Use Cases

PBOSECURE


Consider a scenario where a cyber-criminal launches a cyber-attack intended to have a physical impact on critical infrastructure. To achieve that, the attacker needs to reach the controller that is connected to the field equipment and modify the commands going to the field:

  • First, the attacker tries to obtain an employee's credentials using phishing or social-engineering cyber-attacks.
  • Launches reconnaissance on the plant network to identify the devices connected to it.
  • Once the information is gathered, tries to gain access to the operator/engineering workstation that has access to the controller.
  • Once access is gained, creates a backdoor account so that the attacker can log in whenever required.
  • Puts the PLC/RTU into programming mode and forces register values or changes the state of coils to launch the attack.
  • Uploads a malicious configuration into the PLC/RTU.
  • Changes the firmware of the RTU.
How the PBOSECURE SIEM Integration team helps to detect the above cyber-attack
  • During reconnaissance the SIEM detects the network scan; the SOC analyst receives an alert on the SIEM dashboard that an unauthorized source IP is scanning the network.
  • When the attacker tries to create a backdoor account, every unauthorized user creation is captured in the audit logs and is visible on the SIEM dashboard.
  • When the cyber-criminal changes the PLC/RTU mode, the change is captured in the logs of the engineering workstation and shown on the ICS SIEM dashboard. At this point the analyst should already have alerted the respective incident handler to stop the cyber-attack.
  • After this the cyber-criminal may attempt further actions such as a malicious configuration upload, a firmware change, or forced commands, but because of the SIEM alerts and the incident-handling team, the attempted cyber-attack fails.
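To make the three detection points above concrete, here is an added example (not PBOSECURE's own code; the hostnames, IP addresses, user names, thresholds and the key=value log format are all constructed) that runs simple SIEM-style rules over sample firewall, audit and engineering-workstation log lines.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs): firewall, audit-log and
# engineering-workstation records, normalised into one key=value line format.
SAMPLE_LOGS = """\
src=10.10.5.77 dst=10.10.1.20 dport=502 action=deny
src=10.10.5.77 dst=10.10.1.20 dport=102 action=deny
src=10.10.5.77 dst=10.10.1.21 dport=44818 action=deny
src=10.10.5.77 dst=10.10.1.22 dport=20000 action=deny
src=10.10.1.5 dst=10.10.1.20 dport=502 action=allow
event=user_created host=EWS01 user=svc_maint created_by=jdoe
event=user_created host=EWS01 user=backup_adm created_by=Administrator
event=plc_mode_change host=EWS01 device=PLC-07 mode=PROGRAM user=backup_adm
"""

SCAN_PORT_THRESHOLD = 3               # distinct ports from one source before alerting
ALLOWED_SCANNERS = {"10.10.1.5"}      # hypothetical authorised scanner (assumption)
APPROVED_ACCOUNT_CREATORS = {"jdoe"}  # identities permitted to create accounts (assumption)
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))

def detect(log_text):
    """Return (rule, detail) alerts for scan, backdoor-account and PLC-mode events."""
    alerts = []
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        if "dport" in ev:  # firewall record: accumulate distinct ports per source
            ports_by_src[ev["src"]].add(ev["dport"])
        elif ev.get("event") == "user_created" and ev["created_by"] not in APPROVED_ACCOUNT_CREATORS:
            alerts.append(("unauthorized_user_creation", f"{ev['user']} by {ev['created_by']} on {ev['host']}"))
        elif ev.get("event") == "plc_mode_change" and ev["mode"] == "PROGRAM":
            alerts.append(("plc_programming_mode", f"{ev['device']} set to PROGRAM by {ev['user']}"))
    # Scan rule: an unallowed source touching many distinct ports is a reconnaissance alert
    for src, ports in ports_by_src.items():
        if src not in ALLOWED_SCANNERS and len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(("network_scan", f"{src} probed {len(ports)} ports"))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOGS):
        print(f"ALERT {rule}: {detail}")
```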