Exploiting Control Device Vulnerabilities: Attacking Cyber-Physical Water System

Industrial Control Systems (ICS) are transitioning from isolated, custom-built systems to those combining general-purpose computer hosts, wireless networks, and artificial intelligence. An increasing number of vulnerabilities in ICS devices are a major concern since it provides potential adversaries...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Proceedings of the XXth Conference of Open Innovations Association FRUCT S. 270 - 279
Hauptverfasser: Sindhwad, Parul, Kazi, Faruk
Format: Tagungsbericht
Sprache:Englisch
Veröffentlicht: FRUCT Oy 09.11.2022
Schlagworte:
Buffer overflows
Fault diagnosis
Industrial control
Integrated circuits
Technological innovation
Threat modeling
Wireless networks
ISSN:2305-7254
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Industrial Control Systems (ICS) are transitioning from isolated, custom-built systems to those combining general-purpose computer hosts, wireless networks, and artificial intelligence. An increasing number of vulnerabilities in ICS devices are a major concern since it provides potential adversaries with a simple approach to exploit and attack unpatched ICS systems. This paper investigates attack paths that target unpatched system vulnerabilities and their impact on the ICS, as demonstrated using the Waste Water Treatment Plant (WWTP) testbed. Denial of Service (DoS), Buffer overflow, privilege escalation, and illegal command injection attacks are executed, and their impacts are investigated using CIA and STRIDE threat modeling. The main outcomes of the study are, 1) An update on public advisory CVE-2021-33834 by Moxa. 2) Demonstration of attack on a device with publicly accessible Proof of Concept (POC) of another device using Modbus buffer overflow vulnerability. Finally, various recommendations are provided that can be used for security penetration testing to identify security flaws, as well as directions for product developers to implement security by design.
ISSN:2305-7254
DOI:10.23919/FRUCT56874.2022.9953826