Engineering Workstation Compromise
|Engineering Workstation Compromise|
|Data Sources||File monitoring, API monitoring, Windows event logs|
|External Contributors||Joe Slowik - Dragos|
Adversaries may compromise and gain control of an engineering workstation as an Initial Access technique into the control system environment. Access to an engineering workstation may occur as a result of remote access or by physical means, such as a person with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks.
An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to and control of other control system applications and equipment.
In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.
- Stuxnet utilized an engineering workstation as the initial access point for PLC devices.1
- The Triton malware gained remote access to an SIS engineering workstation.2
- Authorization Enforcement - All remotely accessible services should implement access control mechanisms to restrict the information or services accessible to users.
- Network Allowlists - Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the Filter Network Traffic mitigation.
- Antivirus/Antimalware - Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares.
- Encrypt Sensitive Information - Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with.3
- Limit Hardware Installation - Enforce system policies or physical restrictions to limit hardware such as USB devices on workstations.
- Network Segmentation - Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks.4
- Update Software - Update software on control network assets when possible. If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities.
- Audit - Integrity checking of engineering workstations can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot.5 It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports. 6
- Filter Network Traffic - Ensure all communication is filtered for potentially malicious content, especially for mobile workstations that may not be protected by boundary firewalls.
- Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.
- National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved September 17, 2020.
- North America Transmission Forum. (2019, December). NATF Transient Cyber Asset Guidance. Retrieved September 25, 2020.
- Emerson Exchange. (n.d.). Increase Security with TPM, Secure Boot, and Trusted Boot. Retrieved September 25, 2020.
- National Security Agency. (2016, February). Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems. Retrieved September 25, 2020.