Chapter 4 Flashcards

(279 cards)

1
What are the five main parts of Chapter 4?
Security Challenges in Industrial Networks; Standards and Regulations; Attacks on Industrial Networks; Threat Modelling and Taxonomy of Attacks; Landscape of Security Approaches.
2
Why are modern industrial networks more exposed than historical ones?
Because recent industrial networks increasingly use COTS technology, Ethernet, IP networking, and connectivity to enterprise networks and remote services.
3
What characterized historical industrial networks?
They were often proprietary, vertically integrated, customized, used specialized communication, had very long service lifetimes, and were not designed with security in mind.
4
What does COTS stand for in the ICS context?
COTS means commercial-off-the-shelf technologies such as standard operating systems, applications, networking equipment, and IT protocols.
5
Why does COTS increase security risk in ICS?
Because widely used standard technologies bring the vulnerabilities of general IT systems into industrial environments.
6
Why does connectivity to enterprise LANs increase ICS risk?
Because it improves business visibility and remote access, but also creates paths for attacks to reach control environments.
7
Why is IP networking a major security challenge for ICS?
Because many legacy protocols are wrapped in TCP or UDP and most new devices have Ethernet ports, exposing formerly isolated systems to network-based attacks.
8
What simple formula summarizes modern ICS risk in the lecture?
COTS + IP + connectivity = many security risks.
9
Why do modern ICS inherit enterprise-network threats?
Because modern industrial networks increasingly use the same operating systems, protocols, and network services as enterprise IT.
10
Which classic threats are explicitly mentioned as modern ICS risks?
Worms, viruses, DoS and DDoS, unauthorized access, unknown access paths, and unpatched systems.
11
What does the lecture say about vulnerability exploit paths into industrial systems?
A large share of publicly disclosed vulnerabilities is exploitable over the network.
12
Why are network-exploitable vulnerabilities especially dangerous in ICS?
Because remote exploitation scales easily and can reach critical systems without physical access.
13
Why are legacy industrial devices a security problem?
Because many were never designed to provide security features and are hard or impossible to update.
14
Why is legacy industrial communication difficult to protect?
Because old protocols and devices often lack native support for authentication, authorization, and encryption.
15
Why are unsecured physical ports dangerous in ICS?
Because unauthorized personnel with physical access may directly connect to devices or networks.
16
Why is fragile software a major ICS problem?
Because industrial software is often not security-tested and some devices can crash even under simple scans.
17
Why can routine IT scanning itself be a problem in ICS?
Because some industrial devices are so fragile that even benign vulnerability scans can trigger denial of service.
18
Why are intentional backdoors especially dangerous in ICS devices?
Because vendor-added maintenance shortcuts can provide attackers with direct access paths.
19
Why do modern industrial devices often have more software risk than older ones?
Because more complexity, more code, embedded web servers, and unnecessary services increase the attack surface.
20
Why do ICS devices need patching just like IT servers?
Because they increasingly run standard software components and therefore accumulate known vulnerabilities.
21
Why are many industrial systems patched late or not at all?
Because patches can break ICS functionality, require reboots, void warranties, and need vendor certification and lab testing.
22
Why is rebooting a security-relevant issue in ICS patching?
Because rebooting threatens availability, which is a primary operational concern in industrial environments.
23
What is the practical consequence of delayed patching in ICS?
Operators often continue using outdated and known-vulnerable software components.
24
Why is the use of anti-virus often limited in industrial systems?
Because host security tools can consume resources, interfere with operations, or introduce instability.
25
Why are host-based firewalls often underused in ICS?
Because operators fear side effects, complexity, or disruption of legitimate industrial communication.
26
What is meant by use of insecure protocols in industrial networks?
Many industrial protocols are deployed without authentication, authorization, or encryption.
27
Why are cleartext passwords especially common in industrial protocols?
Because many protocols were designed for isolated environments and never upgraded for modern threat models.
28
Why is machine-to-machine communication an access-control challenge?
Because there is often no user identity, so access control depends on weak device- or network-level assumptions.
29
Why do many industrial devices have poor authorization mechanisms?
Because many protocols support only weak or very limited access control, if any at all.
30
Why is lack of cryptographic support a problem in ICS devices?
Because it prevents adding strong authentication and confidentiality even when operators want them.
31
Why is remote access often a severe ICS weakness?
Because many deployments still rely on insecure remote access methods such as poorly protected modem access or weakly secured maintenance connections.
32
What is meant by insecure network configuration in ICS?
Weak architecture, poor data-flow control, misconfigured security equipment, and missing or badly configured firewalls.
33
Why is an undefined network perimeter dangerous in ICS?
Because unclear boundaries allow unintended access between enterprise and control networks.
34
Why should control networks not carry non-control data?
Because mixing traffic types broadens the attack surface and weakens isolation of control functions.
35
Why are WLAN vulnerabilities relevant in industrial environments?
Because weak authentication or weak link protection can expose control networks wirelessly.
36
Why is vendor access a security problem in ICS?
Because vendors often perform updates or PLC programming and infected vendor laptops can bring malware into the plant.
37
Why are open maintenance ports risky?
Because they offer direct technical entry points that may be forgotten, weakly protected, or abused.
38
Why can partner access become a backdoor?
Because partners often require continuous status access and these channels are frequently poorly secured.
39
Why are unmanned field sites especially vulnerable?
Because they often rely on remote connectivity with weak authentication and authorization and may be physically easier to access.
40
Why is inappropriate use of ICS desktops dangerous?
Because web browsing, email, and unauthorized applications on HMIs or control servers can introduce malware and instability.
41
How can web browsing from an HMI infect an ICS?
Through browser vulnerabilities, malicious downloads, cross-site scripting, or spyware.
42
Why are unauthorized applications on ICS machines risky?
Because apps like messengers, file-sharing tools, games, or media players can interfere with industrial operation.
43
Why is email on control servers dangerous?
Because email clients and attachments can be exploited to deliver malware into the control environment.
44
How can disk storage abuse affect ICS operation?
Storage exhaustion can crash the operating system or reduce system stability.
45
Why is logging and security monitoring essential in ICS?
Because low-profile compromises are hard to detect without logs, scanning data, audits, and monitoring.
46
What happens when ICS have poor or no logging?
Intrusions may go unnoticed, and even when logs exist they are often not reviewed.
47
Why are human factors an ICS security challenge?
Because ICS staff are often not security experts and IT staff are often not ICS experts, so both sides may misunderstand each other's requirements.
48
Why do IT security policies often not fit ICS directly?
Because enterprise security priorities and assumptions can conflict with industrial requirements such as safety, determinism, and availability.
49
Why is workforce aging mentioned as a security issue?
Because retirement of experienced control-systems personnel can reduce institutional knowledge while few young specialists are entering the field.
50
What belongs to a proper ICS security policy framework?
Tailored procedures, enforcement mechanisms, implementation instructions, audits, business continuity or disaster recovery planning, change management, and security training.
51
Why is dedicated change management important in industrial systems?
Because uncontrolled changes can introduce outages, unsafe states, or security weaknesses into critical environments.
52
What is safety in the lecture’s terminology?
Protection of humans and the environment from hazards emanating from a known technical system.
53
What is security in the lecture’s terminology?
Protection of a technical system against in-principle unknown attacks attempted by humans.
54
What kinds of causes are associated with safety problems?
Natural phenomena or human error.
55
What kinds of causes are associated with security problems?
Intentional human attacks.
56
What are typical effects of safety failures?
Material damage, human loss, and environmental impacts.
57
What are typical effects of security failures?
Loss or corruption of information or services.
58
Why should safety and security be designed separately?
Because both have different causes, assumptions, and control goals, and one should not depend entirely on the other.
59
Why is it wrong to downplay security because a safety system exists?
Because safety systems themselves can be disrupted or targeted by cyberattacks.
60
Why should successful safety policy not rely on network security alone?
Because if the network is compromised, safety must still continue to function independently.
61
How do safety and security still need to work together?
They must be coordinated so defenses are implemented correctly and so physical risks that may be attack goals are properly considered.
62
What is the difference between a standard and a regulation?
A standard provides guidance for implementing and managing security controls, while a regulation has legally binding force.
63
What are advantages of standards?
They provide implementation guidance, support uniform deployment, and enable internal audits and external certification.
64
Why can multiple standards create extra work for one organization?
Because different relevant standards may overlap and require coordination of already implemented controls.
65
What is the focus of the ISO/IEC 2700x family?
Management of IT security through information security management systems.
66
What is ISO/IEC 27000 about?
Overview and vocabulary for information security management systems.
67
What is ISO/IEC 27001 about?
Requirements for an information security management system and the basis for certification.
68
What is ISO/IEC 27002 about?
A code of practice for information security controls.
69
What is ISO/IEC 27003 about?
Guidance for implementing an information security management system.
70
What is ISO/IEC 27004 about?
Measurement of information security management.
71
What is ISO/IEC 27005 about?
Information security risk management.
72
How is ISO/IEC 27002 related to ISO/IEC 27001?
Implementing 27002 controls is one possible way to satisfy 27001 requirements.
73
What does planning in ISO/IEC 27001 emphasize?
Risk assessment, risk treatment, and setting information security objectives.
74
What is meant by risk assessment in ISO/IEC 27001 planning?
Identifying assets and threats, analyzing risk levels, and evaluating them against risk acceptance criteria.
75
What is meant by risk treatment in ISO/IEC 27001 planning?
Addressing risks that are currently unacceptable.
76
What is the main idea of BSI IT-Grundschutz?
Instead of starting with a detailed, asset-by-asset risk analysis, it assumes a catalogue of typical hazards and prescribes standard safeguards with concrete implementation guidance; a dedicated risk analysis is only added for components with higher protection needs.
77
Why is IT-Grundschutz attractive in practice?
Because it avoids overly detailed classification by damage probability and provides a more cookbook-like implementation path.
78
Which BSI standard defines general requirements for an ISMS?
BSI Standard 200-1.
79
Which BSI standard explains how an ISMS can be built?
BSI Standard 200-2.
80
Which BSI standard covers simplified risk analysis?
BSI Standard 200-3.
81
Which BSI standard covers business continuity management?
BSI Standard 200-4.
82
What is ISA/IEC 62443?
A family of international standards specifically focused on ICS security.
83
How is ISA/IEC 62443 related to ISO/IEC 2700x?
It builds on the idea of a security management system while addressing ICS-specific differences from general IT.
84
What are process maturity levels in ISA/IEC 62443?
They indicate fulfillment of process-related requirements.
85
What are security levels in ISA/IEC 62443?
They indicate technical security requirements for systems and devices.
86
What are the four main groups in ISA/IEC 62443?
General, Policies and Procedures, System Layer, and Component Layer standards.
87
What do Component Layer standards in IEC 62443 cover?
Secure development process requirements and technical requirements for ICS products and components.
88
What do System Layer standards in IEC 62443 cover?
System-level requirements including zones, risk assessment, and target security levels for each zone.
89
What do Policies and Procedures Layer standards in IEC 62443 cover?
Topics such as patch information exchange and guidance for development, deployment, and installation of patches.
90
What do General Layer standards in IEC 62443 cover?
Terminology and general concepts used across the standard family.
91
What is Common Criteria?
A framework for specifying, claiming, testing, and evaluating security properties of IT products.
92
What is the Target of Evaluation in Common Criteria?
The product or system that is being evaluated.
93
What is a Protection Profile in Common Criteria?
An implementation-independent set of security requirements for a category of products or systems.
94
What is a Security Target in Common Criteria?
The set of security requirements and specifications used to evaluate a specific identified product or system.
95
What is the Evaluation Assurance Level (EAL)?
A numerical rating from EAL1 to EAL7 that reflects which assurance requirements were fulfilled, i.e. how rigorously the product was evaluated, not how strong its security functions are.
96
What is a key criticism of Common Criteria?
Evaluation is costly and focuses heavily on evaluation documentation rather than the product itself.
97
What is IEC TS 60870-5-7?
A standard defining protocol-specific security extensions for IEC 60870-5-101 and IEC 60870-5-104.
98
What security functions does IEC TS 60870-5-7 add?
Secure authentication between devices, integrity protection of messages, and support for role-based access control and privileges.
99
Which threats does IEC TS 60870-5-7 address?
Device spoofing, modification of messages, and replay attacks.
100
Which threats does IEC TS 60870-5-7 not address?
Traffic analysis, eavesdropping, and denial-of-service attacks.
101
What is a threat?
The potential for a negative security event to occur.
102
What is a threat agent?
The entity that can cause a threat to occur.
103
What is a threat action?
The realization of the threat.
104
What is a vulnerability?
A weakness that enables a threat agent to actualize a threat.
105
Into which three categories can threats be divided?
Natural events, human error, and malicious attacks.
106
Why are attacks on ICS special compared to other targets?
Because they can directly affect safety, physical processes, and critical infrastructure.
107
What is meant by the fan-out of ICS attacks?
A successful attack can affect large numbers of people and multiple services such as electricity, water, or traffic.
108
What are cascading impacts in critical infrastructure?
Failures in one infrastructure, such as electric power, can trigger failures in many other dependent infrastructures.
109
Why can ICS attacks affect national and local functions?
Because they can disrupt first responders, military installations, intelligence systems, or government operations.
110
Which attacker types are highlighted in the lecture?
Insiders, hackers, terrorists, hostile countries, and also script kiddies, organized crime, competitors, and hacktivists.
111
What motivates insiders in ICS attacks?
They may disrupt systems by accident or deliberately, often for revenge.
112
What motivates hackers in ICS attacks according to the lecture?
Profit or bragging rights.
113
What motivates terrorists in ICS attacks?
Cause or ideology.
114
What motivates hostile countries in ICS attacks?
Attacking enemy countries’ systems for strategic purposes.
115
Why are ICS attacks often sophisticated?
Because effective attacks require planning, knowledge, equipment, personnel, time, and money.
116
Why are state-sponsored adversaries especially important in ICS security?
Because they often possess the resources needed for highly capable and persistent attacks.
117
What are three broad high-level consequences of attacks named in the lecture?
Deny access or service, exfiltrate sensitive data, and insert false or malicious commands or code.
118
What may modification of system or application software enable?
Suppression of alarms, clandestine command-and-control channels, and arbitrary changes in control behavior.
119
What can alteration of PLC or controller software cause?
Equipment damage, denial of process control, inefficiency, malfunctions, or shutdown.
120
What is operator spoofing?
Sending misinformation to human operators so they take improper control actions or fail to notice compromise.
121
What are information-theft consequences in ICS?
Loss of sensitive operational data and loss of trade secrets.
122
How can malware impact ICS beyond initial infection?
By creating backdoor control channels, erasing traces, and interfering with normal operations.
123
Why are safety-system attacks particularly severe?
Because disabling fail-safe mechanisms can cause catastrophic plant loss or loss of life.
124
What are secondary attacks in ICS?
Follow-on attacks after an initial breach that spread through the enterprise and increase attacker capabilities or impact.
125
What can attackers do during secondary attacks?
Steal access data, access internal systems, interfere with fieldbus communication, or manipulate network components.
126
What is industrial malware?
A class of malware that can execute on industrial devices or affect industrial operations.
127
Why is much industrial malware called dual-use?
Because many ICS use common COTS hardware and software, so ordinary malware can also affect industrial environments.
128
What makes some industrial malware special-purpose?
It is designed for non-standard CPUs, vendor-specific equipment, industrial operating systems, or industrial protocols.
129
What does malware need in order to affect an ICS device?
An attack vector that loads the malware into the memory of the target device such as a PLC or HMI.
130
What is a blended attack?
An attack that combines multiple malware components and multiple attack vectors to amplify impact, speed, and complexity.
131
What is a buffer overflow attack?
An exploit that moves data beyond program bounds so control flow can be altered or malicious behavior introduced.
132
Why are older industrial devices especially vulnerable to buffer overflows?
Because older 8-bit and 16-bit systems have narrow integer widths and usually no memory protection, so length fields and counters wrap easily and bounds checks are weak, wrong, or missing.
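Added worked example for cards 131 and 132 (written for this page, not taken from the lecture): the kind of length check a 16-bit controller might implement, and why the integer arithmetic defeats it. The frame layout (2-byte big-endian length, then payload), the 256-byte receive buffer and all frames are constructed; Python emulates the uint16 wraparound and reports how far a trusting memcpy would write past the buffer, whereas on the real device this is the memory corruption that lets an attacker alter control flow.

```python
"""Added example (not from the lecture): a 16-bit length check that wraps, beside
a hardened one. Frame layout is constructed for this page: 2-byte big-endian
length, then payload."""
from typing import Callable, Tuple

RX_BUFFER_SIZE = 256   # assumed fixed receive buffer on the device
HEADER_SIZE = 2
MASK16 = 0xFFFF        # emulate 16-bit unsigned arithmetic


def length_check_16bit(declared_len: int, buffer_size: int = RX_BUFFER_SIZE) -> bool:
    """'end = start + len; if (end <= size)' computed in uint16_t: the sum wraps
    for len >= 0xFFFE, so the check passes for exactly the lengths it should stop."""
    end = (HEADER_SIZE + declared_len) & MASK16
    return end <= buffer_size


def length_check_fixed(declared_len: int, buffer_size: int = RX_BUFFER_SIZE) -> bool:
    """Hardened: compare the length against the remaining space; no addition can wrap."""
    return declared_len <= buffer_size - HEADER_SIZE


def receive(frame: bytes, check: Callable[[int], bool]) -> Tuple[str, int]:
    """Emulate the receive path: validate, then a memcpy that trusts declared_len."""
    declared_len = int.from_bytes(frame[:HEADER_SIZE], "big")
    if not check(declared_len):
        return ("rejected", declared_len)
    dest = bytearray(RX_BUFFER_SIZE)
    src = frame[HEADER_SIZE:]
    try:
        for i in range(declared_len):
            dest[i] = src[i] if i < len(src) else 0   # past the frame a real device reads stale RAM
    except IndexError:
        # In C this is the write past the buffer; Python only tells us how far it would go.
        return ("overflow", declared_len - RX_BUFFER_SIZE)
    return ("ok", declared_len)


def make_frame(declared_len: int, payload: bytes) -> bytes:
    return declared_len.to_bytes(2, "big") + payload


NORMAL = make_frame(10, b"\x10" * 10)          # constructed benign frame
WRAPPED = make_frame(0xFFFE, b"\x41" * 300)    # constructed: 2 + 0xFFFE wraps to 0 in uint16
LARGE = make_frame(1000, b"\x41" * 300)        # constructed: oversized but does not wrap

if __name__ == "__main__":
    for name, frame in [("normal", NORMAL), ("wrapped", WRAPPED), ("large", LARGE)]:
        print(name, "16-bit:", receive(frame, length_check_16bit),
              "fixed:", receive(frame, length_check_fixed))
```

The 16-bit check stops the obviously oversized frame but accepts the one whose length makes the addition wrap to zero; the fixed check never adds attacker-controlled values to anything, so there is nothing to wrap. The same pattern applies to any width, which is why bounds checks should compare a length against remaining space rather than compute an end pointer.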
133
What is a zero-day exploit?
A new exploit or malware instance unknown to defenders and defensive technologies at the time of use.
134
What is ransomware?
Malware that encrypts files until a ransom is paid, usually in digital currency.
135
What is social engineering?
A broad class of attacks that tricks people into bypassing security policies by exploiting human psychology and interaction.
136
Give examples of social engineering in industrial settings.
Help-desk impersonation, vendor impersonation, infected USB drops, phishing emails, and requests for proprietary information.
137
What is direct spoofing?
Manipulating users directly to reveal passwords or important access-control information, for example by phone impersonation.
138
What is spear phishing?
A phishing attack crafted specifically for a company or group based on its interests or context.
139
What is a watering hole attack?
An attack in which the adversary compromises a website that the target group is likely to visit.
140
What is whaling?
Phishing attacks targeting high-value or high-profile individuals in a company.
141
Why are public-facing resources dangerous in ICS environments?
Because Internet services and remote maintenance interfaces provide entry points into industrial networks.
142
Which public-facing services are explicitly named in the lecture?
Typical Internet services such as web and email servers, plus remote maintenance services such as SSH and VPN.
143
How are public-facing resources often exploited?
Through unpatched vulnerabilities or misconfigurations such as missing authentication.
144
Why must internal services also be considered as attack surfaces?
Because once inside, attackers can use internal services to move between network segments.
145
Which real example is given for exploiting public-facing resources?
Havex exploited a vulnerability in a web-based SCADA application.
146
What is a drive-by compromise?
A browser-based infection vector in which a victim visits a compromised website and receives malware or is redirected to a fake page.
147
Why are drive-by compromises useful to attackers?
They can infiltrate a network when no other publicly reachable entry point is available.
148
What are common approaches used in drive-by compromise?
Cross-site scripting and malicious redirects.
149
What can a drive-by compromise achieve?
Credential theft and/or malware delivery.
150
What are hardware additions as an attack vector?
Adding devices such as rogue access points, LAN taps, or malicious management ports to gain unauthorized access.
151
What is rogue node injection?
The insertion of unauthorized devices or fake access points into a network to steal access or disrupt normal communication.
152
Why are unmanned field sites especially vulnerable to hardware attacks?
Because attackers may physically break in and connect directly to the process network.
153
What is a machine-in-the-middle attack?
Intercepting communication between two nodes in order to observe, alter, reroute, or replay traffic.
154
What passive goal can a MitM attack have?
Eavesdropping on messages.
155
What active goals can a MitM attack have?
Modifying, rerouting, replaying, or forging messages.
156
Why can replayed messages still be dangerous even if legitimate?
Because they may be injected at incorrect times and still trigger harmful control actions.
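Added worked example for cards 98 to 100 and card 156 (written for this page, not code from the lecture or from the standard): a simplified challenge-response message authentication in the spirit of what IEC TS 60870-5-7 applies from IEC 62351-5. An outstation issues a random challenge, the controlling station answers with an HMAC over challenge and ASDU, and the outstation accepts only a fresh, correctly authenticated message. The pre-shared key, station model and ASDU bytes are constructed, and the real mechanism has session-key management, sequence numbers and message encodings that are omitted here; the point is to show which of the card's threats the mechanism stops (spoofing, modification, replay) and which it does not (eavesdropping).

```python
"""Added example (not from the lecture): simplified challenge-response message
authentication modelled on IEC TS 60870-5-7 / IEC 62351-5. Key, station and
ASDU bytes are constructed; encodings are not the standard's."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

PSK = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed pre-shared key

# Constructed bytes shaped like an IEC 60870-5-104 single command:
# type 45, VSQ 1, COT 6 (activation), common address 1, IOA 10, SCO 0x81 (select, ON).
ASDU_SELECT_ON = bytes.fromhex("2d01060001000a000081")


def sign(key: bytes, challenge: bytes, asdu: bytes) -> bytes:
    """Sender side: HMAC over challenge || ASDU binds the message to this challenge."""
    return hmac.new(key, challenge + asdu, hashlib.sha256).digest()


@dataclass
class Outstation:
    key: bytes
    pending: Optional[bytes] = None   # the one challenge currently valid

    def issue_challenge(self) -> bytes:
        """Fresh random nonce per critical ASDU, so an old (challenge, MAC) pair cannot be reused."""
        self.pending = os.urandom(16)
        return self.pending

    def verify(self, asdu: bytes, challenge: bytes, mac: bytes) -> str:
        if self.pending is None or not hmac.compare_digest(challenge, self.pending):
            return "REJECT:stale-challenge"   # replay of an earlier, legitimate exchange
        if not hmac.compare_digest(sign(self.key, challenge, asdu), mac):
            return "REJECT:bad-mac"           # wrong key (spoofing) or altered ASDU
        self.pending = None                   # challenge consumed
        return "ACCEPT"


def run_scenarios() -> Dict[str, object]:
    """A legitimate command, the three attacks the mechanism addresses, and the one it does not."""
    out = Outstation(PSK)
    results: Dict[str, object] = {}

    c1 = out.issue_challenge()
    mac1 = sign(PSK, c1, ASDU_SELECT_ON)
    results["legitimate"] = out.verify(ASDU_SELECT_ON, c1, mac1)

    out.issue_challenge()                     # next round; attacker replays captured (c1, mac1)
    results["replay"] = out.verify(ASDU_SELECT_ON, c1, mac1)

    c2 = out.issue_challenge()
    mac2 = sign(PSK, c2, ASDU_SELECT_ON)
    tampered = ASDU_SELECT_ON[:-1] + b"\x80"  # MitM flips SCO to OFF but keeps the MAC
    results["modified"] = out.verify(tampered, c2, mac2)

    c3 = out.issue_challenge()
    results["spoofed"] = out.verify(ASDU_SELECT_ON, c3, sign(b"attacker-guess", c3, ASDU_SELECT_ON))

    # Not addressed: the ASDU travels in clear, so a passive listener reads the
    # type identifier (45 = single command) and the target IOA without any key.
    results["eavesdrop_type_id"] = ASDU_SELECT_ON[0]
    results["eavesdrop_ioa"] = int.from_bytes(ASDU_SELECT_ON[6:9], "little")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>18}: {outcome}")
```

The replay case is the one card 156 describes: the captured command was genuine and its MAC is valid for the key, but it is bound to a challenge the outstation no longer holds, so it is refused. Integrity and authentication alone do nothing for confidentiality, which is why traffic analysis and eavesdropping stay out of scope unless a separate transport layer encrypts the channel.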
157
Why can MitM attacks succeed even against authenticated or encrypted communication?
Because the attacker may intercept or manipulate the cryptographic key exchange used to establish the secure channel.
158
What is denial-of-service in ICS?
A broad attack category that makes a system or component unavailable or prevents normal functionality.
159
What is distributed denial-of-service?
A DoS attack launched from many machines at once, making it harder to identify and defend against the sources.
160
Why is DoS especially severe in ICS?
Because availability is often more critical than confidentiality in industrial environments.
161
What is Loss of Control (LoC)?
A state in which the control system can no longer exert positive control over the plant or device.
162
What is Loss of View (LoV)?
A state in which operational data is unavailable to operators, often forcing emergency shutdown.
163
Why are HMIs an attractive attack target?
Because an attacker can use standard operator control functions to manipulate the plant without first developing PLC malware.
164
Why are engineering workstations an especially powerful target?
Because they provide access to PLCs and the tools needed to develop or deploy malware.
165
Why are stolen engineering credentials dangerous?
Because they can give attackers full and sometimes remote access to control devices and engineering infrastructure.
166
What is threat modelling?
The procedure of analyzing a system’s objectives and vulnerabilities from an adversary’s perspective to derive preventive or mitigating measures.
167
Why is brainstorming alone a weak threat-modelling method?
Because it is only as complete as the analysts’ imagination and risks circular reasoning.
168
Why can checklist-based threat modelling be insufficient?
Because it depends on checklist completeness and assumes the attacker behaves according to the same checklist.
169
Why is a purely risk-mitigation-oriented approach criticized in the lecture?
Because merely documenting and signing off risks can become ineffective if it does not drive concrete defenses.
170
What does DREAD stand for?
Damage, Reproducibility, Exploitability, Affected users, and Discoverability.
171
What is the goal of DREAD?
To rate and prioritize threats by scoring five categories from 1 to 10.
172
What is a main criticism of DREAD?
The ratings can be inconsistent and subjective.
173
Why is the Discoverability component of DREAD controversial?
Because it can encourage security-through-obscurity thinking.
174
What are common adaptations of DREAD?
Dropping Discoverability or rating it always at the maximum value.
175
What does STRIDE stand for?
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
176
What is STRIDE used for?
Identifying security threats by classifying them into six categories.
177
What is STRIDE-LM?
An extension of STRIDE by Lockheed Martin that adds Lateral Movement.
178
What is the threat-driven approach in the lecture?
An integrated approach that bridges architecture/engineering and operations/analysis and systematically reasons from assets and attack paths.
179
What does the mnemonic 'There are no idle threats, they attack' summarize?
It captures the staged steps of the threat-driven approach from identifying assets and attack surfaces to analysis, triage, and controls.
180
What are the main steps of the threat-driven approach listed in the lecture?
Identify assets, define attack surface, decompose the system, identify attack vectors, list threat actors and objectives, perform analysis and assessment, triage, and define controls.
181
What are TTPs?
Tactics, techniques, and procedures that describe behavior patterns of an attacker.
182
What are tactics in TTP terminology?
The overall goals and general strategies behind an attack.
183
What are techniques in TTP terminology?
The concrete methods used to perform the attack.
184
What are procedures in TTP terminology?
The step-by-step way an attacker carries out an attack, including tools and methods.
185
Why are TTPs useful for threat modelling?
They help identify attack vectors and support analysis and defense against known threat actors.
186
How do tactics and techniques differ?
Tactics describe why an attacker acts; techniques describe how the attacker does it.
187
How do procedures relate to tools and artifacts?
Procedures describe sequential execution, while tools implement parts of the procedure and artifacts indicate that tools or TTPs were present.
188
What is an indicator of compromise (IOC)?
An artifact observed in a network or operating system that likely indicates an intrusion.
189
Why are IOCs useful?
They support detection of intrusion attempts and other malicious activities.
190
What kinds of IOCs are mentioned?
Hash values, IP addresses, domain names, network artifacts, host artifacts, tools, and TTPs.
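Added worked example for cards 45, 46 and 188 to 190 (written for this page, not from the lecture): matching the atomic indicator types the card lists, file hashes, IP addresses and domain names, against log lines such as a proxy, firewall or anti-virus log from an HMI or engineering workstation. The indicator values, the log lines and the syslog-like layout are all constructed; the digest is computed inline from a stand-in payload so that the example runs offline, and 192.0.2.0/24 and .example are reserved documentation values.

```python
"""Added example (not from the lecture): matching atomic indicators of
compromise (file hashes, IP addresses, domain names) against log lines.
Indicator values and log lines are constructed; 192.0.2.0/24 and .example
are reserved for documentation and resolve nowhere."""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

# Constructed indicator set. The digest is derived here from a stand-in payload
# so the example is self-contained; a real feed would deliver the hash itself.
SAMPLE_DIGEST = hashlib.sha256(b"constructed sample payload").hexdigest()
IOC_HASHES = {SAMPLE_DIGEST}
IOC_IPS = {"192.0.2.44"}
IOC_DOMAINS = {"update.vendor-portal.example"}

# Constructed log lines in a syslog-like shape: host, component, message.
SAMPLE_LOGS = [
    "hmi01 proxy: GET http://update.vendor-portal.example/setup.exe from 10.1.20.5",
    "ews02 fw: ALLOW tcp 10.1.20.7:51022 -> 192.0.2.44:443",
    f"hmi01 av: scanned C:\\temp\\setup.exe sha256={SAMPLE_DIGEST}",
    "plc-gw fw: ALLOW tcp 10.1.20.7:502 -> 10.1.30.2:502",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    value: str
    line: str


def extract_indicators(line: str) -> Iterator[Tuple[str, str]]:
    """Pull every candidate IP, host name and SHA-256 out of one log line."""
    for ip in IP_RE.findall(line):
        yield ("ip", ip)
    for host in HOST_RE.findall(line):
        # also catches file names such as setup.exe; the set lookup filters them out
        yield ("domain", host.lower())
    for digest in SHA256_RE.findall(line):
        yield ("sha256", digest.lower())


def match_iocs(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per (line, indicator) pair whose value is in the indicator set."""
    tables = {"ip": IOC_IPS, "domain": IOC_DOMAINS, "sha256": IOC_HASHES}
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        for kind, value in extract_indicators(line):
            if value in tables[kind]:
                hits.append(Hit(n, kind, value, line))
    return hits


if __name__ == "__main__":
    for h in match_iocs(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} {h.value}")
```

The Modbus line between the two internal hosts produces no hit, which is the intended behaviour of an indicator match: it only finds what is already known. That is also the limitation card 190 hints at by listing tools and TTPs alongside hashes and addresses; an adversary changes a hash or a domain cheaply, so behavioural detection has to sit beside this kind of lookup, and none of it helps if, as card 46 notes, the logs are never collected or reviewed.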
191
What is the Cyber Kill Chain?
A Lockheed Martin framework that breaks cyberattacks into sequential phases.
192
Why is it called a kill chain?
Because it borrows the military idea of planning and launching an attack as a chain of steps.
193
What are the seven classic Cyber Kill Chain steps?
Reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
194
Why is the Cyber Kill Chain useful for defenders?
Because each step can be treated as an opportunity to stop the attack and 'break the chain.'
195
What happens in reconnaissance?
The attacker selects the target and gathers information.
196
What happens in weaponization?
The attacker prepares or selects suitable attack tools.
197
What happens in delivery?
The attack tool is delivered to the victim.
198
What happens in exploitation?
A vulnerability is exploited to gain access.
199
What happens in installation?
Malware or another malicious foothold is installed.
200
What happens in command and control?
A communication channel to the malicious software is established.
201
What happens in actions on objectives?
The attacker executes the intended end goal and maximizes impact.
202
Why is the traditional Cyber Kill Chain not sufficient for ICS-specific attacks?
Because it focuses on IT and enterprise-network intrusion and does not fully capture the OT-specific attack-development phase.
203
What is the ICS Cyber Kill Chain?
An adaptation of the traditional kill chain that models the steps needed for a high-confidence attack on industrial control systems.
204
What are the two stages of the ICS Cyber Kill Chain?
Stage 1: cyber intrusion preparation and execution in IT; Stage 2: ICS attack development and execution in OT.
205
What is the purpose of Stage 1 in the ICS Cyber Kill Chain?
To gain information about the ICS, defeat internal protections, and obtain access to production environments.
206
When can Stage 1 of the ICS Cyber Kill Chain be bypassed?
When ICS components are Internet-facing or attackers already possess sufficient ICS information, for example through a compromised third party.
207
What is the purpose of Stage 2 in the ICS Cyber Kill Chain?
To develop, test, deliver, install or modify, and execute an attack tailored to the specific industrial system and desired impact.
208
Why is testing emphasized in Stage 2 of the ICS Cyber Kill Chain?
Because attackers want a reliable and meaningful effect on the real industrial process.
209
Why does the ICS Cyber Kill Chain separate IT and OT phases?
Because compromise of enterprise IT is often only a preparation step for the real process-level attack in OT.
210
What is MITRE ATT&CK for ICS?
A hierarchical but unordered matrix that maps tactics to techniques and provides procedures, detections, mitigations, and related knowledge for industrial attacks.
211
What is the highest level in the MITRE ATT&CK hierarchy?
Tactics.
212
How are tactics and techniques organized in MITRE ATT&CK?
Each tactic contains multiple techniques.
213
What do procedures represent in MITRE ATT&CK?
Observed tools, protocols, malware strains, and concrete attacker behavior for a technique.
214
What do mitigations represent in MITRE ATT&CK?
Security concepts and technology classes that can prevent a technique from succeeding.
215
What do detections represent in MITRE ATT&CK?
Ways data sources can be used to detect the use of a technique.
216
Why is the ATT&CK matrix not a checklist?
Because covering some or even all listed techniques does not guarantee security, and attackers may use behaviors not in the matrix.
217
Why can MITRE ATT&CK never be complete?
Because adversaries do not necessarily disclose their zero-days or all tactics, techniques, and procedures.
218
How are ATT&CK and the Kill Chain related?
They are complementary: ATT&CK describes attacker behavior in detail, while the Kill Chain describes ordered high-level phases.
219
Why are ATT&CK tactics unordered?
Because adversary goals can change during an operation and not all tactics must occur in a fixed sequence.
220
What is the Initial Access tactic in ATT&CK ICS?
The attacker’s entry vector into the ICS environment.
221
What example technique is given for Initial Access?
Spearphishing Attachment.
222
What is the Execution tactic in ATT&CK ICS?
Executing attack code on a victim system.
223
What example technique is given for Execution?
Graphical User Interface.
224
Why is GUI-based execution relevant in ICS?
Because HMIs often provide interfaces that can be used locally or remotely via VNC or RDP to run commands.
225
What is Privilege Escalation in ATT&CK ICS?
Techniques used to gain higher permissions after initial compromise.
226
What example technique is given for Privilege Escalation?
Exploitation for Privilege Escalation.
227
What is Persistence in ATT&CK ICS?
Techniques that preserve long-term access to a victim system.
228
What example technique is given for Persistence?
System Firmware.
229
Why is firmware persistence dangerous in ICS?
Because firmware updates are often weakly protected and firmware is often unsigned.
230
What is Discovery in ATT&CK ICS?
Reconnaissance of the networked environment after compromise.
231
What example technique is given for Discovery?
Network Sniffing.
232
Why is network sniffing often effective in ICS?
Because industrial traffic is still frequently unencrypted and reveals systems, logins, and communication patterns.
233
What is Evasion in ATT&CK ICS?
Techniques intended to avoid detection.
234
What example technique is given for Evasion?
Indicator Removal on Host.
235
Why is indicator removal especially effective in some ICS environments?
Because logs and measured values often lack strong security protection or integrity checking.
236
What is Lateral Movement in ATT&CK ICS?
Propagation of attacker access to other systems in the network.
237
What example technique is given for Lateral Movement?
Valid Accounts.
238
What is Collection in ATT&CK ICS?
Gathering data from the compromised network to understand system interactions and prepare further actions.
239
What example technique is given for Collection?
Automated Collection.
240
What is Inhibit Response Function in ATT&CK ICS?
Disabling detection or protective responses so attacks can continue unnoticed.
241
What example technique is given for Inhibit Response Function?
Alarm Suppression.
242
Why is alarm suppression especially dangerous in ICS?
Because coordinated suppression of multiple alarms can hide unsafe or malicious process changes.
243
What is Command and Control in ATT&CK ICS?
Establishing a command channel to compromised devices.
244
What example technique is given for Command and Control?
Commonly Used Port.
245
Why is the use of commonly used ports helpful for attackers?
Because it makes malicious communication blend in with normal traffic.
246
What is Impair Process Control in ATT&CK ICS?
Taking over or influencing process-control behavior.
247
What example technique is given for Impair Process Control?
Unauthorized Command Message.
248
What is Impact in ATT&CK ICS?
Actions intended to damage the process or assets and affect integrity or availability.
249
What example technique is given for Impact?
Damage to Property.
250
Why is damage to property a core ICS impact tactic?
Because industrial attacks often aim at physical disruption or destruction, not just IT data theft.
251
What is the first step in the landscape of security approaches?
Identification of critical systems.
252
Why is identifying critical systems the first step?
Because you first need to know what must be protected and how important each asset is to reliable overall operation.
253
What questions should asset identification answer?
What should be monitored, how closely, how to segment the network into security zones, and where to place security monitoring.
254
What is network segmentation and isolation of systems?
Separating assets into functional groups so services can be tightly controlled and the exposed attack surface can be reduced.
255
Why are industrial networks well suited for segmentation?
Because they contain many distinct functional groups that do not need to communicate with each other directly.
256
What is defense in depth?
A layered defensive strategy that uses overlapping security mechanisms so one broken control does not collapse the whole defense.
257
Along which dimensions can 'depth' be interpreted?
OSI layers, physical or topological subnetworks and zones, policy layers such as users/roles/privileges, and multiple defensive devices at one point.
258
Why is defense in depth especially appropriate for industrial environments?
Because no single measure is sufficient to protect long-lived, heterogeneous, and operationally critical systems.
259
What is meant by access control in the security-approach landscape?
Identification, authentication, and authorization of users and devices so only permitted entities can access assets.
260
Why does stricter access control help?
Because it makes unauthorized actions and privilege abuse more difficult.
261
What is security monitoring in the Chapter 4 context?
Providing situational awareness to the cybersecurity team by carefully selecting what and how to monitor and how to interpret the data.
262
What is policy or protocol allowlisting?
Explicitly defining the behavior or communication that is allowed or expected and preventing everything else.
263
What is application allowlisting?
Explicitly defining the approved applications and files allowed to run on systems.
264
Why is application allowlisting highly effective against malware?
Because unknown or unauthorized binaries are blocked by default instead of merely detected after execution.
265
What are the three pillars of comprehensive security for industrial networks?
Prevention, Detection, and Response.
266
What belongs to Prevention in the lecture’s model?
Measures that reduce attack risk in advance and minimize possible consequences.
267
What belongs to Detection in the lecture’s model?
Break-in detection, validity checking, plausibility checking, and anomaly detection.
268
What belongs to Response in the lecture’s model?
Containing damage, cleaning systems, and revising the security concept.
269
What are examples of preventive measures from Chapter 4?
Network segmentation and zoning, resource-efficient security mechanisms, retrofitting security into legacy systems, and penetration tests or audits.
270
Why are resource-efficient security mechanisms important in ICS prevention?
Because many industrial devices and networks are constrained and cannot always support full conventional security stacks.
271
What does retrofitting security mean in ICS?
Adding protections to existing insecure systems or protocols, for example by transparently adding TLS or repurposing protocol fields.
272
Why are penetration tests and security audits part of prevention?
Because they identify vulnerabilities and attack methods before real attackers exploit them.
273
What are examples of detection measures from Chapter 4?
Network monitoring, communication-based industrial intrusion detection, state-aware industrial intrusion detection, and honeypots.
274
What is communication-based industrial intrusion detection?
Detection that leverages communication patterns and periodicity typical of industrial traffic.
275
What is state-aware industrial intrusion detection?
Detection that incorporates knowledge of the underlying physical process and expected system state.
276
Why can honeypots help in ICS security?
Because they simulate industrial systems so that defenders can learn about attacker behavior and techniques.
277
What are examples of response measures from Chapter 4?
Incident response, network forensics, contextualization, recovery, eradication, and quarantine.
278
Why is contextualization useful during response?
Because augmenting alerts and evidence with additional system context helps prioritize and understand the incident.
279
What is the overall takeaway of Chapter 4?
Industrial networks are poorly equipped for modern security challenges, especially due to Ethernet/IP connectivity and legacy insecure devices and protocols.