Attackers
Classification according to the position of an attacker
Attackers can be divided into four classes according to their access to a system:
Class | Description |
|---|---|
Insider attackers | Attackers who want to perform certain actions on the automation system. The intention is to carry out damaging actions for which the attackers are not authorized. In addition, such attackers have access to private information, e.g. passwords, which they need to perform authorized actions. |
Local attackers | Attackers who have direct access to components of the automation system. This class also includes local attackers who can access some components directly via hardware interfaces or change the network topology in different places. |
Attackers in the internal network | Attackers who control devices on the internal network. Such attackers are generally unable to change the network topology and can only use existing services in the network. |
Attackers from an external network | Attackers who can only execute actions through interfaces that are connected to the internet, for example. With successful attacks on internal components, these attackers can escalate to attackers in the internal network. |
Assumptions
For all attackers it must be assumed that:
- they can receive public information such as documentation from the internet or via service calls;
- they are able to acquire any products available on the public market and to prepare targeted attacks by analyzing such products;
- they have significant computing power at their disposal, for example by renting computing time from a cloud provider.
The occasionally promoted categorization according to the motivation of an attacker is generally not expedient, as it involves a number of assumptions and speculations.
The classification helps when creating security analyses, but it should be noted that a real attacker has by all means various capabilities in several categories.