This chapter covers Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) security threats, a critical topic for the SY0-701 exam under Objective 2.3 (Given a scenario, analyze potential indicators associated with application attacks). ICS and SCADA systems control critical infrastructure like power grids, water treatment, and manufacturing. Understanding these threats is essential because attacks on these systems can cause physical damage, safety hazards, and widespread disruption. This chapter will explain the unique characteristics of ICS/SCADA, common vulnerabilities, attack vectors, and how to recognize indicators of compromise.
Jump to a section
Imagine a massive hydroelectric dam that supplies power to a region. The dam has a control room with a Human-Machine Interface (HMI) that operators use to monitor water levels, open spillways, and adjust turbine speeds. This HMI communicates with Programmable Logic Controllers (PLCs) that physically control valves and gates. Now imagine an attacker gains remote access to the control room network. They don't need to touch the physical valves—they can send a command through the HMI to the PLC that controls the main spillway, instructing it to open fully. The PLC, trusting the command because it came from the HMI (which it considers authoritative), obeys instantly. The result: catastrophic flooding downstream. This is exactly how ICS/SCADA attacks work. The HMI is the operator's window, but if compromised, it becomes the attacker's weapon. The PLC is a simple, deterministic device that does exactly what it's told—no authentication, no sanity checks. In IT security, we worry about data confidentiality; in ICS, the primary concern is safety and availability. A corrupted sensor reading (e.g., showing low water level when it's actually high) can cause operators to make deadly decisions. The analogy drives home that ICS security is about preventing unauthorized commands and ensuring sensor integrity, not just protecting data.
What are ICS and SCADA?
Industrial Control Systems (ICS) is a general term that encompasses various types of control systems used in industrial production and critical infrastructure. The most common are Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCS). SCADA systems are used to monitor and control geographically dispersed assets, such as pipelines, power grids, and water distribution networks. DCS are used for processes within a single facility, like a chemical plant or refinery. Both rely on a combination of hardware and software to provide real-time data and control.
How ICS/SCADA Works Mechanically
At the core of any ICS are field devices like sensors and actuators, which are controlled by Programmable Logic Controllers (PLCs) or Remote Terminal Units (RTUs). These devices communicate with a central control server via protocols such as Modbus, DNP3, or IEC 60870-5-104. Operators interact with the system through a Human-Machine Interface (HMI), which displays data and allows commands to be sent. The architecture typically includes:
Field Level: Sensors, actuators, PLCs, RTUs
Control Level: HMIs, engineering workstations, historians
Network Level: Routers, switches, firewalls, sometimes connecting to corporate IT networks
A typical command flow: Operator clicks 'Open Valve 5' on HMI → HMI sends Modbus write command to PLC → PLC changes its output to energize the valve actuator → valve opens. The PLC then sends back a confirmation that the valve is open. This is a simple, deterministic process with minimal security built in.
Key Components, Variants, and Standards
- PLCs and RTUs: Ruggedized computers designed for real-time control. They run firmware and logic programs (ladder logic). - HMI: Software that provides a graphical view of the process. - Historians: Databases that log process data over time. - Communication Protocols: - Modbus (TCP port 502): Simple, widely used, no authentication by default. - DNP3 (TCP port 20000): Used in electrical utilities, supports authentication but often not enabled. - IEC 61850: Substation automation standard. - PROFIBUS/PROFINET: Factory automation. - Standards: - ISA/IEC 62443: International standard for industrial cybersecurity. - NIST SP 800-82: Guide to ICS security. - NERC CIP: North American Electric Reliability Corporation Critical Infrastructure Protection (mandatory for bulk power systems).
How Attackers Exploit ICS/SCADA
Attackers target ICS for espionage, sabotage, or ransom. The attack path often begins in the IT network, then pivots to the OT (Operational Technology) network. Common techniques:
Initial Access: Phishing, exploiting internet-facing HMI/engineering workstations, or compromising VPN connections.
Lateral Movement: Using stolen credentials or exploiting trust relationships between IT and OT networks.
Discovery: Scanning for PLCs/RTUs using Shodan or custom scripts.
Command and Control: Using Modbus or DNP3 to send malicious commands.
Impact: Altering setpoints, opening/closing breakers, disabling safety alarms.
Well-known attacks: - Stuxnet (2010): Targeted Siemens S7-300 PLCs, altered centrifuge speeds while replaying normal sensor data. - Ukraine Power Grid (2015): Attackers used spear-phishing to gain access, then used HMI to open breakers, causing widespread blackouts. - Triton (2017): Targeted Schneider Electric Triconex safety instrumented system (SIS), attempting to disable safety systems.
Defence Mechanisms
Network Segmentation: Separate OT from IT using firewalls and one-way data diodes.
Application Whitelisting: Only allow known executables on HMI and engineering workstations.
Regular Patching: But careful with downtime; use risk-based patching.
Anomaly Detection: Monitor for unusual Modbus commands or unexpected traffic patterns.
Secure Remote Access: Use jump boxes with MFA and audit logging.
Physical Security: Lock PLC cabinets, disable unused ports.
Real Command/Tool Examples
Using nmap to discover Modbus devices:
nmap -p 502 --script modbus-discover 192.168.1.0/24Using modbus-cli to read a coil (digital output):
modbus read -t coil -r 1 -a 1 192.168.1.10 502This reads coil 1 from slave ID 1. An attacker could write to a coil to start a motor:
modbus write -t coil -r 1 -a 1 192.168.1.10 502 1Shodan search for exposed Modbus devices:
port:502 "Modbus"These tools show how trivial it is to interact with unprotected ICS devices.
Reconnaissance of ICS Environment
The attacker first identifies target ICS/SCADA systems. They may use Shodan to find internet-facing HMIs or PLCs with default credentials. They also gather information about the organization's vendors (e.g., Siemens, Rockwell) and protocols used (Modbus, DNP3). In a targeted attack, they might study publicly available manuals to understand command structures. Logs from network monitoring tools (e.g., Zeek) would show unusual scans on ports 502, 20000, or 44818. A defender might see a spike in connection attempts from unknown IPs to these ports.
Initial Compromise of IT Network
The attacker sends spear-phishing emails to employees with access to the OT network. The email contains a malicious attachment or link that installs a remote access Trojan (RAT). Once inside the IT network, they escalate privileges using tools like Mimikatz. They avoid OT systems initially to remain undetected. Security tools like EDR would detect the RAT if it behaves suspiciously, but attackers often use living-off-the-land binaries (LOLBins) to blend in. A common mistake is assuming the IT network is separate enough to ignore OT threats.
Pivoting to OT Network
The attacker uses compromised credentials or exploits a trust relationship (e.g., a jump box with weak authentication) to move from IT to OT. They may use RDP or SSH to a engineering workstation. Once on the OT network, they disable or bypass the firewall rules. In many cases, the OT network has flat architecture with no segmentation. The attacker then scans for PLCs and HMIs. Network logs would show connections from the IT subnet to OT devices on unusual ports. A proper response would involve immediately isolating the affected jump box and resetting credentials.
Gaining Control of HMI or Engineering Workstation
The attacker compromises an HMI by exploiting unpatched vulnerabilities or using default credentials (e.g., admin/admin). They may also install malware on the engineering workstation used to program PLCs. With HMI access, they can view and modify process parameters. They might change alarm thresholds or disable safety interlocks. The attacker may also modify the HMI display to show false data (e.g., showing normal pressure when it's critical). An operator might notice anomalies like unresponsive controls or unexpected pop-ups. Forensic analysis would reveal unauthorized software or registry changes.
Sending Malicious Commands to PLCs
Using the HMI, the attacker sends commands to PLCs to cause physical damage. For example, they might command a pump to run at maximum speed until it fails, or open a valve to release hazardous material. They may also modify the PLC's logic (ladder logic) to operate erratically. The PLC executes commands without authentication. The attacker might also perform a 'replay attack' by capturing normal commands and replaying them later. Detection is difficult because the commands appear legitimate. However, anomaly detection systems can flag commands that deviate from normal operational patterns (e.g., opening a valve at 3 AM when no maintenance is scheduled).
Covering Tracks and Maintaining Persistence
To avoid detection, the attacker clears logs on the HMI and engineering workstation. They may also install backdoors (e.g., a web shell on the HMI) for persistent access. They might modify the historian to delete or alter logged data. In sophisticated attacks like Stuxnet, the attacker replays normal sensor data to the HMI while actual conditions are abnormal. A defender would notice missing logs, unexpected system restarts, or unexplained network connections. The correct response is to preserve forensic evidence, isolate the affected systems, and initiate incident response procedures per NIST SP 800-82.
Scenario 1: Water Treatment Plant Breach
A water treatment plant uses SCADA to control chemical dosing. An analyst notices that the HMI is responding slowly and occasionally displays 'Connection Lost' messages. They check the firewall logs and see repeated connection attempts from an unknown IP to the HMI on port 502 (Modbus). The analyst uses Wireshark to capture traffic and sees Modbus write commands to a coil that controls chlorine injection. The commands are coming from a workstation in the corporate IT network. The correct response is to immediately block the IP, isolate the affected HMI, and investigate the corporate workstation for malware. The analyst should also review the HMI logs for unauthorized access. A common mistake is to ignore the slow performance as a network issue, allowing the attacker to continue injecting excessive chlorine, potentially causing a public health hazard.
Scenario 2: Power Utility Ransomware
A power utility's SCADA system is hit with ransomware that encrypts HMI databases. The engineer sees a ransom note on the HMI screen demanding Bitcoin. The attacker gained access through a VPN connection with weak password and no MFA. The SOC team should not pay the ransom. Instead, they should disconnect the affected systems from the network, restore from offline backups, and implement MFA for remote access. They should also scan for persistence mechanisms. A common mistake is to reboot the HMI without disconnecting, which may trigger the ransomware to spread to PLCs. The team should also report the incident to CISA and follow NERC CIP reporting requirements.
Scenario 3: Manufacturing Plant Sabotage
A manufacturing plant uses DCS to control assembly robots. The production line suddenly stops, and the HMI shows a critical error. The engineer finds that the PLC logic has been modified to include a conditional statement that halts production at a certain time. The attacker gained access via a USB drive left in the break room. The correct response is to remove the USB drive, analyze it in a sandbox, and revert the PLC logic to the last known good backup. The engineer should also implement USB device control and disable autorun. A common mistake is to assume the error is a software bug and re-upload the same compromised logic, causing repeated failures.
What SY0-701 Tests:
Objective 2.3 focuses on analyzing potential indicators of application attacks. For ICS/SCADA, the exam expects you to:
Recognize that ICS/SCADA systems often use legacy protocols with no security (e.g., Modbus, DNP3).
Understand that attacks can cause physical damage (e.g., Stuxnet, Ukraine power grid).
Know that network segmentation is a key defence (OT vs. IT).
Identify common attack vectors: phishing, default credentials, unpatched systems, and insecure remote access.
Recognize indicators: unexpected commands, unusual network traffic on ports 502/20000, HMI anomalies.
Common Wrong Answers and Why Candidates Choose Them:
'Encrypt all ICS traffic' – Candidates think encryption solves everything, but ICS protocols are real-time and encryption adds latency; also, many legacy devices can't handle encryption. The exam wants you to know that encryption is not always feasible.
'Use antivirus on PLCs' – PLCs run proprietary firmware, not Windows. Antivirus doesn't apply. Candidates confuse PLCs with regular computers.
'Patch all systems immediately' – Patching ICS requires scheduled downtime; emergency patches can cause instability. The correct answer is a risk-based patching strategy.
'Disconnect from the internet' – While air-gapping helps, many ICS need remote access for maintenance. The better answer is secure remote access with MFA and jump boxes.
Key Terms and Acronyms: - PLC (Programmable Logic Controller), RTU (Remote Terminal Unit), HMI (Human-Machine Interface), DCS (Distributed Control System), SCADA (Supervisory Control and Data Acquisition), Modbus (port 502), DNP3 (port 20000), IEC 62443, NIST SP 800-82, NERC CIP, Stuxnet, Triton.
Trick Questions: - 'Which protocol is commonly used in SCADA systems and lacks authentication?' – Answer: Modbus (not SNMP, which is used for network management). - 'What is the primary goal of an ICS attack?' – Answer: Disruption of availability or safety (not data theft). - 'What is the best defence against ICS attacks?' – Answer: Network segmentation (not encryption).
Decision Rule: On scenario questions, if the scenario involves a power plant, water treatment, or factory, look for keywords like 'Modbus', 'PLC', 'HMI', 'physical damage'. The correct answer will emphasize segmentation, anomaly detection, or secure remote access. Eliminate answers that suggest immediate patching or installing antivirus on industrial controllers.
ICS/SCADA systems control critical infrastructure and prioritize availability and safety over confidentiality.
Common protocols: Modbus (TCP 502), DNP3 (TCP 20000), both lack inherent security.
Key components: PLC, RTU, HMI, DCS, historian.
Notable attacks: Stuxnet (2010), Ukraine Power Grid (2015), Triton (2017).
Primary defence: network segmentation between IT and OT (e.g., using firewalls and data diodes).
Indicators of compromise: unexpected Modbus commands, traffic on unusual ports, HMI anomalies.
Standards: ISA/IEC 62443, NIST SP 800-82, NERC CIP for power utilities.
Remote access should use jump boxes with MFA and strict auditing.
Patching must be risk-based due to potential downtime; compensating controls are often used.
Phishing is a common initial vector; OT personnel should receive security awareness training.
These come up on the exam all the time. Here's how to tell them apart.
Modbus
Port 502
No authentication or encryption
Simple master/slave architecture
Common in water, oil, gas
Developed by Modicon in 1979
DNP3
Port 20000
Supports authentication (but often not used)
Supports peer-to-peer and multiple masters
Common in electrical utilities
Developed by GE Harris in 1993
Mistake
ICS systems are air-gapped and therefore secure.
Correct
Many ICS systems are not truly air-gapped; they often have connections to corporate networks for remote monitoring and maintenance. Attackers can pivot from IT to OT.
Mistake
Modbus is secure because it uses TCP.
Correct
Modbus TCP (port 502) has no authentication or encryption. Any device on the network can send commands. It is considered insecure by design.
Mistake
PLCs are like regular computers and can run antivirus.
Correct
PLCs run real-time operating systems or firmware that cannot support traditional antivirus. Security must be implemented at the network level.
Mistake
The main threat to ICS is data theft.
Correct
The primary threats are safety and availability. Attackers aim to cause physical damage or disrupt operations, not steal data.
Mistake
Patching ICS systems is always the best practice.
Correct
Patching can cause downtime and compatibility issues. A risk-based approach is needed, and often compensating controls (like segmentation) are preferred.
ICS is the broad category that includes SCADA and DCS. SCADA is used for geographically dispersed assets (e.g., pipelines, power grids), while DCS is used for local processes (e.g., chemical plants). For the exam, the terms are often used interchangeably, but know that SCADA is a subset of ICS.
Modbus was designed in 1979 for serial connections in factory environments with no security requirements. It has no authentication, encryption, or integrity checks. Anyone who can send a packet to port 502 can read or write to any register. This makes it trivial for attackers to manipulate industrial processes.
Triton (2017) targeted Schneider Electric's Triconex Safety Instrumented System (SIS). The attacker deployed malware that could reprogram the SIS, potentially disabling safety systems. It was discovered when the malware caused a controller to enter a fault state. This attack highlighted the risk to safety-critical systems.
Look for anomalies in network traffic: unexpected Modbus commands, changes in polling frequency, connections from unknown IPs. Use tools like Zeek (Bro) with custom scripts for Modbus/DNP3. Also monitor HMI logs for unauthorized access or configuration changes. Anomaly detection systems can baseline normal behavior and alert on deviations.
Network segmentation separates the OT network (control systems) from the IT network (corporate). This is done using firewalls, one-way data diodes, and DMZ zones. It prevents attackers from moving from IT to OT easily. The Purdue model (ISA-95) defines levels of segmentation. For the exam, remember that segmentation is a primary defence.
The Purdue Enterprise Reference Architecture (PERA) is a model for ICS network segmentation. It defines levels from Level 0 (physical process) to Level 5 (enterprise network). Security controls are applied between levels. The exam may reference the Purdue model as a best practice for ICS security.
A data diode is a hardware device that allows data to flow in only one direction. It is used to protect OT networks by ensuring that no commands can be sent from IT to OT, while still allowing OT data to be monitored. This is a strong security measure for critical infrastructure.
You've just covered ICS and SCADA Security Threats — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?