ICS/SCADA Penetration Testing

Tactics, Techniques and Procedures (TTPs)
MITRE's ATT&CK®
ICS/SCADA Pen Test

Initial Access to ICS/SCADA
1. Data Historian Compromise.
2. Drive-by Compromise.
3. Engineering Workstation Compromise.
4. Exploit Public-Facing Application.
5. External Remote Services.
6. Internet Accessible Devices.
7. Replication Through Removable Media.
8. Spear-Phishing Attachment.
9. Supply Chain Compromise.
10. Wireless Compromise.

Execution – ICS/SCADA
1. Change Program State.
2. Command-Line Interface (CLI).
3. Execution through API.
4. Graphical User Interface (GUI).
5. Man-in-the-Middle (MiTM) Attacks.
6. Program Organisation Units.
7. Project File Infection.
8. Scripting.
9. User Execution.

Persistence – ICS/SCADA
1. Hooking.
2. Module Firmware.
3. Program Download.
4. Project File Infection.
5. System Firmware.
6. Valid Accounts.

Evasion – ICS/SCADA
1. Exploitation for Evasion.
2. Indicator Removal on Host.
3. Masquerading.
4. Rogue Master Device.
5. Rootkits.
6. Spoof Reporting Message.
7. Utilise/Change Operating Mode.

Discovery – ICS/SCADA
1. Control Device Identification.
2. I/O Module Discovery.
3. Network Connection Enumeration.
4. Network Service Scanning.
5. Network Sniffing.
6. Remote System Discovery.
7. Serial Connection Enumeration.

Lateral Movement – ICS/SCADA
1. Default Credentials.
2. Exploitation of Remote Services.
3. External Remote Services.
4. Program Organisation Units.
5. Remote File Copy.
6. Valid Accounts.

Collection – ICS/SCADA
1. Automated Collection.
2. Data from Information Repositories.
3. Detect Operating Mode.
4. Detect Program Mode.
5. I/O Image.
6. Location Identification.
7. Monitor Process State.
8. Point and Tag Identification.
9. Program Upload.
10. Role Identification.
11. Screen Capture.

Command and Control – ICS/SCADA
1. Commonly Used Port.
2. Connection Proxy.
3. Standard Application Layer Protocol.

Inhibit Response Function – ICS/SCADA
1. Activate Firmware Update Mode.
2. Alarm Suppression.
3. Block Command Message.
4. Block Reporting Message.
5. Block Serial COM.
6. Data Destruction.
7. Denial of Service.
8. Device Restart or Shutdown.
9. Manipulate I/O Image.
10. Modify Alarm Settings.
11. Modify Control Logic.
12. Program Download.
13. Rootkit.
14. System Firmware.
15. Utilise/Change Operating Mode.

Impair Process Control – ICS/SCADA
1. Brute Force I/O.
2. Change Program State.
3. Masquerading.
4. Modify Control Logic.
5. Modify Parameter.
6. Modify Firmware.
7. Program Download.
8. Rogue Master Device.
9. Service Stop.
10. Spoof Reporting Message.
11. Unauthorised Command Message.

Impact – ICS/SCADA Breach
1. Damage to Property.
2. Denial of Control.
3. Denial of View.
4. Loss of Availability.
5. Loss of Control.
6. Loss of Productivity and Revenue.
7. Loss of Safety.
8. Loss of View.
9. Manipulation of Control.
10. Manipulation of View.
11. Theft of Operational Information.