
14.1 Threats in OT Environments

The previous chapter covered general network attacks: SYN floods, ARP poisoning, MAC flooding. OT networks face those same attacks plus a category of threats that target physical processes. Unlike IT attacks that steal data, OT attacks cause equipment damage, safety incidents, and production outages.

OT systems offer high impact (disrupting a power grid has immediate consequences), poor security posture (many systems have no authentication), long lifecycles (vulnerabilities persist for years), and increasing connectivity (IT/OT convergence exposes previously isolated systems).

Stuxnet — Anatomy of a Cyber-Physical Attack


Stuxnet (discovered 2010) was the first known malware designed to damage physical equipment. Understanding its technical details reveals how sophisticated OT attacks operate.

Stuxnet spread via USB drives, exploiting a Windows zero-day vulnerability in the .lnk file handler. When a user inserted an infected USB drive, Windows Explorer rendered the malicious .lnk file, which executed the Stuxnet dropper without any user interaction. It also spread via network shares and the Windows Print Spooler service. Stuxnet used four separate zero-day exploits, an unprecedented number for a single piece of malware.

Stuxnet did not attack every system it infected. It searched for a specific configuration: Siemens STEP 7 software communicating with S7-315 and S7-417 PLCs controlling Siemens frequency converters (manufactured by Fararo Paya and Vacon) operating between 807 Hz and 1210 Hz. This frequency range matched the uranium enrichment centrifuges at the Natanz facility in Iran.

Once Stuxnet identified the target configuration, it performed two actions simultaneously:

  1. Modified centrifuge speeds: it periodically changed the frequency converter output from the normal 1064 Hz to either 1410 Hz (overspeed) or 2 Hz (near-stop), causing mechanical stress that destroyed centrifuge bearings over weeks
  2. Replayed normal data to SCADA: it recorded 21 seconds of normal sensor readings and replayed them to the SCADA system while the attack was active, so operators saw normal centrifuge speeds on their screens

Stuxnet destroyed approximately 1,000 centrifuges while operators believed the process was running normally.
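Stuxnet's replay trick leaves a fingerprint a historian or monitoring host can look for: genuine sensor readings carry noise and never repeat a 21-second window value for value. The check below is an added example, not code from the original page or from any Stuxnet analysis; the telemetry it scans is constructed (distinct readings around 1064 Hz with a recorded capture looped back into the stream), and the 1 Hz sampling rate and window length are assumptions.

```python
import random

def detect_replay(samples, max_period=30, min_repeats=3):
    """Scan a telemetry series for a block of `period` consecutive samples that
    repeats back-to-back at least `min_repeats` times. Returns (start, period,
    repeats) for the first hit, else None. Genuine sensor readings carry noise,
    so an exact repeat of a multi-second window is a replay signature, not a
    process condition."""
    n = len(samples)
    for period in range(2, max_period + 1):
        for start in range(n - period * min_repeats + 1):
            block = samples[start:start + period]
            repeats = 1
            while samples[start + repeats * period:
                          start + (repeats + 1) * period] == block:
                repeats += 1
            if repeats >= min_repeats:
                return start, period, repeats
    return None

def build_sample_stream(seed=7):
    """Constructed 1 Hz speed telemetry, not plant data: 150 distinct readings
    near 1064 Hz, with a 21-second capture spliced in at index 100 and looped
    four times, the way Stuxnet fed recorded values to the SCADA display."""
    rng = random.Random(seed)
    normal = [v / 100 for v in rng.sample(range(106250, 106551), 150)]
    capture = normal[40:61]                  # 21 genuine seconds, recorded
    return normal[:100] + capture * 4 + normal[100:]
```

On the constructed stream the scan reports the splice at index 100 with a 21-sample period repeated four times; the unmodified first 100 readings produce no hit.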

Industroyer / CrashOverride — Attacking the Power Grid


Industroyer (2016) targeted the Ukrainian power grid. Unlike Stuxnet, which modified PLC code, Industroyer spoke the native protocols of power grid equipment and sent legitimate commands to open circuit breakers.

Industroyer included modules for four industrial protocols:

| Protocol | Standard | Industroyer module |
|---|---|---|
| IEC 60870-5-101 | Serial telecontrol | Sent control commands over serial links |
| IEC 60870-5-104 | TCP/IP telecontrol | Sent control commands over TCP/IP |
| IEC 61850 | Substation automation | Sent GOOSE messages to trip breakers |
| OPC DA | Data access | Enumerated OPC servers for reconnaissance |

The IEC 61850 module was particularly dangerous. It crafted GOOSE (Generic Object Oriented Substation Event) messages, which are Layer 2 multicast frames that protection relays trust implicitly. A single forged GOOSE message opens a circuit breaker, disconnecting a section of the power grid.

The Industroyer intrusion unfolded in six stages:

  1. Initial compromise via spear-phishing email to the IT network
  2. Lateral movement from IT to OT through a poorly segmented boundary
  3. Reconnaissance: enumerated OPC servers to map the substation topology
  4. Payload delivery: deployed protocol-specific modules to each target
  5. Execution: sent open-breaker commands via IEC 104 and GOOSE simultaneously
  6. Persistence: deployed a wiper to destroy evidence and prevent remote recovery

The attack caused a power outage affecting 230,000 customers for approximately one hour.
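A GOOSE publisher increments stNum on every state change and restarts sqNum at 0, then steps sqNum by one on each retransmission of the same state, so a forged trip frame sits out of sequence with the genuine relay's stream. The monitor below is an added example, not code from the page or from the original malware analyses: the parser handles untagged Ethernet frames and skips fields it does not read by their BER length, the frames, MAC addresses and goID are constructed, and the three baseline rules are a simplification of what a production monitor would enforce (no timeAllowedtoLive or timestamp checks).

```python
def ber_len(buf, i):
    """BER length at buf[i], short or long form; returns (length, next index)."""
    n = 0 if buf[i] < 0x80 else buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big") if n else buf[i], i + 1 + n

def parse_goose(frame):
    """Pull source MAC, goID, stNum and sqNum out of an untagged GOOSE frame."""
    if frame[12:14] != b"\x88\xb8" or frame[22] != 0x61:   # EtherType, goosePDU tag
        raise ValueError("not a GOOSE frame")
    pdu_len, i = ber_len(frame, 23)    # past Ethernet header, APPID, length, reserved
    end, out = i + pdu_len, {"src": frame[6:12].hex(":")}
    while i < end:                     # walk the context-specific TLVs, skip by length
        tag, (length, i) = frame[i], ber_len(frame, i + 1)
        if tag == 0x83:                # goID
            out["goID"] = frame[i:i + length].decode("ascii")
        elif tag in (0x85, 0x86):      # stNum, sqNum
            out["stNum" if tag == 0x85 else "sqNum"] = int.from_bytes(frame[i:i + length], "big")
        i += length
    return out

def build_goose(src, go_id, st_num, sq_num):
    """Constructed test frame (not a capture) carrying only the fields the checker reads."""
    body = bytes([0x83, len(go_id)]) + go_id.encode("ascii")
    body += bytes([0x85, 4]) + st_num.to_bytes(4, "big") + bytes([0x86, 4]) + sq_num.to_bytes(4, "big")
    pdu = bytes([0x61, len(body)]) + body
    eth = bytes.fromhex("010ccd010001") + bytes.fromhex(src.replace(":", ""))  # dst, src
    return eth + b"\x88\xb8\x00\x01" + (8 + len(pdu)).to_bytes(2, "big") + bytes(4) + pdu

def check_goose_sequence(frames):
    """Alert on frames that break the publisher's progression: stNum only rises, a new
    state starts at sqNum 0, and repeats of one state step sqNum by exactly one."""
    baseline, alerts = {}, []
    for n, f in enumerate(map(parse_goose, frames)):
        last, found = baseline.get(f["goID"]), []
        if last:
            if f["stNum"] < last["stNum"]:
                found.append((n, "stNum went backwards"))
            elif f["stNum"] > last["stNum"] and f["sqNum"] != 0:
                found.append((n, "new state did not start at sqNum 0"))
            elif f["stNum"] == last["stNum"] and f["sqNum"] != last["sqNum"] + 1:
                found.append((n, "sqNum did not increment by one"))
        alerts += found
        if not found:                  # suspect frames never become the trusted baseline
            baseline[f["goID"]] = f
    return alerts

PUB, ROGUE = "00:1b:19:00:00:01", "00:50:56:aa:bb:cc"   # constructed MACs: relay, injector
SAMPLE_FRAMES = [build_goose(PUB, "SubA/CB1", 4, 0), build_goose(PUB, "SubA/CB1", 4, 1),
                 build_goose(ROGUE, "SubA/CB1", 5, 7),   # injected trip, out of sequence
                 build_goose(PUB, "SubA/CB1", 4, 2), build_goose(PUB, "SubA/CB1", 5, 0)]
```

Running check_goose_sequence(SAMPLE_FRAMES) flags only frame 2 (a new stNum that did not start at sqNum 0); because flagged frames never update the baseline, the relay's own continuation at (4, 2) and its later real state change at (5, 0) pass cleanly.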

TRITON / TRISIS — Targeting Safety Systems


TRITON (2017) targeted SIS (Safety Instrumented Systems), specifically the Schneider Electric Triconex controller at a petrochemical facility in Saudi Arabia.

A SIS monitors process conditions (temperature, pressure, flow) and triggers emergency shutdowns when conditions exceed safe limits. It operates independently from the process control system. If the process controller fails or is compromised, the SIS is the last line of defense against a catastrophic event (explosion, toxic release, equipment destruction).

Disabling a SIS does not cause immediate harm. It removes the safety net. The attacker then manipulates the process (via the compromised control system) beyond safe limits, and the SIS does not intervene. The result is a physical event: an explosion, a chemical release, or equipment destruction.

TRITON injected malicious code into the Triconex controller’s firmware. The code was designed to disable the safety logic while keeping the SIS in a “running” state so operators would not notice. A bug in the malicious code caused the Triconex controller to enter a safe state (emergency shutdown), which alerted operators and led to the discovery of the attack.

Attackers reach OT networks through specific entry points. Understanding these vectors guides defensive priorities.

Engineering workstations run Windows, connect to both IT and OT networks, and have programming access to PLCs. Compromising one workstation gives the attacker the ability to read and modify PLC programs, upload malicious firmware, and access every device the engineer can reach.

Stuxnet demonstrated the removable-media vector. An attacker leaves infected USB drives in parking lots, break rooms, or vendor areas. A single curious employee who plugs one into an engineering workstation compromises it.

In a supply-chain attack, the attacker compromises a vendor’s software update mechanism. When the plant downloads and installs the update, the malicious code enters the OT network through a trusted channel. The SolarWinds attack (2020) demonstrated this vector at scale.

Remote access is another entry point. VPN credentials stolen via phishing or credential stuffing give the attacker direct access to the OT network. Many OT environments have vendor remote-access connections that remain active 24/7 with shared credentials.

Modbus was designed in 1979 for serial communication between a single master and its slaves in a physically isolated environment. It has no concept of authentication, encryption, or authorization. Any device that can send a TCP packet to port 502 can read any register and write any value.

The following script demonstrates this by reading holding registers from a Modbus TCP server. In a real OT environment, this reads live process data (temperatures, pressures, setpoints) without any credentials.

```python
from pymodbus.client import ModbusTcpClient

# Lab PLC address; Modbus/TCP listens on port 502 by default
client = ModbusTcpClient("192.168.10.100", port=502)
if not client.connect():
    raise SystemExit("could not reach the Modbus server")

# Read 10 holding registers starting at address 0 (no credentials needed)
result = client.read_holding_registers(address=0, count=10, slave=1)
if not result.isError():
    for i, val in enumerate(result.registers):
        print(f"Register {i}: {val}")

# Write a value to register 0 (no credentials needed)
# WARNING: This changes a live process value. Lab use only.
# client.write_register(address=0, value=100, slave=1)

client.close()
```

The read operation succeeds without any authentication. The commented write operation would change a live process value. In a real plant, register 0 might control a valve position, a motor speed, or a temperature setpoint. An attacker who reaches port 502 controls the process.

This is why network segmentation (Chapter 14.2) is the primary defense for OT networks. If the attacker cannot reach port 502, the lack of authentication does not matter.

OT attacks cause physical damage

Stuxnet destroyed centrifuges. Industroyer caused power outages. TRITON attempted to disable safety systems. OT security is safety.

Modbus has zero authentication

Any device that reaches port 502 reads and writes PLC registers. Segmentation is the only defense.

SIS is the last line of defense

A compromised SIS removes the safety net. Isolate safety systems on dedicated VLANs with no routing to other zones.

Understanding the threats is the first step. Defending against them requires network segmentation: isolating zones so that a compromise in one area does not spread. The next chapter covers DMZ architecture, firewall rules, data diodes, and VLAN segmentation for OT networks.
