Industrial Control System Information Security

Quoted from: “Intelligent Manufacturing Information Security Technology” (Authors: Qin Zhiguang, Nie Xuyun, Qin Zhen)

1. Overview of Industrial Control Systems

Industrial control system (ICS) is a general term for several kinds of control systems, including supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS). With the continued growth of the Internet and the deep integration of information technology with industry, interconnection between these systems has become an inevitable trend, and the threats faced by industrial control systems grow accordingly [1]. Unlike traditional information systems, ICS faces not only conventional network attacks but also, because of its structural peculiarities, targeted attack methods at the physical level.

As infrastructure essential to the normal functioning of society, industrial control systems are widely used in sectors such as power, oil, natural gas, aviation, railways, transportation, and urban management, and their security is now gradually receiving more attention. In terms of the consequences of an attack, their destructive potential is comparable to that of any traditional information system. We therefore need to build a defence-in-depth protection system from multiple angles to ensure the long-term safe operation of control systems. The network diagram of an industrial control system is shown in Figure 1 [2].


Figure 1 Network Diagram of Industrial Control Systems

2. Common Attack Methods on Industrial Control Systems

The causes of asset loss in ICS can be broadly grouped into five types. First, environmental impacts, such as power supply failures, severe weather, fire, earthquakes, typhoons, and other uncontrollable factors. Second, internal errors, such as human operational mistakes, software failures, and hardware aging. Third, internal malicious damage, such as unauthorized access, intentional sabotage, and eavesdropping. Fourth, external attacks, such as conventional network attack methods and information warfare. Fifth, third-party causes, such as system vulnerabilities and backdoors. The distribution of threats is shown in Figure 2.

Figure 2 Threat Source Distribution Map

From the perspective of threat sources, the first, second, third, and fifth categories are uncontrollable and require comprehensive consideration of many factors, such as personnel management in industrial control systems, operating system selection, and where the industrial control system is located. External attacks on ICS are mainly carried out over the network. Unlike the CIA (Confidentiality, Integrity, Availability) priority of traditional information systems, the security priority of industrial control systems is AIC: availability comes before integrity, which comes before confidentiality. In addition, because each industrial system differs in its internal structure and network topology, there are also targeted attack methods that combine multiple steps and multiple techniques [3]. Some representative attack methods are described below.

1) Replay Attacks

A replay attack is one in which an attacker obtains authentication credentials through network eavesdropping or other means and then sends those same credentials to the target host to deceive the system. It is mainly used against identity authentication and is relatively simple in itself. However, because there are many ways to obtain authentication credentials, replay attacks remain relatively difficult to prevent, as shown in Figure 3.

Figure 3 Replay Attack

As shown in Figure 3, the attacker eavesdrops on the authentication message “Hello, Alice” and then repeatedly sends it to the target server Alice, successfully deceiving the target host.
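The scenario in Figure 3 only works because the captured message is valid every time it is presented. The following added example (not from the book) shows one standard defence: Bob's message carries a fresh nonce and a timestamp under an HMAC, and Alice remembers nonces for a short window, so the eavesdropper's identical copy is rejected as a replay. The shared key, the 30-second window and the message layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

SECRET = b"example-shared-key"  # constructed; in practice provisioned out of band
WINDOW_SECONDS = 30             # allowed drift between message timestamp and receiver clock


def make_auth_message(sender, nonce=None, now=None):
    """Client (Bob): fresh nonce and timestamp, both covered by the HMAC."""
    nonce = nonce if nonce is not None else os.urandom(16).hex()
    ts = int(time.time() if now is None else now)
    body = f"{sender}|{ts}|{nonce}"
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class Verifier:
    """Server (Alice): accepts each nonce once, and only while its timestamp is fresh."""

    def __init__(self):
        self.seen = {}  # nonce -> timestamp, pruned once outside the window

    def verify(self, message, now=None):
        now = int(time.time() if now is None else now)
        try:
            sender, ts_str, nonce, tag = message.split("|")
            ts = int(ts_str)
        except ValueError:
            return False, "malformed"
        body = f"{sender}|{ts}|{nonce}"
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # any tampered field fails here
            return False, "bad mac"
        if abs(now - ts) > WINDOW_SECONDS:          # too old to be a live login
            return False, "stale"
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= WINDOW_SECONDS}
        if nonce in self.seen:                       # same credential seen before: replay
            return False, "replay"
        self.seen[nonce] = ts
        return True, "ok"


def demo():
    """Bob logs in once; the eavesdropper resends the identical message 5 s later."""
    alice = Verifier()
    msg = make_auth_message("Bob", nonce="constructed-nonce", now=1000)
    return alice.verify(msg, now=1000), alice.verify(msg, now=1005)
```

The nonce cache is what stops a replay inside the freshness window; the timestamp check is what lets the cache stay small.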

2) Man-in-the-Middle Attack

Unlike the replay attack above, the Man-in-the-Middle (MITM) attack is an indirect intrusion method: the attacker first intercepts the communication between two parties, modifies the messages, and then forwards the modified messages to the recipient. Because the attacker knows how to decrypt the communication, the attack is completely transparent to both parties, who remain unaware that their messages have been altered. This type of attack is therefore extremely destructive. The Man-in-the-Middle attack is illustrated in Figure 4.

Figure 4 Man-in-the-Middle Attack

Common types of Man-in-the-Middle attack include, but are not limited to, DNS spoofing, in which the target domain name is resolved to the IP address of another host to forge its identity; session hijacking, in which the attacker exploits weaknesses in the TCP/IP protocols to insert themselves into the session; and proxy server attacks, in which the target host's responses are relayed to the source host through the attacker so that the messages can be stolen. The common countermeasure today is encrypted communication, such as replacing HTTP with HTTPS and FTP with FTPS.

3) Remote Modification of RTU Logic

A Remote Terminal Unit (RTU) is used for remote operation of PLCs. This type of attack mainly targets the availability of the control system. Normally, however, the RTU sits inside a local area network in the network topology, so to modify the RTU logic the attacker must disguise the traffic as legitimate in order to pass the firewall before the RTU logic can be modified (Figure 5).


Figure 5 Remote Modification of RTU Logic

4) DoS Attack

A Denial of Service (DoS) attack is a widely used attack on the availability of all kinds of network servers. It targets the limited resources of the server by sending a large number of connection requests, leaving the server unable to provide normal service. Most of these requests are illegitimate and serve only to consume server resources rather than to obtain a regular service. Servers can therefore configure firewalls to recognize the characteristics of such traffic and intercept it automatically, achieving “rate limiting” and avoiding the attack. Common DoS attacks include, but are not limited to, SYN flood (Figure 6), Ping of Death, Teardrop, UDP flood, and Land attack. Servers typically use firewall and intrusion detection technology to prevent DoS attacks by examining the traffic characteristics of connecting users, allowing only those who pass the “review” to access the service and denying the rest.

Figure 6 SYN Flood

5) Zero-Day Vulnerability Attack

A zero-day vulnerability attack exploits a vulnerability that has been discovered (though possibly not yet disclosed) but not yet patched by the vendor. As early as 2011, the “Duqu” Trojan used an unpatched vulnerability in Word to attack industrial control systems. Zero-day vulnerabilities are typically found by specialized hacker organizations through vulnerability scanning or other specific means and sold at high prices on the black market. At present there are no systematic, targeted preventive measures. Because of the specific environment a vulnerability depends on, a given vulnerability can often only attack a particular operating system or application, so the attacker needs a thorough understanding of the target system, and such attacks are usually accompanied by other types of attack, such as port scanning.

6) APT (Advanced Persistent Threat)

The Advanced Persistent Threat (APT) was formally proposed in 2006 and refers to an organized, targeted, covert, highly destructive, and sustained new type of attack and security threat in which an organization or small group uses advanced attack methods against specific targets [4]. The level of threat can generally be divided into three types: the first involves retaliatory attacks using infectious computer viruses, worms, and the like; the second uses software vulnerabilities or social-engineering emails for infiltration attacks that directly obtain benefits, with more precise and more sustained targeting than the first type; the third mainly targets infrastructure and the theft of sensitive information, has greater strategic significance, and uses more comprehensive and covert cyber attack methods.

Viewed over its lifecycle, an APT attack can be divided into several stages: intelligence gathering, initial infiltration, implanting malicious code, privilege escalation, command-and-control communication, lateral movement, resource exploitation, and disappearing without a trace. The APT lifecycle is shown in Figure 7.

Figure 7 APT Lifecycle

7) SQL Injection Attack

SQL injection is defined as follows: an attacker inserts SQL statements into an application through a query operation in order to manipulate data. Its key feature is unauthorized access to, and direct retrieval from, a database. The essence of SQL injection is to take advantage of the way SQL statements entered in web applications are parsed, targeting web applications whose developers fail to strictly check and sanitize the parameters passed into SQL statements. Programs or websites that contain SQL injection points are habitually said to have SQL injection vulnerabilities.

SQL injection has the following characteristics: wide applicability, low technical difficulty, and high destructiveness. A specific example of SQL injection follows.

Generally, a web application takes two parameters for user login: username and password. The program looks up the user table in the database to check whether the password matches the username. If the username is “admin” and the password is “123456”, the SQL statement is as follows:

Select * from user where username='admin' and password='123456'

If the parameters are not strictly checked and the username and password entered are “admin' or 1=1 --” and “123456”, the SQL statement becomes:

Select * from user where username='admin' or 1=1 -- and password='123456'

The condition “or 1=1” is always true, and “--” comments out the rest of the statement, so the query succeeds even though the user does not know the password.

The specific implementation process of SQL injection is shown in Figure 8.

Figure 8 SQL Injection Process

To prevent SQL injection, the usual approach is prepared statements with bound variables (Prepared Statement): the SQL engine parses the statement template first and builds its syntax tree, and the parameters bound afterward are treated purely as string values, so they cannot change the structure of the statement. In other scenarios where string concatenation cannot be avoided, the strings must be checked manually (for example with regular expressions) and any input that could cause SQL injection must be rejected before execution.
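The login example and the prepared-statement fix above, run side by side against a constructed SQLite table (added example, not code from the book). The table contents and the `hunter2` second account are constructed for the demonstration; the payload is the one the text already shows.

```python
import sqlite3


def build_db():
    """Constructed in-memory user table standing in for the web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("admin", "123456"), ("smith", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern from the text: user input is spliced into the SQL text,
    so a quote in the username ends the string literal and the rest is parsed as SQL."""
    sql = (f"SELECT * FROM user WHERE username='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn, username, password):
    """Prepared statement: the template is parsed first, and the bound values can
    only ever be compared as strings, never re-parsed as SQL."""
    sql = "SELECT * FROM user WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare_logins(username, password):
    """Return (vulnerable_result, prepared_result) for one credential pair."""
    conn = build_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_prepared(conn, username, password))
    finally:
        conn.close()
```

With the username `admin' or 1=1 --` and a wrong password, the concatenated query still returns a row while the prepared one does not, because the bound value is compared as a literal username that exists in no row.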

8) Port Scanning

Port scanning is a technique for probing which services a server exposes to the outside. Attackers usually use it as an essential means of information gathering: they send probe packets to the service ports of the target host and record the responses to determine whether each port is open or closed, and thus discover the specific services or information the ports provide. Attackers can also capture the data flowing in and out of the server to monitor its operation and collect information for further network attacks.

The main port scanning techniques include TCP connect scanning, TCP SYN scanning, TCP FIN scanning, TCP ACK scanning, IP range scanning, TCP reverse ident scanning, and TCP window scanning. Different scanning techniques suit different servers, and the effectiveness of a scan varies with the server.

Typically, servers defend against port scanning by closing idle and potentially dangerous ports and by using firewalls to block connections that show scanning symptoms. Specifically, the firewall inspects each packet arriving at the local machine, analyzes its traffic characteristics, and refuses dangerous traffic entry to the local server, thereby preventing port scanning.
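What "scanning symptoms" look like in practice is one source touching many distinct ports on one host in a short time. The following added example (not from the book) runs that detection over constructed firewall log lines in an assumed `<epoch> <src> -> <dst>:<port> <action>` format; the hosts, ports and the 5-ports-in-60-seconds threshold are assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed firewall log (not from the page): one ICS host probed on several ports.
SAMPLE_LOG = """\
1000 10.0.0.5 -> 192.168.1.10:502 ACCEPT
1001 10.0.0.5 -> 192.168.1.10:502 ACCEPT
1002 10.0.0.9 -> 192.168.1.10:21 DROP
1002 10.0.0.9 -> 192.168.1.10:22 DROP
1003 10.0.0.9 -> 192.168.1.10:23 DROP
1003 10.0.0.9 -> 192.168.1.10:80 DROP
1004 10.0.0.9 -> 192.168.1.10:102 DROP
1004 10.0.0.9 -> 192.168.1.10:443 DROP
1005 10.0.0.9 -> 192.168.1.10:502 ACCEPT
1400 10.0.0.9 -> 192.168.1.10:20000 DROP
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return int(ts), src, dst_ip, int(dst_port), action


def detect_scanners(log_text, window=60, port_threshold=5):
    """Flag (src, dst) pairs where the source hits at least `port_threshold`
    distinct destination ports within any `window`-second span. Returns the
    pair -> number of distinct ports seen in the first span that crossed the line."""
    events = defaultdict(list)  # (src, dst_ip) -> [(ts, port), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, port, _ = parse_line(line)
        events[(src, dst_ip)].append((ts, port))

    alerts = {}
    for key, hits in events.items():
        hits.sort()  # sliding window over time-ordered probes
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= port_threshold:
                alerts[key] = len(ports)
                break
    return alerts
```

On the sample, 10.0.0.5 repeatedly using port 502 is normal traffic and is not flagged, while 10.0.0.9 sweeping seven ports within a few seconds is; the lone probe at 1400 falls outside the window and does not count.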

References

[1] Xia Chunming, Liu Tao, Wang Huazhong, et al. Current Status and Development Trends of Industrial Control System Information Security [J]. Information Security and Technology, 2013, 4(02): 13-18.

[2] Peng Yong, Jiang Changqing, Xie Feng, et al. Research Progress on Industrial Control System Information Security [J]. Journal of Tsinghua University (Natural Science Edition), 2012, 52(10): 1396-1408.

[3] Liu Wei, Li Dong, Sun Bo. Security Analysis of Industrial Control Systems [J]. Information Network Security, 2012(08): 41-43.

[4] Chen Xingshu, Zeng Xuemei, Wang Wenxian, et al. Network Security and Intelligence Analysis Based on Big Data [J]. Engineering Science and Technology, 2017, 49(03): 1-12.
