Engineering Workstation Compromise

ID: T0818
Tactic: Initial Access
Data Sources: File monitoring, API monitoring, Windows event logs
External Contributors: Joe Slowik - Dragos
Asset: Engineering Workstation


Adversaries may compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through remote or physical means, such as Valid Accounts with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks, for example unsegregated process control, safety system, or information system networks.

An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment.

In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.[1]

Procedure Examples

  • Stuxnet utilized an engineering workstation as the initial access point for PLC devices.[2]
  • Triton gained remote access to an SIS engineering workstation.[3]


Mitigations

  • Authorization Enforcement - All remotely accessible services should implement access control mechanisms to restrict the information or services accessible to users.
  • Network Allowlists - Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the Filter Network Traffic mitigation.
  • Antivirus/Antimalware - Install anti-virus software on all workstations and transient assets that may have external access, such as to web, email, or remote file shares.
  • Encrypt Sensitive Information - Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with.[4]
  • Network Segmentation - Segment and control software movement between business and OT environments by way of one-directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs), should have minimal connectivity to external networks, including Internet and email. Further limit the extent to which these devices are dual-homed to multiple networks.[5]
  • Update Software - Update software on control network assets when possible. If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities.
  • Audit - Integrity checking of engineering workstations can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot.[6] It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports.[7]
  • Filter Network Traffic - Ensure all communication is filtered for potentially malicious content, especially for mobile workstations that may not be protected by boundary firewalls.
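
An audit for the Network Allowlists and Network Segmentation mitigations above, as an added example that is not part of the original page: it flags engineering workstations that are dual-homed across network zones and connections that fall outside an allowlist of destination, port and protocol. The zone ranges, allowlist entries, host names and connection records are all constructed assumptions.

```python
import ipaddress

# Constructed zone map (assumption): one CIDR range per network zone.
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "process_control": ipaddress.ip_network("192.168.10.0/24"),
    "safety_system": ipaddress.ip_network("192.168.20.0/24"),
}
# Constructed allowlist (assumption): (destination network, port, protocol).
ALLOWLIST = [
    (ipaddress.ip_network("192.168.10.0/24"), 502, "tcp"),    # Modbus to PLCs
    (ipaddress.ip_network("192.168.10.5/32"), 20000, "tcp"),  # DNP3 to one RTU
]
# Constructed inventory: workstation name -> interface addresses.
INTERFACES = {
    "EWS-01": ["192.168.10.50"],
    "EWS-02": ["192.168.10.51", "10.10.4.22"],     # control + business
    "EWS-03": ["192.168.10.52", "192.168.20.52"],  # control + safety
}
# Constructed connection records: (workstation, dest IP, dest port, protocol).
CONNECTIONS = [
    ("EWS-01", "192.168.10.20", 502, "tcp"),
    ("EWS-01", "192.168.10.5", 20000, "tcp"),
    ("EWS-02", "203.0.113.7", 443, "tcp"),    # Internet destination
    ("EWS-03", "192.168.20.10", 502, "tcp"),  # safety network, not allowlisted
    ("EWS-01", "192.168.10.20", 502, "udp"),  # right port, wrong protocol
]

def zone_of(addr):
    """Name of the zone containing addr, or "unknown" if no zone matches."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "unknown")

def dual_homed(interfaces):
    """Map each host with interfaces in more than one zone to its sorted zones."""
    zones = {h: sorted({zone_of(a) for a in addrs}) for h, addrs in interfaces.items()}
    return {h: z for h, z in zones.items() if len(z) > 1}

def violations(connections):
    """Connection records whose destination, port and protocol match no allowlist entry."""
    def allowed(dest, port, proto):
        ip = ipaddress.ip_address(dest)
        return any(ip in net and port == p and proto == pr for net, p, pr in ALLOWLIST)
    return [c for c in connections if not allowed(*c[1:])]

if __name__ == "__main__":
    for host, zones in dual_homed(INTERFACES).items():
        print(f"dual-homed: {host} spans {', '.join(zones)}")
    for conn in violations(CONNECTIONS):
        print("not on allowlist:", conn)
```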