May 16, 2020

ICS SCADA Use cases

By venkat


Use Cases

  1. Infiltration of Malware via Removable Media and External Hardware
  2. Malware Infection via Internet and Intranet
  3. Human Error and Sabotage
  4. Compromising of Extranet and Cloud Components
  5. Social Engineering and Phishing
  6. (D)Dos Attacks
  7. Control Components Connected to the Internet
  8. Intrusion via Remote Access
  9. Technical Malfunctions and Force Majeure
  10. Compromising of Smartphones in the Production Environment
  11. Unusually heavy network traffic
  12. Significantly reduced free disk space
  13. Unusually high CPU usage
  14. Creation of new user accounts
  15. Attempted use of administrator accounts
  16. Locked-out accounts
  17. Cleared log files
  18. Full log files with an unusually large number of events
  19. Antivirus or IDS alerts
  20. Disabled antivirus and other security controls
  21. Unexpected patch changes
  22. Machines or intelligent field devices connecting to
  23. Requests for information about the system
  24. Unexpected changes in configuration settings
  25. Unexpected system shutdown
  26. Stoppage or displayed error messages on a web, database, or application server
  27. Unusually slow access to hosts on the network
  28. Filenames containing unusual characters or new or unexpected files and directories
  29. Auditing configuration
  30. A large number of bounced e-mails with suspicious content
  31. Unusual deviation from typical network traffic flows
  32. Erratic ICS equipment behavior
  33. Override of safety, backup, or failover systems
  34. Equipment, servers, or network traffic that has bursts of temporary high usage.
  35. Unknown or unusual traffic from corporate or other network external to control systems network
  36. Unknown or unexpected firmware pulls or pushes.

Typical Manufacturing use cases

  1. Use of Windows XP in Manufacturing
  2. Malicious Autorun.inf detections
  3. Prevalence of Downad in Manufacturing
  4. Data exchange via USB between IT and OT
  5. PlugX and Ransomware on Manufacturing Network
  6. Targeted ransomware
  7. mining campaigns
  8. Equation tools weaponized to distribute coin miner
  9. Equation tools
  10. Coin Miners
  11. APT tools For Coin mining and Ransom
  12. Unintentional leaks due to poor configuration
  13. Malicious CAD files
  14. Use of older version of Microsoft Office
  15. Distribution of Confidential information
  16. Distribution of leaked CAD files
  17. Counterfeit products issue
  18. Exposed ICSs
  19. SCADA 0days dealt on the Underground
  20. PLC password crackers sold online on the underground
  21. Industrial equipment purchase request
  22. Shodan Shop with Industrial Section


BSI Publications on Cyber-Security | Industrial Control System Security – Top 10 Threats and Countermeasures

Latest Threats / Use cases
https://www.securityweek.com/seven-ransomware-families-target-industrial-software – Important

Process Kill lists

CSA Alerts
https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF – Dovorub

Basics – Joe Weiss – Purdue model

Basics – Approach



March 13, 2020: Initial Version