Engineering Workstation Compromise

ID: T818
Tactic: Initial Access
Data Sources: File monitoring, API monitoring, Windows event logs
External Contributors: Joe Slowik - Dragos
Asset: Engineering Workstation


Adversaries may compromise and gain control of an engineering workstation as an Initial Access technique into the control system environment. Access to an engineering workstation may occur as a result of remote access or by physical means, such as a person with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks, for example unsegregated process control, safety system, or information system networks.
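The dual-homing risk described above can be audited from an asset inventory. The following is an added example, not part of the original page: it flags workstations whose interfaces sit in more than one network zone. The zone CIDRs, hostnames and addresses are constructed assumptions to be replaced with the site's own network plan.

```python
import ipaddress

# Constructed zone map (assumption): replace with the site's real network plan.
ZONES = {
    "process_control": ["10.10.0.0/16"],
    "safety_system": ["10.20.0.0/16"],
    "information_system": ["192.168.0.0/16"],
}

# Constructed inventory (assumption): hostname -> addresses bound to its interfaces.
INVENTORY = {
    "ews-01": ["10.10.4.21", "127.0.0.1"],
    "ews-02": ["10.10.4.22", "192.168.7.15"],
    "ews-sis": ["10.20.1.5", "10.10.4.30", "fe80::1"],
    "ews-03": ["10.10.4.23", "172.16.9.9", "not-an-ip"],
}


def zone_of(addr, zones=ZONES):
    """Return the zone containing addr, 'unmapped' if none, None if ignorable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # malformed inventory entry: skip rather than crash
    if ip.is_loopback or ip.is_link_local:
        return None  # not a routable path between networks
    for name, cidrs in zones.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return name
    return "unmapped"  # routable address outside every documented zone


def multi_zone_hosts(inventory=INVENTORY, zones=ZONES):
    """Map each host with interfaces in more than one zone to its sorted zones."""
    findings = {}
    for host, addrs in inventory.items():
        found = {z for z in (zone_of(a, zones) for a in addrs) if z}
        if len(found) > 1:
            findings[host] = sorted(found)
    return findings


if __name__ == "__main__":
    for host, zones in multi_zone_hosts().items():
        print(f"{host}: bridges {', '.join(zones)}")
```

A host reported with "unmapped" has a second routable interface on a network the zone map does not document, which deserves the same review as a known bridge.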

An engineering workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to and control of other control system applications and equipment.

In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.

Procedure Examples

  • Stuxnet utilized an engineering workstation as the initial access point for PLC devices. [1]
  • The Triton malware gained remote access to an SIS engineering workstation. [2]