Threats and attacks

A threat refers to a potential risk or vulnerability that could be exploited. Threats can be of various kinds, such as software vulnerabilities or human error. They represent the possibility that damage could occur.

An attack, on the other hand, is a targeted action in which a threat is actually exploited to cause damage. Examples of attacks are malware infections, phishing attacks or denial of service attacks. Attacks are specific events that compromise the security of a system.

Industrial plants are exposed to different types of attacks, each carrying its own risk. The most common types of attacks and their assessable risk are listed below. The list is intended as a guide for assessing risks more easily and initiating countermeasures.

Types of attacks

Note that anyone, customers and attackers alike, has access to the freely accessible documentation and to the service options for obtaining information. The login data contained therein, and the mechanisms for resetting it, can also be misused by attackers to compromise systems.

Attacks from the external network

This is an attack from an external network such as the Internet. An attacker gains access to the automation system via a freely accessible interface or a publicly used service.

Attacks from the internal network

An attacker can gain access to the local network infrastructure by infecting a system located in the network or by introducing a third-party system into the internal network. The internal services and interfaces can then be used for an attack.

Local attacks with access

These are attacks by people with direct access to the system. The attack can be carried out directly through access to the hardware, or indirectly via the system's network infrastructure.

Local attacks by "insiders"

This is an attack that comes from "inside". A person with regular access rights to the system obtains login data and passwords that do not correspond to their authorization level. This gives them unauthorized access to carry out malicious actions.

Categories of attacks

Attacks can be grouped into different categories:

Viral attacks

Viral attacks make use of widespread vulnerabilities and infect other accessible devices in the network infrastructure.
These attacks are directed against several devices and are intended to render systems unusable or to generate profits for the attacker through blackmail. In this category of attack, data is encrypted using "ransomware", for example.
Several systems can be compromised at once by, for example, delaying the takeover. The malware is triggered days or even weeks after the initial penetration, and the encryption of the data then takes effect on all infected systems simultaneously.

Hardware/manufacturer-specific attacks

Hardware/manufacturer-specific attacks are usually directed against lesser-known vulnerabilities in products whose interfaces or configurations are known and are sometimes openly documented in manuals, FAQs or support databases.
Configuration interfaces as well as console interfaces or simple web server functions are targeted here and become the point of attack.

System-specific attacks

System- or operator-specific attacks target specific systems or system parts in order to cause damage as selectively as possible. These types of attacks are usually difficult to detect and require a great deal of effort on the part of the attacker. In most cases, combinations of viral and physical attacks are used, adapted with detailed background knowledge.
This type of attack is often not intended for widespread use and mainly affects critical infrastructures.


• Published/reviewed: 2025-06-27 • Revision 018 •