4.4.1. Virus/worms

A virus is malicious software that installs itself in a hidden way on a computer or equipment and is able to replicate itself from one computer to another. In general, to infect a system, a virus attaches itself to another software. When the latter is executed, the virus is executed and can infect the host machine and attempt to replicate itself. The biological metaphor is adapted to describe the behavior of this type of program. However, to contaminate or replicate, it must be executed via the contaminated software or directly. This can happen automatically, in the case of USB sticks with a self-executing file. Most often, it is the user who runs the program himself, after being misled about the nature of some software or of an attachment.

A worm is a type of virus that spreads over the network, often using a vulnerability to perform remote execution over the network. Nowadays, there is no longer any real distinction between worms and viruses.

4.4.2. Trojan horse

A Trojan horse is software that seems to do one thing, and can, in fact, do it, but embeds malicious software. The analogy to the famous story from Greek mythology is very appropriate: the giant wooden horse, an offering in appearance, actually hid Greek warriors. In the case of computers, the Trojan horse deceives the user and makes sure that the hidden malware is installed on his/her machine. The latter can then perform its hidden actions, for example spying and sending the user’s information to a pirate server.

4.4.3. Logical bomb

A logical bomb is a category of malware that installs itself in a hidden way, in a Trojan horse for example, and triggers actions at a date predefined by the hackers.

4.4.4. Rootkit

A rootkit is malicious software that installs itself in a hidden way, and whose purpose is to provide privileged user access to an attacker, who therefore has almost all the privileges to perform all actions on an operating system.

4.4.5. Spyware

Spyware is software that spies on users and records their activities. As a general rule, it is installed without the user’s knowledge. Spyware can perform a wide range of activities. It can record keystrokes (an action commonly known as keylogging), when the user connects to specific websites. It can record sound and/or image or anything else.

It can use a backdoor to send its information to a hacker server.

4.4.6. Back doors

A backdoor is a hidden feature of a software or operating system that is most often introduced at the time of development and allows access to specific options or bypassing the normal authentication procedure. Originally, the objective was to allow the recovery of lost passwords or simply for entertainment purposes, as was the case with software that displays special animations in the About window when typing a special sequence. With the networking of computer systems, this functionality has become a vulnerability, especially when authentication is hard coded.

In addition, there are many cases where the back door is implanted during manufacture in software, equipment (camera) or telephones for illegal purposes, such as data theft. There are also many malware programs that implement such a feature.

4.4.7. Botnet

A botnet is a network of machines connected to the Internet, each of which executes a “bot”, i.e. robot software responsible for responding to commands or executing predefined actions. Malicious “robot” software is distributed by one of the means mentioned above, such as viruses or emails. They are installed silently on targeted workstations or equipment and wait for orders. The consequences are benign for the user on the surface, however, this makes it possible to build armies of machines equipped with malicious software, the botnet.

These zombie machines, which can be computers or equipment connected to the Internet such as cameras or industrial Internet of Things (IIoTs), are used to carry out other attacks. They can send spam or perform distributed denial of service (DDoS) attacks.

4.4.8. Ransomware

Ransomware is a type of malware that prevents or limits users’ access to their system, either by locking the system screen or by locking users’ files. To recover access, a ransom must be paid. The most modern ransomware families, collectively classified as crypto-ransomware, encrypt certain types of files on infected systems and force users to pay the ransom via certain anonymous online payment methods to obtain a decryption key (cryptocurrency).

4.5.1. Buffer overflow and integer overflow

A buffer overflow attack attempts to place more data in a memory area than it can contain. This can corrupt other variables, block the system, or, when the zone is properly placed, write to the subroutine call stack and cause malicious code to be executed. In Figure 4.5, the variable buffer is a table of four characters, numbered 0 to 3. Writing beyond that is illegal. If no control is performed, writing from buffer (Abshier 2004) to buffer (Pollet 2010) allows to modify the return address, and thus cause the execution of a malicious code that will have previously been loaded at the chosen address. More details can be found in Howard and Leblanc (2002).

There are also vulnerabilities related to integer overflow. These vulnerabilities are often found by random software testing (fuzzing tests). A flaw of this well-known type is related to the Secure SHell (SSH). By sending a frame designed to exploit the flaw, was possible to get connected as “root” (CERT VU#945216 vulnerability).

4.5.2. Attack by brute force

A brute force attack is a trial and error method used by some software to decode encrypted data such as passwords or data encryption keys. Just as a criminal can “break” a safe by trying many possible combinations, a brute force cracking application goes sequentially through all possible combinations of legal characters. Brute force is considered an infallible approach, although it takes a long time. In reality, software programs performing this type of attack combine brute force and a dictionary approach: they will first test the usual passwords, then the dictionary words, then classical variations, before systematically testing all combinations.

Encryption systems are designed so that the time required is such that this method is not feasible on a human scale. However, new means of calculation (quantum computing) could reduce this time. For this reason, some guides require that the authentication system can be updated on equipment, such as the Industrial Internet Consortium’s IIoT good practices described in Chapter 6.

This approach cannot be used directly, as most systems crash after a few attempts. This approach is most often used on encrypted password files that have been previously stolen.

Finally, it should be noted that the effectiveness of this type of attack is closely linked to the strength of the passwords, which must be chosen in a relevant way (ANSSI 2012b).

4.5.3. Attack via a zero day flaw

A “zero day” attack is an attack that exploits vulnerabilities that have not been fixed or made public. Often, this type of attack includes attacks targeting vulnerabilities known to the public but not yet fixed.

Software vulnerabilities can be discovered by hackers, security companies, researchers, government intelligence services, software vendors themselves or users. If discovered by hackers, they can be used to set up attacks also called “exploits”. An exploit will be kept secret for as long as possible. It can be sold on the cybercrime black market.

4.5.4. Side-channel attacks

In general, side-channel attacks use information leaks such as execution time, power consumption or electromagnetic leaks observed during the normal execution of a cryptographic algorithm to infer secret information such as encryption keys (Appendix 1).

It is important to note that the quality of the algorithm is not in question, either its principle or its implementation, rather it is observation of its functioning that allows it to be bypassed. In a way, this method is similar to opening a safe with a stethoscope.

The most well-known approaches (Joye and Olivier 2011) use:

• – consumption analysis, either directly during an encryption operation (single power analysis) or by making repeated observations and using statistical methods (differential power analysis);
• – analysis of computing time (Kocher 1996), for example to validate or invalidate a password;
• – the electromagnetic waves emitted.

The risk associated with this type of attack depends on the physical accessibility of the equipment, which can be easy for an Internet of Things (IoT) device, and the level of integration of the component. It is more complex with a System on a Chip (SoC, section 11.12.4), and countermeasures to smooth consumption are implemented in recent circuits.

4.5.5. Attacks specific to ICS equipment

Equipment such as PLCs are particular computer systems, which can therefore be subject to the same attacks. For example, since many PLCs work with VxWorks, they have vulnerabilities such as the CVE-2015-7599 vulnerability. This, due to a problem of unchecked integers overflow, allows a user to execute arbitrary code or to create a DoS.

However, ICS equipment also has functional vulnerabilities: it is possible, by using “normal” commands in an inappropriate way, to create malfunctions. These commands are, for example, a reset device, sending a malformed request, forcing a stop, synchronizing the clock, etc. It is therefore important to prevent any intrusion into the industrial network in order to avoid the generation of commands of this type.

It is also possible to insert malware into the program sent to the PLC (Govil et al. 2018). This program is written in one of the languages specific to PLCs (Chapter 1), such as the Ladder Language. However, it is possible to insert malicious actions that affect the actions, the measurement values or even create a DoS. Transfers to the PLC are not very secure, so this type of attack should be considered.

Other attacks to consider are those related to the modification of the PLC firmware (Basnight et al. 2013; Schuett et al. 2014).

Another type of attack concerns the OPC/DCOM protocol. The OLE for Process Control (OPC) version is a technique that appeared in 1995 and is not very secure (Chapter 2). OPC allows an attacker to list system properties or exploit vulnerabilities by buffer overflow. The OPC protocol has been replaced by the OPC/UA standard proposed by the OPC Foundation, which is much more secure.

Dragonfly malware has used these vulnerabilities. The Havex module uses the OPC standard to collect information on industrial control devices. It then sends them to the command and control server (C&C) where they are analyzed by hackers.

4.5.6. Attacks on IIoT systems

IIoT-based systems are networked systems in which each node is a more or less sophisticated programmable device. It is subject to the same vulnerabilities as traditional computer equipment.

In addition to traditional attacks, IIoT-based systems are sensitive to specific attacks and can be used as a platform to conduct specific attacks.

Among these specific attacks, we can mention the following:

• – physical attacks, by auxiliary channel, by observing consumption to deduce the keys (section 4.5.4) (Mangard et al. 2007) or to carry out reverse engineering;
• – attacks on energy resources, by preventing the equipment from going into rest mode to exhaust its energy (denial of sleep) (Raymond et al. 2009);
• – attacks on system software, which are complex to update;
• – attacks on network addition and removal features.

These aspects are detailed in Chapter 5, on vulnerabilities.

It should also be noted that the stakes of data attacks may be higher than in the case of traditional ICS. Let us quote, for example:

• – attacks aimed at recovering data to build an image of the activity of a company, a person or a manufacturing process (for example, deducting that a place is occupied from the consumption or switching on of lamps);
• – attacks aimed at modifying data transmitted in order to fraud, such as Spanish electricity meters (Illera and Vidal 2014).

Conversely, IIoT equipment can be used as an attack platform, and because of their large number, they present a significant threat. This is the case when:

• – they are corrupt, to enroll them in a botnet in order to carry out DoS attacks;
• – they are used to saturate the local communication network (radio or Wi-Fi).

In more traditional attacks on IoT devices, malware attempts to modify the firmware, or insert malicious code at boot time. IIoTs are more vulnerable because they are often physically isolated and can be the subject of electronic analyses or reverse engineering.

4.7.1. Man-in-the-middle

The principle of Man-in-the-Middle attacks (MiM or MitM attacks) is to pass communications between two stations through a relay without the knowledge of the two stations in communication (Figure 4.7). This can be done using different techniques:

• – the poisoning of the ARP cache (ARP Cache Poisoning) described in Chapter 2: if both workstations are on the same local network, it is possible, even relatively easy, for the attacker to force the communications to pass through his computer by posing as a “relay” (router, gateway). It is then quite simple to modify these communications;
• – DNS-Spoofing: a DNS server translates a site name (for example www.myscadasupplier.com) into an IP address. The attacker alters the DNS server(s) in order to redirect to it communications for a website;
• – Internet Control Message Protocol (ICMP) redirection: using the ICMP, an attacker can send a fake message to a router to redirect a victim’s data flow to his/her own machine. This option must therefore be blocked in routers.

With this type of attack, an attacker cannot only capture all traffic, including sensitive data such as usernames and passwords, but can also delete connections at will and manipulate content to deceive the victim. This attack works even if the traffic is encrypted, as the attacker can substitute his/her private/public keys when establishing the call.

4.7.2. Denial of service

A DoS attack is an attack designed to prevent a system or service from operating normally. It can exploit a known vulnerability in a specific application or operating system, or use certain vulnerabilities in specific protocols or services. In a DoS attack, the attacker tries to prevent authorized users from accessing either specific information or the computer system or the network itself. This can be accomplished by causing the system to shut down unexpectedly (e.g. by buffer overflow) to cause a cessation of service or by flooding it with requests (e.g. with a botnet).

A DoS attack can also be used in conjunction with other actions to gain unauthorized access to a computer using a MitM attack.

In the context of ICS, a DoS of a system in charge of controlling a physical equipment can have serious consequences, since the physical system continues to evolve over time (it is said to be real time). If the system under attack is the SIS, the security of persons and property may be affected.

A DoS attack conducted by a network of computers or connected objects is called a DDoS (Distributed DoS) attack. It can also be conducted using a TCP/IP vulnerability (SYN flood) (Chapter 2).

4.7.3. Network and port scanning

Computers and equipment connected to a TCP/IP network communicate using ports. There are 65535 TCP and UDP ports that can be opened, i.e. for which the system is ready to open a communication. A number of ports from 1 to 1,023 have a predefined role: for example, port 21 is used for FTP communications, port 80 for the web server. Some of the communication modules ready to accept a communication on one of these ports have vulnerabilities: for example, FTP servers on port 21 may allow anonymous connections. These are of course ideal targets and significant vulnerabilities (Mathew et al. 2014).

During an intrusion attempt, a port scan allows us to know if there is a device at an address, and then to know its functionalities and possible vulnerabilities. The approach of the analysis is often as follows:

• – test to see if the host is active;
• – test to know if the host is behind a firewall;
• – detection of the OS or the type of equipment;
• – port scanning;
• – looking for vulnerabilities.

The intrusion attempt is performed by testing known vulnerabilities on identified ports. For example, for port 80, which is the port used for websites, automatic software sends requests to attempt SQL injections, cross-site scripting attacks or buffer overflow attempts. For port 22, used by SSH, connection attempts can be made by a brute force attack.

The nmap software allows “scanning” a computer network and opens ports. The PLCSCAN utility allows detection of the PLCs present on a network (Figure 4.8).

Detecting port scanning activity is therefore important, as it is a precursor incident that can identify an attempted attack.

4.7.4. Replay attack

A replay attack is an attack that consists of intercepting packets from the network, possibly by a MiM mechanism, and then reusing them to forward them to the recipient. It is not necessary to understand or decipher them.

For example, if a sender sends an encrypted name and password to a recipient to authenticate himself, it is possible for a hacker, by reusing the same sequence, to usurp the sender’s rights.

An attack of this type is possible against certain types of vulnerable PLCs: an attacker with access to the OT network can steal session numbers and add arbitrary commands to stop or restart the PLC.

4.9.1. Social engineering

One of the weakest links in IT system security is the human aspect. In addition to human errors, unintentional (carelessness) or deliberate (conscious non-compliance with the rules), the human user can be a victim of so-called social engineering techniques.

These methods are based on lies, misrepresentation, blackmail or greed. The attacker can, for example, contact a system administrator and pretend to be an authorized user, asking to have a new password. Another common strategy is to pose as a member of a supplier’s staff who needs temporary access to perform emergency maintenance.

These techniques also rely heavily on phishing scams that aim to abuse the “naivety” of users to retrieve their credentials.

There are two types of phishing: mass phishing, using generic emails, and spear phishing, which is carried out after investigation of the target and the company, and can be much more difficult to detect.

Examples of an attack may include the following:

• – the receipt of an email using the company’s logo and colors;
• – a request to perform an operation such as updating personal data or confirming the password;
• – a connection to a fake site identical to that of the company and controlled by the attacker;
• – the recovery by the attacker of the login/passwords (or any other sensitive data) entered by the customer on a fake site.

This site may be an equipment manufacturer site and, for example, provide updates.

Such an attack occurred in early 2018: a fake patch for Meltdown/Specter Patch vulnerabilities attempted to install malware. The emails appeared to come from the German Federal Office for Information Security (BSI), and linked to an imitation site, with an SSL certificate (https:). The site was not official, but tried to encourage users to install the patches, which were actually malware.

4.9.2. Internal fraud

The fact that an authorized user knowingly uses his or her access to harm the security of an organization is called internal fraud. The user may be an employee, a consultant or a subcontractor. This case is to be distinguished from the user who provides their access details, either through negligence or because they has been misled. This problem remains a taboo subject for many companies, while it is increasing significantly (Cole 2017). There are different categories of fraudsters: the occasional fraudster, the recurrent fraudster, the person who is deliberately hired to carry out fraud and group fraud. The problem is particularly important for privileged users such as managers or administrators (Ware et al. 2017).

These attacks are made possible by organizational vulnerabilities:

• – weaknesses in internal control and operational monitoring procedures;
• – permissive management of IT authorizations;
• – lack of segregation of duties and rotation.

Appropriate organizational measures are therefore to be planned.