There are a range of common exploits that could be used against your Industrial Control System (ICS) including the following;
- Internet accessible systems are being mapped by ERIPP or SHODAN, or are easily locatable through search engine queries.
- Malware can spread vertically through the network by trusted system to system connections or VPN.
- It is very easy to manoeuvre undetected throughout a control environment.
- There is potential to leverage non-routable trusted communication paths.
- ICS Ransomware has been developed capable of locking up CNI
- Request for Proposals often contain a wealth of information regarding ICS environment.
- Vendors frequently post information about a project they are working on for an ICS customer.
- Employee social media sites often contain technology architecture information and possibly images of ICS work environments.
- Engineer professional bios can provide a helpful map of your ICS.
- Publically available information regarding an ICS asset owners’ vendor relationships, conference attendance, committee participation and domain registrations can all be leveraged against the organisation.
- Attackers can take advantage of long delays in patching operating system upgrades.
- Attackers can take advantage of systems with no anti-virus, or out-of-date signatures.
- Attackers will leverage default usernames and passwords or weak authentication mechanisms.
- Attacks will be difficult to detect due to minimal asset security logging capability.
- Attackers will leverage file access techniques to move data in and out of the ICS environment through physical removable media or trusted communication paths utilised for system maintenance.
- ICS assets can be remotely accessible through traditional dial-up modems that have little access control protections.
- Numerous ICS assets at a location can be accessed through a single dial-up access point with a multiplex device that enables connections to many ICS assets.
- Old attack vectors can still be successful in ICS environments.
- ICS systems can be attacked by exploiting applications that communicate through network segmentation.
- Connections to other organisations, plants or systems.
- Many ICS environments are susceptible to network-based Man in the Middle Attacks.
- Third party vendors, contractors or integrators can be attacked in an attempt to ultimately attack an ICS asset owner or multiple asset owners.
- ICS hardware and software can be directly breached or impacted prior to arriving in the production ICS environment.
- Attackers can leverage the physical locations of numerous ICS assets that could be located in remote geographies or are unmonitored, even when little to no physical access controls ICS assets can be physically stolen or obtained.
- ICS assets can be physically stolen or obtained secondhand with access to sensitive information that could be used in planning an attack.
- Physical changes or alterations to ICS devices are often difficult to detect.
- Attackers can leverage the lack of corporate security policies, procurement language, asset inventory & standardisation that exist in many ICS environments.
- Attackers can have greater impacts on ICS environments, as ICS assets are often not considered in the preparation phase of security incident response planning and containment approaches.
- ICS risk and hazard assessment are not always evaluated with the loss of cyber integrity, which can lead to a loss of availability; impacts due to interdependencies and misuse of critical components or functions.
- In some sectors ICS assets are often architected or assessed from a compliance perspective and not always assessed from a security perspective.