Typical threat scenarios

Manipulated boot medium

A prepared data storage device is connected to a component and the component is booted from it. This is possible if the boot order in UEFI/BIOS is set to boot from external disks or the attacker is able to change the boot order.

Through the attack an attacker can gain read and write access to all data of the component, especially configurations and know-how. After such an access has occurred, the entire component must be considered insecure.

Defensive measures:

• BIOS password (BIOS settings)
• Set boot media (BIOS settings)
• Locked control cabinet

Unauthorized PXE boot server

Boot from an unauthorized PXE boot server in the internal network. The attack involves execution of code controlled by the attacker.

Through the attack an attacker can gain read and write access to all data of the component, especially configurations and know-how. After such an access has occurred, the entire component must be considered insecure.

Defensive measures:

• Disable PXE boot (BIOS settings)

Manipulated USB devices

If manipulated USB devices are connected, it may be possible for the attacker to execute malicious code on the affected device. In addition, the affected USB device can also be used to steal know-how. For example, any code can be executed by a suitably configured autostart. Unauthorized input can be made or logged by a suitably prepared input device.

Such an attack allows an attacker to gain read and write access to a large number of data relating to the operating system, especially configurations and know-how. After such an access has occurred, the entire component must be considered insecure.

Defensive measures:

• Disable autostart (Autostart)
• Whitelisting USB devices (USB filter)
• Locked control cabinet
• Disable interfaces in BIOS (BIOS settings)
• Whitelisting for programs

Guessing of weak passwords through local interface

Weak passwords such as default passwords or easily guessed passwords can be exploited by local attackers. Like authorized local users, attackers can login with unmodified default passwords.

Such an attack allows an attacker to gain read and write access to a large number of data relating to the operating system, especially configurations and know-how. After such an access has occurred, the entire component must be considered insecure.

Defensive measures:

• Secure passwords
• Set up individual users, no collective accounts
• Minimum rights for users ("Least Privilege"), in particular no administrator rights if not necessary

Theft of data carriers

An attacker may gain knowledge of and access information for services in an automation system via unauthorized removal of data carriers.

An attack like this allows an attacker to gain read access to a large amount of data related to the operating system, especially access data, configurations, knowledge and other sensitive private data.

An attacker could also try to gain access to sensitive data by stealing the storage media after it has been disposed of.

Defensive measures:

• File encryption
• Locked control cabinet
• Secure data destruction

Extraction of sensitive data from discarded material

An attacker can gain access to discarded material which contains sensitive data on storage media.

An attack like this allows an attacker to gain read access to a large amount of data related to the operating system, especially access data, configurations, knowledge and other sensitive private data.

Defensive measures:

• File encryption
• Secure data destruction

Handling untrusted emails

Untrusted emails are a typical way to spread malware. In particular, attacks exploit opening of hyperlinks with outdated browsers and email attachments. Sometimes emails are formulated in such a way that they appear to be trustworthy.

A successful attack can execute unauthorized actions that are executed with the privileges of the interacting user.

Defensive measures:

• Do not use control computers for handling emails
• Regular or automatic software updates (Updates)
• Whitelisting for programs

Exploiting known vulnerabilities in outdated software

Manufacturers release software updates to correct known vulnerabilities. If software that is in use is not updated, broadly based viral attacks can be carried out successfully.

A successful attack can execute unauthorized actions that have an impact in the context of the affected software.

Defensive measures:

• Windows updates (Updates)
• Regular or automatic software updates (Updates)
• Network-based detection mechanisms (IDS/IPS)
• Disabling unneeded services
• Removing components that are no longer needed

Manipulated websites

A user is tricked into visiting an untrusted website. A vulnerability in the browser is exploited to execute arbitrary malicious code, or the website is designed in such a way that the user discloses confidential information such as login data.

A successful attack can execute unauthorized actions that are executed with the privileges of the interacting user.

Defensive measures:

• Regular or automatic software updates (Updates)
• Organizational measures for web surfing behavior.

Man-in-the-middle attacks

When using an insecure network protocol, an attacker can pretend to be the trusted remote station within the reachable network. This allows the information sent via this protocol to be manipulated or intercepted.

A successful attack can lead to unexpected behavior of the services in the automation system.

Defensive measures:

• Network segmentation
• Use of secure network protocols

Unauthorized use of network services

If network services are provided that an attacker can access, this could result in unauthorized actions.

A successful attack can lead to unexpected behavior of the services in the automation system.

Defensive measures:

• Network segmentation
• Use of authenticating network services
• Disabling unneeded services
• Removing components that are no longer needed