAM)

INCONTROLLER (PIPEDREAM): A scalable and cross-industry ICS malware discovered in 2022, capable of targeting Schneider Electric and Omron PLCs​(MITRE ATT&CK).

  • MITRE ATT&CK Techniques:
    • T0843 (Program Download) and T0845 (Program Upload): INCONTROLLER can download control logic to, and upload it from, Schneider Electric PLCs over the CODESYS protocol, and interact with Omron PLCs over FINS, using the protocols' legitimate functions rather than a bug in them.
    • T0890 (Exploitation for Privilege Escalation): On the Windows hosts it runs from, it exploits a known-vulnerable ASRock motherboard driver (AsrDrv103.sys, CVE-2020-15368) to execute code in the kernel and load its own driver​ (MITRE ATT&CK).

27 of 32

LESSONS LEARNED: DEFENSIVE STRATEGIES USING MITRE ATT&CK INSIGHTS

CrashOverride (Industroyer)

  • Remediation:
    • Network Segmentation (ATT&CK for ICS mitigation M0930): Isolate the networks that manage critical infrastructure such as substations and power grids. Implement strong boundary defenses between IT and OT, and verify them: a rule that allows the protocol Industroyer spoke (IEC 104 on TCP/2404, for example) from anywhere but the designated control servers defeats the segmentation on paper.
    • Incident Response Plan: Develop incident response procedures that specifically address ICS attack scenarios such as the one used in Ukraine's blackout, including manual operating modes and predefined recovery actions for devices like circuit breakers and switches that could be remotely manipulated. Ukraine recovered by switching to manual operation; a plan should assume the HMI and control servers may be unusable.
  • Lesson Learned: CrashOverride used ICS protocols as designed to open breakers, so the protocols themselves could not stop it. Stronger network segmentation, monitoring of protocol commands from unexpected sources, and rehearsed incident planning would reduce such risks.

Triton/Trisis

  • Remediation:
    • Strong Authentication (M0932 Multi-factor Authentication, M0927 Password Policies): Use multi-factor authentication for all remote access to the engineering workstations that program Safety Instrumented Systems (SIS) such as the Triconex controllers Triton abused, since the controllers themselves cannot challenge a client. Replace default credentials with strong, unique passwords across all critical devices​ (XONA Systems)​ (Industrial Cyber).
    • Device Integrity Monitoring: Keep the Triconex key switch in RUN rather than PROGRAM except during authorized changes, and continuously monitor the configuration and behavior of safety systems to detect unauthorized changes that might signal an attacker manipulating safety functions. This can include regular integrity checks of the loaded program against a known-good baseline and anomaly detection on traffic to the SIS network​ (Industrial Cyber).
  • Lesson Learned: Triton specifically targeted SIS, a system critical for safety. Strong authentication and real-time monitoring could prevent or detect manipulation of these systems earlier.

Pipedream (Incontroller)

  • Remediation:
    • Application Whitelisting (M0938 Execution Prevention): Implement strict allow-listing on the Windows engineering workstations and HMIs that Pipedream's tools run from, so that only approved software can execute; PLC firmware cannot run an allow-listing agent, so on the controller side the equivalents are the key switch in RUN mode and limiting which hosts may reach the CODESYS, FINS and Modbus ports​ (XONA Systems)​ (Industrial Cyber).
    • Firmware Updates and Audits (M0951 Update Software, M0947 Audit): Regularly audit and update PLCs and their engineering software, especially devices speaking Omron's FINS, Modbus, and CODESYS. Note that Pipedream mostly abuses legitimate protocol functions rather than bugs, so patching alone does not stop it; audits should confirm that only the expected engineering hosts can talk to those ports and that the loaded programs match the approved versions​ (Industrial Cyber).
  • Lesson Learned: Pipedream's ability to manipulate several PLC protocols and the Windows hosts that speak them highlights the importance of maintaining strict control over device configurations, restricting protocol access to known engineering hosts, and ensuring that only authorized software is executed.

28 of 32

ATTACK VECTORS IN ICS/SCADA SYSTEMS

Key attack vectors for ICS/SCADA systems include:

  • Remote Access Exploits: Exploits insecure VPNs, weak authentication protocols, or misconfigured remote access points to gain unauthorized entry into the system.
  • Supply Chain Attacks: Attackers inject malware, such as NotPetya, through compromised third-party software or hardware suppliers, impacting the ICS environment.
  • Default Credentials: Many ICS devices still operate with default usernames and passwords, making them vulnerable to brute-force attacks.
  • Insider Threats: Malicious insiders or compromised personnel can misuse their legitimate access to disrupt operations or steal sensitive data.
  • Vulnerable Legacy Systems: Older systems often run on outdated software or hardware with little to no security, exposing them to known vulnerabilities.
  • Weak Network Segmentation: Poorly segmented networks allow attackers to move laterally from less secure IT environments into critical OT systems.
  • Phishing and Social Engineering: Attackers target employees with deceptive emails or impersonations, tricking them into providing access credentials.
  • Insecure Protocols: ICS systems often use communication protocols that lack encryption or authentication, such as Modbus, which has no authentication at all, or DNP3, whose Secure Authentication extension is rarely deployed. Any host that can reach the port can issue commands.
  • Denial-of-Service (DoS) Attacks: Attackers can overwhelm systems or networks with traffic, causing disruptions or downtime in critical operations.
  • Third-Party Vendor Risks: Unauthorized access via vendor-supplied systems or services that are not adequately secured.
  • Ransomware: Ransomware attacks can lock operators out of control systems, disrupt industrial processes, and demand payment to restore functionality.

29 of 32

UKRAINIAN POWER GRID ATTACK, DECEMBER 2015 (BLACKENERGY 3 MALWARE) - APT44 / SANDWORM

30 of 32

MODBUS TCP PACKET INJECTION WITH SCAPY (RODRIGO CANTERA)
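The injection demo this slide refers to works because Modbus/TCP has no authentication: a write request is a handful of bytes that any host reaching TCP/502 can send. The block below is an added example, not Rodrigo Cantera's tool and not code from the deck. It uses only the standard library (struct rather than Scapy) so it runs offline, builds the same kind of "force coil" frame an injection tool sends, parses Modbus/TCP application data units, and shows the passive detection an OT IDS performs: flag write function codes from hosts outside an allow-list. The IP addresses, unit id and coil numbers are constructed; the ALLOWED_WRITERS set is an assumed site-specific configuration.

```python
"""Modbus/TCP frame builder, parser and write-audit. Added example in plain
Python (struct only, no Scapy); addresses and coil numbers are constructed."""
import struct

PROTOCOL_ID_MODBUS = 0
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_COILS = 0x0F
FC_WRITE_MULTIPLE_REGISTERS = 0x10
# Function codes that change process state; these are what an injection attack sends.
WRITE_FUNCTIONS = {FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER,
                   FC_WRITE_MULTIPLE_COILS, FC_WRITE_MULTIPLE_REGISTERS}


def mbap(transaction_id, unit_id, pdu):
    """MBAP header: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id."""
    return struct.pack(">HHHB", transaction_id, PROTOCOL_ID_MODBUS, len(pdu) + 1, unit_id) + pdu


def build_write_single_coil(transaction_id, unit_id, coil, on):
    """FC 0x05: coil value is 0xFF00 for ON and 0x0000 for OFF. No credentials,
    no session, no signature: any host that can reach TCP/502 can send this."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, coil, 0xFF00 if on else 0x0000)
    return mbap(transaction_id, unit_id, pdu)


def build_read_holding_registers(transaction_id, unit_id, start, count):
    """FC 0x03: the routine poll an HMI sends every few hundred milliseconds."""
    return mbap(transaction_id, unit_id, struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start, count))


def parse_modbus_tcp(frame):
    """Decode MBAP + PDU; raise ValueError for anything that is not a well-formed Modbus/TCP ADU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != PROTOCOL_ID_MODBUS:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    msg = {"transaction_id": tid, "unit_id": uid, "function": frame[7], "data": frame[8:]}
    # Single-write requests carry a 16-bit address and a 16-bit value.
    if msg["function"] in (FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER) and len(msg["data"]) == 4:
        msg["address"], msg["value"] = struct.unpack(">HH", msg["data"])
    return msg


def audit_writes(packets, allowed_writers):
    """packets: iterable of (src_ip, dst_ip, tcp_payload). Flag every write function
    code from a host outside the allow-list. Because the protocol cannot authenticate
    the sender, this passive network check is the compensating control."""
    alerts = []
    for src, dst, payload in packets:
        try:
            msg = parse_modbus_tcp(payload)
        except ValueError:
            continue  # not Modbus or malformed: out of scope for this check
        if msg["function"] in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append({"src": src, "dst": dst, "unit_id": msg["unit_id"],
                           "function": msg["function"],
                           "address": msg.get("address"), "value": msg.get("value")})
    return alerts


# Constructed traffic: an HMI polling a PLC, then a rogue laptop forcing coil 3 ON.
HMI, PLC, ROGUE = "10.0.1.10", "10.0.2.5", "10.0.1.200"
ALLOWED_WRITERS = {HMI}   # assumed site configuration: only the HMI may write
SAMPLE_PACKETS = [
    (HMI, PLC, build_read_holding_registers(1, 1, 0, 10)),
    (HMI, PLC, build_write_single_coil(2, 1, 7, False)),   # operator action from the HMI
    (ROGUE, PLC, build_write_single_coil(1, 1, 3, True)),  # injected frame
    (ROGUE, PLC, b"GET / HTTP/1.0\r\n"),                    # not Modbus, ignored
]

if __name__ == "__main__":
    for a in audit_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print("ALERT write FC 0x%02x from %s to %s unit %d addr %s value 0x%04x"
              % (a["function"], a["src"], a["dst"], a["unit_id"], a["address"], a["value"]))
```

The PLC would accept the rogue frame exactly as it accepts the HMI's; the only difference visible on the wire is the source address, which is why a Modbus-aware IDS keys on function code plus source rather than on the payload. The same allow-list logic applies to DNP3, CODESYS and FINS writes, with the parser swapped out.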

31 of 32

SHODAN - PUBLICLY ACCESSIBLE DEVICES BROADCASTING TO THE WORLD

32 of 32

QUESTIONS?