A company can have several security measures in place to mitigate and protect it from external attacks. But what about physical attacks? What would happen if someone from the company or external members of staff were to connect a malicious USB to a production machine? Do we have the means and security levels that are required to detect system changes? We will tell you in this article.

What are Industrial Control Systems?

Industrial Control Systems are the hardware and software connected to the network to manage and monitor a critical infrastructure. These technologies include supervisory control and data acquisition (SCADA) and distributed control systems (DCS), industrial automation and control systems (IACS), programmable logic controllers (PLC), remote control units (RTU) and other services such as: control servers, intelligent electronic devices (IED), human-machine interfaces (HMI), sensors or the use of the internet of things (IoT), amongst others.

What are the main risks posed to industrial environments?

Transmission of unencrypted passwords.
Trivial or default passwords.
Known vulnerabilities in out-of-date software or firmware
Lack of segmentation between the IT and OT network.
Identification of unauthorised devices.
Compromised third-party hardware or software.
Unprotected remote connections or ones with trivial credentials.
Directed phishing.

Another risk that is not on the previous list and is important is physical intrusion.

Our employees, the weakest link

Today I’m bringing you an industrial forensic case, where there is a filtration of information from the R+D department of the company to the competition, and a 30% loss of productivity due to a lack of availability of the plant’s machinery.

Picture 1: An example of an industrial electrical panel

Execution and result report after daily monitoring

The machines at the plant are not connected to a network with an internet connection. After analysing the plant’s network traffic for several days, it has been proved that the attacker is using an Asus system with a MAC address ending in 84:5e:41 to modify configuration parameters on a Siemens PLC.

Picture 2: Evidence obtained with Wireshark

With the obtained information and comparing the list of the active IT devices provided by the IT department was enough to locate the compromised system at the plant.

Picture 3: Ficticious evidence from the compromised system

The system is built into a box that is protected with special screws. Disassembling it would take a long time and our attacker doesn’t have that time, so the only viable option is to use the USB port.

Compiling the event records of the USB connections, some very useful data can be found such as the product identifer, the manufacturer or the serial number.

Picture 4: Evidence from the syslog file with USB information

The record has 900,000 lines and so performing this analysis manually would be a very difficult and expensive task.

Picture 5: Total number of lines contained in the file

In order to perform this task, we have created a script with Python and it will automatically compare a list of serial numbers on the USB devices that the company uses with the “syslog” file.

Picture 6: Serial numbers of the USBs used by the company

In just a few seconds it was possible to list a serial number that was not on the list of USB devices authorised by the plant.

Picture 7: Evidence of a missing serial number

With this serial number, locating the dates and times of the USB device connections is made possible, as well as monitoring the operators and external workers that were on that production line on the stated dates and therefore identifying the supposed attacker.

Picture 8: Information from the USB device

Could it have been detected before?

Of course, with a self-managed service like the one provided by Sothis where we have network intrusion detection systems, log records and audits, incident management and real-time event monitoring from our SOC.

Thanks to this technology, we are able to detect:

Firmware changes or PLC, RTU or HMI replacement.
Lists of devices from non-validated IP addresses.
Delay in responses from the OT devices.
Failed authentications from HMI or PLC devices.
User account creations on the Operating System.
Internal or external attacks on the industrial network.
Surveillance on the exposure to the internet.
Controlled and manageable VPN access.
Firewall rule changes.