OT
Introduction
OT (Operational Technology) security structure is the set of security measures and practices that protect critical infrastructure and industrial control systems (ICS), the systems that manage and monitor physical processes such as manufacturing, transportation, and energy distribution. It layers security controls and policies so that the failure of any single control does not expose the physical process to a cyber threat.
Here are some key elements of an effective OT security structure:
Network Segmentation: Segment the OT network into zones with different trust levels (the Purdue model and the IEC 62443 zones-and-conduits model are the usual references) and allow traffic between zones only through explicitly defined conduits, each with its own firewall policy and access controls. An enterprise host should never reach a Level 1 controller directly.
Access Controls: Limit access to OT systems and devices to authorized personnel and enforce multi-factor authentication at the jump hosts and remote-access gateways that front the control network, since many PLCs and HMIs cannot enforce per-user authentication themselves.
Endpoint Protection: Harden every endpoint that can run it (HMIs, engineering workstations, historians) with application allowlisting or endpoint protection that detects malware and unauthorized access; for controllers, sensors and other devices that cannot host an agent, compensate with network monitoring and strict conduit rules.
Vulnerability Management: Assess OT systems and devices regularly and patch within planned maintenance windows; where a patch cannot be applied without risking the process, record the exception and mitigate it with segmentation and monitoring.
Incident Response: A well-defined incident response plan should be in place to respond to security incidents and minimize the impact of a breach, including who is authorized to take a process offline.
Training and Awareness: Regular training and awareness programs should be conducted for employees and contractors to raise awareness of security risks and best practices.
Compliance: Align with guidance and standards such as NIST SP 800-82 (Guide to OT Security) and IEC 62443, and with whatever sector regulation applies (for example NERC CIP for the North American bulk electric system).
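The segmentation and access-control points above can be turned into a simple, testable policy: every Purdue zone is a CIDR, every allowed cross-zone path is a conduit with a fixed protocol/port list, and a flow that skips a level, goes the wrong direction or uses an unlisted port is a violation. The following is an added example (not from the original page); the zone layout, the conduit table and the flow records are all constructed for the example and must be replaced with a real plant's values.

```python
"""Zone/conduit policy check over constructed flow records.

Added example, not from the original page. Models the segmentation rule:
each Purdue zone may only talk to an adjacent zone through an explicitly
allowed conduit (protocol, destination port). Zone CIDRs, the conduit
table and the sample flows below are assumptions made up for the example.
"""
import ipaddress

# Assumed zone layout (Purdue levels); adjust to your own plant.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),  # Level 4/5
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),  # Level 3.5 (IDMZ)
    "site_ops":   ipaddress.ip_network("10.30.0.0/24"),  # Level 3 (historian, engineering)
    "control":    ipaddress.ip_network("10.40.0.0/24"),  # Level 2 (HMI, SCADA servers)
    "process":    ipaddress.ip_network("10.50.0.0/24"),  # Level 1 (PLC/RTU)
}

# Assumed conduit allowlist: (src_zone, dst_zone) -> {(proto, dst_port), ...}
CONDUITS = {
    ("enterprise", "dmz"):   {("tcp", 443)},                   # reverse proxy / jump host
    ("dmz", "site_ops"):     {("tcp", 3389), ("tcp", 5432)},   # jump-host RDP, historian DB
    ("site_ops", "control"): {("tcp", 4840)},                  # OPC UA
    ("control", "process"):  {("tcp", 502), ("tcp", 102), ("udp", 20000)},  # Modbus/TCP, S7comm, DNP3
}


def zone_of(ip):
    """Map an address to its zone name, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_flow(src, dst, proto, dport):
    """Return (verdict, reason) for a single flow; verdict is 'allow' or 'deny'."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny", f"unknown zone for {src if sz is None else dst}"
    if sz == dz:
        return "allow", "intra-zone"
    allowed = CONDUITS.get((sz, dz))
    if allowed is None:
        return "deny", f"no conduit {sz}->{dz} (level skipping or wrong direction)"
    if (proto, dport) not in allowed:
        return "deny", f"{proto}/{dport} not permitted on conduit {sz}->{dz}"
    return "allow", f"conduit {sz}->{dz}"


# Constructed flow records: (src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    ("10.40.0.15", "10.50.0.7",  "tcp", 502),   # HMI -> PLC over Modbus: expected
    ("10.10.5.22", "10.50.0.7",  "tcp", 502),   # enterprise host -> PLC directly: level skip
    ("10.30.0.4",  "10.40.0.15", "tcp", 4840),  # historian -> SCADA server over OPC UA: expected
    ("10.40.0.15", "10.30.0.4",  "tcp", 4840),  # same pair, wrong direction: deny
    ("10.20.0.2",  "10.30.0.9",  "tcp", 22),    # SSH from the DMZ is not on the allowlist
]


def audit(flows):
    """Evaluate every flow; returns a list of (flow, verdict, reason)."""
    return [(f, *check_flow(*f)) for f in flows]


if __name__ == "__main__":
    for f, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {f[0]:>12} -> {f[1]:<12} {f[2]}/{f[3]:<5} {reason}")
```

Run against NetFlow or firewall logs, the denied lines are exactly the conduit violations worth investigating; an enterprise address talking Modbus to a Level 1 PLC is the classic sign that segmentation exists on paper only.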
Critical infrastructure
Critical infrastructure in OT (Operational Technology) refers to systems and assets that are essential for the functioning of a society, such as power grids, transportation systems, water treatment plants, and industrial control systems (ICS) used in manufacturing and energy production. These include:
Power Grids: Electric power generation and distribution systems, including power plants, transmission lines, and transformers.
Water Treatment Facilities: Water purification and distribution systems, including water treatment plants, reservoirs, and pumping stations.
Oil and Gas Pipelines: Oil and gas pipelines that transport crude oil, natural gas, and refined petroleum products from production sites to refineries and distribution centers.
Transportation Systems: Transportation systems, including airports, seaports, and rail systems that transport people and goods.
Industrial Control Systems: Industrial control systems that control the operations of manufacturing plants and energy production facilities, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLC).
Communication Networks: Communication networks, including telephone networks, cellular networks, and internet service providers (ISP), which are essential for communication and data transmission.
Financial Systems: Financial systems, including banks, stock exchanges, and payment processing systems, which are essential for financial transactions and economic stability.
Emergency Services: Emergency services, including fire departments, police departments, and hospitals, which are essential for public safety and well-being.
Government Services: Government services, including government buildings, military installations, and intelligence agencies, which are essential for national security and government operations.
OT attacks on critical infrastructure can have severe consequences, including disruption of essential services, property damage, loss of life, and financial loss. Here are some examples of OT attacks on critical infrastructure:
Stuxnet: Stuxnet, discovered in 2010, is the first publicly known malware built specifically to sabotage an industrial control system. It spread through Windows vulnerabilities, hijacked the Siemens Step 7 engineering software, and injected code into Siemens S7 PLCs at Iran's uranium enrichment facility that drove the centrifuges outside their safe operating range while replaying normal readings to the operators, causing physical damage to the centrifuges.
Ukraine power outages: In December 2015, attackers who had obtained credentials for the SCADA networks of three Ukrainian distribution companies opened breakers from the operator HMIs, wiped workstations and servers, and overwrote the firmware of serial-to-Ethernet converters so that substations could not be remotely reclosed; roughly 230,000 customers lost power for several hours and restoration had to be done manually. In December 2016 the Industroyer (CrashOverride) malware, which speaks IEC 60870-5-101/104, IEC 61850 and OPC DA directly, caused an outage of about an hour at a transmission substation serving Kyiv.
Triton: Triton (also called Trisis), discovered in 2017, targets Schneider Electric Triconex safety instrumented systems (SIS). It was deployed at a Saudi Arabian petrochemical plant; the assessed intent was to disable the safety system so that a later attack on the process could cause physical damage. A flaw in the attackers' code tripped the SIS instead, shutting the plant down and exposing the intrusion.
Colonial Pipeline: In May 2021, a ransomware attack on the IT network of Colonial Pipeline, which supplies fuel to the eastern United States, led the operator to shut the pipeline down for several days as a precaution, because it could not be sure the OT side was unaffected. The outage disrupted fuel supply and caused panic buying and long lines at gas stations.
Protocol & Vendor
Based on Shamikkumar Dave's source
Modbus
DNP3
OPC
EtherNet/IP
Profinet
IEC 60870-5
PROFIBUS
HART
BACnet
MQTT
CANbus
WirelessHART
IEC 61850
Vnet/IP
SNMP
ICCP/TASE.2
CIP
EtherCAT
WISA
BACnet/IP
Zigbee
PROFINET IO
ISA-95
LonWorks
M-Bus
Modbus TCP/IP
CANopen
KNX
IEC 62351
S7Comm
H1 Fieldbus
Zigbee RF4CE
Foundation Fieldbus
MMS
EtherNet/IPTap
MelsecNet
FOUNDATION HSE
PROFIsafe
CIP Safety
DeviceNet
HART-IP
EtherCAT P
WISA Wireless
BACnet/IPv6
Zigbee IP
CC-Link
KNXnet/IP
IEC 61883
CIP Motion
WirelessMBus
Fieldbus HSE
Modbus/TCP
CC-Link IE
J1939
EnOcean
VNC
VNC (Virtual Network Computing) is a remote desktop sharing protocol (the RFB protocol) that lets a user control a computer over a network connection. In OT red teaming, VNC is a common way into an HMI, engineering workstation or SCADA server: these hosts are frequently exposed on TCP 5900 with either no authentication or the legacy VNC Authentication, whose DES challenge-response truncates the password to 8 characters and can be cracked offline from a captured handshake. Access may also be obtained by exploiting vulnerabilities in the VNC server itself or by phishing an employee whose workstation has administrative access to the ICS or SCADA system.
Find VNC Server:
Shodan:
To Connect:
To Crack:
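Before connecting or cracking, the first thing to learn from a VNC server is which security types it offers, because a server that lists type 1 ("None") needs no cracking at all. The server announces this in the first two messages of the RFB handshake (RFC 6143 section 7.1). The parser below is an added example, not code from the original page; the handshake byte strings it decodes are constructed by hand, not captured from a real host.

```python
"""Parse the RFB (VNC) handshake a server sends and flag weak authentication.

Added example, not from the original page. Input is the server's
ProtocolVersion message ("RFB xxx.yyy\n", 12 bytes) immediately followed by
its security-types message, as read from the socket after connecting.
The sample byte strings at the bottom are constructed for the example.
"""
import struct

# Security type numbers registered in RFC 6143 / the RFB registry.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight",
                  18: "TLS", 19: "VeNCrypt"}


def parse_rfb_handshake(data):
    """Return version, offered security types and weak-auth flags.

    RFB 3.3: the server picks a single type and sends it as a big-endian U32.
    RFB 3.7/3.8: the server sends a U8 count followed by that many U8 types;
    a count of 0 means the connection was refused and a reason string follows.
    """
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(data[4:7]), int(data[8:11])
    body = data[12:]
    if (major, minor) == (3, 3):
        if len(body) < 4:
            raise ValueError("truncated 3.3 security-type message")
        (sectype,) = struct.unpack(">I", body[:4])
        types = [sectype]
    else:
        if not body:
            raise ValueError("missing security-types message")
        count = body[0]
        if count == 0:
            (rlen,) = struct.unpack(">I", body[1:5])
            reason = body[5:5 + rlen].decode("latin-1", "replace")
            raise ValueError(f"server refused connection: {reason}")
        if len(body) < 1 + count:
            raise ValueError("truncated security-types list")
        types = list(body[1:1 + count])
    return {
        "version": f"{major}.{minor}",
        "security_types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "no_auth": 1 in types,               # type 1: anyone can connect
        "legacy_vncauth_only": types == [2],  # only the 8-char DES challenge-response
    }


# Constructed handshakes (not real captures).
SAMPLES = {
    "3.8, offers VNC Auth and None": b"RFB 003.008\n" + b"\x02\x02\x01",
    "3.8, VNC Auth only":            b"RFB 003.008\n" + b"\x01\x02",
    "3.3, server chose VNC Auth":    b"RFB 003.003\n" + b"\x00\x00\x00\x02",
    "3.8, refused":                  b"RFB 003.008\n" + b"\x00" + struct.pack(">I", 8) + b"Too many",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        try:
            print(label, "->", parse_rfb_handshake(raw))
        except ValueError as exc:
            print(label, "->", exc)
```

Feed it the first bytes received after a TCP connect to port 5900: a result with no_auth set is an open door, and legacy_vncauth_only tells you the "To Crack" step is a short DES brute force rather than a real password attack.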
RDP
To Find:
Shodan:
To Crack:
To Connect:
PRTG
Reconnaissance
Shodan
Censys
Enumerate PRTG servers:
Exploit the PRTG server:
SQL
Enumerate
Crack
Industrial Control Systems (ICS)
Reconnaissance
This Shodan dork searches for Modbus servers (TCP 502), which are common in ICS networks.
This dork searches for PLCs (Programmable Logic Controllers) that use the proprietary Rockwell Automation protocol.
This dork searches for the Foxboro I/A Series Distributed Control Systems (DCS), which are used in various industries such as oil and gas, chemical and power generation.
This dork searches for Siemens SIMATIC S7 PLCs, which are used in industrial automation and control.
This dork searches for Schneider Electric Modicon PLCs speaking Modbus, which are used in a wide range of industrial control applications.
TR-069
TR-069 (CWMP) is the protocol ISPs use to manage customer-premises equipment such as routers and modems from an auto-configuration server (ACS). An attacker who compromises the ACS, or who can reach a device's TR-069 listener (commonly TCP 7547) running a vulnerable implementation, can reconfigure or take control of the router.
Modbus
Modbus is the most widely used protocol in industrial control systems. It has no authentication, authorization or encryption, so any host that can reach TCP 502 on a device can read and write its coils and registers; "exploiting" Modbus usually means nothing more than sending well-formed requests.
This command targets the Modbus protocol and sends a "write single coil" request (function code 5) to turn on a specific output on the target device.
This command uses the modpoll tool to query the Modbus register at reference 1 on the device with IP address 192.168.0.10. The -t 4 option selects the 16-bit holding-register table (the 4xxxx references), which modpoll reads with function code 3; to read input registers (function code 4) use -t 3 instead. An attacker can use this to extract process data from an OT system or to confirm that the device answers unauthenticated Modbus requests.
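To see what modpoll and the coil-write command above actually put on the wire, here is a Modbus/TCP frame builder and response parser for the two functions just discussed, read input registers (function code 4) and write single coil (function code 5). It is an added example, not code from the original page or from modpoll; the "device" responses it parses are constructed by hand rather than captured from real hardware.

```python
"""Build and parse Modbus/TCP frames for function codes 4 and 5.

Added example, not from the original page or from modpoll. Every frame is a
7-byte MBAP header (transaction id, protocol id 0, length, unit id) followed
by the PDU (function code + data). The response frames at the bottom are
constructed to exercise the parser, including a protocol exception.
"""
import struct


class ModbusException(Exception):
    """Raised when the device answers with function code | 0x80 and an exception code."""
    CODES = {1: "Illegal Function", 2: "Illegal Data Address",
             3: "Illegal Data Value", 4: "Slave Device Failure"}

    def __init__(self, fc, code):
        super().__init__(f"function {fc} -> exception {code} ({self.CODES.get(code, '?')})")
        self.fc, self.code = fc, code


def mbap(transaction_id, unit_id, pdu):
    """Prefix a PDU with the MBAP header; the length field counts unit id + PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_input_registers(transaction_id, unit_id, start, count):
    """FC 4: read `count` input registers starting at `start` (0-based)."""
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125")
    return mbap(transaction_id, unit_id, struct.pack(">BHH", 4, start, count))


def write_single_coil(transaction_id, unit_id, addr, on):
    """FC 5: the protocol encodes ON as 0xFF00 and OFF as 0x0000; any other value is illegal."""
    return mbap(transaction_id, unit_id, struct.pack(">BHH", 5, addr, 0xFF00 if on else 0x0000))


def parse_response(frame):
    """Return (transaction_id, unit_id, result) or raise on a protocol exception."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    pdu = frame[7:]
    fc = pdu[0]
    if fc & 0x80:
        raise ModbusException(fc & 0x7F, pdu[1])
    if fc == 4:
        byte_count = pdu[1]
        if len(pdu) != 2 + byte_count or byte_count % 2:
            raise ValueError("bad register byte count")
        regs = struct.unpack(f">{byte_count // 2}H", pdu[2:])
        return tid, unit, {"fc": 4, "registers": list(regs)}
    if fc == 5:
        addr, value = struct.unpack(">HH", pdu[1:5])
        return tid, unit, {"fc": 5, "address": addr, "on": value == 0xFF00}
    raise ValueError(f"unhandled function code {fc}")


# Constructed device responses (not captured): FC4 with two registers,
# FC5 echo of a successful coil write, and an Illegal Data Address exception.
SAMPLE_RESPONSES = [
    mbap(1, 1, b"\x04\x04" + struct.pack(">HH", 0x1234, 0x0042)),
    mbap(2, 1, b"\x05\x00\x01\xff\x00"),
    mbap(3, 1, b"\x85\x02"),
]

if __name__ == "__main__":
    print("FC4 request :", read_input_registers(1, 1, 0, 2).hex())
    print("FC5 request :", write_single_coil(2, 1, 1, True).hex())
    for raw in SAMPLE_RESPONSES:
        try:
            print("response    :", parse_response(raw))
        except ModbusException as exc:
            print("response    :", exc)
```

Two details worth noticing when reading captures: the MBAP length field is the only framing there is, so a parser must check it against the bytes actually received, and a coil write that is rejected comes back as 0x85 with exception code 2 or 3, which is how you tell an unmapped address from a malformed value.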
DNP3
DNP3 (IEEE 1815) is the protocol used between SCADA masters and outstations (RTUs, IEDs) in electric and water utilities, usually on TCP or UDP 20000. The base protocol has no authentication; Secure Authentication (SAv5) is an optional extension that many deployments do not enable, so an attacker who reaches an outstation can read points and issue control operations. Each frame carries CRC-16 checks on the link header and on every 16-byte block of user data, so crafted traffic must compute them correctly or it is silently dropped.
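Because the CRCs are the first thing an outstation checks, any DNP3 tooling starts with the link layer: the CRC-16/DNP polynomial (0x3D65, reflected, final XOR 0xFFFF), the 8-byte header (0x05 0x64, length, control, destination, source, all multi-octet fields little-endian) and the 16-byte data blocks. The following builder and validator is an added example, not code from the original page; the control byte and addresses it uses are arbitrary values chosen for the demonstration.

```python
"""DNP3 link-layer frame builder and CRC validator.

Added example, not from the original page. Frame layout: start bytes 05 64,
LEN (control + addresses + user data, CRCs excluded), CTRL, DEST, SRC
(both little-endian), header CRC, then user data in blocks of up to 16
bytes each followed by its own CRC. CRCs are sent low byte first.
The sample payload below is constructed, not a real capture.
"""
import struct

_REFLECTED_POLY = 0xA6BC  # bit-reversed 0x3D65


def crc16_dnp(data):
    """CRC-16/DNP: poly 0x3D65, init 0, reflected in/out, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ _REFLECTED_POLY if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def decode_control(ctrl):
    """Split the link control octet into DIR, PRM, FCB, FCV and function code."""
    return {"dir": bool(ctrl & 0x80), "prm": bool(ctrl & 0x40),
            "fcb": bool(ctrl & 0x20), "fcv": bool(ctrl & 0x10),
            "fc": ctrl & 0x0F}


def dnp3_frame(ctrl, dest, src, user_data=b""):
    """Build a complete link frame with header and data-block CRCs."""
    if len(user_data) > 250:
        raise ValueError("user data exceeds 250 bytes")
    header = bytes([0x05, 0x64, 5 + len(user_data), ctrl]) + struct.pack("<HH", dest, src)
    out = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + struct.pack("<H", crc16_dnp(block))
    return out


def parse_dnp3_frame(frame):
    """Validate every CRC and return the decoded header plus reassembled user data."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("missing DNP3 start bytes")
    header = frame[:8]
    (hcrc,) = struct.unpack("<H", frame[8:10])
    if crc16_dnp(header) != hcrc:
        raise ValueError("header CRC mismatch")
    length, ctrl = header[2], header[3]
    dest, src = struct.unpack("<HH", header[4:8])
    user_len, data, pos = length - 5, b"", 10
    while len(data) < user_len:
        n = min(16, user_len - len(data))
        if len(frame) < pos + n + 2:
            raise ValueError("truncated frame")
        block = frame[pos:pos + n]
        (bcrc,) = struct.unpack("<H", frame[pos + n:pos + n + 2])
        if crc16_dnp(block) != bcrc:
            raise ValueError(f"data block CRC mismatch at offset {pos}")
        data += block
        pos += n + 2
    return {"length": length, "control": decode_control(ctrl),
            "dest": dest, "src": src, "user_data": data}


# Constructed 20-byte payload: spans one full 16-byte block plus a 4-byte tail.
SAMPLE_PAYLOAD = bytes(range(20))

if __name__ == "__main__":
    frame = dnp3_frame(0xC4, dest=1, src=1024, user_data=SAMPLE_PAYLOAD)
    print(frame.hex())
    print(parse_dnp3_frame(frame))
```

The validator is what a detection sensor needs as well: a frame whose CRCs verify but whose control byte shows PRM=1 and a control function code coming from an address that is not the known master is the DNP3 equivalent of the unauthorized Modbus coil write.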
EtherNet/IP
This command targets EtherNet/IP (CIP carried over TCP/UDP 44818), used in Rockwell Automation and other industrial control systems, and attempts to send a command to turn on a specific output on the target device.
BACnet
This command targets the BACnet protocol (BACnet/IP on UDP 47808, used in building automation) and reads a property from a specific object on the target device, which yields device and point information that can be used in further attacks.
S7comm
This command targets the S7comm protocol used by Siemens PLCs (ISO-on-TCP, TCP 102) and sends a crafted payload intended to cause a buffer overflow and execute arbitrary code on the target device.
Exploitation
S7comm exploit
Modbus exploit
PCTRAN
RDS server content
resources
https://github.com/hslatman/awesome-industrial-control-system-security
https://www.b-sec.net/en/assessment/
https://github.com/rezaduty/awesome-ics-writeups