OT

Introduction

OT (Operational Technology) security structure is a set of security measures and best practices designed to protect critical infrastructure and industrial control systems (ICS) that manage and monitor physical processes such as manufacturing, transportation, and energy distribution. The security structure includes several layers of security controls and policies that work together to protect OT systems from cyber threats.
Here are some key elements of an effective OT security structure:
1. Network Segmentation: The OT network should be segmented into different zones with varying levels of security controls. Each zone should have its own security policies and access controls.
2. Access Controls: Access to OT systems and devices should be limited to authorized personnel only. Strong authentication methods such as two-factor authentication should be used.
3. Endpoint Protection: All endpoints such as industrial controllers, sensors, and other devices should be secured with endpoint protection software, which can detect and prevent malware and unauthorized access.
4. Vulnerability Management: Regular vulnerability assessments and patching should be done to identify and fix vulnerabilities in OT systems and devices.
5. Incident Response: A well-defined incident response plan should be in place to respond to security incidents and minimize the impact of a breach.
6. Training and Awareness: Regular training and awareness programs should be conducted for employees and contractors to raise awareness of security risks and best practices.
7. Compliance: Compliance with industry-specific regulations and standards such as NIST SP 800-82 and IEC 62443 should be maintained to ensure the security of OT systems.
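The first two elements above (segmentation and access control) can be expressed as data and audited automatically. The following is an added example, not code from the original page: it assigns hosts to zones by address range, allows traffic between zones only over explicitly listed conduits, and reports every flow that crosses a zone boundary without one. The zone map, conduit list and flow records are constructed for illustration; the address plan and the conduit ports are assumptions, not a recommendation for any particular site.

```python
"""Zone/conduit flow audit (added example; zones, conduits and flows are constructed)."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Hypothetical address plan: one subnet per security zone.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "dmz":        ip_network("10.20.0.0/24"),
    "control":    ip_network("10.30.0.0/24"),
    "field":      ip_network("10.40.0.0/24"),
}


class Conduit(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str
    port: int


# Allowed inter-zone conduits (constructed): enterprise users reach a DMZ
# historian over HTTPS, the historian polls control-zone gateways over
# Modbus/TCP, and the control zone talks to field devices.
CONDUITS = {
    Conduit("enterprise", "dmz", "tcp", 443),
    Conduit("dmz", "control", "tcp", 502),
    Conduit("control", "field", "tcp", 502),
    Conduit("control", "field", "tcp", 20000),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is outside the plan."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def check_flow(src: str, dst: str, proto: str, port: int) -> tuple:
    """Return (allowed, reason) for a single observed flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if "unknown" in (sz, dz):
        return False, f"unmapped address ({src} -> {dst})"
    if sz == dz:
        return True, f"intra-zone traffic inside {sz}"
    if Conduit(sz, dz, proto.lower(), port) in CONDUITS:
        return True, f"conduit {sz}->{dz} {proto}/{port}"
    return False, f"no conduit {sz}->{dz} {proto}/{port}"


def audit(flows) -> list:
    """Return [(flow, reason)] for every flow the policy does not permit."""
    violations = []
    for flow in flows:
        allowed, reason = check_flow(*flow)
        if not allowed:
            violations.append((flow, reason))
    return violations


# Constructed firewall-log style records: (src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("10.10.5.7", "10.20.0.10", "tcp", 443),    # workstation -> historian: allowed
    ("10.20.0.10", "10.30.0.5", "tcp", 502),    # historian -> gateway: allowed
    ("10.10.5.7", "10.30.0.5", "tcp", 502),     # workstation straight to control: violation
    ("10.10.5.7", "10.40.0.9", "tcp", 22),      # workstation to a field device: violation
    ("10.30.0.5", "10.30.0.6", "udp", 2222),    # inside the control zone: allowed
]

if __name__ == "__main__":
    for flow, why in audit(SAMPLE_FLOWS):
        print("VIOLATION", flow, why)
```

Feeding real firewall or flow logs into `audit` turns the segmentation policy into a continuous check; any hit means either a missing conduit definition or traffic that should not exist.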

Critical infrastructure

Critical infrastructure in OT (Operational Technology) refers to systems and assets that are essential for the functioning of a society, such as power grids, transportation systems, water treatment plants, and industrial control systems (ICS) used in manufacturing and energy production. These include:
1. Power Grids: Electric power generation and distribution systems, including power plants, transmission lines, and transformers.
2. Water Treatment Facilities: Water purification and distribution systems, including water treatment plants, reservoirs, and pumping stations.
3. Oil and Gas Pipelines: Oil and gas pipelines that transport crude oil, natural gas, and refined petroleum products from production sites to refineries and distribution centers.
4. Transportation Systems: Transportation systems, including airports, seaports, and rail systems that transport people and goods.
5. Industrial Control Systems: Industrial control systems that control the operations of manufacturing plants and energy production facilities, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLC).
6. Communication Networks: Communication networks, including telephone networks, cellular networks, and internet service providers (ISP), which are essential for communication and data transmission.
7. Financial Systems: Financial systems, including banks, stock exchanges, and payment processing systems, which are essential for financial transactions and economic stability.
8. Emergency Services: Emergency services, including fire departments, police departments, and hospitals, which are essential for public safety and well-being.
9. Government Services: Government services, including government buildings, military installations, and intelligence agencies, which are essential for national security and government operations.
OT attacks on critical infrastructure can have severe consequences, including disruption of essential services, property damage, loss of life, and financial loss. Here are some examples of OT attacks on critical infrastructure:
1. Stuxnet: Stuxnet is a worm that was discovered in 2010 and is believed to be the first example of malware specifically designed to target industrial control systems. It targeted the nuclear program of Iran and was able to cause physical damage to centrifuges by exploiting vulnerabilities in the Siemens PLCs.
2. Ukraine power outage: In 2015 and 2016, Ukrainian power grids were targeted in a series of cyberattacks that resulted in a widespread power outage. The attackers were able to gain access to the ICS and cause physical damage to the equipment, resulting in the loss of power for hundreds of thousands of people.
3. Triton: Triton is a malware that was discovered in 2017 and is designed to target safety systems in industrial control systems. It was used in an attack on a Saudi Arabian petrochemical plant, and its purpose was to cause physical damage to the plant by disabling its safety systems.
4. Colonial Pipeline: In May 2021, a ransomware attack on the Colonial Pipeline, which supplies fuel to the eastern United States, resulted in a temporary shutdown of the pipeline. This caused a disruption in fuel supply and resulted in panic buying and long lines at gas stations.

Protocol & Vendor

Based on a source by Shamikkumar Dave.

| Sr no. | Protocol | Description | Port Number | Encryption | Security Vulnerabilities | Typical Use Cases | Vendors Using It |
|---|---|---|---|---|---|---|---|
| 1 | Modbus | A serial communication protocol widely used in industrial automation. | TCP: 502, UDP: N/A | Not Available (Plain Text) | Lack of authentication, susceptible to eavesdropping | SCADA systems, industrial control and monitoring | Schneider Electric, Siemens, ABB |
| 2 | DNP3 | A robust and secure protocol for communication in electric power systems. | TCP: 20000-20005, UDP: N/A | Secure Authentication | Vulnerable to man-in-the-middle attacks, lack of key management | Electric power systems, water/wastewater management | General Electric, Siemens, ABB |
| 3 | OPC | A standard for interoperability between industrial automation systems. | TCP: 135, UDP: N/A | TLS encryption | Vulnerable to unauthorized access, lack of data integrity | Industrial automation, device and software integration | Rockwell Automation, Honeywell, Yokogawa |
| 4 | EtherNet/IP | An industrial Ethernet protocol for real-time control and data exchange. | TCP: 44818, UDP: 2222 | IPsec encryption (achieved through IPsec implementation) | Potential vulnerabilities in authentication and encryption | Integration of control systems, safety devices, data exchange | Rockwell Automation, Schneider Electric |
| 5 | Profinet | A communication protocol for real-time data exchange in industrial automation. | TCP: 34962, UDP: 161 | IPsec encryption (achieved through IPsec implementation) | Vulnerabilities in access control, authentication mechanisms | Manufacturing, process control applications | Siemens, Phoenix Contact, B&R Automation |
| 6 | IEC 60870-5 | A protocol for communication in electrical utility automation systems. | TCP: 2404, UDP: N/A | Not Available (Plain Text) | Lack of authentication, vulnerable to DoS attacks | Monitoring and control of electrical power systems | Siemens, ABB, Schneider Electric |
| 7 | PROFIBUS | A fieldbus protocol for communication in automation systems. | TCP: 3668, UDP: N/A | Not Available (Plain Text) | Vulnerable to eavesdropping, unauthorized access | Sensors, actuators, controllers in manufacturing | Siemens, Phoenix Contact, ABB |
| 8 | HART | A protocol for communication with intelligent field devices. | TCP: 5094, UDP: N/A | Not Available (Plain Text) | Vulnerable to spoofing, tampering | Industrial process monitoring and control | Emerson, Honeywell, Yokogawa |
| 9 | BACnet | A protocol for building automation and control networks. | TCP: 47808, UDP: N/A | Secure Authentication and TLS encryption | Vulnerable to unauthorized access, DoS attacks | HVAC systems, lighting control, energy management | Honeywell, Johnson Controls, Siemens |
| 10 | MQTT | A lightweight messaging protocol for IoT and M2M communication. | TCP: 1883, UDP: N/A | Not Available (Plain Text) | Vulnerable to spoofing, tampering | Industrial process monitoring and control | Emerson, Honeywell, Yokogawa |
| 11 | CANbus | A bus standard for communication in vehicle systems. | N/A | Not Available (Plain Text) | Vulnerable to spoofing, replay attacks | Automotive systems, control units | Bosch, Continental, Delphi |
| 12 | WirelessHART | A wireless communication protocol based on HART for industrial | UDP: 5093 | AES-128 encryption (inherent encryption) | Vulnerable to jamming, unauthorized access | Wireless monitoring and control of industrial processes | Emerson, Honeywell, Siemens |
| 13 | IEC 61850 | A protocol for communication in substation automation systems. | TCP: 102, UDP: 102 | TLS encryption | Vulnerabilities in authentication, data integrity | Electric power substation automation, smart grid applications | |
| 14 | Vnet/IP | Yokogawa proprietary protocol for Centum VP controllers. | TCP: 44818 | Can use SSL/TLS encryption | Weak authentication, data integrity, DoS | All sectors in industrial automation | Yokogawa |
| 15 | SNMP | A protocol for network management and monitoring of devices. | UDP: 161, UDP: 162 | v3 encryption | Vulnerabilities in authentication, data privacy | Network management, device monitoring and control | |
| 16 | ICCP/TASE.2 | A protocol for real-time information exchange between control centers. | TCP: 102, UDP: 102 | TLS encryption | Vulnerable to unauthorized access, data integrity issues | Inter-control center communication, energy management systems | |
| 17 | CIP | A protocol for communication in industrial automation networks. | TCP: 44818, UDP: 2222 | TLS encryption | Potential vulnerabilities in authentication and encryption | Integration of control systems, data exchange, safety devices | |
| 18 | EtherCAT | A real-time Ethernet protocol for communication in motion control systems. | UDP: 8899 | IPsec encryption (achieved through IPsec implementation) | Vulnerabilities in authentication, data integrity | Motion control, automation systems | Beckhoff Automation, Omron, Bosch |
| 19 | WISA | A wireless protocol for industrial automation and control. | UDP: 49200 | Not Available (Plain Text) | Vulnerable to unauthorized access, data integrity issues | Wireless industrial control and monitoring, asset management | Endress+Hauser, Pepperl+Fuchs, ABB |
| 20 | BACnet/IP | A variant of BACnet protocol using IP networks for building automation. | UDP: 47808 | Secure Authentication and TLS encryption | Vulnerable to unauthorized access, DoS attacks | Building automation, control and monitoring | Honeywell, Johnson Controls, Siemens |
| 21 | Zigbee | A wireless communication protocol for low-power, low-data-rate IoT devices. | Various | AES encryption (inherent encryption) | Vulnerabilities in authentication, data privacy | Home automation | Philips, Texas Instruments, Silicon Labs |
| 22 | PROFINET IO | A real-time industrial Ethernet protocol for automation systems. | TCP: 34962, UDP: 161 | IPsec encryption (achieved through IPsec implementation) | Vulnerabilities in access control, authentication mechanisms | Industrial automation, process control applications | |
| 23 | ISA-95 | A standard for integration of enterprise and control systems. | TCP: 44818, UDP: 2222 | TLS encryption | Potential vulnerabilities in authentication and encryption | Integration of business and control systems, MES | |
| 24 | LonWorks | A protocol for control networks used in building automation. | TCP: 1626 | Not Available (Plain Text) | Vulnerabilities in authentication, data privacy | Building automation, lighting control, energy management | Echelon, Siemens, Schneider Electric |
| 25 | M-Bus | A protocol for remote reading of utility meters. | TCP: 50000 | Not Available (Plain Text) | Vulnerable to unauthorized access, data integrity issues | Utility metering, remote meter reading | Kamstrup, Itron, Siemens |
| 26 | Modbus TCP/IP | A variant of Modbus protocol using TCP/IP for communication. | TCP: 502, UDP: N/A | Secure Authentication and TLS encryption | Lack of authentication, susceptible to eavesdropping | SCADA systems, industrial control and monitoring | |
| 27 | CANopen | A higher-layer protocol based on CANbus for industrial automation. | N/A | Not Available (Plain Text) | Vulnerable to unauthorized access, message injection | Industrial automation, motion control systems | Beckhoff Automation, Bosch, Omron |
| 28 | KNX | A protocol for building automation and control networks. | TCP: 3671, UDP: 3672 | Secure Authentication and TLS encryption | Potential vulnerabilities in authentication and encryption | Building automation, lighting control, HVAC systems | |
| 29 | IEC 62351 | A suite of protocols for secure communication in power systems. | TCP: 102, UDP: 102 | TLS encryption | Vulnerabilities in authentication, key management | Secure communication in electric power systems | |
| 30 | S7Comm | A proprietary protocol used in Siemens S7-300 and S7-400 PLCs. | TCP: 102 | Secure Authentication and TLS encryption | Vulnerabilities in authentication, data integrity | Industrial automation, control systems | Siemens, Schneider Electric, ABB |
| 31 | H1 Fieldbus | A fieldbus protocol used in process automation and control systems. | TCP: 102, UDP: 102 | Not Available (Plain Text) | Vulnerable to unauthorized access, data integrity issues | Process automation, control and monitoring | |
| 32 | Zigbee RF4CE | A variant of Zigbee protocol for remote control applications. | Various | AES encryption (inherent encryption) | Vulnerabilities in authentication, data privacy | Remote controls, consumer electronics | Philips, Texas Instruments, Silicon Labs |
| 33 | Foundation Fieldbus | A digital communication protocol for process control systems. | TCP: 2222, UDP: N/A | Not Available (Plain Text) | Vulnerabilities in authentication, data integrity | Process control, monitoring and diagnostics | |
| 34 | MMS | A protocol for real-time data communication in industrial systems. | TCP: 102, UDP: 102 | TLS encryption | Vulnerabilities in authentication, data integrity | Industrial control systems, real-time data exchange | |
| 35 | EtherNet/IPTap | A protocol for network traffic monitoring in EtherNet/IP networks. | TCP: 2222, UDP: 2222 | IPsec encryption (achieved through IPsec implementation) | Vulnerable to unauthorized access, data integrity issues | Network traffic monitoring, diagnostics in EtherNet/IP networks | |
| 36 | MelsecNet | A protocol for communication in Mitsubishi Electric PLC systems. | TCP: 5007, UDP: 5007 | Not Available (Plain Text) | Vulnerabilities in authentication, data integrity | Industrial automation, process control systems | |
| 37 | FOUNDATION HSE | A high-speed Ethernet protocol for process control systems. | TCP: 2222, UDP: N/A | Not Available (Plain Text) | Vulnerabilities in authentication, data integrity | Process control, high-speed data exchange | |
| 38 | PROFIsafe | A safety communication protocol for fail-safe automation systems. | TCP: 34962, UDP: 161 | IPsec encryption (achieved through IPsec implementation) | Vulnerabilities in access control, authentication mechanisms | Safety-critical applications, industrial automation | |
| 39 | DeviceNet | A network protocol for communication with industrial devices. | TCP: 44818, UDP: 2222 | IPsec encryption (achieved through IPsec implementation) | Potential vulnerabilities in authentication and encryption | Industrial device communication, sensor integration | |
| 40 | HART-IP | A variant of HART protocol using IP networks for industrial applications. | UDP: 5094 | IPsec encryption (achieved through IPsec implementation) | Vulnerable to spoofing, tampering | Industrial process monitoring and control over IP networks | Emerson, Honeywell, Yokogawa |
| 41 | CIP Safety | A safety protocol for communication in industrial control systems. | TCP: 44818, UDP: 2222 | TLS encryption | Potential vulnerabilities in authentication and encryption | Safety-critical applications, control system integration | |
| 42 | EtherCAT P | A power-over-EtherCAT protocol for communication and power delivery. | UDP: 8899 | IPsec encryption (achieved through IPsec implementation) | Vulnerabilities in authentication, data integrity | Motion control, automation systems with power delivery | Beckhoff Automation, Omron, Bosch |
| 43 | WISA Wireless | A wireless protocol for communication in industrial automation. | UDP: 49200 | Not Available (Plain Text) | Vulnerable to unauthorized access, data integrity issues | Wireless industrial control and monitoring, asset management | Endress+Hauser, Pepperl+Fuchs, ABB |
| 44 | BACnet/IPv6 | A variant of BACnet protocol using IPv6 for building automation. | UDP: 47808 | Secure Authentication and TLS encryption | Vulnerable to unauthorized access, DoS attacks | Building automation, control and monitoring with IPv6 | Honeywell, Johnson Controls, Siemens |
| 45 | Zigbee IP | A variant of Zigbee protocol using IP networks for IoT applications. | Various | AES encryption (inherent encryption) | Vulnerabilities in authentication, data privacy | IoT applications, wireless sensor networks with IP connectivity | Philips, Texas Instruments, Silicon Labs |
| 46 | CC-Link | A fieldbus protocol for industrial automation in Asia. | TCP: 5000, UDP: 5000 | AES encryption (inherent encryption) | Lack of authentication, susceptible to eavesdropping | Industrial automation, motion control systems in Asia | |
| 47 | KNXnet/IP | A variant of KNX protocol using IP networks for building automation. | TCP: 3671, UDP: 3672 | Secure Authentication and TLS encryption | Potential vulnerabilities in authentication and encryption | Building automation, lighting control, HVAC systems with IP connectivity | |
| 48 | IEC 61883 | A protocol for audio and video transmission in professional applications. | UDP: 61883 | Not Available (Plain Text) | Vulnerabilities in authentication, data privacy | Audio/video transmission, professional multimedia applications | Sony, Panasonic, Canon |
| 49 | CIP Motion | A protocol for motion control in industrial automation systems. | TCP: 44818, UDP: 2222 | TLS encryption | Potential vulnerabilities in authentication and encryption | Industrial motion control systems | |
| 50 | WirelessMBus | A wireless communication protocol for utility metering applications. | TCP: 50000 | AES-128 encryption (inherent encryption) | Vulnerable to unauthorized access, data integrity issues | Wireless utility metering, remote meter reading | Kamstrup, Itron, Siemens |
| 51 | Fieldbus HSE | A high-speed Ethernet protocol for fieldbus communication. | TCP: 2222, UDP: N/A | Not Available (Plain Text) | Vulnerabilities in authentication, data integrity | Fieldbus communication, high-speed data exchange | |
| 52 | Modbus/TCP | A variant of Modbus protocol using TCP/IP for communication. | TCP: 502, UDP: N/A | Secure Authentication and TLS encryption | Lack of authentication, susceptible to eavesdropping | SCADA systems, industrial control and monitoring | |
| 53 | CC-Link IE | An industrial Ethernet protocol for automation systems in Asia. | TCP: 44818, UDP: 2222 | IPsec encryption (achieved through IPsec implementation) | Potential vulnerabilities in authentication and encryption | Industrial automation, motion control systems in Asia | |
| 54 | Modbus/UDP | A variant of Modbus protocol using UDP/IP for communication. | UDP: 502 | Not Available (Plain Text) | Lack of authentication, susceptible to eavesdropping | SCADA systems, industrial control and monitoring | Schneider Electric, Siemens, ABB |
| 55 | OPC UA | A machine-to-machine communication protocol for industrial automation. | TCP: 4840, UDP: 4840 | Secure Authentication and TLS encryption | Potential vulnerabilities in authentication and encryption | Industrial automation, data exchange and interoperability | |

Modbus

| Protocol | Attack Methods | Hacking Tools | Commands | Description |
|---|---|---|---|---|
| Modbus | Eavesdropping, Man-in-the-Middle (MitM) Attacks | Network Sniffers (e.g., Wireshark) | Read Holding Registers; Write Single Register; Read/Write Multiple Registers | Modbus is a widely used serial communication protocol in industrial automation. It is commonly used in SCADA systems, industrial control, and monitoring. It operates over TCP port 502 and lacks authentication, making it susceptible to eavesdropping. |
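Because Modbus/TCP carries no authentication, the only things a passive monitor can check are the function code and the source of the request. The following is an added example, not code from the original page: it decodes the MBAP header and function code of a client-to-server Modbus/TCP request (the three commands listed above are function codes 3, 6 and 23) and raises an alert when a write function arrives from a host that is not a known master. The captured frames and the list of authorized masters are constructed for illustration.

```python
"""Modbus/TCP request triage (added example; frames and master list are constructed)."""
import struct

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}


def parse_modbus_request(adu: bytes) -> dict:
    """Parse a client->server Modbus/TCP ADU: 7-byte MBAP header + PDU."""
    if len(adu) < 8:
        raise ValueError("ADU too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    # The MBAP length field counts every byte after itself (unit id + PDU).
    if length != len(adu) - 6:
        raise ValueError(f"MBAP length {length} does not match ADU size {len(adu)}")
    fc = adu[7]
    info = {
        "tid": tid, "unit": unit, "fc": fc,
        "name": FUNCTION_NAMES.get(fc, f"Unknown ({fc})"),
        "write": fc in WRITE_FUNCTIONS,
    }
    # Requests for the listed functions begin with a 16-bit start address,
    # followed by a quantity (reads, multi-writes) or a value (single writes).
    if fc in FUNCTION_NAMES and len(adu) >= 12:
        info["address"], info["count_or_value"] = struct.unpack(">HH", adu[8:12])
    return info


def triage(src_ip: str, adu: bytes, authorized_masters: set) -> tuple:
    """Return (severity, message) for one observed request."""
    p = parse_modbus_request(adu)
    what = f"{p['name']} unit={p['unit']} addr={p.get('address')}"
    if p["write"] and src_ip not in authorized_masters:
        return "ALERT", f"write from unauthorized host {src_ip}: {what}"
    if p["write"]:
        return "INFO", f"write from {src_ip}: {what}"
    return "OK", f"read from {src_ip}: {what}"


# Constructed captures: (source address, raw ADU). Hosts are hypothetical.
AUTHORIZED = {"10.20.0.10", "10.30.0.5"}
SAMPLES = [
    # tid=1, unit=1, FC 3: read 10 holding registers from address 0
    ("10.30.0.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # tid=2, unit=1, FC 6: write 0xFFFF to register 0x0010, from a workstation
    ("10.10.5.7", bytes.fromhex("0002 0000 0006 01 06 0010 ffff")),
    # tid=3, unit=1, FC 16: write 2 registers (4 data bytes) from a known master
    ("10.20.0.10", bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 0001 0002")),
]

if __name__ == "__main__":
    for ip, adu in SAMPLES:
        print(*triage(ip, adu, AUTHORIZED))
```

The same parse step feeds naturally into a per-PLC allow-list of writable register ranges; the source check alone is weak against spoofing, which is why the table pairs Modbus with segmentation rather than treating the address as proof of identity.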

DNP3

| ID | Attack Methods | Hacking Tools | Commands | Description |
|---|---|---|---|---|
| DNP3 | Man-in-the-Middle Attacks | Network Sniffers | Read Data; Write Data; Control Operations; Device Configuration | DNP3 is a robust and secure protocol used for communication in electric power systems, as well as water and wastewater management. It operates over TCP ports 20000-20005 and does not use UDP. |
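A monitor that wants to log which outstation talks to which master needs to read the DNP3 link-layer header and check its CRCs, since a frame with a bad CRC is either corrupt or tampered with. The following is an added example, not code from the original page: it builds and parses DNP3 link frames (start bytes 0x05 0x64, length, control, destination, source, header CRC, then 16-byte data blocks each with its own CRC), using CRC-16/DNP (polynomial 0x3D65, bit-reflected, result complemented) and decoding the link function from the control byte. The addresses and payload are constructed.

```python
"""DNP3 link-layer frame build/parse with CRC check (added example; frames constructed)."""
START = b"\x05\x64"
PRIMARY_FC = {0: "RESET_LINK_STATES", 2: "TEST_LINK_STATES",
              3: "CONFIRMED_USER_DATA", 4: "UNCONFIRMED_USER_DATA",
              9: "REQUEST_LINK_STATUS"}
SECONDARY_FC = {0: "ACK", 1: "NACK", 11: "LINK_STATUS", 15: "NOT_SUPPORTED"}


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0xA6BC (0x3D65 reversed), init 0, inverted result."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Header (8 bytes) + CRC, then user data in 16-byte blocks, each followed by a CRC."""
    if len(user_data) > 250:
        raise ValueError("a DNP3 link frame carries at most 250 user-data bytes")
    # LENGTH counts control + dest + src (5 bytes) plus user data, excluding CRCs.
    header = (START + bytes([5 + len(user_data), ctrl])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + crc_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + crc_dnp(block).to_bytes(2, "little")
    return frame


def parse_frame(frame: bytes) -> dict:
    """Decode header fields, verify every CRC and reassemble the user data."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 link frame")
    length, ctrl = frame[2], frame[3]
    dest = int.from_bytes(frame[4:6], "little")
    src = int.from_bytes(frame[6:8], "little")
    crc_ok = int.from_bytes(frame[8:10], "little") == crc_dnp(frame[:8])
    prm = bool(ctrl & 0x40)          # PRM=1: primary (initiating) station
    fc = ctrl & 0x0F                 # link function code
    user = bytearray()
    pos, remaining = 10, length - 5
    while remaining > 0:
        n = min(16, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2:   # truncated frame
            crc_ok = False
            break
        if int.from_bytes(crc, "little") != crc_dnp(block):
            crc_ok = False
        user += block
        pos, remaining = pos + n + 2, remaining - n
    return {
        "dir": bool(ctrl & 0x80), "prm": prm,
        "function": (PRIMARY_FC if prm else SECONDARY_FC).get(fc, f"FC {fc}"),
        "dest": dest, "src": src, "user_data": bytes(user), "crc_ok": crc_ok,
    }


if __name__ == "__main__":
    # Constructed: master 1024 sends unconfirmed user data to outstation 1.
    f = build_frame(0xC4, dest=1, src=1024, user_data=bytes(range(20)))
    print(parse_frame(f))
```

In a real deployment the parsed `src`/`dest` pairs and link functions would be compared against the expected master/outstation inventory; the control byte alone already tells a monitor whether a frame is a request or a response.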

OPC

| ID | Attack Methods | Hacking Tools | Commands | Description |
|---|---|---|---|---|
| OPC | Unauthorized Access | Network Scanners | Read Tag Data; Write Tag Data; Invoke Methods; Data Access Read/Write | OPC (OLE for Process Control) is a standard for interoperability between industrial automation systems. It uses TCP port 135 and supports TLS encryption for secure communication. |

EtherNet/IP

| ID | Attack Methods | Hacking Tools | Commands | Description |
|---|---|---|---|---|
| EtherNet/IP | Authentication Bypass, Packet Sniffing | Packet Sniffers (e.g., Wireshark) | Read Tag Data; Write Tag Data; Device Configuration | EtherNet/IP is an industrial Ethernet protocol used for real-time control and data exchange. It operates over TCP port 44818 and UDP port 2222. |

Profinet

| ID | Attack Methods | Specific Tools | Specific Commands | Description |
|---|---|---|---|---|
| Profinet | Access Control Bypass, Man-in-the-Middle Attacks | Packet Sniffers (e.g., Wireshark) | Read Process Data; Write Process Data; Diagnostic Information | Profinet is a communication protocol used for real-time data exchange in industrial automation. It operates over TCP port 34962 and UDP port 161. |

IEC 60870-5

| Attack Methods | Specific Tools | Specific Commands and Codes | Commands Description |
|---|---|---|---|
| Denial-of-Service (DoS) Attacks | DoS Tools (e.g., LOIC) | C_SC_NA (45h) | Control command used for Single-Command (SC) normalized value for Network Areas (NA) |
| Lack of Authentication | Network Sniffers (e.g., Wireshark) | C_IC_NA (64h) | Control command used for Interrogation of Counter (IC) normalized value for Network Areas (NA) |

PROFIBUS

| Attack Methods | Specific Tools | Specific Commands and Codes | Commands Description |
|---|---|---|---|
| Eavesdropping | Packet Sniffers (e.g., Wireshark) | N/A | Passive monitoring and capturing of network traffic to intercept and analyze PROFIBUS communication |
| Unauthorized Access | PROFIBUS Configuration Tools | N/A | Use of unauthorized configuration tools to gain access to the PROFIBUS network and devices |

HART

| Attack Methods | Specific Tools | Specific Commands and Codes | Commands Description |
|---|---|---|---|
| Spoofing | HART Modem, Software | Universal Command (UCOM) | Unauthorized transmission of spoofed messages to impersonate a legitimate field device |
| Tampering | HART Configurator | Read/Write Commands | Unauthorized modification of device configuration parameters and process variable settings |

BACnet

| Attack Methods | Specific Tools | Specific Commands and Codes | Commands Description |
|---|---|---|---|
| Unauthorized Access | BACnet Discovery Tools | N/A | Exploiting vulnerabilities to gain unauthorized access to BACnet networks and devices |
| DoS Attacks | Network Stress Testing Tools | N/A | Overloading BACnet devices or networks with excessive traffic, causing disruption of services |

MQTT

| Attack Methods | Specific Tools | Specific Commands and Codes | Commands Description |
|---|---|---|---|
| Unauthorized Access | MQTT Packet Sniffing Tools | CONNECT, PUBLISH, SUBSCRIBE | Intercepting MQTT packets to gain unauthorized access to the broker or IoT devices' communication, compromising data integrity |
| Data Privacy | MQTT Message Analyzer | N/A | Analyzing MQTT messages to extract sensitive information, compromising the privacy and confidentiality of IoT data |

CANbus

| Attack Methods | Specific Tools | Specific Commands and Codes | Commands Description |
|---|---|---|---|
| Spoofing | CANbus Spoofing Tools | N/A | Sending forged CAN messages with altered identifiers or data, impersonating legitimate devices or commands |
| Replay Attacks | CANbus Replay Tools | N/A | Capturing and replaying previously sent CAN messages to deceive the system or retrigger specific commands |
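CAN has no sender authentication, so a spoofed or replayed frame is indistinguishable from a genuine one by content alone. What it cannot hide is timing: most CAN identifiers are transmitted periodically, and an extra copy of a frame arrives much earlier than the identifier's normal cycle. The following is an added example, not code from the original page: it learns the median inter-arrival time per arbitration ID from a clean capture and then flags frames that arrive well ahead of schedule or carry an ID never seen in the baseline. Both captures are constructed (timestamps in milliseconds); the IDs, periods and threshold ratio are assumptions, not values for any particular vehicle.

```python
"""CAN cycle-time anomaly check (added example; both captures are constructed)."""
from collections import defaultdict
from statistics import median
from typing import NamedTuple


class Frame(NamedTuple):
    ts_ms: int      # capture timestamp in milliseconds
    arb_id: int     # 11-bit arbitration identifier
    data: bytes     # payload, 0-8 bytes


def learn_periods(frames, min_samples: int = 3) -> dict:
    """Median inter-arrival time (ms) per arbitration ID from a clean capture."""
    last, gaps = {}, defaultdict(list)
    for f in frames:
        if f.arb_id in last:
            gaps[f.arb_id].append(f.ts_ms - last[f.arb_id])
        last[f.arb_id] = f.ts_ms
    return {i: median(g) for i, g in gaps.items() if len(g) >= min_samples}


def detect(frames, periods: dict, ratio: float = 0.5) -> list:
    """Return (index, arb_id, reason) for frames that arrive too early or use an unknown ID."""
    last, alerts = {}, []
    for idx, f in enumerate(frames):
        period = periods.get(f.arb_id)
        if period is None:
            alerts.append((idx, f.arb_id, "ID not seen in baseline"))
        elif f.arb_id in last:
            gap = f.ts_ms - last[f.arb_id]
            if gap < ratio * period:
                alerts.append((idx, f.arb_id,
                               f"gap {gap} ms < {ratio:.0%} of period {period} ms"))
        last[f.arb_id] = f.ts_ms
    return alerts


def periodic(arb_id: int, period_ms: int, count: int, data: bytes) -> list:
    """Generate a clean periodic stream for one ID (constructed test data)."""
    return [Frame(i * period_ms, arb_id, data) for i in range(count)]


# Clean baseline: 0x1A0 every 10 ms, 0x2B0 every 50 ms (hypothetical IDs).
BASELINE = sorted(periodic(0x1A0, 10, 10, b"\x00\x10") + periodic(0x2B0, 50, 4, b"\x01"))
# Suspect capture: the same traffic plus one extra 0x1A0 frame 3 ms after a real one.
SUSPECT = sorted(periodic(0x1A0, 10, 7, b"\x00\x10") + periodic(0x2B0, 50, 2, b"\x01")
                 + [Frame(43, 0x1A0, b"\xff\xff")])

if __name__ == "__main__":
    periods = learn_periods(BASELINE)
    for idx, arb_id, why in detect(SUSPECT, periods):
        print(f"frame {idx} id=0x{arb_id:03X}: {why}")
```

The threshold ratio trades false positives (jitter on a busy bus) against missed injections; event-driven IDs that are not periodic need a separate allow-list rather than a cycle-time rule, which is why the baseline only keeps IDs with enough samples.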

WirelessHART