In 2010, the Stuxnet virus incident in Iran exposed the “mystery” of Industrial Control Systems (ICS) and marked the beginning of attacks on ICS. Over the following decade, numerous security incidents related to ICS occurred, such as targeted attacks on critical infrastructure like power, water, energy, and transportation, causing significant impacts on social order; targeted attacks on manufacturing enterprises to steal trade secrets and disrupt normal production; and widespread attacks, particularly the WannaCry ransomware virus that swept the globe in 2017, which also affected ICS and continues to have repercussions in recent years.
Furthermore, world-renowned hacker conferences like BlackHat and DefCon have included ICS security in their agendas; in January 2020, the high-profile hacking competition Pwn2Own included ICS for the first time. It seems that the field of ICS is becoming a blue ocean for both “black hats” and “white hats,” as vulnerabilities and attack surfaces in ICS are increasingly exposed with the development of the Industrial Internet.
This article will analyze the methods and pathways of attacks from a hacker’s perspective, identifying vulnerabilities and weaknesses that can be exploited in the ICS environment.

Application Areas of Industrial Control Systems
01
Overall Attack Approaches to Industrial Control Systems
Attack Objectives
Highly targeted attacks aim to destroy ICS equipment, cause factory shutdowns, disrupt processes, increase defect rates, or even lead to severe consequences such as fires and explosions. In modern factories, most on-site production equipment is operated by control systems (e.g., PLC – Programmable Logic Controller, CNC lathes, DCS – Distributed Control Systems). Therefore, the attacker’s goal is to achieve their objectives by directly or indirectly attacking or affecting the control systems. The following will use factory PLCs as an example to illustrate the hacker’s attack strategies on ICS.

Examples of Hacker Attack Objectives
Attack Scenarios
Targeted Direct Attacks
Directly attacking a PLC refers to exploiting vulnerabilities present in the PLC or bypassing security authentication through methods like password cracking to successfully control the PLC and modify instructions to achieve attack objectives. Currently, many PLCs are located within internal networks and cannot be directly accessed via the internet. In this scenario, direct attacks are generally executed through physical contact with the PLC or by connecting to the PLC via internal office networks. As factories become smarter and devices achieve interconnectivity, many PLC systems connected to the internet will be more susceptible to direct attacks by hackers.
Targeted Indirect Attacks
Indirectly attacking a PLC involves gaining control over the monitoring system above the PLC (e.g., HMI, IPC, SCADA, etc.) and sending malicious instructions to the PLC through the monitoring system, or disrupting normal communication between the monitoring system and PLC to achieve attack objectives. Indirect attack scenarios typically occur when attackers cannot directly access the control system or have limited knowledge of the internal PLC system, thus shifting their focus to attacking IT components and monitoring layer systems that are more familiar to attackers. For example, an attacker first gains control of an IPC (Industrial Computer), analyzes the transmission patterns between the IPC and PLC, constructs malicious instructions, and transmits them to the PLC through the IPC, indirectly affecting the normal operation of the PLC or disrupting monitoring and alerting of production status.
Non-targeted Attacks
Non-targeted attacks, also known as widespread attacks, refer to malicious programs exploiting common vulnerabilities in systems or networks to indiscriminately infect systems and propagate within the internal network, affecting normal production order. Although these attacks do not specifically target ICS, the current security measures in ICS environments are relatively weak, making such widespread attacks frequently successful worldwide. Widespread attacks typically involve viruses or malicious programs; for example, attackers exploit employees’ weak security awareness by sending phishing emails, infecting recipients’ computers, and then leveraging vulnerabilities in the network environment to spread quickly through the office network and eventually into the production network, infecting systems with common vulnerabilities, such as IPCs, thereby affecting production or causing damage.
Attack Pathways
In general, the pathways for attacking ICS can be categorized into internal and external initiations. Internal initiation can be further divided into penetration from the office network to the factory network and attacks initiated on-site; external initiation includes targeted attacks (e.g., APT) and widespread attacks.

Attack Pathways in ICS Environments
Internal Initiation
Starting from the Office Network
-
Within the office network environment, use tools like nmap to scan and obtain network segment and asset information, especially the ports of conventional ICS and IT systems, such as Siemens 102, Modbus 502, EthernetIP 44818, 445, 3389, etc.;
-
Utilize vulnerabilities to attack identified systems, including sniffing, privilege bypass or escalation, replay attacks, password guessing, instruction injection, EternalBlue exploitation, and password guessing;
-
After successfully obtaining control of the system, attempt to use that host as a pivot, employing methods like Pass the Hash to infiltrate other systems, looking for ICS-related systems like PLCs, IPCs, and SCADA to achieve attack objectives;
-
If unsuccessful, shift to using social engineering to further obtain relevant information (such as high-privilege accounts);
-
Simultaneously, consider ways to enter the factory workshop for on-site attack methods;
-
Some integrated control systems’ central control platforms or web applications of SCADA-like configuration control systems in the internal network can be easily hijacked to elevate privileges for engineering stations.
Starting from the Workshop
Initiating an attack on ICS from within the workshop is the most direct method, with diverse tactics and choices:
-
Upon entering the workshop, carefully observe the situation and locate IPCs or control systems to prepare for subsequent attack attempts.
Attack Attempt 1:
-
The primary target is the control system (e.g., PLC), looking for devices that are unlocked or have exposed network interfaces;
-
Attempt to understand basic information about the control system, such as the brand and version used;
-
Try to connect to the control system on-site using a computer, exploiting weak passwords and other vulnerabilities to attempt malicious instruction injection, privilege bypass, replay attacks, etc.
Attack Attempt 2:
-
Attempt to attack the IPC or HMI running on-site, for example, inserting a malicious USB drive into the running IPC to implant malicious programs;
-
Directly operate IPCs or HMIs without permission, such as modifying control system instructions with malicious actions.
External Initiation
Targeted Attacks
APT attacks are typical targeted attacks initiated externally, and the attack process includes:
-
Collecting information about the target enterprise to gain an initial understanding of its basic situation;
-
Using search engines like Google and Baidu to find domains or servers exposed on the internet;
-
Utilizing crawling technology to obtain all links, subdomains, and C-segments of the website as much as possible;
-
Attempting to exploit high-risk vulnerabilities in web applications, such as malicious file uploads, command execution, SQL injection, cross-site scripting, and account privilege escalation;
-
Attempting to gain web shell access to the website and then escalate to server privileges;
-
Using that server as a pivot to penetrate the internal network, transitioning to an internal attack mode;
-
Searching for external email usernames on the internet and sending phishing emails targeted at users based on the characteristics of the enterprise, using compromised computers as a pivot to penetrate the internal environment;
-
Physically entering the enterprise by forging access cards, impersonating visitors or interviewees, or tailgating internal employees, thus transitioning to an internal attack mode.
Widespread Attacks
-
Using search engines like Google and Baidu to identify domains of enterprises exposed on the internet, if exploitable vulnerabilities are found, transitioning to targeted attacks;
-
Using social engineering to collect as many employee emails as possible and sending mass phishing emails;
-
Using the Shodan search engine to launch attacks against ICS exposed on the internet, and upon success, transitioning to internal attacks.
Cyber Kill Chain

Generally, attackers often begin their attack attempts with low-cost, widespread methods, such as sending phishing emails. When the victim clicks on the malicious link or program attached to the phishing email, the “Pandora’s Box” is opened, and the attacker attempts to compromise the victim’s device, using it as a pivot to penetrate the enterprise’s internal network. If the ICS network fails to effectively isolate from the office network, the attacker can scan and analyze related ICS assets after entering the office network. Currently, many factories have weak defenses against network attacks, with common vulnerabilities such as weak passwords, improper privilege settings, shared accounts and passwords, lack of patching and vulnerability management, and insufficient network isolation and protection, allowing attackers to exploit these vulnerabilities to conduct extensive, unimpeded attacks on ICS assets within the enterprise, ultimately leading to serious consequences such as industrial data leakage, equipment damage, process anomalies, increased defect rates, fires and explosions, and even threats to employee safety, forming a complete hacker attack chain.
02
Can Industrial Control Systems Effectively Resist Attacks?
The ability of ICS to effectively repel hacker attacks depends on the preparations and measures taken by both attackers and defenders. Currently, attackers are more actively researching vulnerabilities and attack methods related to ICS, while enterprises focus more on efficient production and digital transformation, with relatively lagging attention and investment in ICS security; coupled with the obsolescence and non-standardization of ICS, many vulnerabilities are exposed to attackers, as illustrated below:

Organization and Personnel
Unclear Security Responsibilities
Insufficient attention from management, unclear security responsibilities between departments, and no explicit security department or positions.
Weak Security Awareness
Employees have relatively weak security awareness regarding ICS, especially production or frontline employees. Traditional enterprises often rely on “security by obscurity,” believing that strict physical security and access management can ensure safety, assuming that the absence of security incidents indicates security, which often leads enterprises to neglect the construction of network security and fail to remedy hidden dangers in a timely manner.
Management and Supervision
“Experience-Based” Management
ICS often lack security design and considerations, which is a common phenomenon in many enterprises. While implementing appropriate security measures can effectively compensate for this, many enterprises do not establish effective security policies and measures, relying solely on personal experience and historical practices for management.
Lack of Emergency Response Mechanisms
Without an emergency response mechanism, it is impossible to quickly organize manpower and deploy measures to control the further spread of incidents when sudden events occur, and to resolve issues and restore production in the shortest time.
Lack of Appropriate Password Policies
Failure to establish appropriate password policies and management, such as weak passwords, shared passwords, multiple hosts or devices sharing one password, and sharing passwords with third-party suppliers, increases the risk of password leakage.
Lack of Security Audit Logs
After a security incident occurs, it is impossible to trace and analyze the source and cause of the incident to prevent similar situations from happening again.
Network and Architecture
“Gentleman-Style” Network Isolation
Insufficient effective isolation between internal office networks and factory networks, with no security domains designated for protection, causing attacks or viruses from the office network to spread to the factory network, affecting production.
Unsafe Communication Protocols
Industrial control protocols are non-standardized and mostly have security vulnerabilities, such as CAN, DNP3.0, Modbus, IEC60870-5-101.
Unsafe Remote Access
To facilitate remote debugging by maintenance engineers and suppliers, security measures and monitoring are not deployed for remote access, which may be one of the most exploited vulnerabilities by attackers.
Complex Structure
The structure of ICS is generally more complex compared to IT environments, presenting more attack surfaces. A typical ICS environment generally includes the following components: controllers (PLC, CNC lathes, DCS), SCADA systems, industrial computers, industrial software, HMI, networks, switches, routers, industrial databases, etc. Any issue or component failure could potentially lead to an attack on the entire ICS.
Hosts and Devices
Authentication and Authorization
For convenience in daily use, important control systems may not have passwords set, or may have weak passwords or shared passwords, with passwords posted on-site, making these “conveniences” significantly easier for attackers to exploit.
Antivirus Software
Failure to install antivirus software, timely update virus definitions, and use of unlicensed software, etc.
Obsolete Operating Systems
In today’s factory environments, the use of an increasing number of computer systems is evident; however, the update cycles for industrial control systems are much longer than for IT systems, resulting in many outdated computer systems in ICS, such as Windows XP, Windows 2003, which have numerous high-risk vulnerabilities that can be exploited.
Default Configurations
Many factories use default passwords, paths, and leave unnecessary and unsafe ports and services enabled during equipment installation.
Offline Device Management
For offline devices, they are often considered safe, neglecting network security protection measures. However, with the advancement of enterprise digitalization or when network connections are needed for business purposes, such devices may become weak points and gaps in the security system.
Physical Protection
Hardware Debugging Interfaces
The racks of important control systems are not locked, or exposed debugging interfaces are not effectively protected.
Physical Ports
Insufficient management or disabling of common interfaces such as IPCs, USBs, PS/2, etc., may pose risks of unauthorized device access, leading to virus infections or unauthorized program modifications.
Access by External Personnel
Control over personnel entering and exiting the workshop is lax, particularly for external personnel such as suppliers.
The vulnerabilities summarized above that can be exploited by attackers should be monitored by enterprises according to their business characteristics, taking short-term compensatory measures for high-risk vulnerabilities and gradually establishing a security management system for ICS that develops in tandem with business and production according to long-term business and digital development plans.
Source: PwC, references omitted for article formatting.
• end •
Statement: This article is reposted by the Industrial Security Industry Alliance WeChat public platform (WeChat ID: ICSISIA). If there are copyright issues, please contact for removal.

If you need cooperation or consultation, please contact the secretary of the Industrial Security Industry Alliance WeChat ID:ICSISIA20140417
Recommended Reads
Attention | 17 security standards listed! The Ministry of Public Security released public safety industry standards (2019)Delivery | Promoting enterprises to enhance intrinsic safety levels through technological transformation; the State Grid released ten key tasks for “Digital New Infrastructure”; the first industrial internet industry talent evaluation standard releasedMember Dynamics | Hengli: The microkernel industrial operating system launched has passed expert reviewReview | Top ten cybersecurity incidents in the first half of 2020Notice | Notice on selecting supporting institutions for the national industrial information security monitoring and early warning network construction (2020-2021)Information Security Standard Committee: Public solicitation of opinions on the project establishment suggestions for two national standards including “Information Security Technology – Implementation Specifications for Information Security Protection of Industrial Control Systems”Attention | Building trusted and secure infrastructure! Beijing released the 2020-2022 New Infrastructure Action PlanControl Topic | Jointly build an industrial security ecosystem to fully safeguard the construction of a strong countryImportant | Introduction of new member units of the Industrial Control System Information Security Industry Alliance (ICSISIA)Public Welfare Lecture | The “Smart City” series of live courses are coming soon~Security Micro Interview | He Youming: The development of the industrial information security market will present six major trendsSubstantial Content | Analysis and application of network security protection technology for online monitoring devices in power systemsPetrochemical | The application practice of domestic intelligent control systems in the chemical industryRecommended Read | Industrial internet security issues need to be addressed urgentlyOverview | Top 10 most concerned industrial security issues in MayExpert Recommendations: After the integration of oil and gas pipelines, more attention should be paid to network security of control systemsAutomotive Industry Season | Zhao Jian: Views on the safety of intelligent connected vehiclesRecommended Read | Understanding the national grid strategic system in one pictureExclusive | Han Mingchang: Integration, intelligence, focus – empowering industrial security (with full PPT)Important | The live page for the 2020 Industrial Security Conference (ICSISIA Youth Technology Forum) is now online!Information Security Standard Committee: Soliciting opinions on the national standard project for “Information Security Technology – Implementation Specifications for Information Security Protection of Industrial Control Systems”Two Sessions Delivery | The State Grid has received a significant increase in attack alerts, necessitating accelerated localization of equipment to ensure energy network securityWhite Paper | Security requirements and architecture white paper for smart cities with 5GExclusive | Yan Pei: Building a self-reliable protective system to safeguard the transformation and upgrading of industrial production (with full PPT)Academician Talks | Qian Feng: Empowering process manufacturing with artificial intelligenceTwo Sessions on Security | Summary of proposals on “Industrial Internet Security”, “Data Security”, “Vehicle Network Security”, and “Network Security”Attention | 15 security projects listed! The Ministry of Industry and Information Technology announced key technology and platform innovation projects for the Internet of Things in 2019Automotive Industry Season | Sun Yaping: Focusing on key business security, strengthening data protection, and building an information security protection system for automotive controlTwo Sessions on Security | Summary of proposals on “Network Security” and “Information Security”