Critical infrastructure

ICS/SCADA Wireless Attacks

Satyam Singh
July 29, 2020 by
Satyam Singh

Introduction

Wireless communication has gained attention in the industrial environment. Many organizations have moved from wired networks to wireless in order to provide IT networks with hassle-free connectivity. Wireless technology allows the user to connect to the network from almost anywhere.

Connectivity makes wireless networks prone to attack. This article will look at wireless attacks on the industrial control systems (ICS) environment which often lead to disruption of operations.

Learn ICS/SCADA Security Fundamentals

Learn ICS/SCADA Security Fundamentals

Build your SCADA security skills with six hands-on courses covering access controls, common cyber threats, process control networks and more.

Wireless attacks in ICS

Inadequate authentication

Loopholes that allow attacks on ICS and ICS components are created through the weak implementation of a wireless network. For example, using a wireless access point with open authentication on an operational technology (OT) setup may allow anyone within the wireless range to connect to the network. This vulnerability could lead to attacks.

Inadequate data protection

Eavesdropping is possible when a wireless access point has open authentication. Sniffing passing data is a passive attack that is difficult to detect when it occurs at open authentication access points. Sniffing an OT setup can collect significant amounts of sensitive information, like readings from sensors and commands to the actuator. This data helps an attacker to understand the OT setup and plan further attacks.

Man-in-the-middle (MITM)

MITM attacks may allow an adversary to sniff and modify the data passing between master and slave, PLCs, HMI and so on. This can have a negative impact on OT operations. 

Let’s take an example of a rogue access point. In this type of attack, an attacker who is able to identify a legitimate AP to which wireless components are connected can create a rogue/dummy access point with the same name and increased transmission power. Due to greater power/strength in the signal, the endpoints are connected to the rogue AP. This allows an attacker to perform a MiTM attack.

Denial of service

We know how important it is to have continuous communication between the components in the ICS environment. Most of the operations are performed in real-time based on the data received from the various components. In this case, if the network goes down or if the components are not able to get the data due to loss in connectivity, there can be interruptions in operation or at worst there can be a negative impact on how devices are working. 

An attacker with greater antenna power can create a lot of spoofed authentication packets and send it to the AP which may result in resource exhaustion. Due to this, the AP can’t serve legitimate clients. Another example is where an attacker can send a huge number of deauthentication packets to deauthenticate the client with wireless AP. Due to this the other components may not be able to receive the data.

Use of weak encryption mechanisms

A lot of wireless AP uses weak or default encryption like WEP or WPA. Wired Equivalent Privacy (WEP) is prone to key-cracking attacks where attackers after capturing a specific amount of packet can brute force the key. Similarly, Wi-Fi protected access (WPA) encryption is prone to a dictionary-based brute-force attack. ICS setups using weak encryption like WEP or WPS or WPA or WPA2 personal can be attacked to gain unauthorized access to the ICS network.

Weak segregation

Many a time, the companies dealing with IT and OT fail to restrict the access between the two. Due to weak segregation or firewall rules, the guest AP or AP used in IT can be used to reach the OT environment. Guest AP uses open authentication which may allow an attacker to easily become a part of the network and access OT components.

To summarize the various wireless attacks in ICS:

Name Description

WEP shared key cracking WEP key cracking to gain access to the ICS network

WPS key cracking WPS key cracking to gain access to the ICS network

WPA-PSK key cracking Capturing the wireless handshake to brute-force the PSK

RF jamming Transmitting signal on the same frequency as the target AP to perform DoS

802.11 beacon flood Broadcasting counterfeit beacon frame to perform DoS

Evil twin AP Create a rogue AP and perform MiTM attack in ICS operations

Open authentication Sniffing the wireless traffic to steal ICS data

Conclusion

Wireless technology has widely spread in IT and OT. With an increase in wireless usage, attacks related to wireless have increased too. Communications between various components can be sniffed or modified. An advisory may connect to the network and control the wireless network and devices. 

A wireless implementation should have security objectives like confidentiality, authentication, access control, data integrity and availability.

Learn ICS/SCADA Security Fundamentals

Learn ICS/SCADA Security Fundamentals

Build your SCADA security skills with six hands-on courses covering access controls, common cyber threats, process control networks and more.

 

Sources

  1. Tai-hoon Kim, "Integration of Wireless SCADA through the Internet," International Journal of Computers and Communications, 2010
  2. Tom Bartman and Kevin Carson, "Securing Communications for SCADA and Critical Industrial Systems," Sensible Cybersecurity for Power Systems: A Collection of Technical Papers Representing Modern Solutions, 2018
  3. Communication network dependencies for ICS/SCADA Systems, Enisa (download)
Satyam Singh
Satyam Singh

Satyam is an Informational Security Professional, currently working as a Tech Specialist and Team Lead at Paladion Networks. He has 5.5 years of practical experience in this domain, with the main area of interest in Web and Mobile Application, Network Penetration Testing, Vulnerability Assessment and Infrastructure Security.