Reconnaissance in Industrial Networks: What You Don’t See Can Hurt You

Organizations that operate Industrial Control Systems (ICS) understand the critical nature of these assets and have led all business sectors in the use of strong physical security controls. But ICS were built with process uptime and high availability in mind before cyber criminals were a threat. Today, cyber security in ICS is far behind IT security standards. This poses real risks to plant operations, personnel, the environment and the community in general.

Most cyber attacks on industrial networks begin with a thorough reconnaissance phase designed to gather as much intelligence as possible on human, network and protocol information, as well as information about the manufacturing process, industrial applications, and potential vulnerabilities.

Anatomy of the Reconnaissance Phase 

Industrial (OT) Network Visibility

A typical reconnaissance mission begins with identifying an initial target that will facilitate the intrusion into the organization. This can be accomplished using well known techniques such as social engineering, email phishing, etc. It is not uncommon to find unpatched workstations running legacy operating systems such as Windows XP in these operational environments. As a result, attackers can inject malicious code into these systems with relative ease to remotely access and compromise them. The attackers simply need a single point of entrance to get started.

Once inside the network, attackers can gain an understanding of the control process or look for system features that can be exploited to obtain access to critical assets, such as engineering workstations and controllers. Information gathering sometimes lasts for months, as attackers roam the network undetected.

ICS Reconnaissance Detection 

The leading obstacle to detecting reconnaissance activity in industrial networks is lack of visibility. Unlike IT environments where network monitoring solutions and audit trails are a standard best practice, most ICS environments lack these capabilities. Monitoring network activity in ICS environments is a challenge due to the usage of different protocols:

The communication of process data (tags, set points, etc.) between the operators and the industrial machines (I/Os) takes place over standard industrial data-plane protocols such as MODBUS, PROFINET, and DNP3. Since these protocols are well known and well documented, it is relatively easy to monitor them. However, monitoring them will not help detect reconnaissance activities.


ICS reconnaissance, like network scans and attempts to read the logic of a controller, takes place over control-plane engineering protocols. Unlike the well-known data-plane protocols, the control-plane protocols are often proprietary and vendor specific. As such, most of them are unnamed and undocumented, which makes them difficult to monitor. To make matters worse, engineering activities related to critical ICS assets, like reading or changing controller logic, re-configurations, and firmware upload/download, aren’t monitored or logged.

Full Visibility is Critical for Discovering Reconnaissance

This lack of visibility into control-plane activities means that reconnaissance operations can go undiscovered for long periods of time. However, that’s not the only reason control-plane activities should be monitored. Even more concerning is the fact that malicious control-plane activity can result in far more severe attacks than those executed from the data plane, given the potential for deploying altered control logic to a controller. Altering the control logic of a PLC, RTU or DCS can trigger a catastrophic event that could be nearly impossible for operators to stop. Organizations that only monitor data-plane network traffic do not have a complete view of ICS activity.

Full visibility and control of control-plane activity is required to maintain the security and safety of the ICS. The critical role engineering workstations play in deploying logic to controllers makes this visibility a key factor in preventing a cyber attack while also facilitating operational efficiencies.

Early Detection is the Key 

In order to mitigate the risks associated with reconnaissance, industrial organizations need early detection of suspicious activity like unauthorized network scans, attempts to read information from controllers and other unsanctioned control-plane activity. Providing operational engineers and cyber security personnel with complete visibility into the control-plane will enable them to detect and respond to suspicious activities to minimize or eliminate threats before operational disruptions can occur.
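The two detection ideas the article relies on, spotting network scans and spotting control-plane engineering traffic from hosts that have no business generating it, can be expressed as simple passive checks over connection records. The following is an added example and not part of the original article: it runs over a few constructed connection-log lines (timestamp, source, destination, destination port). The port numbers are real well-known assignments (102 for ISO-TSAP/S7comm, 44818 for EtherNet/IP explicit messaging, 502 for Modbus/TCP, 20000 for DNP3), but treating 102 and 44818 as "control-plane" ports, the allowlist of engineering workstations, the addresses and the scan threshold are all assumptions made for the example.

```python
"""
Added example (not from the original article): passive detection of
(1) horizontal network scans and (2) unsanctioned control-plane activity
over constructed ICS connection records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real well-known port assignments. Classifying 102 and 44818 as
# "control-plane" (logic upload/download, configuration) is an assumption
# for this example; 502 and 20000 are the article's data-plane examples and
# are never flagged on their own.
CONTROL_PLANE_PORTS = {102: "ISO-TSAP/S7comm", 44818: "EtherNet/IP explicit messaging"}
DATA_PLANE_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}

# Assumed (constructed) allowlist of hosts permitted to talk control-plane.
ENGINEERING_WORKSTATIONS = {"10.0.1.10"}

# Assumed scan policy: this many distinct destination hosts inside the window.
SCAN_WINDOW = timedelta(seconds=60)
SCAN_THRESHOLD = 5

# Constructed sample log: "<ISO timestamp> <src> <dst> <dport>" per line.
# 10.0.1.10 is the approved engineering workstation; 10.0.1.57 is a
# workstation that sweeps the controller subnet and then reaches the
# engineering port of two controllers.
SAMPLE_LOG = """\
2023-02-14T09:00:01 10.0.1.10 10.0.2.21 102
2023-02-14T09:00:05 10.0.1.10 10.0.2.21 502
2023-02-14T09:10:00 10.0.1.57 10.0.2.21 502
2023-02-14T09:10:01 10.0.1.57 10.0.2.22 502
2023-02-14T09:10:02 10.0.1.57 10.0.2.23 502
2023-02-14T09:10:03 10.0.1.57 10.0.2.24 502
2023-02-14T09:10:04 10.0.1.57 10.0.2.25 502
2023-02-14T09:10:05 10.0.1.57 10.0.2.26 102
2023-02-14T09:30:00 10.0.1.57 10.0.2.21 102
"""


def parse_log(text):
    """Parse the constructed log format into (datetime, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def detect_scans(records, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """Return {src: set(dsts)} for sources that reached >= threshold distinct
    hosts within any sliding window of the given length, regardless of port."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in records:
        by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # Slide the left edge until the window fits.
            while events[right][0] - events[left][0] > window:
                left += 1
            seen = {dst for _, dst in events[left:right + 1]}
            if len(seen) >= threshold:
                alerts[src] = alerts.get(src, set()) | seen
    return alerts


def detect_unsanctioned_control_plane(records, allowlist=ENGINEERING_WORKSTATIONS):
    """Flag every control-plane connection whose source is not an approved
    engineering workstation; data-plane traffic is left alone."""
    return [
        (ts, src, dst, port, CONTROL_PLANE_PORTS[port])
        for ts, src, dst, port in records
        if port in CONTROL_PLANE_PORTS and src not in allowlist
    ]


def analyze(text):
    """Run both detectors over a log text and return their findings."""
    records = parse_log(text)
    return {
        "scans": detect_scans(records),
        "control_plane": detect_unsanctioned_control_plane(records),
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for src, hosts in findings["scans"].items():
        print(f"SCAN    {src} touched {len(hosts)} hosts: {sorted(hosts)}")
    for ts, src, dst, port, name in findings["control_plane"]:
        print(f"CONTROL {ts} {src} -> {dst}:{port} ({name}) not an approved workstation")
```

On the sample data the sweep by 10.0.1.57 is reported once, with all six controllers it touched, and its two connections to port 102 are reported as unsanctioned control-plane activity, while the identical port-102 session from the approved workstation 10.0.1.10 is silent. The allowlist is what turns "engineering protocol seen" into "engineering protocol seen from the wrong place", which is the distinction the article draws between merely decoding traffic and actually detecting reconnaissance; in a real deployment the allowlist and threshold would come from an asset inventory rather than constants.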
