Comment on page
OT
OT (Operational Technology) security structure is a set of security measures and best practices designed to protect critical infrastructure and industrial control systems (ICS) that manage and monitor physical processes such as manufacturing, transportation, and energy distribution. The security structure includes several layers of security controls and policies that work together to protect OT systems from cyber threats.
Here are some key elements of an effective OT security structure:
- 1.Network Segmentation: The OT network should be segmented into different zones with varying levels of security controls. Each zone should have its own security policies and access controls.
- 2.Access Controls: Access to OT systems and devices should be limited to authorized personnel only. Strong authentication methods such as two-factor authentication should be used.
- 3.Endpoint Protection: All endpoints such as industrial controllers, sensors, and other devices should be secured with endpoint protection software, which can detect and prevent malware and unauthorized access.
- 4.Vulnerability Management: Regular vulnerability assessments and patching should be done to identify and fix vulnerabilities in OT systems and devices.
- 5.Incident Response: A well-defined incident response plan should be in place to respond to security incidents and minimize the impact of a breach.
- 6.Training and Awareness: Regular training and awareness programs should be conducted for employees and contractors to raise awareness of security risks and best practices.
- 7.Compliance: Compliance with industry-specific regulations and standards such as NIST SP 800-82 and IEC 62443 should be maintained to ensure the security of OT systems.
Critical infrastructure in OT (Operational Technology) refers to systems and assets that are essential for the functioning of a society, such as power grids, transportation systems, water treatment plants, and industrial control systems (ICS) used in manufacturing and energy production. These include:
- 1.Power Grids: Electric power generation and distribution systems, including power plants, transmission lines, and transformers.
- 2.Water Treatment Facilities: Water purification and distribution systems, including water treatment plants, reservoirs, and pumping stations.
- 3.Oil and Gas Pipelines: Oil and gas pipelines that transport crude oil, natural gas, and refined petroleum products from production sites to refineries and distribution centers.
- 4.Transportation Systems: Transportation systems, including airports, seaports, and rail systems that transport people and goods.
- 5.Industrial Control Systems: Industrial control systems that control the operations of manufacturing plants and energy production facilities, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLC).
- 6.Communication Networks: Communication networks, including telephone networks, cellular networks, and internet service providers (ISP), which are essential for communication and data transmission.
- 7.Financial Systems: Financial systems, including banks, stock exchanges, and payment processing systems, which are essential for financial transactions and economic stability.
- 8.Emergency Services: Emergency services, including fire departments, police departments, and hospitals, which are essential for public safety and well-being.
- 9.Government Services: Government services, including government buildings, military installations, and intelligence agencies, which are essential for national security and government operations.
OT attacks on critical infrastructure can have severe consequences, including disruption of essential services, property damage, loss of life, and financial loss. Here are some examples of OT attacks on critical infrastructure:
- 1.Stuxnet: Stuxnet is a worm that was discovered in 2010 and is believed to be the first example of malware specifically designed to target industrial control systems. It targeted the nuclear program of Iran and was able to cause physical damage to centrifuges by exploiting vulnerabilities in the Siemens PLCs.
- 2.Ukraine power outage: In 2015 and 2016, Ukrainian power grids were targeted in a series of cyberattacks that resulted in a widespread power outage. The attackers were able to gain access to the ICS and cause physical damage to the equipment, resulting in the loss of power for hundreds of thousands of people.
- 3.Triton: Triton is a malware that was discovered in 2017 and is designed to target safety systems in industrial control systems. It was used in an attack on a Saudi Arabian petrochemical plant, and its purpose was to cause physical damage to the plant by disabling its safety systems.
- 4.Colonial Pipeline: In May 2021, a ransomware attack on the Colonial Pipeline, which supplies fuel to the eastern United States, resulted in a temporary shutdown of the pipeline. This caused a disruption in fuel supply and resulted in panic buying and long lines at gas stations.
Based On Shamikkumar Dave Source
Sr no. | Protocol | Description | Port | Number Encryption | Security Vulnerabilities | Typical Use Cases | Vendors Using It | Text |
|---|---|---|---|---|---|---|---|---|
1 | Modbus | A serial communication protocol widely used in industrial automation. | TCP: 502 | UDP: N/A | Not Available (Plain Text) | Lack of authentication, susceptible to eavesdropping | SCADA systems, industrial control and monitoring | Schneider Electric, Siemens, ABB |
2 | DNP3 | A robust and secure protocol for communication in electric power systems. | TCP: 20000-20005 | UDP: N/A | Secure Authentication | Vulnerable to man-in-the-middle attacks, lack of key management | Electric power systems, water/wastewater management | General Electric, Siemens, ABB |
3 | OPC | A standard for interoperability between industrial automation systems. | TCP: 135 | UDP: N/A | TLS encryption | Vulnerable to unauthorized access, lack of data integrity | Industrial automation, device and software integration | Rockwell Automation, Honeywell, Yokogawa |
4 | EtherNet/IP | An industrial Ethernet protocol for real-time control and data exchange. | TCP: 44818 | UDP: 2222 | IPsec encryption (Achieved through IPsec implementation) | Potential vulnerabilities in authentication and encryption | Integration of control systems, safety devices, data exchange | Rockwell Automation, Schneider Electric |
5 | Profinet | A communication protocol for real-time data exchange in industrial automation. | TCP: 34962 | UDP: 161 | IPsec encryption (Achieved through IPsec implementation) | Vulnerabilities in access control, authentication mechanisms | Manufacturing, process control applications | Siemens, Phoenix Contact, B&R Automation |
6 | IEC 60870-5 | A protocol for communication in electrical utility automation systems. | TCP: 2404 | UDP: N/A | Not Available (Plain Text) | Lack of authentication, vulnerable to DoS attacks | Monitoring and control of electrical power systems | Siemens, ABB, Schneider Electric |
7 | PROFIBUS | A fieldbus protocol for communication in automation systems. | TCP: 3668 | UDP: N/A | Not Available (Plain Text) | Vulnerable to eavesdropping, unauthorized access | Sensors, actuators, controllers in manufacturing | Siemens, Phoenix Contact, ABB |
8 | HART | A protocol for communication with intelligent field devices. | TCP: 5094 | UDP: N/A | Not Available (Plain Text) | Vulnerable to spoofing, tampering | Industrial process monitoring and control | Emerson, Honeywell, Yokogawa |
9 | BACnet | A protocol for building automation and control networks. | TCP: 47808 | UDP: N/A | Secure Authentication and TLS encryption | Vulnerable to unauthorized access, DoS attacks | HVAC systems, lighting control, energy management | Honeywell, Johnson Controls, Siemens |
10 | MQTT | A lightweight messaging protocol for IoT and M2M communication. | TCP: 1883 | UDP: N/A | Not Available (Plain Text) to Vulnerable to spoofing, tampering | Industrial process monitoring and control | Emerson, Honeywell, Yokogawa | |
11 | CANbus | A bus standard for communication in vehicle systems. | N/A | Not Available (Plain Text) | Vulnerable to spoofing, replay attacks | Automotive systems, control units | Bosch, Continental, Delphi | |
12 | WirelessHART | A wireless communication protocol based on HART for industrial | UDP: 5093 | AES-128 encryption (Inherent encryption) | Vulnerable to jamming, unauthorized access | Wireless monitoring and control of industrial processes | Emerson, Honeywell, Siemens | |
13 | IEC 61850 | A protocol for communication in substation automation systems. | TCP: 102 | UDP: 102 | TLS encryption | Vulnerabilities in authentication, data integrity | Electric power substation automation, smart grid applications | |
14 | Vnet/IP | Yokogawa Proprietery protocol for Centum VP Controllers | TCP: 44818 | Can use SSL/TSL encryption | Weak authentication, Data integrity, Dos | All sectors in Industrial Automation | Yokogawa | |
15 | SNMP | A protocol for network management and monitoring of devices. | UDP: 161 | UDP: 162 | v3 encryption | Vulnerabilities in authentication, data privacy | Network management, device monitoring and control | |
16 | ICCP/TASE.2 | A protocol for real-time information exchange between control centers | TCP: 102 | UDP: 102 | TLS encryption | Vulnerable to unauthorized access, data integrity issues | Inter-control center communication, energy management systems | |
17 | CIP | A protocol for communication in industrial automation networks. | TCP: 44818 | UDP: 2222 | TLS encryption | Potential vulnerabilities in authentication and encryption | Integration of control systems, data exchange, safety devices | |
18 | EtherCAT | A real-time Ethernet protocol for communication in motion control systems. | UDP: 8899 | IPsec encryption (Achieved through IPsec implementation) | Vulnerabilities in authentication, data integrity | Motion control, automation systems | Beckhoff Automation, Omron, Bosch | |
19 | WISA | A wireless protocol for industrial automation and control. | UDP: 49200 | Not Available (Plain Text) | Vulnerable to unauthorized access, data integrity issues | Wireless industrial control and monitoring, asset management | Endress+Hauser, Pepperl+Fuchs, ABB | |
20 | BACnet/IP | A variant of BACnet protocol using IP networks for building automation. | UDP: 47808 | Secure Authentication and TLS encryption | Vulnerable to unauthorized access, DoS attacks | Building automation, control and monitoring | Honeywell, Johnson Controls, Siemens | |
21 | Zigbee | A wireless communication protocol for low-power, low-data-rate IoT devices. | Various | AES encryption (Inherent encryption) | Vulnerabilities in authentication, data privacy | Home automation,. | Philips, Texas Instruments, Silicon Labs | |
22 | PROFINET IO | A real-time industrial Ethernet protocol for automation systems. | TCP: 34962 | UDP: 161 | IPsec encryption (Achieved through IPsec implementation) | Vulnerabilities in access control, authentication mechanisms | Industrial automation, process control applications | |
23 | ISA-95 | A standard for integration of enterprise and control systems. | TCP: 44818 | UDP: 2222 | TLS encryption | Potential vulnerabilities in authentication and encryption | Integration of business and control systems, MES | |
24 | LonWorks | A protocol for control networks used in building automation. | TCP: 1626 | Not Available (Plain Text) | Vulnerabilities in authentication, data privacy | Building automation, lighting control, energy management | Echelon, Siemens, Schneider Electric | |
25 | M-Bus | A protocol for remote reading of utility meters. | TCP: 50000 | Not Available (Plain Text) | Vulnerable to unauthorized access, data integrity issues | Utility metering, remote meter reading | Kamstrup, Itron, Siemens | |
26 | Modbus TCP/IP | A variant of Modbus protocol using TCP/IP for communication. | TCP: 502 | UDP: N/A | Secure Authentication and TLS encryption | Lack of authentication, susceptible to eavesdropping | SCADA systems, industrial control and monitoring | |
27 | CANopen | A higher-layer protocol based on CANbus for industrial automation. | N/A | Not Available (Plain Text) | Vulnerable to unauthorized access, message injection | Industrial automation, motion control systems | Beckhoff Automation, Bosch, Omron | |
28 | KNX | A protocol for building automation and control networks. | TCP: 3671 | UDP: 3672 | Secure Authentication and TLS encryption | Potential vulnerabilities in authentication and encryption | Building automation, lighting control, HVAC systems | |
29 | IEC 62351 | A suite of protocols for secure communication in power systems. | TCP: 102 | UDP: 102 | TLS encryption | Vulnerabilities in authentication, key management | Secure communication in electric power systems | |
30 | S7Comm | A proprietary protocol used in Siemens S7-300 and S7-400 PLCs. | TCP: 102 | Secure Authentication and TLS encryption | Vulnerabilities in authentication, data integrity | Industrial automation, control systems | Siemens, Schneider Electric, ABB | |
31 | H1 Fieldbus | A fieldbus protocol used in process automation and control systems. | TCP: 102 | UDP: 102 | Not Available (Plain Text) | Vulnerable to unauthorized access, data integrity issues | Process automation, control and monitoring | |
32 | Zigbee RF4CE | A variant of Zigbee protocol for remote control applications. | Various | AES encryption (Inherent encryption) | Vulnerabilities in authentication, data privacy | Remote controls, consumer electronics | Philips, Texas Instruments, Silicon Labs | |
33 | Foundation Fieldbus | A digital communication protocol for process control systems. | TCP: 2222 | UDP: N/A | Not Available (Plain Text) | Vulnerabilities in authentication, data integrity | Process control, monitoring and diagnostics | |
34 | MMS | A protocol for real-time data communication in industrial systems. | TCP: 102 | UDP: 102 | TLS encryption | Vulnerabilities in authentication, data integrity | Industrial control systems, real-time data exchange | |
35 | EtherNet/IPTap | A protocol for network traffic monitoring in EtherNet/IP networks. | TCP: 2222 | UDP: 2222 | IPsec encryption (Achieved through IPsec implementation) | Vulnerable to unauthorized access, data integrity issues | Network traffic monitoring, diagnostics in EtherNet/IP networks | |
36 | MelsecNet | A protocol for communication in Mitsubishi Electric PLC systems. | TCP: 5007 | UDP: 5007 | Not Available (Plain Text) | Vulnerabilities in authentication, data integrity | Industrial automation, process control systems | |
37 | FOUNDATION HSE | A high-speed Ethernet protocol for process control systems. | TCP: 2222 | UDP: N/A | Not Available (Plain Text) | Vulnerabilities in authentication, data integrity | Process control, high-speed data exchange | |
38 | PROFIsafe | A safety communication protocol for fail-safe automation systems. | TCP: 34962 | UDP: 161 | IPsec encryption (Achieved through IPsec implementation) | Vulnerabilities in access control, authentication mechanisms | Safety-critical applications, industrial automation | |
39 | DeviceNet | A network protocol for communication with industrial devices. | TCP: 44818 | UDP: 2222 | IPsec encryption (Achieved through IPsec implementation) | Potential vulnerabilities in authentication and encryption | Industrial device communication, sensor integration | |
40 | HART-IP | A variant of HART protocol using IP networks for industrial applications. | UDP: 5094 | IPsec encryption (Achieved through IPsec implementation) | Vulnerable to spoofing, tampering | Industrial process monitoring and control over IP networks | Emerson, Honeywell, Yokogawa | |
41 | CIP Safety | A safety protocol for communication in industrial control systems. | TCP: 44818 | UDP: 2222 | TLS encryption | Potential vulnerabilities in authentication and encryption | Safety-critical applications, control system integration | |
42 | EtherCAT P | A power-over-EtherCAT protocol for communication and power delivery. | UDP: 8899 | IPsec encryption (Achieved through IPsec implementation) | Vulnerabilities in authentication, data integrity | Motion control, automation systems with power delivery | Beckhoff Automation, Omron, Bosch | |
43 | WISA Wireless | A wireless protocol for communication in industrial automation. | UDP: 49200 | Not Available (Plain Text) | Vulnerable to unauthorized access, data integrity issues | Wireless industrial control and monitoring, asset management | Endress+Hauser, Pepperl+Fuchs, ABB | |
44 | BACnet/IPv6 | A variant of BACnet protocol using IPv6 for building automation. | UDP: 47808 | Secure Authentication and TLS encryption | Vulnerable to unauthorized access, DoS attacks | Building automation, control and monitoring with IPv6 | Honeywell, Johnson Controls, Siemens | |
45 | Zigbee IP | A variant of Zigbee protocol using IP networks for IoT applications. | Various | AES encryption (Inherent encryption) | Vulnerabilities in authentication, data privacy | IoT applications, wireless sensor networks with IP connectivity | Philips, Texas Instruments, Silicon Labs | |
46 | CC-Link | A fieldbus protocol for industrial automation in Asia. | TCP: 5000 | UDP: 5000 | AES encryption (Inherent encryption) | Lack of authentication, susceptible to eavesdropping | Industrial automation, motion control systems in Asia | |
47 | KNXnet/IP | A variant of KNX protocol using IP networks for building automation. | TCP: 3671 | UDP: 3672 | Secure Authentication and TLS encryption | Potential vulnerabilities in authentication and encryption | Building automation, lighting control, HVAC systems with IP connectivity | |
48 | IEC 61883 | A protocol for audio and video transmission in professional applications. | UDP: 61883 | Not Available (Plain Text) | Vulnerabilities in authentication, data privacy | Audio/video transmission, professional multimedia applications | Sony, Panasonic, Canon | |
49 | CIP Motion | A protocol for motion control in industrial automation systems. | TCP: 44818 | UDP: 2222 | TLS encryption | Potential vulnerabilities in authentication and encryption | Industrial motion control systems | |
50 | WirelessMBus | A wireless communication protocol for utility metering applications. | TCP: 50000 | AES-128 encryption (Inherent encryption) | Vulnerable to unauthorized access, data integrity issues | Wireless utility metering, remote meter reading | Kamstrup, Itron, Siemens | |
51 | Fieldbus HSE | A high-speed Ethernet protocol for fieldbus communication. | TCP: 2222 | UDP: N/A | Not Available (Plain Text) | Vulnerabilities in authentication, data integrity | Fieldbus communication, high-speed data exchange | |
52 | Modbus/TCP | A variant of Modbus protocol using TCP/IP for communication. | TCP: 502 | UDP: N/A | Secure Authentication and TLS encryption | Lack of authentication, susceptible to eavesdropping | SCADA systems, industrial control and monitoring | |
53 | CC-Link IE | An industrial Ethernet protocol for automation systems in Asia. | TCP: 44818 | UDP: 2222 | IPsec encryption (Achieved through IPsec implementation) | Potential vulnerabilities in authentication and encryption | Industrial automation, motion control systems in Asia | |
54 | Modbus/UDP | A variant of Modbus protocol using UDP/IP for communication. | UDP: 502 | Not Available (Plain Text) | Lack of authentication, susceptible to eavesdropping | SCADA systems, industrial control and monitoring | Schneider Electric, Siemens, ABB | |
55 | OPC UA | A machine-to-machine communication protocol for industrial automation. | TCP: 4840 | UDP: 4840 | Secure Authentication and TLS encryption | Potential vulnerabilities in authentication and encryption | Industrial automation, data exchange and interoperability |
Attack Methods | Hacking Tools | Commands | Description | Text |
|---|---|---|---|---|
Modbus | Eavesdropping, Man-in-the-Middle (MitM) Attacks | Network Sniffers (e.g., Wireshark) | Read Holding Registers | Modbus is a widely used serial communication protocol in industrial automation. It is commonly used in SCADA systems, industrial control, and monitoring. It operates over TCP port 502 and lacks authentication, making it susceptible to eavesdropping. |
Write Single Register | ||||
Read/Write Multiple Registers |
ID | Attack Methods | Hacking Tools | Commands | Description |
|---|---|---|---|---|
DNP3 | Man-in-the-Middle Attacks | Network Sniffers | Read Data | DNP3 is a robust and secure protocol used for communication in electric power systems, as well as water and wastewater management. It operates over TCP ports 20000-20005 and does not use UDP. |
Write Data | ||||
Control Operations | ||||
Device Configuration |
ID | Attack Methods | Hacking Tools | Commands | Description |
|---|---|---|---|---|
OPC | Unauthorized Access | Network Scanners | Read Tag Data | OPC (OLE for Process Control) is a standard for interoperability between industrial automation systems. It uses TCP port 135 and supports TLS encryption for secure communication. |
Write Tag Data | ||||
Invoke Methods | ||||
Data Access Read/Write |
ID | Attack Methods | Hacking Tools | Commands | Description |
|---|---|---|---|---|
EtherNet/IP | Authentication Bypass, Packet Sniffing | Packet Sniffers (e.g., Wireshark) | Read Tag Data | EtherNet/IP is an industrial Ethernet protocol used for real-time control and data exchange. It operates over TCP port 44818 and UDP port 2222. |
Write Tag Data | ||||
Device Configuration | ||||
ID | Attack Methods | Specific Tools | Specific Commands | Description |
|---|---|---|---|---|
Profinet | Access Control Bypass, Man-in-the-Middle Attacks | Packet Sniffers (e.g., Wireshark) | Read Process Data | Profinet is a communication protocol used for real-time data exchange in industrial automation. It operates over TCP port 34962 and UDP port 161. |
Write Process Data | ||||
Diagnostic Information |
Attack Methods | Specific Tools | Specific Commands and Codes | Commands Description |
|---|---|---|---|
Denial-of-Service (DoS) Attacks | DoS Tools (e.g., LOIC) | C_SC_NA (45h) | Control command used for Single-Command (SC) normalized value for Network Areas (NA) |
Lack of Authentication | Network Sniffers (e.g., Wireshark) | C_IC_NA (64h) | Control command used for Interrogation of Counter (IC) normalized value for Network Areas (NA) |
Attack Methods | Specific Tools | Specific Commands and Codes | Commands Description |
|---|---|---|---|
Eavesdropping | Packet Sniffers (e.g., Wireshark) | N/A | Passive monitoring and capturing of network traffic to intercept and analyze PROFIBUS communication |
Unauthorized Access | PROFIBUS Configuration Tools | N/A | Use of unauthorized configuration tools to gain access to PROFIBUS network and devices |
Attack Methods | Specific Tools | Specific Commands and Codes | Commands Description |
|---|---|---|---|
Spoofing | HART Modem, Software | Universal Command (UCOM) | Unauthorized transmission of spoofed messages to impersonate a legitimate field device |
Tampering | HART Configurator | Read/Write Commands | Unauthorized modification of device configuration parameters and process variable settings |
Attack Methods | Specific Tools | Specific Commands and Codes | Commands Description |
|---|---|---|---|
Unauthorized Access | BACnet Discovery Tools | N/A | Exploiting vulnerabilities to gain unauthorized access to BACnet networks and devices |
DoS Attacks | Network Stress Testing Tools | N/A | Overloading BACnet devices or networks with excessive traffic, causing disruption of services |
Attack Methods | Specific Tools | Specific Commands and Codes | Commands Description |
|---|---|---|---|
Unauthorized Access | MQTT Packet Sniffing Tools | CONNECT, PUBLISH, SUBSCRIBE | Intercepting MQTT packets to gain unauthorized access to the broker or IoT devices’ communication, compromising data integrity |
Data Privacy | MQTT Message Analyzer | N/A | Analyzing MQTT messages to extract sensitive information, compromising the privacy and confidentiality of IoT data |
Attack Methods | Specific Tools | Specific Commands and Codes | Commands Description |
|---|---|---|---|
Spoofing | CANbus Spoofing Tools | N/A | Sending forged CAN messages with altered identifiers or data, impersonating legitimate devices or commands |
Replay Attacks | CANbus Replay Tools | N/A | Capturing and replaying previously sent CAN messages to deceive the system or retrigger specific commands |