OT & ICS Threats (ATT&CK for ICS, T08xx)
A comprehensive guide to operational technology (OT) and industrial control system (ICS) threats for SOC analysts — Stuxnet-style attacks, TRITON, Colonial Pipeline, PLC attacks, MODBUS protocol threats, and detection techniques for industrial environments.
What OT/ICS Threats Are and Why They Matter
- Operational Technology (OT) controls physical processes — manufacturing lines, power grids, pipelines, water treatment, building automation — through industrial control systems (ICS) like PLCs, RTUs, SCADA, and DCS.
- MITRE ATT&CK for ICS (technique IDs in the T08xx range) maps techniques specific to industrial environments, distinct from enterprise IT ATT&CK. Techniques that recur on this page include T0843 (Program Download), T0816 (Device Restart/Shutdown), T0857 (System Firmware) and T0855 (Unauthorized Command Message), which is how an unauthenticated Modbus write is classified.
- The stakes are higher than IT: OT attacks can cause physical damage, safety incidents (fires, explosions, toxic releases), environmental damage, and extended production outages.
- The traditional “air gap” between IT and OT networks is eroding — modern ICS uses IT connectivity for remote monitoring, firmware updates, and data analytics, creating attack paths that did not exist before.
Historic OT/ICS Attacks — Lessons for Analysts
Stuxnet (2010) — The Game Changer
| Aspect | Detail |
|---|---|
| Target | Iranian uranium enrichment centrifuges (Natanz) |
| Method | Worm propagated via USB, exploited 4 Windows zero-days, targeted Siemens S7-300 PLCs |
| Impact | Destroyed roughly 1,000 centrifuges by repeatedly driving rotor speeds outside the safe operating range |
| Key technique | PLC rootkit — Stuxnet hooked the Step 7 engineering software's PLC communication library so the injected logic blocks were invisible to engineers, and fed monitoring a replay of normal sensor values while the centrifuges were being damaged |
| Analyst lesson | A compromised engineering workstation can lie about what a PLC is running; verify running logic and firmware from an independent, trusted host against a known-good copy rather than trusting the workstation's own view |
TRITON/TRISIS (2017) — Safety System Attack
| Aspect | Detail |
|---|---|
| Target | Petrochemical facility in Saudi Arabia |
| Method | Malware reached the safety network through a compromised engineering workstation and used the proprietary TriStation protocol to inject a backdoor into Schneider Electric Triconex safety instrumented system (SIS) controllers; the controllers' physical keyswitch had been left in PROGRAM mode, which is what made the write possible |
| Impact | The injected code tripped the controllers into a safe state, causing an unplanned plant shutdown. The presumed goal was to disable the SIS so that a separate attack on the process could cause physical damage without the safety layer intervening |
| Key technique | Safety system compromise: the attacker targeted the layer of protection that exists to prevent physical harm rather than the process controllers themselves |
| Analyst lesson | Safety systems (SIS) are not invulnerable. Capture and baseline traffic to safety controllers (TriStation or the vendor equivalent), alarm on keyswitch changes and on any program or firmware modification, and treat an unexplained SIS trip as a possible security incident until proven otherwise |
Colonial Pipeline (2021) — IT-to-OT Disruption via Ransomware
| Aspect | Detail |
|---|---|
| Target | Colonial Pipeline — US East Coast fuel supply |
| Method | IT network breached through a compromised VPN password for an account that was no longer in use and had no MFA; DarkSide ransomware deployed on IT systems |
| Impact | Pipeline halted for about six days. OT was not known to be compromised: Colonial shut operations down itself as a precaution, and because the billing and scheduling systems the ransomware crippled are needed to run the pipeline commercially |
| Key technique | IT ransomware causing OT operational impact — no PLC manipulation occurred |
| Analyst lesson | IT-OT convergence means an IT breach can shut down industrial operations without touching a single PLC |
PLC Attacks — Manipulating Industrial Controllers
Programmable Logic Controllers (PLCs) are the brains of industrial automation. They read sensors and control actuators based on a logic program (ladder logic, structured text, function block diagram).
Attack Vectors
| Vector | How It Works | Impact |
|---|---|---|
| Program download | Attacker pushes a modified logic program to the PLC (vendor tools call the workstation-to-PLC direction a "download"); most controllers accept it without authentication | Unsafe process behavior |
| Firmware replacement | Replace PLC firmware with malicious version (persistent — survives reboot) | Long-term control over PLC behavior |
| Runtime manipulation | Modify register or memory values in real time without changing the stored program | Process disruption that a program-integrity check will not see |
| Force-point override | Force I/O points to specific values (safety override) | Disable safety interlocks |
| Stop/Start | Stop or start the PLC or specific program blocks | Process halt or unsafe restart |
Authentication Gaps in PLCs
| Protocol/Interface | Authentication | Notes |
|---|---|---|
| Allen-Bradley CSPv4 (TCP/2222) | None | Passive discovery and data read possible |
| EtherNet/IP (CIP, TCP/44818) | None in classic CIP | CIP Security (TLS/DTLS) exists but is rarely deployed |
| Siemens S7 (ISO-TSAP, TCP/102) | None in older firmware | Can read/write the PLC program without auth; newer S7-1200/1500 firmware adds access-level passwords and TLS |
| Modbus TCP (TCP/502) | None | Read/write coils and registers freely |
| Profinet DCP | None | Layer 2, not IP-routable: any host on the segment can identify, rename and re-address devices |
| DNP3 (TCP/20000) | Optional (Secure Authentication, IEEE 1815) | Most deployments have auth disabled |
Detection — PLC Program Change
index=ot sourcetype=plc_log (action="program_download" OR action="program_upload" OR action="firmware_update" OR action="config_change")
| stats count, values(action) as Actions, min(_time) as first_seen, max(_time) as last_seen by plc_name, source_ip
| eval alert = "PLC configuration change on " . plc_name . " from " . source_ip . " — verify authorized"
| convert ctime(first_seen) ctime(last_seen)
| table first_seen, last_seen, plc_name, source_ip, Actions, count, alert
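The same triage the SPL above performs, run offline over log lines, as an added example that is not part of the original page. It goes one step further than the query: instead of asking the analyst to "verify authorized", it checks each change event against an allowlist of engineering workstations and a list of approved change windows, and reports every reason a change fails. The key=value log format, the hosts, the change tickets and the log lines are all constructed for this example.

```python
"""Triage PLC change events against an engineering-host allowlist and change windows.

Added example, not code from the page; the log format, hosts and change
tickets below are constructed for illustration.
"""
from datetime import datetime, timezone

# Actions that alter what a controller runs (the same set the SPL searches for).
CHANGE_ACTIONS = {"program_download", "program_upload", "firmware_update", "config_change"}

# Assumed allowlist of engineering workstations permitted to change controllers.
ENGINEERING_HOSTS = {"10.0.2.15", "10.0.2.16"}

# Assumed approved change tickets: (plc_name, window_start, window_end) in UTC.
CHANGE_WINDOWS = [
    ("PLC-BOILER-01", "2024-03-04T09:00:00Z", "2024-03-04T11:00:00Z"),
]

# Constructed plc_log events, one key=value record per line.
SAMPLE_LOG = """\
ts=2024-03-04T09:12:00Z plc_name=PLC-BOILER-01 source_ip=10.0.2.15 action=program_download user=eng.smith
ts=2024-03-04T09:20:00Z plc_name=PLC-BOILER-01 source_ip=10.0.2.15 action=config_change user=eng.smith
ts=2024-03-04T10:00:00Z plc_name=PLC-BOILER-01 source_ip=10.0.2.15 action=read_status user=eng.smith
ts=2024-03-04T02:11:05Z plc_name=PLC-MIX-03 source_ip=10.0.2.16 action=program_download user=eng.jones
ts=2024-03-04T13:45:10Z plc_name=PLC-PUMP-07 source_ip=10.0.9.88 action=firmware_update user=admin
ts=2024-03-04T14:02:33Z plc_name=PLC-PUMP-07 source_ip=10.0.9.88 action=program_download user=admin
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_event(line):
    event = dict(pair.split("=", 1) for pair in line.split())
    event["ts"] = parse_ts(event["ts"])
    return event


def in_change_window(plc_name, ts):
    return any(name == plc_name and parse_ts(start) <= ts <= parse_ts(end)
               for name, start, end in CHANGE_WINDOWS)


def triage(log_text):
    """Return one finding per unauthorized change event, oldest first.

    A change is unauthorized if it comes from a host that is not an engineering
    workstation, or if no change ticket covers that controller at that time.
    Both reasons are reported when both apply; read-only actions are ignored.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event["action"] not in CHANGE_ACTIONS:
            continue
        reasons = []
        if event["source_ip"] not in ENGINEERING_HOSTS:
            reasons.append("source is not an approved engineering workstation")
        if not in_change_window(event["plc_name"], event["ts"]):
            reasons.append("no approved change window for this controller")
        if reasons:
            findings.append({
                "ts": event["ts"].isoformat(),
                "plc_name": event["plc_name"],
                "source_ip": event["source_ip"],
                "action": event["action"],
                "user": event["user"],
                "reasons": reasons,
            })
    findings.sort(key=lambda f: f["ts"])
    return findings


def summarize(findings):
    """Collapse findings per (plc_name, source_ip), like the stats clause in the SPL."""
    summary = {}
    for f in findings:
        key = (f["plc_name"], f["source_ip"])
        entry = summary.setdefault(key, {"count": 0, "actions": set()})
        entry["count"] += 1
        entry["actions"].add(f["action"])
    return summary


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['plc_name']} {f['action']} from {f['source_ip']} ({f['user']}): "
              + "; ".join(f["reasons"]))
```

On the constructed log the boiler changes pass (approved host, inside the ticket window), the mixer download from an approved host is flagged only for lacking a ticket, and both pump changes from 10.0.9.88 are flagged on both counts. In production the allowlist and change windows would come from the CMDB and the change-management system rather than constants.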
MODBUS Protocol — The Insecure Standard
MODBUS is the most widely deployed industrial protocol. It was designed in 1979 for serial links and has no authentication, integrity protection or encryption; MODBUS TCP wraps the same PDUs in a 7-byte MBAP header (transaction id, protocol id, length, unit id) and runs on TCP port 502. The function code is the first byte after that header, at payload offset 7, which is what the detections below key on. A TLS-wrapped variant (Modbus/TCP Security, port 802) was published in 2018 but is rarely deployed, so plan detection around the plaintext protocol.
MODBUS Function Codes
| Code | Function | Read/Write | Risk |
|---|---|---|---|
| 01 | Read Coils | Read | Low (enumeration) |
| 02 | Read Discrete Inputs | Read | Low (enumeration) |
| 03 | Read Holding Registers | Read | Medium (process variable enumeration) |
| 04 | Read Input Registers | Read | Medium (process variable enumeration) |
| 05 | Write Single Coil | Write | High (can start/stop equipment) |
| 06 | Write Single Register | Write | High (can change setpoints) |
| 08 | Diagnostics | Control | High (sub-function 04 forces listen-only mode, silencing the device; 01 restarts communications) |
| 15 | Write Multiple Coils | Write | High (mass override) |
| 16 | Write Multiple Registers | Write | High (mass setpoint change) |
| 22 | Mask Write Register | Write | High (bit-level manipulation) |
| 23 | Read/Write Multiple Registers | Write | High (a write inside a transaction that also reads; detections listing only 05/06/15/16/22 miss it) |
| 24 | Read FIFO Queue | Read | Medium (data enumeration; this is a read, not a write) |
| 43 | Read Device Identification | Read | Low (vendor, model and firmware recon; a strong scanning indicator) |
MODBUS Anomaly Detection
SPL — detect unauthorized MODBUS writes. Function code 23 (Read/Write Multiple Registers) is a write and belongs in the list; match the stored form of the field (here numeric, use "05" style strings if the source zero-pads). Because a host missing from the ACL lookup yields a null field, the where clause must also test for null, otherwise unknown hosts never alert:
index=ot sourcetype=modbus function_code IN (5, 6, 15, 16, 22, 23)
| lookup modbus_device_acl.csv plc_ip, src_ip OUTPUT authorized
| where isnull(authorized) OR authorized!="yes"
| eval alert = "UNAUTHORIZED MODBUS WRITE — " . function_name . " (function " . function_code . ") from " . src_ip . " to PLC " . plc_ip . " at register " . register_address
| table _time, src_ip, plc_ip, function_code, function_name, register_address, value, alert
Suricata rule — detect a burst of Holding Register reads from a single source. This uses Suricata's Modbus app-layer keyword, which needs the parser enabled in suricata.yaml (app-layer.protocols.modbus.enabled: yes; it is off by default). A raw content rule would instead match the function-code byte at payload offset 7, after the 7-byte MBAP header, never a fixed transaction id as the earlier version of this rule did. Ten reads a minute is normal HMI polling, so suppress known masters or raise the count for your site:
alert modbus any any -> any 502 (msg:"MODBUS - Holding Register Read burst from one source";
modbus: function 3;
threshold: type both, track by_src, count 10, seconds 60;
classtype:attempted-recon; sid:1000001; rev:2;)
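To make the function-code table, the SPL write detection and the IDS rule above concrete, here is an added example (not code from the page or any vendor) that builds Modbus/TCP requests, parses the MBAP header and PDU, and classifies each request against a per-PLC write ACL. It treats a PLC or master absent from the ACL as unauthorized (the null case the SPL has to handle), recognises Read FIFO Queue as a read, flags the Diagnostics listen-only sub-function as denial of control, and surfaces function codes outside the standard table. The PLC and master addresses, the ACL and the captured frames are constructed.

```python
"""Parse Modbus/TCP requests and classify them against a write ACL.

Added example, not code from the page or from any vendor. The frames are
constructed with build_request(); the PLC addresses and ACL are assumed.
"""
import struct

# Function codes from the Modbus Application Protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
    24: "Read FIFO Queue", 43: "Read Device Identification",
}
READ_CODES = {1, 2, 3, 4, 24, 43}
WRITE_CODES = {5, 6, 15, 16, 22, 23}
DIAG_FORCE_LISTEN_ONLY = 0x0004        # Diagnostics sub-function that silences the device
ALERT_VERDICTS = {"write-unauthorized", "denial-of-control", "other"}


def build_request(tid, unit, fc, pdu_data):
    """Prepend the 7-byte MBAP header: transaction id, protocol id 0, length, unit id.
    The length field counts the unit id, the function code and the PDU data."""
    return struct.pack(">HHHB", tid, 0, 2 + len(pdu_data), unit) + bytes([fc]) + pdu_data


def parse_request(frame):
    """Return the fields a detection needs from one Modbus/TCP request.
    The function code is the byte at payload offset 7, which is where a raw
    content match in an IDS rule has to look."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto}: not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    fc, pdu = frame[7], frame[8:]
    req = {"tid": tid, "unit": unit, "fc": fc, "name": FUNCTION_NAMES.get(fc, "Unknown"),
           "address": None, "value": None, "subfunction": None}
    if fc in (5, 6):                      # address, value
        req["address"], req["value"] = struct.unpack(">HH", pdu[:4])
    elif fc in (15, 16, 22):              # starting address comes first
        req["address"] = struct.unpack(">H", pdu[:2])[0]
    elif fc == 23:                        # read addr, read qty, then the write addr
        req["address"] = struct.unpack(">H", pdu[4:6])[0]
    elif fc == 8:
        req["subfunction"] = struct.unpack(">H", pdu[:2])[0]
    return req


def classify(src_ip, plc_ip, frame, write_acl):
    """Verdict for one request. write_acl maps a PLC address to the set of masters
    allowed to write to it; a PLC absent from the ACL has no allowed writers, so an
    unknown PLC or unknown master is treated as unauthorized rather than ignored."""
    req = parse_request(frame)
    if req["fc"] == 8 and req["subfunction"] == DIAG_FORCE_LISTEN_ONLY:
        verdict = "denial-of-control"
    elif req["fc"] in WRITE_CODES:
        allowed = write_acl.get(plc_ip, set())
        verdict = "write-authorized" if src_ip in allowed else "write-unauthorized"
    elif req["fc"] in READ_CODES:
        verdict = "read"
    else:                                 # other diagnostics, or a code not in the table
        verdict = "other"
    return {"src_ip": src_ip, "plc_ip": plc_ip, "verdict": verdict, **req}


def audit(flows, write_acl):
    """Classify (src_ip, plc_ip, frame) tuples and return only the alert-worthy ones."""
    results = (classify(s, d, f, write_acl) for s, d, f in flows)
    return [r for r in results if r["verdict"] in ALERT_VERDICTS]


# Assumed ACL: only the engineering workstation may write to PLC 10.0.1.10.
WRITE_ACL = {"10.0.1.10": {"10.0.2.15"}}

# Constructed traffic. 0xFF00 switches a coil on; 0x01F4 is a setpoint of 500.
SAMPLE_FLOWS = [
    ("10.0.2.50", "10.0.1.10", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),        # HMI poll
    ("10.0.2.50", "10.0.1.10", build_request(2, 1, 24, struct.pack(">H", 0x04DE))),       # FIFO read
    ("10.0.2.15", "10.0.1.10", build_request(3, 1, 6, struct.pack(">HH", 100, 0x01F4))),  # approved write
    ("10.0.9.88", "10.0.1.10", build_request(4, 1, 5, struct.pack(">HH", 7, 0xFF00))),    # rogue coil write
    ("10.0.9.88", "10.0.1.11", build_request(5, 1, 16, struct.pack(">HHB", 0, 2, 4) + b"\x00\x01\x00\x02")),  # PLC not in ACL
    ("10.0.9.88", "10.0.1.10", build_request(6, 1, 8, struct.pack(">HH", 4, 0))),         # force listen-only
    ("10.0.9.88", "10.0.1.10", build_request(7, 0, 90, b"\x00")),                          # code outside the table
]

if __name__ == "__main__":
    for a in audit(SAMPLE_FLOWS, WRITE_ACL):
        print(f"{a['verdict']:20} {a['src_ip']} -> {a['plc_ip']} fc={a['fc']:2} {a['name']} addr={a['address']}")
```

The "other" verdict is the "new MODBUS function codes" detection from the table further down: a code your devices have never used is worth an alert on its own. Note that classification here is per request; for a production detector you would also track exception responses (function code with bit 0x80 set), which are the usual signature of a scanner probing unit ids and address ranges.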
The Purdue Model — Understanding OT Network Segmentation
The Purdue Enterprise Reference Architecture (PERA) defines levels of industrial network hierarchy:
| Purdue Level | Name | Devices | Security Focus |
|---|---|---|---|
| Level 4-5 | Enterprise IT | ERP, databases, email, DNS | Standard IT security |
| Level 3.5 | Industrial DMZ | Jump hosts, patch and AV relays, historian replicas, unidirectional gateways | The only permitted path between IT and OT; no direct Level 4 to Level 3 flows |
| Level 3 | Operations Management | MES, historian, OT domain controllers, AV servers | Separate OT domain and credentials from enterprise AD, backups, log collection |
| Level 2 | Supervisory Control | HMI, SCADA servers, engineering workstations | Session monitoring, application whitelisting |
| Level 1 | Controllers | PLCs, RTUs, DCS | Read-only access where possible, firmware integrity checks |
| Level 0 | Physical Process | Sensors, actuators, motors, valves, pumps | Physical security, tamper detection |
Where Attacks Happen
Most OT attacks cross levels:
- IT-to-L3: Ransomware enters through IT and reaches Level 3 through a shared Active Directory domain, reused credentials, or a jump host with a standing IT-side session
- L2-to-L1: A compromised engineering workstation at Level 2 (T0818, Engineering Workstation Compromise) downloads malicious logic to a controller (T0843, Program Download)
- Direct L0: Physical access to sensors or actuators (tampering)
Detection for OT Environments
OT-Specific Detection Rules
| Detection | What It Catches | Data Source |
|---|---|---|
| Unexpected PLC program change | Attacker downloads malicious logic | Program block hash comparison against a golden copy, taken from an independent host rather than the engineering workstation; engineering log review |
| New MODBUS function codes | Unusual write operations to coils or registers | MODBUS transaction logs |
| PLC restarts | Attacker stopping/restarting controllers | Syslog from PLC, network connectivity loss |
| HMI connections from unknown IPs | Attacker accessing HMI without authorization | HMI access logs, network flow |
| OT-IT traffic spike | Data exfiltration from OT to IT | Netflow across OT-IT boundary |
| Engineering tool running on production network | Unauthorized configuration change | Process creation logs on engineering workstations |
| Device firmware hash mismatch | Malicious firmware deployed | Firmware verification script |
SPL — OT-IT Boundary Monitoring (assumes OT in 10.0.0.0/16 and IT in 172.16.0.0/16; adjust to the site zone map)
index=ot sourcetype=netflow
| eval src_zone = if(cidrmatch("10.0.0.0/16", src_ip), "OT", if(cidrmatch("172.16.0.0/16", src_ip), "IT", "other"))
| eval dst_zone = if(cidrmatch("10.0.0.0/16", dst_ip), "OT", if(cidrmatch("172.16.0.0/16", dst_ip), "IT", "other"))
| where (src_zone="OT" AND dst_zone="IT") OR (src_zone="IT" AND dst_zone="OT")
| stats sum(bytes) as total_bytes, count, min(_time) as first_seen, max(_time) as last_seen by src_zone, src_ip, dst_zone, dst_ip, dest_port
| where total_bytes > 1000000
| eval alert = "Large data transfer across OT-IT boundary (" . src_zone . " to " . dst_zone . "): " . src_ip . " → " . dst_ip . ":" . dest_port . " — " . round(total_bytes/1024/1024, 2) . " MB"
| convert ctime(first_seen) ctime(last_seen)
| table first_seen, last_seen, src_zone, src_ip, dst_zone, dst_ip, dest_port, total_bytes, count, alert
| sort - total_bytes
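The Purdue zone logic and the boundary query above, as an added example that is not part of the original page. Where the SPL alerts on volume alone, this version maps each address to a Purdue zone, flags every direct IT/OT crossing (a site with a working Level 3.5 DMZ should see none) and tags the direction, so an OT-to-IT transfer reads as possible exfiltration and an IT-to-OT flow on an industrial protocol port reads as someone reaching past the DMZ. The zone subnets follow the ranges the query assumes; the DMZ subnet, the byte threshold and the NetFlow records are constructed.

```python
"""Flag NetFlow records that cross the OT/IT boundary directly, tagged by direction.

Added example, not code from the page. The zone subnets follow the ranges the
SPL above assumes (OT in 10.0.0.0/16, IT in 172.16.0.0/16); the DMZ subnet,
the flows and the byte threshold are constructed.
"""
import ipaddress
from collections import defaultdict

ZONES = {  # assumed Purdue zone map for the site
    "OT-L1": ipaddress.ip_network("10.0.1.0/24"),
    "OT-L2": ipaddress.ip_network("10.0.2.0/24"),
    "DMZ-L3.5": ipaddress.ip_network("10.0.35.0/24"),
    "IT-L4": ipaddress.ip_network("172.16.0.0/16"),
}
OT_PROTOCOL_PORTS = {502: "Modbus/TCP", 102: "S7 ISO-TSAP", 44818: "EtherNet/IP", 20000: "DNP3"}
VOLUME_THRESHOLD = 1_000_000   # bytes per (src, dst, port) over the window, as in the SPL


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def crossing_direction(src_zone, dst_zone):
    """Direction label for a direct IT/OT crossing, or None when the flow stays inside
    a zone or goes through the DMZ as the Purdue model expects."""
    if src_zone.startswith("OT") and dst_zone.startswith("IT"):
        return "OT->IT"
    if src_zone.startswith("IT") and dst_zone.startswith("OT"):
        return "IT->OT"
    return None


def boundary_report(flows, threshold=VOLUME_THRESHOLD):
    """Aggregate (src_ip, dst_ip, dest_port, bytes) records and return one alert per
    direct IT/OT crossing, largest transfer first. Severity is raised to high when the
    volume exceeds the threshold or the destination port is an industrial protocol."""
    totals = defaultdict(lambda: {"bytes": 0, "count": 0})
    for src, dst, port, nbytes in flows:
        totals[(src, dst, port)]["bytes"] += nbytes
        totals[(src, dst, port)]["count"] += 1
    alerts = []
    for (src, dst, port), agg in totals.items():
        direction = crossing_direction(zone_of(src), zone_of(dst))
        if direction is None:
            continue
        reasons = ["direct crossing bypasses the DMZ"]
        if agg["bytes"] > threshold:
            reasons.append(f"{agg['bytes'] / 1_000_000:.2f} MB transferred")
        if port in OT_PROTOCOL_PORTS:
            reasons.append(f"{OT_PROTOCOL_PORTS[port]} across the boundary")
        alerts.append({"src_ip": src, "dst_ip": dst, "dest_port": port,
                       "direction": direction, "total_bytes": agg["bytes"],
                       "flows": agg["count"],
                       "severity": "high" if len(reasons) > 1 else "medium",
                       "reasons": reasons})
    alerts.sort(key=lambda a: -a["total_bytes"])
    return alerts


# Constructed NetFlow records: (src_ip, dst_ip, dest_port, bytes).
SAMPLE_FLOWS = [
    ("10.0.2.50", "10.0.1.10", 502, 40_000),       # HMI polling a PLC inside OT
    ("10.0.2.20", "10.0.35.5", 1433, 650_000),     # historian replicating to the DMZ, expected path
    ("10.0.2.20", "10.0.35.5", 1433, 600_000),
    ("10.0.2.15", "172.16.4.9", 445, 1_500_000),   # engineering workstation sending SMB straight to IT
    ("10.0.2.15", "172.16.4.9", 445, 1_000_000),
    ("172.16.4.9", "10.0.2.15", 443, 3_000),       # IT host reaching into OT, small
    ("172.16.7.7", "10.0.1.10", 502, 1_200),       # IT host speaking Modbus to a PLC
]

if __name__ == "__main__":
    for a in boundary_report(SAMPLE_FLOWS):
        print(f"[{a['severity']}] {a['direction']} {a['src_ip']} -> {a['dst_ip']}:{a['dest_port']} "
              f"{a['total_bytes']} bytes over {a['flows']} flows: " + "; ".join(a["reasons"]))
```

On the sample data the historian's 1.25 MB to the DMZ is not reported even though it exceeds the threshold, because it uses the sanctioned path; the 2.5 MB SMB transfer from the engineering workstation to IT and the 1.2 kB Modbus session from an IT host to a PLC are both high severity, and the small IT-to-OT HTTPS flow is medium. DMZ traffic deserves its own baseline, but that is a separate detection from a boundary bypass.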
Defensive Controls
| Control | What It Prevents | Implementation |
|---|---|---|
| OT-IT DMZ | Direct IT-to-OT access | Jump hosts, unidirectional gateways, data diodes |
| Application allowlisting | Unauthorized engineering tools on OT network | Windows AppLocker, Linux fapolicyd |
| Firmware integrity verification | Malicious PLC/RTU firmware | Hash comparison at boot, scheduled verification |
| Network segmentation (Purdue) | Lateral movement between OT levels | Firewalls at each Purdue level boundary |
| Read-only network access | Unauthorized MODBUS/DNP3 writes | ICS-aware firewall rules with protocol inspection that permit only read function codes from non-engineering hosts (plain IP/port ACLs cannot distinguish a read from a write on port 502) |
| HMI session recording | Retrospective investigation | Video recording or keystroke logging of HMI sessions |
| Physical access control | Direct tampering with controllers | Locked cabinets, tamper seals, CCTV |
| Incident response for OT | Coordinated response without dangerous actions | Pre-defined OT incident response plan with engineering input |
Related
- Container and Kubernetes Threats — detection and response for T1611, T1525, T1574.002 techniques
- Cloud Threats — Credential Theft, IMDS Abuse, Hijacking, Privilege Escalation — detection and response for T1525, T1552, T1613 techniques
- Snort and Suricata — detection and response for T1040 techniques
- Network Security Basics — detection and response for T1040, T1046 techniques
