New Blog | Investigating Industrial Control Systems using Microsoft’s ICSpector open-source frame

By maayan_shaul

 

Industrial Control Systems (ICS) security has been a subject of research for many years, spurred, in part, by recent state-sponsored ICS-targeting malware and supply-chain attacks like the ZPMC cranes spying concerns that threaten critical infrastructure. Given the potential harm to thousands of people if water treatment facilities, power plants and nuclear reactors or other systems are breached, the stakes are high. Unfortunately, forensics for ICS devices is not as advanced as in IT environments like Windows and Linux. This can stall forensics investigation when incidents occur. 

 

To overcome this challenge, Microsoft released ICSpector, an open-source framework that facilitates the examination of the information and configurations of industrial programmable logic controllers (PLCs). This framework simplifies the process of locating PLCs and detecting any anomalous indicators that are compromised or manipulated. This can assist you in safeguarding the PLCs from adversaries who intend to harm or disrupt their operations. 

 

Many operational technology (OT) security tools based on network layer monitoring, such as Microsoft Defender for IoT, provide network protection for OT/IoT environments, allowing analysts to discover their devices and respond to alerts on vulnerabilities and anomalous behavior. However, one of the biggest challenges is retrieving the code running on the PLC and scanning it as part of an incident response to understand if it was tampered with. This act requires caution, because the PLCs are actively operating vital industrial process. This is where ICSpector can help individuals or facilities perform this task with best practices.

 

Industrial control systems in brief 

Industrial Control Systems (ICS) and Operational Technology (OT) are critical to modern society, powering everything from power grids and water treatment plants to manufacturing facilities and transportation systems. These systems typically rely on a combination of hardware and software components to perform their functions. Programmable logic controllers (PLCs) are used to manage and control the various processes within an industrial environment. As these systems become increasingly digitized and interconnected, they are also becoming more vulnerable to cyberattacks.  

 

Due to their critical role in ensuring the smooth operation of industrial processes, and the physical danger or extreme financial losses that could result if attacked, ICS devices are prime targets of cyberattacks, making ICS security an increasingly critical issue in today's digital landscape. 

 

 

Figure 1: Known ICS-targeted cyberattacks that occurred between 2010 and 2022. (Image from Cyber Signals: Risks to critical infrastructure on the rise)

 

Read the full post here: ​​Investigating Industrial Control Systems using Microsoft’s ICSpector open-source framework