Emulating Adversary Actions in the OT Environment in Power Plant – Substation
Environment
IT & OT
Sector
Energy
A Power Plant is designed to generate a substantial amount of electricity to meet the growing energy demands. With multiple high-capacity reactors/turbines, each capable of producing significant megawatts of electricity, the plant is engineered to operate efficiently even in challenging environmental conditions, ensuring a reliable energy supply.
A power plant plays a critical role in powering the region, aiming to meet a large portion of the area’s electricity needs while actively contributing to reducing carbon emissions and supporting sustainability goals.
Substation Environments
Information Technology (IT)
- IT infrastructure in nuclear plants includes secure, redundant communication networks for internal and external data transmission.
- Highly reliable data centers and storage solutions manage the vast amounts of monitoring and control data.
- Stringent cybersecurity measures, such as advanced firewalls and intrusion detection systems, protect against cyber threats.
Internet of Things (IoT)
- IoT devices like sensors and actuators monitor and control physical processes such as cooling systems and reactor operations.
- IoT technologies enable predictive maintenance by tracking equipment condition and predicting failures, reducing downtime and enhancing safety.
- IoT sensors monitor environmental factors like radiation levels and temperature to ensure compliance with safety standards.
Operational Technology (OT)
- Operational Technology (OT) in power plants includes hardware and software systems for monitoring, controlling, and ensuring safe operations.
- OT systems include control systems, safety instrumentation, protection systems, and monitoring systems.
- These systems work together to maintain stability, ensure safety, and optimize performance per regulatory standards.
Lab Components
Motors
3 DC motors for turbine and substation simulations.
Limit Switch
Detect the presence or absence of an object
Raspberry Pi
Model 4B with 8GB RAM
PLC
Aenean massa. Cum sociis natoque penatibus et magnis dis aenean.
Networking
Industrial Network Switch with 8 Gigabit Ethernet ports and 2 SFP Ports.
.
Relays & Power Supply
24V 4-channel relay, 12V DC Supply, 24V DC Supply for electrical controls.
Connective Impact Framework
- The PLC, as an edge device, controls the substation, and turbine processes
- Lights will blackout if the turbine RPM falls below a certain threshold value.
- Lights will also blackout if the substation contact is open.
Scenario
Compromise of Plant Turbine
Red Team Objectives
- Deploy a rubber ducky to gain initial access to the power plant network and inject the Simatic Smackdown malware.
- Use the malware to disable or manipulate the PLC controlling the power plant systems, causing operational disruptions.
Blue Team Objectives
- Monitor network ports and endpoints for unauthorized devices and unexpected USB activity to prevent initial access.
- Continuously monitor the devices for signs of malware activity or unusual behavior,
Learning Outcomes
Learn the operational aspects and vulnerabilities in a turbine control system.
Mitre ATT&CK Coverage
Reconnaissance
T1595 - Active Scanning (Identify PLC and network devices)
T1590 - Gather Victim Network Information
T1590 - Gather Victim Network Information
Initial Access
T1200 - Hardware Additions (Rubber Ducky for initial network access)
Execution
T1059 - Command and Scripting Interpreter (Run Simatic Smackdown malware)
T1106 - Native API (Control Siemens PLC via malware)
T1106 - Native API (Control Siemens PLC via malware)
Persistence
T1053 - Scheduled Task/Job (Maintain malware persistence on device)
Privilege Escalation
T1068 - Exploitation for Privilege Escalation (Modify PLC settings with elevated access)
Defense Evasion
T1070 - Indicator Removal on Host
T1562 - Impair Defenses (Disable PLC to stop power generation)
T1562 - Impair Defenses (Disable PLC to stop power generation)
Discovery
T1046 - Network Service Scanning
Collection
T1025 - Data from Information Repositories (Monitor PLC and network data)
Command and Control
T1071 - Application Layer Protocol (Maintain malware control over PLC)
Exfiltration
T1048 - Exfiltration Over Alternative Protocol (Extract PLC status and operational data)
Impact
T1499 - Endpoint Denial of Service (Disrupt power generation by stopping PLC)