Advanced Network Attacks

The notion that physical attacks can be transposed through the cyber realm was considered Hollywood-esque and a joke until a few years ago. However, the current nature of attacks that are carried out on industrial and nuclear facilities, such as the Stuxnet attack, has made this fear a tangible reality and has put cybersecurity, in relation to critical infrastructure, on the radar. With the increasing significance of Industrial Control Systems (ICS) cybersecurity, it's necessary to understand how ICS infrastructure attacks operate and the threats related to them.

In this chapter, we will focus on introducing the technical groundwork and practical procedures for securing critical cyber and physical infrastructures, along with their underlying architecture. Such infrastructure includes public services utilities such as power grids, water and energy systems, transportation and air traffic control systems, telecommunication networks, medical and healthcare infrastructure, financial, banking, and government, and strategic and public infrastructures and assets.

The following topics will be covered in this chapter:

  • Critical infrastructure and prominent exploitation
  • Penetration testing IoT networks and reverse engineering firmware
  • Exploiting VoIP networks and defense mechanisms

Technical requirements

To get the most out of this chapter, you need to familiarize yourself with the following topics:

  • SCADA/ICS topology and past attacks such as Stuxnet
  • Roles of ISACs in sectoral security initiatives
  • Internet of Things (IoT), Universal Asynchronous Receiver/Transmitter (UART), and Voice over Internet Protocol (VoIP) components and their basic frameworks

Critical infrastructure and prominent exploitation 

Critical infrastructure represents the cyber or physical resources that are of paramount importance to a nation because the nation depends on them directly and inherently. With the evolution of technology, cyber warfare has become a reality in today's global conflicts. 

Today, we are surrounded by ICSes that impact our daily lives. These systems include services such as water treatment, water control systems, electricity and power grids, public transport, oil and natural gas, medical and pharmaceutical setups, and manufacturing, among many others. In the future, as we move toward smart cities, cars, and houses, ICS and IoT are going to play a key role.

With the wide usage of ICS in modern technological enhancements, a significant amount of attention is being paid to the industry by both security researchers and threat actors. This has resulted in an increase in the number of vulnerabilities being disclosed each year. According to a report published by Dragos, experts analyzed 438 ICS vulnerabilities that were reported in 212 security advisories. They found that 26% of the advisories were related to zero-day flaws.

The following graph by the ICS Cyber Emergency Response Team is another example that shows how the number of ICS vulnerabilities is increasing year after year:

Over the last few years, ICS has been subjected to various advanced attacks. For example, Stuxnet was used in one of the most widely known ICS attacks, which targeted Iran's nuclear program. It aimed to physically destroy the centrifuges.

Since 2015, there have been many reports pertaining to attacks focused on Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA), and ICS in order to affect manufacturing industries, among others. With each passing day, such attacks and the sophistication of these attacks will only see a rise.

So, how are these attacks actually carried out and can we defend ourselves against them? Of course! The upcoming subsections will take you through some of the attack frameworks and vulnerable points that will help us create a solid defense.

For a detailed analysis of the Stuxnet attack, visit https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet.

Attack frameworks toward ICS industries

Cyber attacks on ICS vary in terms of certain parameters such as risk and impact based on the Tactics, Techniques, and Procedures (TTPs) of the threat actor. Threat actors today are evolving their techniques more toward targeting systems via large threat campaigns instead of through single pinpointed intrusion attempts.

A typical threat campaign consists of a methodological approach toward cyberattacks with a step-by-step approach via different stages of the attack life cycle and well-calibrated techniques for efficiency and effectiveness. Understanding which phase an attacker is at and the techniques that they are using can help blue teams respond appropriately and stop the threat actor in its tracks. The following are specific attack frameworks that can assist in understanding and defending against attacks more efficiently.  

The cyber kill chain

The cyber kill chain was formulated in 2011 by Lockheed Martin. It aims at assisting in the process of effectively detecting and responding to advanced cyber intrusions. Just like most cybersecurity frameworks today, the cyber kill chain was based upon the military kill chain concept, which has been translated to fit into IT. 

Although the cyber kill chain is not a direct fit for the kind of ICS attacks that we see today, it can serve as a baseline for creating a more aligned framework for them. The following diagram shows the steps that can be carried out at different phases to mitigate an advanced cyber intrusion attack:

In order to craft a precise and sophisticated working exploit, which may demonstrate advanced techniques such as persistence, silent data exfiltration, or the disruption of services, we need to have deep knowledge of how the ICS system works and understand its technical architecture and inner workings. Acquiring this knowledge allows an attacker to get the lay of the land and create attack tactics that will bypass the security mechanisms in the environment so that they can get deeper access. A two-stage attack is initiated to achieve this:

  • In the first stage of an attack, the focus is on reconnaissance, which is essential in order to understand the lay of the land. Intelligence pertaining to the target environment, the services that are running, and the potential technical architecture are important in estimating the security mitigation in place that needs to be circumvented.
  • In the second stage, the threat actors utilize what they've learned from the first stage to craft specific attacks against the target environment.

Next, we'll look at information sharing and analysis centers.

Information sharing and analysis centers

Since most national critical infrastructures and their services face significant cyber threats, there is a large demand in terms of cybersecurity. In recent times, a strong engagement model has been created in various countries that takes public-private partnerships into account. This aims to protect sectors that are critical to the functioning of a nation, such as energy, water, finance, research, and many more.

These industries are crucial in day-to-day public life and have dedicated Information Sharing and Analysis Centers (ISACs), which focus on threat impacts specifically for their respective sectors and industry and share intelligence with the members of the ISAC. The following table summarizes the various industries and their corresponding ISACs. Although we will not be discussing each ISAC in detail, you can visit their websites to find out more:

Industry                 ISAC Examples
Energy                   www.dngisac.com and www.eisac.com
Water                    www.waterisac.org
Finance                  www.fsisac.com
Research                 www.ren-isac.net
Health                   www.h-isac.org and www.healthcareready.org
Public Administration    https://www.cisecurity.org/ei-isac/, www.usfa.dhs.gov/emr-isac, and www.ms-isac.org
Telecommunications       www.dhs.gov/national-coordinating-center-communications and https://meisac.org
Transport                www.automotiveisac.com, www.a-isac.com, www.maritimesecurity.org, and www.surfacetransportationisac.org
Technology and Defence   www.it-isac.org and www.ndisac.org
Others                   www.reisac.org and www.rhisac.org/

Concern for cybersecurity is increasing day by day as more and more digital transformation in such sectors is opening them up to cyberattacks. A reason that warrants special focus on these sectors is the direct impact on the social life of a nation's population if such services are disrupted. The other factor is that, today, adversarial nations often target the critical infrastructure of another nation to deter them politically instead of getting into direct conflict as this is a more subtle option. Hence, establishing a comprehensive security framework and patching all related systems systematically is gaining importance when it comes to increasing the cyber resilience of such systems.

Some of the major cybersecurity issues and problems that are faced by critical infrastructures are as follows:

  • Outdated systems, networks, and hardware
  • Lack of security skills/talent and awareness
  • Lack of security by design
  • A large number of interconnected devices
  • Increased complex cyber threats and campaigns

Traditionally, owners of digitized infrastructures typically focus their energy and efforts on improving the efficiency of the system rather than on the security aspect of it.

Understanding the threat landscape

Several reports in the past have uncovered that most discovered vulnerabilities have been present for more than 10 years. This opens a huge gap in the security posture of these products and systems, which might be exploited by attackers who could have known these loopholes and have been potentially exploiting them silently for years, going undetected. 

Edgescan's 2019 Cyber Security Vulnerability Statistics Report contains some interesting figures that you should look at: https://www.edgescan.com/wp-content/uploads/2019/02/edgescan-Vulnerability-Stats-Report-2019.pdf.

In recent times, security researchers have demonstrated that malware can be used to control the systems of a water treatment plant. Subsequently, such malicious code can be used by threat actors to disrupt the services being used by the plants, thus impacting the population. This is just one of many such malware that has been developed by researchers to show the kind of impact and implications that unfixed vulnerabilities and a lack of a coherent security strategy and enforcement in the ICS sector can result in. Therefore, while we strive toward digital transformation and integrating technology into various aspects of our industries, it is equally as important to focus on the secure nature of these innovations and protect them on an ongoing basis with security road-mapping and cyclic evaluation.

The best way to move toward a more secure environment is to accept that threats are going to evolve and that attacks will come in all shapes and forms. We need to look from the attacker's perspective, similar to black-box testing, in order to understand which aspects may be attacked and how threat actors might aim at targeting the environment. We need to focus on creating an integrated security platform that has deep and wide visibility of all our assets and can be alerted in case any anomaly is detected so that we can respond in a timely fashion.

Every information technology infrastructure has a dedicated network of its own that is used for its business operations. Every IT component connected to the internet is vulnerable to attacks; the only system that is 100% secure is the one that is shut down. Throughout the years, we have seen examples where threat actors have broken into a retail organization via the store's air conditioning system, which was an internet-connected control system. This led them to the corporate network where they processed their store's credit card payments, which further resulted in a huge data breach. This is a great example of why network segmentation and containing data are important. 

However, the question remains: why was the targeted Heating, Ventilation, and Air Conditioning (HVAC) system not segregated from the payment system network? The benefits of connecting such a system to the wider network are understandable, so avoiding interconnected systems altogether is not a practical solution. However, attention should be paid to how such system interactions are (securely) designed, keeping in mind how they impact the risk posture and open the larger network or environment to cyber threats coming from the internet. We should also deploy mitigating controls to account for any threats that arise as part of such integrations and test them to validate the efficiency and effectiveness of those controls. 

This is why embedding security into the network planning and designing phase is very important when it comes to building a strong, fundamental base, upon which further improvements can be made with ease. There should also be a focus on having human-operated or manual modes overriding significant controls that might be altered in such critical infrastructures in case of a cyber attack.

Now that we've looked at the various frameworks that can be adopted to protect ICS industries, let's shift our focus and look at some vulnerabilities.

Top threats and vulnerable points in ICS industries

Since we've already looked at how an adversary can plan and initiate an attack against ICS industries, let's take a look at the Top 10 cybersecurity attacks that are performed on ICS networks, as well as the most vulnerable points for ICS attacks:

  • ICS insider
  • Targeted ransomware
  • Zero-day
  • APT attacks
  • Compromised vendor websites
  • Vendor backdoor
  • Malware
  • Hardware supply chain
  • Vulnerabilities exploitation
  • Nation-state crypto compromise

Each of these attacks can be benchmarked based on the level of sophistication involved and the impact that they have on the target environment. Sophistication captures key insights about the attack, such as whether the tools and techniques being used are common and prevalent or unique to this attack.

The following is an interesting report from FireEye. It talks about cyberattacks that have targeted Operational Technologies (OT)/ICS over the last decade:

Monitoring ICS Cyber Operation Tools and Software Exploit Modules To Anticipate Future Threats (https://www.fireeye.com/blog/threat-research/2020/03/monitoring-ics-cyber-operation-tools-and-software-exploit-modules.html)

This, in turn, shows the technical capability of the threat actor and the resources that are used to develop the threat. This may range from the infrastructure that's used to launch and cover the attack, to the infrastructure that's used to test and fine-tune how the attack works and test its effectiveness.

Well-known critical infrastructure exploitation examples

To understand the impact that cyber threats have on critical infrastructure and the kind of damage that they can cause, it is important to take a look at some of the recent attacks that the world has seen in this regard. The following examples will help you become familiar with their depth and breadth:

  • An ex-employee of a water company took control over a plant in Australia using their corporate-issued device, causing significant sewage spillage.
  • In the time frame between 2006-11, there have been various threat campaigns originating from China that have specifically targeted utility companies. Their aim was to gain control and access to critical controls and data. 
  • In 2008, a teenager from Poland was able to derail trains by exploiting a weakness in the rail control system.
  • In 2010, Stuxnet came to light, which had caused the uranium centrifuges of an Iranian nuclear plant to fail. The attack targeted the Programmable Logic Controllers (PLCs), which ultimately rendered the nuclear plant nonoperational.
  • In 2011, threat actors associated with Dragonfly were linked to various threat campaigns that were targeting organizations from energy and utility verticals in the US and Europe. This involved utilizing spear-phishing emails, compromising websites to collect user credentials, and backdooring software libraries that are used by ICS providers that manufacture PLC devices.
  • 2016 saw a busy year with attacks on ICS and SCADA systems across the globe. Ukraine suffered a power blackout due to a series of cyberattacks impacting major power plants across the nation. The attack propagation occurred via malware being spread, which was initially introduced via phishing emails. 
  • In 2017, another cyberattack campaign focused on Ukraine occurred that disrupted the transportation industry. Airports and subway infrastructure systems were targeted, which hampered public transportation and the services that were rendered by them.
  • 2017 also saw the emergence of WannaCry, which severely impacted the functioning of various industries and sectors, including 16 hospitals in the United Kingdom, disrupting medical services.
  • In 2017, Saudi Arabia also saw the advent of cyberattacks focused on oil, gas, and utility verticals in the form of a new malware known as Triton (by exploiting a vulnerability in Windows OS). This was used to gain control of the safety instrumented system. The malware was created and configured for ICS.

On average, about 50% of the executives that manage critical infrastructure anticipate cyberattacks in the next few years that could seriously disrupt their operational capability.

With that, you should now be aware of the risk that threat actors pose toward ICS industries, as well as a few frameworks that can be taken to mitigate them. Next, we will take a look at the process of penetration testing an IoT network and how security engineers and threat actors reverse engineer firmware.  

Penetration testing IoT networks and reverse engineering firmware

In this section, we will take a look at what IoT is and the various security aspects associated with it. As with any new technological advancement, IoT is also susceptible to security threats. In the past few years, we have seen interest and development from the security community toward standardizing the IoT segment; however, improvements still need to be made.

In this section, we will take a look at the security issues that affect IoT, such as hardcoded passwords, lack of security by design, and so on, as well as the proposed solutions that can help make it more secure. We will also look at UARTs and understand how they function, along with different attributes of firmware and reasons for reverse engineering them. 

Introduction to IoT network security

IoT is an evolving concept that consists of home appliances, vehicles, and other electronically embedded sensors and software that enables connectivity among these applications to collect, analyze, and process data for desired outcomes. In principle, it's an augmentation of the internet that enables interconnectivity based upon RFID, GPS, and other such sensors. 

As such, an IoT environment is built on the following components:

  • Network/intercommunication
  • Application
  • Firmware/operating system
  • Hardware

IoT is considered an extension of the conventional internet, where the idea is to be able to establish connectivity between different applications and objects in the real world for a seamless experience for the user. IoT consists of three major layers, as follows:

  • Application layer: This facilitates application services to the user.
  • Network layer: This is responsible for providing interconnectivity between devices and processing the data that's exchanged.  
  • Perception layer: This enables data to be collected from physical sensors for processing. 

There is also a five-layered architecture, which includes additional layers such as business, transport, and processing, as shown in the following diagram:

No matter which layered approach we look at, each layer has individual vulnerabilities and protocol flaws that can be exploited by threat actors. Hence, we need to ensure that adequate protection is placed at each layer and that defense in depth is enforced. Some of the major aspects that should be taken into consideration are as follows:

  • IoT network and hardware security
  • Secure development and designing
  • Authentication, PKI, and digital certificates
  • Encrypting data
  • Secure API implementation
  • Identity and access management
  • Vulnerability and patch management
  • Security analytics

A good resource where you can find out more about the security aspects of IoT is https://www.iotsecurityfoundation.org/.

Once you've shored up your basic security, you can test your infrastructure and also your IoT network for vulnerabilities. When testing an IoT network for threats, security professionals should familiarize themselves with architectures such as ARM, SuperH, MIPS, and PowerPC, as well as communication protocols and radio technologies such as ZigBee, Near Field Communication, and Software Defined Radio so that they understand the system.

In recent years, malware such as CrashOverride, Mirai, VPNFilter, and Triton have aggressively targeted OT and IoT environments.

An IoT pen tester must meet the following skill requirements and methodologies in order to find and fix security issues in an IoT network:

  • Determine the used protocols that may be at risk.
  • Find issues and vulnerabilities in web applications.
  • Locate and test backdoor and test interfaces.
  • Familiarity with Linux, QNX, and VxWorks.
  • Ability to conduct application decompiling and execute reverse engineering to determine whether the application is vulnerable to attacks.

Some useful general techniques you can use to secure an IoT network are as follows:

  • Create a separate subnet dedicated only to the IoT devices.
  • Keep all devices updated.
  • Disable Universal Plug and Play (UPnP) options for IoT devices.
  • Check for disclosed vulnerabilities from the vendors that supplied the devices.
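To see how two of these controls can be checked rather than just stated, the following script (an example added here, not code from the book) audits a device inventory: it flags any device whose address falls outside the dedicated IoT subnet and any device that still answers UPnP discovery. UPnP devices announce themselves over SSDP, so a device that replies to an M-SEARCH still has UPnP enabled. The inventory, the 192.168.50.0/24 subnet, and the SSDP replies are constructed sample data, and the function names are illustrative; an auditor would collect real replies with a multicast M-SEARCH on the IoT VLAN.

```python
"""Audit an IoT inventory for subnet placement and leftover UPnP (added example)."""
import ipaddress
from typing import Dict, List

# Constructed inventory: device name -> management IP.
# 192.168.50.0/24 is assumed to be the dedicated IoT subnet.
INVENTORY: Dict[str, str] = {
    "cam-lobby": "192.168.50.11",
    "thermostat-hq": "192.168.50.12",
    "printer-finance": "192.168.10.40",   # misplaced on the office LAN
}
IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")

# Constructed SSDP M-SEARCH replies (HTTP-over-UDP), keyed by sender IP.
# Only devices with UPnP enabled answer an M-SEARCH at all.
SSDP_REPLIES: Dict[str, str] = {
    "192.168.50.11": (
        "HTTP/1.1 200 OK\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        "LOCATION: http://192.168.50.11:49152/description.xml\r\n"
        "SERVER: Linux/3.10 UPnP/1.0 ExampleCam/1.2\r\n"
        "ST: upnp:rootdevice\r\n\r\n"
    ),
    "192.168.10.40": (
        "HTTP/1.1 200 OK\r\n"
        "LOCATION: http://192.168.10.40:1900/igd.xml\r\n"
        "SERVER: ExamplePrinter UPnP/1.1\r\n"
        "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
    ),
}


def parse_ssdp_reply(raw: str) -> Dict[str, str]:
    """Parse an SSDP reply into a dict of upper-cased header names to values."""
    lines = raw.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK reply")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break                      # blank line ends the header block
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip().upper()] = value.strip()
    return headers


def audit(inventory: Dict[str, str], iot_subnet, ssdp_replies: Dict[str, str]) -> List[str]:
    """Return one finding per control violation (subnet placement, UPnP still on)."""
    findings: List[str] = []
    for name, ip in inventory.items():
        if ipaddress.ip_address(ip) not in iot_subnet:
            findings.append(f"{name} ({ip}): outside dedicated IoT subnet {iot_subnet}")
        if ip in ssdp_replies:
            hdrs = parse_ssdp_reply(ssdp_replies[ip])
            findings.append(
                f"{name} ({ip}): UPnP enabled, advertises {hdrs.get('ST', '?')} "
                f"via {hdrs.get('SERVER', '?')}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, IOT_SUBNET, SSDP_REPLIES):
        print(finding)
```

Running the script reports the printer twice (wrong subnet and UPnP still answering) and the camera once (UPnP), while the thermostat, which sits in the IoT subnet and stays silent, produces no finding.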

The following diagram shows the various areas that must be kept in mind when pen testing:

IoT refers to a big network of devices that communicate with each other. Though this connection probably brings game-changing benefits, it doesn't come without problems regarding security, such as high-risk vulnerabilities.

Security challenges for IoT

Compared to the conventional internet, IoT has specific vulnerable attributes because of its three-layered approach. Also, the dependencies on various integrated products and applications expand the threat landscape and introduce more loopholes. Thus, standard security mitigations are not adequate for IoT.

In the three-layered structure that we discussed, each layer has inherent security challenges, most of which pertain to traditional networking issues. For example, the perception layer is susceptible to attacks such as eavesdropping, cloning, and spoofing. The network layer can face attacks such as DDoS, data tampering, and sniffing. Similarly, the application layer can be attacked using SQL injection, cross-site scripting, and so on.

In order to tackle such attacks, an IoT security assessment should focus on the following aspects:

  • Application
  • Infrastructure
  • Device firmware
  • Wireless protocol
  • Cloud services
  • Embedded devices

Besides the steps we've just discussed, penetration testing or pen testing is another excellent way in which IoT can be secured. We'll learn more about this next.

Penetration testing for IoT networks

As you might be aware, pen testing is an authorized attack that's performed on a network to understand just how secure the network is. A penetration testing engagement for an IoT network should include the following stages as part of this approach:

  • Reconnaissance  
  • Evaluation
  • Exploitation
  • Reporting

Let's take a look at each of these individually. 

Reconnaissance 

This is the primary stage where each of the layers is looked at to collect information pertaining to their attributes. The following information can be gathered at each layer:

  • Perception layer: It is essential to collect information that focuses on the attributes and characteristics of the nodes, their range, communication protocol, type, topology, and so on. Tools such as Nmap, Nessus, Hardware Bridge, and OpenVAS can be used. 
  • Network layer: It is essential to collect information pertaining to the network type, connectivity, security mitigations, and so on.
  • Application layer: It is essential to collect information pertaining to the applications such as the ports, access controls, and services being used.

Next, we'll look at the evaluation stage.

Evaluation

In the evaluation stage, information that was collected in the previous stage is evaluated to estimate the possible attack tactics and techniques that might be used by a threat actor. There are many industry-recognized frameworks that can be used to benchmark these evaluation metrics. However, it is recommended to tweak these metrics based on their suitability for the business for better correlation and contextualization. 

Exploitation

This is the stage where the actual attack will take place based on the evaluation that was performed in the previous stage. Attacks such as the ones discussed previously will be tested across the network to validate the possibility of the attacks and the impact they will have on the target environment. We need to utilize various tools such as IoTSeeker, the Hardware Bridge API, Aircrack-ng, Metasploit, password crackers, w3af, and SEToolkit to conduct penetration testing exercises.

Reporting

Once all the preceding stages have been completed, we create a consolidated report to translate our findings and observations, as well as the recommended security mitigations. The report structure should contain an executive summary that talks about security issues and recommendations at a very high level from a domain perspective for executive or senior leadership. The latter part should have a technical aspect with the proof of the exploitation attached to it to show how it was conducted. This allows the technical team to review it.

Now that we've covered all the foundational IoT technologies, let's work on setting up an IoT pen testing lab.

Setting up an IoT pen testing lab

Due to the suite of technologies that are employed by IoT devices, several tools are required for the software and hardware portions of testing. There is a mix of paid commercial tools, as well as free tools that we will use. Some upfront purchasing will be required for hardware and radio analysis tools. There are modest licensing fees for web application proxy tools, but we will try to keep the price tag as low as possible and offer free tools where possible.

Software tool requirements

Software tools cover firmware, web application, and mobile application testing. The majority of testing tools are free for each of these three categories, with the exception of Burp Suite for web application testing. A list of all tools has been compiled and provided here.

Firmware software tools

Mostly, firmware analysis platforms and tools are open source and supported by the community. The following are a number of firmware software tools that can analyze firmware images, disassemble images, and be attached to firmware processes during runtime:

  • Binwalk
  • Firmadyne
  • Firmwalker
  • firmware-mod-toolkit
  • Firmware analysis toolkit
  • GDB
  • Radare2
  • Binary Analysis Tool (BAT)
  • QEMU
  • IDA Pro (optional)

Web application software tools

For web application testing, the most common tools of the trade are Burp Suite and the OWASP Zed Attack Proxy (ZAP). Burp Suite has a free and pro version available for a modest price. ZAP is completely free and open source, which may be a good alternative to keep costs low. Additional plugins or add-ons may be used to help with web service and API testing.

Unfortunately, to install plugins with Burp Suite, a pro license is required. All the tools listed here are cross-platform as they are either Java-based or within your browser: 

  • Burp Suite
  • OWASP ZAP
  • REST Easy Firefox plugin
  • Postman Chrome extension

Now, let's look at the platforms and tools for advanced testing.

Platforms and tools for advanced testing

In this section, we'll take a look at some of the tools and platforms that you can use to test these networks. These are complementary to the platforms we've already discussed:

  • Infection Monkey: Infection Monkey can be used to check the cloud infrastructure running on Google Cloud, AWS, Azure, and so on. It's open source and can be used with Docker, Debian, and Windows. You can use it for automated attack simulations such as credential theft, misconfiguration, compromised assets, and so on.
  • NeSSi2: This is another open source platform based on the JIAC framework that can be used to run network analysis, profile-based automated attacks, test intrusion detection algorithms, and much more.
  • CALDERA: This is an adversary emulation tool that leverages the MITRE ATT&CK matrix to conduct evaluations.
  • foreseeti: This is another brilliant platform that can be utilized to build network/test models, simulate real-time attacks, and generate reports with meaningful insights. 
  • AttackIQ: This is a platform that provides an enriching experience for both the red and blue teams. It also utilizes the MITRE ATT&CK matrix to provide clarity on the attack simulations and helps with mapping tactics and techniques. 

Some other notable mentions include SCYTHE, XM Cyber, Randori, and Picus. Check them all out and give each one a try. You will only be able to find the right fit for your organization and use case by testing them in your environment and gathering results that you can compare.

UART communication

UART is a hardware component that's used for serial communication. It is a half-duplex, asynchronous, serial protocol that enables communication between two nodes.
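The following encoder/decoder (an example added here, not code from the book) shows what the asynchronous framing looks like on the wire: each byte is sent as a start bit (low), five to eight data bits least-significant bit first, an optional parity bit, and one or two stop bits (high), with the line idling high between frames. The decoder reports parity and framing errors, which is what a receiver sees when its settings (for example 8N1 versus 8E1) do not match the sender's or when a bit is corrupted. All function names are illustrative.

```python
"""Bit-level UART framing: encode bytes to line levels and back (added example)."""
from typing import List, Tuple


def _parity_bit(data_bits: List[int], parity: str) -> int:
    """Parity bit that makes the 1-count even ('E') or odd ('O')."""
    ones = sum(data_bits)
    if parity == "E":
        return ones % 2
    if parity == "O":
        return 1 - (ones % 2)
    raise ValueError("parity must be 'E' or 'O'")


def encode_frames(payload: bytes, data_bits: int = 8, parity: str = "N",
                  stop_bits: int = 1) -> List[int]:
    """Return the sequence of line levels (0/1) for payload, e.g. 8N1 by default."""
    line: List[int] = []
    for byte in payload:
        if byte >= (1 << data_bits):
            raise ValueError(f"byte {byte:#x} does not fit in {data_bits} data bits")
        bits = [(byte >> i) & 1 for i in range(data_bits)]   # LSB goes first
        frame = [0] + bits                                   # start bit is low
        if parity != "N":
            frame.append(_parity_bit(bits, parity))
        frame += [1] * stop_bits                             # stop bit(s) are high
        line += frame
    return line


def decode_frames(line: List[int], data_bits: int = 8, parity: str = "N",
                  stop_bits: int = 1) -> Tuple[bytes, List[str]]:
    """Recover bytes from sampled line levels. Returns (bytes, error messages)."""
    frame_len = 1 + data_bits + (parity != "N") + stop_bits
    out = bytearray()
    errors: List[str] = []
    pos, frame_no = 0, 0
    while pos < len(line):
        if line[pos] == 1:             # idle (high) time: wait for a start bit
            pos += 1
            continue
        frame = line[pos:pos + frame_len]
        if len(frame) < frame_len:
            errors.append(f"frame {frame_no}: truncated")
            break
        bits = frame[1:1 + data_bits]
        value = sum(b << i for i, b in enumerate(bits))
        idx = 1 + data_bits
        if parity != "N":
            if frame[idx] != _parity_bit(bits, parity):
                errors.append(f"frame {frame_no}: parity error (byte {value:#04x})")
            idx += 1
        if any(b != 1 for b in frame[idx:idx + stop_bits]):
            errors.append(f"frame {frame_no}: framing error (bad stop bit)")
        out.append(value)
        pos += frame_len
        frame_no += 1
    return bytes(out), errors


if __name__ == "__main__":
    wire = encode_frames(b"OK", parity="E")
    print("".join(str(b) for b in wire))
    print(decode_frames(wire, parity="E"))
```

With 8N1 the byte 0x41 ('A') becomes 0 1000 0010 1 on the wire (start bit, LSB-first data, stop bit); flipping a data bit in an 8E1 frame is caught as a parity error, and a corrupted stop bit as a framing error.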

Next, we will take a look at the attributes around firmware reverse engineering and exploitation.

Firmware reverse engineering and exploitation

Firmware reverse engineering is a technique that has been employed by software testers and security professionals to better understand how a device works, as well as to identify vulnerabilities that can be leveraged by the attackers to manipulate the hardware.

Today, almost all devices that we find in our surroundings are powered by firmware. This ranges from a wide variety of products and appliances, including cars, televisions, smartphones, medical appliances, and fridges. The technical architecture of these embedded devices is quite different from what we traditionally see in our home personal computers. They use a variety of interfaces for inter-communication such as Bluetooth, UART, Wi-Fi, infrared, Zigbee, and so on. Hence, the risk of them being attacked is very high.

To make them secure, reverse engineering can be carried out on IoT firmware. This includes the following steps:

  1. Extracting the firmware: IoT devices need to be updated from time to time based on the new updates that are pushed by the provider. A large number of these updates are sent over the air without encryption, which allows a threat actor or security professional to capture the firmware update and begin the process of reverse engineering it. 
  2. Reverse engineering: Once the firmware is in possession, the next step is to use a reverse engineering tool such as IDA Pro or Binary Ninja to break it down. You will need a sound knowledge of assembly code to proceed further and examine and analyze all the functions and components of the firmware such as the kernel, filesystem, and boot loader and the inner workings of the firmware. 
  3. Hunting for security flaws: This is the most important phase as this is where we check for the presence of loopholes and flaws in the firmware components, such as hardcoded passwords and encryption keys, that can enable the actor to exploit the firmware.
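The following script (an example added here, not code from the book or from the tools listed earlier) performs a first pass of the flaw-hunting step on a firmware image, in the spirit of what Binwalk and Firmwalker do: it locates the magic values of embedded formats, measures per-block entropy to separate plaintext regions from compressed or encrypted ones, and searches for hardcoded credential material. The image it analyzes is constructed in code (a U-Boot-style header, a plaintext config, a PEM key, and a SquashFS marker followed by pseudo-random filler); the magic values and secret patterns are real, while the helper names are illustrative.

```python
"""Firmware image triage: magic carving, entropy, hardcoded secrets (added example)."""
import hashlib
import math
import re
from typing import Dict, List, Tuple

# Magic values of formats commonly embedded in firmware images.
MAGICS: Dict[bytes, str] = {
    b"\x7fELF": "ELF executable",
    b"hsqs": "SquashFS (little-endian)",
    b"\x1f\x8b\x08": "gzip stream",
    b"\x27\x05\x19\x56": "U-Boot uImage header",
}

# Patterns that indicate secrets baked into the image.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "PEM private key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "shadow-style password hash": re.compile(rb"[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$[^:\s]+:"),
    "hardcoded password assignment": re.compile(rb"(?i)pass(word)?\s*=\s*[\"']?[^\s\"']{4,}"),
}


def find_magics(image: bytes) -> List[Tuple[int, str]]:
    """Every offset at which a known format magic appears, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for magic, label in MAGICS.items():
        start = 0
        while (idx := image.find(magic, start)) != -1:
            hits.append((idx, label))
            start = idx + 1
    return sorted(hits)


def shannon_entropy(block: bytes) -> float:
    """Bits per byte, 0.0 for a constant block up to 8.0 for uniform random data."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_blocks(image: bytes, block_size: int = 1024, threshold: float = 7.0) -> List[int]:
    """Offsets of blocks whose entropy suggests compression or encryption."""
    return [off for off in range(0, len(image), block_size)
            if shannon_entropy(image[off:off + block_size]) >= threshold]


def find_secrets(image: bytes) -> List[Tuple[int, str, bytes]]:
    """(offset, kind, first 40 bytes of match) for each credential-like pattern."""
    hits: List[Tuple[int, str, bytes]] = []
    for label, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(image):
            hits.append((m.start(), label, m.group(0)[:40]))
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed 2 KiB sample image: header, plaintext config and key, SquashFS marker, filler."""
    def pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
        out, cur = b"", seed           # deterministic SHA-256 chain stands in for random filler
        while len(out) < n:
            cur = hashlib.sha256(cur).digest()
            out += cur
        return out[:n]
    header = b"\x27\x05\x19\x56" + b"\x00" * 60
    config = (b"# /etc/config/system\nhostname=cam01\nadmin_password=\"changeme123\"\n"
              b"root:$1$abcdefgh$ijklmnopqrstuvwxyz:0:0::/root:/bin/sh\n")
    key = b"-----BEGIN RSA PRIVATE KEY-----\nMIIB...(constructed)...\n-----END RSA PRIVATE KEY-----\n"
    padding = b"\x00" * (1024 - len(header) - len(config) - len(key))
    return header + config + key + padding + b"hsqs" + pseudo_random(1020)


if __name__ == "__main__":
    img = build_sample_image()
    print("magics:", find_magics(img))
    print("high-entropy blocks at:", high_entropy_blocks(img))
    for off, kind, snippet in find_secrets(img):
        print(f"{off:#06x} {kind}: {snippet!r}")
```

On the sample image the first kilobyte scores as low-entropy plaintext and yields three findings (a password assignment, a shadow-style hash, and a private key), while the second kilobyte scores high and would be handed to a decompressor or flagged as encrypted; on a real image, a high-entropy region right after a known magic usually means a filesystem to extract, whereas high entropy with no magic at all is a sign the update was encrypted.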

Reverse engineering is employed for a variety of reasons. Today, as part of security practice, we often come across requirements such as malware analysis, cryptographic algorithm review, application testing and code review, and encryption, where reverse engineering is used to detect vulnerabilities or security flaws and help us fix them. For example, in the case of malicious code such as ransomware or other malware, we reverse engineer the code to understand the activities it performs in order to set up mitigations that help prevent such exploitation and to create detection signatures for it.

For a detailed understanding on firmware reverse engineering, please refer to the following papers:
http://s3.eurecom.fr/docs/usenixsec14_costin.pdf
http://s3.eurecom.fr/docs/bh13us_zaddach.pdf
http://www.s3.eurecom.fr/docs/thesis15_costin_4685.pdf

With this, we've finished looking at how we can use pen testing and reverse engineering to keep our network secure. In the next section, we will shift our focus to the VoIP network, how threat actors exploit it, and the various mitigations that you, as a security professional, can implement to secure your network.

Exploiting VoIP networks and defense mechanisms

VoIP is a digital communication medium used to exchange voice and multimedia content over Internet Protocol (IP) networks. VoIP has traditionally been used to connect to the Private Branch Exchange (PBX), which is a private telephone network used within a company or organization. However, the term is now used to refer to IP telephony in general. With the increasingly widespread usage of VoIP in personal and professional engagements, it has gained the attention of threat actors and security researchers.

In this section, we will discuss some of the common threat vectors that impact VoIP and the defense mechanisms that can be implemented to mitigate those threats. 

VoIP threat landscape

VoIP is an amalgamation of different technologies that form the platform that's used to deliver voice interaction capabilities over the internet, including IM applications, VoIP phones, and other such services.

The following diagram shows the framework of a corporate VoIP network that consists of many devices, such as the SIP phone, router, and so on, that are linked to the internet:

Let's dig deeper into the topic of VoIP.

VoIP phone classifications

VoIP phones are classified into two categories:

  • Hardware-based: A hardware-based VoIP telephone resembles a conventional wired or cordless phone and includes comparable features. It can also send voice messages and perform call conferencing.
  • Software-based: Software-based IP phones, also known as softphones, are software clients installed on a computer or mobile phone. The softphone user interface often resembles a phone with a keypad, and a headset connected to the computer or mobile device is used to make the call. Users can also make calls directly through their computer or mobile phone if it has a built-in microphone and speaker.

Pros and cons of VoIP

Nowadays, VoIP is the preferred option for communication due to its cost efficiency, compatibility, ease of use, and service quality compared to traditional media. The advantages of using VoIP are as follows:

  • Flexibility
  • Cost savings
  • Portability
  • Integration options
  • Productivity improvement

VoIP has a few downsides to it as well. The cons of using VoIP are as follows:

  • Bandwidth and power-dependent
  • Less secure
  • Weak reliability
  • Imperfect voice quality

As with any technology, there's a security aspect that we also need to account for. In this case, VoIP is susceptible to attacks such as DoS, spoofing, man-in-the-middle, and so on. Next, we will try to understand some of these issues and the countermeasures we can use to deal with them.

Analyzing VoIP security issues

As we discussed earlier, VoIP networks are vulnerable to various security threats. In this section, we will discuss these threats and the components that threat actors often target and that should be evaluated as part of a VoIP security assessment.

First, we should focus on the security of the underlying base platform that the VoIP services are running on, such as Windows or Linux OS. Next are the various components that make up the VoIP network, such as voice terminals, firewalls, switches, and routers. Following this, we have the actual application and hardware being used, as provided by the VoIP service provider, which may contain different sub-components that may be vulnerable.

The crux of the matter is to measure all these aspects against the CIA triad and put adequate measures in place for each. For example, a lack of confidentiality can result in critical data being disclosed to an unauthorized party. Integrity can be compromised if data is altered, and a loss of availability results in service disruption, as shown in the following diagram:

The most prominent threats pertaining to VoIP technology will be briefly discussed next.

Vishing

Also known as voice phishing, this is a malicious technique used by threat actors to spoof the details of the call, such as the caller ID. This is a tactic used for malicious intent, where the threat actor impersonates a trusted entity and employs social engineering or other techniques to gain confidential information from the target user. 

Denial of Service (DoS)

As seen in traditional network attacks, DoS is a tactic used by an attacker to disrupt the services of the target user or organization. This may cause temporary or long-term disruption based on the tactic and intensity of the attack. This is one of the most common attacks that's seen across VoIP services.

Several mitigations can be employed to defend against DoS attacks, including blacklisting known malicious counterparts, enforcing authentication, and assessing the network's design, as well as deploying DoS mitigation solutions such as Myra and Northforge. DoS attacks pose perhaps the greatest threat to enterprise VoIP systems, and hence it's important to ensure that adequate mitigations against them are in place.

Eavesdropping

Eavesdropping is a tactic used by threat actors to intercept the communication between the sender and the receiver. This can lead to the disclosure of critical information, hence impacting the confidentiality aspect of communication. Some mitigations that can be employed include utilizing secure hardware and software, ensuring physical security controls to the networking room and other sensitive areas, enforcing the encryption of VoIP traffic, and so on.

Moving forward, we will take a look at the different attacks that take place on VoIP networks and their countermeasures.

Besides the ones we've discussed, other commonly observed VoIP attacks include impersonation and identity spoofing, signaling protocol tampering, repudiation attacks, SIP registration hijacking, and malformed messages and SIP commands, to name a few. From time to time, attacks such as flooding, replay attacks, and physical attacks on VoIP infrastructure have also been observed.
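As an added example (not from the book), the following Python detection logic runs over constructed SIP server log lines in an assumed key=value format and flags two of the attacks just listed: request flooding from a single source, and a SIP registration rebinding to a different host, which is the observable trace of registration hijacking.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example); adapt the regex to your PBX.
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\w+) aor=(?P<aor>\S+)"
    r" contact=(?P<contact>\S+) status=(?P<status>\d{3})$")

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def analyze(lines, flood_limit=20, window=timedelta(seconds=10)):
    """Return (alert_type, detail) tuples in the order they were raised."""
    alerts, flooded = [], set()
    recent = defaultdict(deque)   # src -> request timestamps inside the window
    binding = {}                  # aor -> host of its last successful REGISTER
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append(("unparseable", line))   # malformed input is itself a signal
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > flood_limit and ev["src"] not in flooded:
            flooded.add(ev["src"])
            alerts.append(("flood", ev["src"]))
        if ev["method"] == "REGISTER" and ev["status"] == "200":
            host = ev["contact"].rsplit("@", 1)[-1]
            prev = binding.get(ev["aor"])
            if prev is not None and prev != host:   # extension now answers elsewhere
                alerts.append(("rebind", f'{ev["aor"]} {prev}->{host}'))
            binding[ev["aor"]] = host
    return alerts

def _line(sec, src, method, aor, contact, status):
    return (f"2024-05-01T10:00:{sec:02d}Z src={src} method={method} "
            f"aor={aor} contact={contact} status={status}")

# Constructed sample log using documentation addresses (not real traffic).
SAMPLE_LOG = [
    _line(0, "198.51.100.10", "REGISTER", "sip:1001@pbx.example.com", "sip:1001@198.51.100.10", 200),
    _line(5, "198.51.100.11", "REGISTER", "sip:1002@pbx.example.com", "sip:1002@198.51.100.11", 200),
    _line(9, "203.0.113.7", "REGISTER", "sip:1001@pbx.example.com", "sip:1001@203.0.113.7", 200),
] + [_line(20 + i // 15, "203.0.113.9", "INVITE", "sip:1003@pbx.example.com", "sip:x@203.0.113.9", 401)
     for i in range(25)]
```

A rebind is not proof of hijacking (roaming phones re-register legitimately), so treat it as a trigger to check that the REGISTER arrived over TLS with strong authentication, the countermeasures described later in this section.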

Now that we understand the different attack scenarios, we will take a look at how to mitigate such attacks.

Countermeasures and defense vectors

Mitigations and countermeasures should focus on protecting the network infrastructure and user data. One widely accepted countermeasure is implementing the IEEE 802.1X standard for port authentication, which ensures that any device connected to the network is authenticated. The main defense mechanisms of VoIP are as follows:

  • Signaling protocol protections
  • Transport protocol protections
  • Secret key protections

The signaling protocols and their defenses include H.235, a security framework that deals with integrity, privacy, and authentication. Besides that, there's also S/MIME, IPsec, Secure Real-Time Transport Protocol (SRTP), and so on. Key management is another important aspect when securing VoIP. In the context of VoIP environments, we can take a look at Multimedia Internet Keying (MIKEY) and the Zimmermann Real-Time Transport Protocol (ZRTP).

VoIP has become a key enabling technology for media communication over IP networks. Moreover, the open nature of the internet practically eliminates geographic limitations on placing telephone calls. However, VoIP uses the existing IP network and therefore inherits its security flaws. To consider the threats associated with VoIP, we need to understand basic VoIP architecture and the existing defense mechanisms, as well as the potential threats and attacks on VoIP networks. 

The following table outlines the top attacks and their countermeasures:

| VoIP attack | Countermeasure and defense vectors |
|---|---|
| Signaling protocol tampering | Stringent authentication, encryption, utilization of VPN, and IPsec |
| Repudiation attacks | Utilization of digital certificates |
| Registration hijacking of Session Initiation Protocol (SIP) | Utilization of TLS |
| IP spoofing | Port authentication and traffic segmentation via VLANs |
| Malformed messages and SIP commands | Strong authentication and IPsec-based end-to-end encryption |
| Identity theft | Strong user authentication |
| Session Initiation Protocol (SIP) redirect attack | Strong user authentication, port authentication, and traffic segmentation via VLANs |
| Real-Time Transport Protocol (RTP) payload attack | Encryption, SRTP, port authentication, and traffic segmentation via VLANs |
| RTP tampering | Traffic segmentation via VLANs |

Before we conclude, there are also a few platforms we can use for VoIP monitoring and security. Let's quickly take a look.

Top platforms for VoIP monitoring and security

Some of the most frequently used tools and platforms that can be used to test the security and overall posture of a VoIP network are as follows:

  • SolarWinds VoIP and Network Quality Manager
  • Paessler PRTG Network Monitor
  • VoIPmonitor
  • ExtraHop

A detailed list of security tools is available here: http://www.voipsa.org/Resources/tools.php/tools.php. For more on overall quality testing, you can utilize the information provided at https://www.hitechnectar.com/blogs/voip-testing-tools/.

Summary

In this chapter, we discussed the different threats that are faced by industrial control systems, prominent attacks in the recent past, the cyber kill chain, and threats pertaining to IoT and VoIP, as well as how to mitigate them. We took a deep dive into the attack framework for the ICS industry, which has helped us understand the different types of attack tactics that are used against the ICS environment and what deployments we can ensure are in place in order to detect and mitigate such attacks. Then, we learned about the key penetration testing approaches that we should focus on and utilize while assessing them for threats. This provided us with a fundamental understanding of the security loopholes that are exploited by threat actors and what we need to fix. We also looked at how to assess VoIP for threats, as well as various mitigation techniques that can be employed to secure this. 

In the next chapter, we will talk about network digital forensics and understand the key approaches and platforms we can use for this. We will also look at deep stats and big data analytics-based forensics, as well as intelligent forensics.

Questions

The following is a list of questions so that you can test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:

  1. Which of the following is NOT considered a VoIP protocol?
    • SIP
    • SS7
    • H.225 call signaling
    • H.225 RAS
  2. What are the best genuine advantages for a modern VoIP office handset such as those from Cisco or Polycom?
    • Easy phone access to emails
    • Better than POTS call quality
    • Support for Unified Communication (UC) to email, voicemail, instant messaging, video chat, and more
    • Automatic access to POTS when internet access fails
  3. Which of the following encryption methods or algorithms is used in Skype communication?
    • AES
    • DES
    • SHA
    • None of the above
  4. What can be made functional to diverse aspects of software development and hardware improvement activities?
    • Reverse hacking
    • Cracking
    • Reverse engineering
    • Social engineering
  5. Which of the following activities is a valid aspect of reverse engineering firmware?
    • Cracking the trial version of the product to make it a full version
    • Removing the product key insertion step
    • Jumping the code for premium facilities
    • Determining the vulnerabilities in the product
  6. Attacks against the Session Initiation Protocol can be mitigated via what?
    • TLS
    • VLAN
    • IPSec
    • VPN
  7. Which of the following is incorrect with respect to UART?
    • UART is a simple full-duplex, asynchronous, serial protocol.
    • UART supports simple communication between two equivalent nodes.
    • Any node in UART can initiate communication.
    • The two lanes of communication in UART are completely independent.

Further reading

To expand on what you have learned in this chapter, visit the following links:
