Information Security in Industrial Control Systems

Quoted from: “Intelligent Manufacturing Information Security Technology” (Authors: Qin Zhiguang, Nie Xuyun, Qin Zhen)


1. Overview of Industrial Control Systems

Industrial Control Systems (ICS) is a collective term for the various types of control systems used in industry, including supervisory control and data acquisition (SCADA) systems and distributed control systems. With the continuous development of the Internet, the deep integration of information technology with industrialization has become an inevitable trend, and the threats faced by industrial control systems have grown accordingly.[1] Unlike traditional information systems, an ICS faces not only conventional network attacks but also attacks specific to the physical layer, owing to its particular structural characteristics.

As infrastructure necessary for the normal operation of society, industrial control systems are core facilities in industries such as electricity, petroleum, natural gas, aviation, railways, transportation, and urban management, and their security is gradually receiving attention. Judged by the consequences of an attack, their destructive potential is no less than that of any traditional information system. We therefore need to build a multi-layered, defense-in-depth protective system from many angles to ensure the long-term safe operation of control systems. The network diagram of an industrial control system is shown in Figure 1.[2]


Figure 1 Network Diagram of Industrial Control Systems

2. Common Attack Methods on Industrial Control Systems

The causes of asset loss in an ICS fall mainly into five categories: first, environmental impacts such as power supply failure, adverse weather, fire, earthquakes, and typhoons; second, internal errors such as operator mistakes, software failures, and hardware aging; third, intentional internal damage such as unauthorized access, malicious destruction, and eavesdropping; fourth, external attacks such as conventional network attack methods and information warfare; and fifth, third-party causes such as system vulnerabilities and backdoors. The distribution of threats is shown in Figure 2.

Figure 2 Threat Source Distribution Diagram

Of these threat sources, the first, second, third, and fifth are not directly controllable and call for comprehensive consideration of factors such as personnel management, the choice of operating system, and the siting of the industrial control system. External personnel targeting an ICS mainly do so through network attacks. Unlike the CIA (Confidentiality, Integrity, Availability) priority order of traditional information systems, the security priority order for industrial control systems is AIC (Availability > Integrity > Confidentiality). In addition, attack methods specific to particular industrial systems exist, arising from their internal structures and network topologies and combining multiple steps and techniques.[3] Some representative attack methods are described below.

1) Replay Attacks

In a replay attack, the attacker obtains authentication credentials by network eavesdropping or other means and then resends them to the target host to deceive it. The attack is mainly aimed at the identity authentication step and is technically simple; however, because there are many ways to obtain authentication credentials, replay attacks remain relatively difficult to prevent. A replay attack is shown in Figure 3.

Figure 3 Replay Attack

As shown in Figure 3, the attacker eavesdrops on the network to obtain the authentication message “Hello, Alice,” and then replays it to the target server Alice, thereby deceiving the target host.
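An added example, not from the book, of one standard countermeasure to the attack in Figure 3: Alice issues a fresh one-time nonce for each login and the client must bind its message to that nonce with an HMAC, so a captured copy of “Hello, Alice” is rejected when resent. The shared key and the 30-second validity window are assumed values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret for the demo; a real deployment provisions a per-device key.
SHARED_KEY = b"constructed-demo-key"


def respond(nonce: bytes, msg: bytes) -> bytes:
    """Client side: bind the message to the server's fresh nonce with an HMAC."""
    return hmac.new(SHARED_KEY, nonce + msg, hashlib.sha256).digest()


class Server:
    """Alice's side: one nonce per login attempt, consumed on first successful use."""

    def __init__(self, max_age: float = 30.0):
        self.pending = {}          # nonce -> time it was issued
        self.max_age = max_age     # assumed validity window in seconds

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = time.time()
        return nonce

    def verify(self, nonce: bytes, msg: bytes, tag: bytes) -> bool:
        issued = self.pending.get(nonce)
        if issued is None:                       # never issued, or already consumed: replay
            return False
        if time.time() - issued > self.max_age:  # stale challenge
            del self.pending[nonce]
            return False
        if not hmac.compare_digest(respond(nonce, msg), tag):
            return False                         # bad tag: leave nonce pending for the real client
        del self.pending[nonce]                  # consume the nonce so a captured copy is useless
        return True


def demo() -> tuple:
    srv = Server()
    nonce = srv.challenge()
    msg = b"Hello, Alice"
    tag = respond(nonce, msg)
    first = srv.verify(nonce, msg, tag)      # genuine login: accepted
    replay = srv.verify(nonce, msg, tag)     # eavesdropper resends the same capture: rejected
    forged = srv.verify(srv.challenge(), msg, b"\x00" * 32)  # fresh nonce, wrong tag: rejected
    return first, replay, forged
```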

2) Man-in-the-Middle Attack

Unlike the previous replay attack, the Man-in-the-Middle attack is an indirect intrusion method. The attacker needs to intercept the communication information between both communicators in advance, modify the message, and finally send the modified message structure to the recipient. The attacker knows how to decrypt the communication message, and for both parties, the attacker is completely transparent; they are unaware that their communication message has been modified. Therefore, this attack method is highly destructive. A Man-in-the-Middle attack is shown in Figure 4.

Figure 4 Man-in-the-Middle Attack

Common Man-in-the-Middle attacks include but are not limited to DNS spoofing, which modifies the target domain name to the IP of another host to impersonate access; session hijacking, for example, using TCP/IP protocol vulnerabilities for Man-in-the-Middle attacks; proxy server attacks, which send the target host’s response message back to the source host to steal the message, etc. Currently, a common solution is to use encrypted communication to prevent Man-in-the-Middle attacks, such as changing HTTP to HTTPS and FTP to FTPS.

3) Remote Modification of RTU Logic

The Remote Terminal Unit (RTU) is a remote operation unit used to control PLCs. This attack method primarily targets the availability of control systems. However, typically, the RTU is located in the local area network within the network topology. Thus, to modify the RTU logic, it is necessary to disguise as legitimate traffic and bypass firewalls before successfully modifying the RTU logic (Figure 5).


Figure 5 Remote Modification of RTU Logic

4) DoS Attacks

Denial of Service (DoS) attacks are a widely used method of attacking the availability of all kinds of network servers. They target the limited resources of the server device, generating a large number of connection or service requests so that the server can no longer provide normal service. Most of these requests are illegitimate: they merely consume server resources without seeking any real service. Servers can therefore deploy firewalls that intercept illegitimate traffic based on its characteristics, achieving “traffic limiting” and so mitigating the attack. Common DoS attacks include, but are not limited to, SYN Flood (Figure 6), Ping of Death, Teardrop, UDP flood, and Land Attack. Typically, servers use firewall and intrusion detection technology to prevent DoS attacks by scrutinizing the characteristics of user traffic, admitting only users who pass the check and rejecting the rest.

Figure 6 SYN Flood

5) Zero-Day Vulnerability Attacks

Zero-day vulnerability attacks exploit vulnerabilities that have already been discovered (though possibly not disclosed) but that the vendor has not yet patched, allowing hackers to exploit them. As early as 2011, a Trojan named “Duqu” used a not-yet-fixed vulnerability in Word to attack industrial control systems. Zero-day vulnerabilities are typically found by specialized hacker organizations through vulnerability scanning or other specific techniques and sold at high prices on the black market. Currently there are no systematic preventive measures against them. In addition, because a vulnerability depends on its particular environment, some can only be used against specific operating systems or application software, so the attacker must understand the targeted system well; such attacks are therefore often accompanied by other types of attack, such as port scanning.

6) APT (Advanced Persistent Threat)

Advanced Persistent Threat (APT) was formally proposed as a term in 2006 and refers to organized, targeted, covert, highly destructive, and long-lasting new types of attacks and security threats that use advanced attack means against specific targets.[4] By severity, APTs can be roughly divided into three types: the first attacks using infectious computer viruses, worms, and the like; the second penetrates by exploiting software vulnerabilities, social-engineering emails, and so on to obtain direct benefits, with a clearer and more sustained target than the first; the third primarily targets infrastructure and the theft of sensitive intelligence, with greater strategic implications and more comprehensive and covert network attack methods.

From the lifecycle of APT, APT attacks can be divided into several stages, including intelligence collection, early penetration, implanting malicious code, privilege escalation, command and control communication, lateral penetration, resource excavation, and disappearing without a trace. The APT lifecycle is shown in Figure 7.

Figure 7 APT Lifecycle

7) SQL Injection Attacks

SQL injection is defined as: attackers insert a series of SQL statements into the application through query operations to manipulate data. Its important feature is unauthorized access and direct retrieval from a database. Essentially, it exploits the syntax processing of SQL statements inputted in web applications, targeting the lack of strict checks and processing of parameters passed to SQL statements by web application developers.

SQL injection has the following characteristics: wide application range, low technical difficulty, and significant harm. A specific example of SQL injection is shown below.

Generally, a web application has username and password parameters for user login. The program looks up the user table in the database to check whether the password matches the username. If the username is “admin” and the password is “123456”, the SQL statement is as follows:

Select * from user where username='admin' and password='123456'

If the parameters are not strictly checked and the username “admin' or 1=1 --” is supplied with the password “123456”, the SQL statement becomes:

Select * from user where username='admin' or 1=1-- and password='123456'

The condition or 1=1 is always true, and -- comments out the rest of the statement, so the statement executes successfully even though the user does not know the password.

The specific implementation process of SQL injection is shown in Figure 8.

Figure 8 SQL Injection Process

To prevent SQL injection, the usual method is to precompile the SQL statement and bind variables, that is, to use a Prepared Statement: the SQL engine performs syntax analysis and generates a syntax tree first, and the parameters supplied afterwards are treated strictly as literal values rather than as SQL syntax. In other scenarios where string concatenation is unavoidable, the string must be validated manually (for example with a regular expression), and execution must be refused in cases that could cause SQL injection.
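An added example, not from the book, that runs the login query above both ways against an in-memory SQLite table: the concatenated form accepts the “admin' or 1=1 --” username without a valid password, while the prepared-statement form with bound parameters does not. The table, its single row, and the function names are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user row, as in the book's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES ('admin', '123456')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: user input becomes part of the SQL syntax itself."""
    sql = ("Select * from user where username='" + username +
           "' and password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement: the engine parses the fixed statement first, then binds
    the values as literals, so quotes and '--' inside them carry no SQL meaning."""
    sql = "Select * from user where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    conn = make_db()
    payload = "admin' or 1=1 --"   # the injected username from the text
    return {
        "normal_login": login_vulnerable(conn, "admin", "123456"),
        "wrong_password": login_vulnerable(conn, "admin", "wrong"),
        "injection_vulnerable": login_vulnerable(conn, payload, "wrong"),
        "injection_prepared": login_prepared(conn, payload, "wrong"),
        "prepared_normal_login": login_prepared(conn, "admin", "123456"),
    }
```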

8) Port Scanning

Port scanning is a technique to probe which services a server has open to the outside. Attackers typically use it as a necessary means of information gathering. The attacker sends probe packets to the target host’s service ports and records the target host’s response to determine whether the service ports are open or closed, thus identifying the specific services or information provided by the ports. Attackers can also capture the data flowing in and out of the server to monitor its operation and collect operational information for further network attacks.

The main techniques for port scanning include TCP connect scanning, TCP SYN scanning, TCP FIN scanning, TCP ACK scanning, IP range scanning, TCP reverse ident scanning, and window scanning, among others. Different scanning techniques should be employed for different servers, and the effectiveness of scanning will vary depending on the server.

Typically, servers can prevent port scanning attacks by closing idle and potentially dangerous ports and using firewalls to block ports exhibiting scanning symptoms. Specifically, this involves using firewalls to inspect each incoming data packet to the local computer, analyzing the traffic characteristics of the packets, and rejecting dangerous traffic from entering the local server to prevent port scanning.
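An added example, not from the book, of the traffic-characteristic checks that the DoS and port-scanning passages describe: over constructed connection records it flags a source that sends an excessive burst of bare SYNs (SYN-flood symptom) and a source that touches many distinct ports in a short window (scanning symptom). The addresses, ports, thresholds and windows are assumed values.

```python
from collections import defaultdict, deque


def build_sample() -> list:
    """Constructed records (time_s, src_ip, dst_port, tcp_flags); not captured traffic."""
    recs = [(0.5, "10.0.0.5", 80, "S"), (0.6, "10.0.0.5", 80, "A"), (2.0, "10.0.0.5", 443, "S")]
    recs += [(i * 0.005, "10.0.0.9", 80, "S") for i in range(150)]        # 150 SYNs in under 1 s
    recs += [(3.0 + i * 0.1, "10.0.0.7", 1 + i, "S") for i in range(30)]  # 30 ports in 3 s
    return sorted(recs)


def syn_flood_sources(records, window: float = 1.0, threshold: int = 100) -> set:
    """Flag sources sending more than `threshold` bare SYNs within any `window` seconds."""
    recent = defaultdict(deque)   # src -> timestamps of recent SYNs
    flagged = set()
    for t, src, _port, flags in records:
        if flags != "S":          # only half-open attempts (SYN without ACK) count
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged


def port_scan_sources(records, window: float = 10.0, threshold: int = 20) -> set:
    """Flag sources touching more than `threshold` distinct ports within `window` seconds."""
    recent = defaultdict(deque)   # src -> (timestamp, port) of recent attempts
    flagged = set()
    for t, src, port, _flags in records:
        q = recent[src]
        q.append((t, port))
        while q and t - q[0][0] > window:
            q.popleft()
        if len({p for _, p in q}) > threshold:
            flagged.add(src)
    return flagged
```

A firewall rule generator would consume the returned sets; the two detectors are deliberately separate because a flood hits one port repeatedly while a scan fans out across many.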

References

[1] Xia Chunming, Liu Tao, Wang Huazhong, et al. Current Status and Development Trends of Information Security in Industrial Control Systems [J]. Information Security and Technology, 2013, 4(02): 13-18.

[2] Peng Yong, Jiang Changqing, Xie Feng, et al. Research Progress on Information Security in Industrial Control Systems [J]. Journal of Tsinghua University (Natural Science Edition), 2012, 52(10): 1396-1408.

[3] Liu Wei, Li Dong, Sun Bo. Security Analysis of Industrial Control Systems [J]. Information Network Security, 2012(08): 41-43.

[4] Chen Xingshu, Zeng Xuemei, Wang Wenxian, et al. Network Security and Intelligence Analysis Based on Big Data [J]. Engineering Science and Technology, 2017, 49(03): 1-12.
