Typical threat scenarios
This section describes typical threats. However, the list is not exhaustive.
Manipulated boot medium
Attack type/attacker | Insider | Local | Internal network | Remote |
|---|---|---|---|---|
Broad, viral attacks | not covered | not covered | not covered | not covered |
Vendor and integrator-specific attacks | covered | covered | not covered | not covered |
A prepared data storage device is connected to a component and the component is booted from it. This is possible if the boot order in UEFI/BIOS is set to boot from external disks or the attacker is able to change the boot order.
Through the attack an attacker can gain read and write access to all data of the component, especially configurations and know-how. After such an access has occurred, the entire component must be considered insecure.
Defensive measures:
- BIOS password (BIOS settings)
- Set boot media (BIOS settings)
- Locked control cabinet
Unauthorized PXE boot server
Attack type/attacker | Insider | Local | Internal network | Remote |
|---|---|---|---|---|
Broad, viral attacks | not covered | not covered | covered | not covered |
Vendor and integrator-specific attacks | not covered | not covered | covered | not covered |
Boot from an unauthorized PXE boot server in the internal network. The attack involves execution of code controlled by the attacker.
Through the attack an attacker can gain read and write access to all data of the component, especially configurations and know-how. After such an access has occurred, the entire component must be considered insecure.
Defensive measures:
- Disable PXE boot (BIOS settings)
Manipulated USB devices
Attack type/attacker | Insider | Local | Internal network | Remote |
|---|---|---|---|---|
Broad, viral attacks | not covered | covered | not covered | not covered |
Vendor and integrator-specific attacks | covered | covered | not covered | not covered |
If manipulated USB devices are connected, it may be possible for the attacker to execute malicious code on the affected device. In addition, the affected USB device can also be used to steal know-how. For example, any code can be executed by a suitably configured autostart. Unauthorized input can be made or logged by a suitably prepared input device.
Such an attack allows an attacker to gain read and write access to a large number of data relating to the operating system, especially configurations and know-how. After such an access has occurred, the entire component must be considered insecure.
Defensive measures:
- Disable autostart (Autostart)
- Whitelisting USB devices (USB filter)
- Locked control cabinet
- Disable interfaces in BIOS (BIOS settings)
- Whitelisting for programs
Guessing of weak passwords through local interface
Attack type/attacker | Insider | Local | Internal network | Remote |
|---|---|---|---|---|
Broad, viral attacks | not covered | not covered | not covered | not covered |
Vendor and integrator-specific attacks | covered | covered | not covered | not covered |
Weak passwords such as default passwords or easily guessed passwords can be exploited by local attackers. Like authorized local users, attackers can login with unmodified default passwords.
Such an attack allows an attacker to gain read and write access to a large number of data relating to the operating system, especially configurations and know-how. After such an access has occurred, the entire component must be considered insecure.
Defensive measures:
- Secure passwords
- Set up individual users, no collective accounts
- Minimum rights for users ("Least Privilege"), in particular no administrator rights if not necessary
Theft of data carriers
Attack type/attacker | Insider | Local | Internal network | Remote |
|---|---|---|---|---|
Broad, viral attacks | not covered | not covered | not covered | not covered |
Vendor and integrator-specific attacks | covered | covered | not covered | not covered |
An attacker may gain knowledge of and access to services in the automation system by unauthorized removal of data carriers.
Such an attack allows an attacker to gain read access to a large number of data relating to the operating system, especially access data, configurations and know-how.
Defensive measures:
Handling untrusted emails
Attack type/attacker | Insider | Local | Internal network | Remote |
|---|---|---|---|---|
Broad, viral attacks | not covered | not covered | covered | covered |
Vendor and integrator-specific attacks | not covered | not covered | covered | covered |
Untrusted emails are a typical way to spread malware. In particular, attacks exploit opening of hyperlinks with outdated browsers and email attachments. Sometimes emails are formulated in such a way that they appear to be trustworthy.
A successful attack can execute unauthorized actions that are executed with the privileges of the interacting user.
Defensive measures:
- Do not use control computers for handling emails
- Regular or automatic software updates (Updates)
- Whitelisting for programs
Exploiting known vulnerabilities in outdated software
Attack type/attacker | Insider | Local | Internal network | Remote |
|---|---|---|---|---|
Broad, viral attacks | covered | covered | covered | covered |
Vendor and integrator-specific attacks | covered | covered | covered | covered |
Manufacturers release software updates to correct known vulnerabilities. If software that is in use is not updated, broadly based viral attacks can be carried out successfully.
A successful attack can execute unauthorized actions that have an impact in the context of the affected software.
Defensive measures:
- Windows updates (Updates)
- Regular or automatic software updates (Updates)
- Network-based detection mechanisms (IDS/IPS)
- Disabling unneeded services
- Removing components that are no longer needed
Manipulated websites
Attack type/attacker | Insider | Local | Internal network | Remote |
|---|---|---|---|---|
Broad, viral attacks | not covered | not covered | not covered | covered |
Vendor and integrator-specific attacks | not covered | not covered | not covered | covered |
A user is tricked into visiting an untrusted website. A vulnerability in the browser is exploited to execute arbitrary malicious code, or the website is designed in such a way that the user discloses confidential information such as login data.
A successful attack can execute unauthorized actions that are executed with the privileges of the interacting user.
Defensive measures:
- Regular or automatic software updates (Updates)
- Organizational measures for web surfing behavior.
Man-in-the-middle attacks
Attack type/attacker | Insider | Local | Internal network | Remote |
|---|---|---|---|---|
Broad, viral attacks | covered | not covered | not covered | not covered |
Vendor and integrator-specific attacks | covered | covered | covered | covered |
When using an insecure network protocol, an attacker can pretend to be the trusted remote station within the reachable network. This allows the information sent via this protocol to be manipulated or intercepted.
A successful attack can lead to unexpected behavior of the services in the automation system.
Defensive measures:
- Network segmentation
- Use of secure network protocols
Unauthorized use of network services
Attack type/attacker | Insider | Local | Internal network | Remote |
|---|---|---|---|---|
Broad, viral attacks | not covered | not covered | covered | covered |
Vendor and integrator-specific attacks | not covered | not covered | covered | covered |
If network services are provided that an attacker can access, this could result in unauthorized actions.
A successful attack can lead to unexpected behavior of the services in the automation system.
Defensive measures:
- Network segmentation
- Use of authenticating network services
- Disabling unneeded services
- Removing components that are no longer needed