Accueil Blog

My work about the Viasat attack analysis featured in the Angelina Tsuboi’s course on Satellite Cybersecurity Foundations hosted on Udemy

0

I’m very proud and honored to be featured in the Angelina Tsuboi’s course on Satellite Cybersecurity Foundations hosted on Udemy. Thank you very much Angelina for mentioning my work about the Viasat cyber attack analysis with the MITRE ATT&CK framework. The article relating my work can be found here.

Angelina mentionned my work about the Viasat attack analysis:

  • I compared the 4 frameworks that can be used for the space sector: MITRE ATT&CK, SPARTA, SPACE-SHIELD and TREKS.
  • I explained why I choose the MITRE ATT&CK Framework
  • I identified Tactics, Techniques and Procedures (TTPs) from the MITRE ATT&CK matrix that have been used by the hackers
  • I mapped them on the MITRE ATT&CK Navigator in order to have the complete attack chain.

  • I drawn a diagram as a Cyber Kill Chain showing all TTPs mapped on the entire attack life cycle of the Viasat cyber attack.

Thank’s again to Angelina Tsuboi for mentioning my work about the Viasat cyber attack analysis with the MITRE ATT&CK framework. The article relating my work can be found here.

Why Satellite Cybersecurity is critical

The space industry has been expanding rapidly the past few years and this trend is expected to continue as more companies and organizations conduct space-related research and projects. The democratization and demand in the aerospace industry has also encountered bad actors who try to exploit the new technology for malicious purposes. It’s now mandatory to understand the foundations of satellite security and detection methods for common satellite cyber attacks in order to combat this growing threat

About the Satellite Cybersecurity Foundations course on Udemy

The Satellite Cybersecurity Foundations course on Udemy is an intensive course and hands-on CTF workshop.

In this course, you will learn the foundations of satellite cybersecurity and master satellite cybersecurity. You will gain critical skills to defend aerospace systems, covering satellite OSINT, orbital mechanics, signal reverse engineering, TLE analysis, attack simulation, and SPARTA-based defenses. You will learn how to identify vulnerabilities, secure-by-design, and protect satellite infrastructure against modern threats.

In mode details, find below what you’ll learn:

  • Foundations of Satellite Technology: Subsystems, Communications, and Applications
  • OSINT for Satellite Systems, Mission Analysis, and Reading Engineering Specifications
  • Communications & Tracking: Intercepeting and Reverse Engineering Signals
  • Tracking and Orbital Mechanics: TLEs, Propagation Methods, and Visual Tools
  • Interactive CTF Workshop
  • Secure-by-Design Implementation for Satellite Infrastructure

This course is for anyone who is interested in learning about the foundations of satellite security

About course instructor Angelina Tsuboi

Angelina Tsuboi is a Programmer, Security Researcher, and Developer with a passion for satellites, signals intelligence, and scientific research.

She is interested in educating others about the exciting field of aerospace cybersecurity in conjunction with developing open-source programs and research in the field spanning satellites, UAVs, and aircraft.

To know more

The dark side of the DNS or the war of the port 53

0

I am very happy and proud that my article on DNS security has been accepted and published in the last issue of Hakin9 Magazine after being reviewed by the editorial board.

This new issue of Hakin9 Magazine, titled « Dark Web Vol.3 », is an exploratory journey into the shadowy realms of the internet and the cybersecurity challenges that lurk within.

The title of my article is « The dark side of the DNS or the war of the port 53 ».

We are all familiar with classic DNS-based attacks such as DNS Cache Poisoning, DNS Reflexion attack, DNS Amplification attack, DNS Pseudo Random SubDomain (PRSD) attack, DNS NX Domain attack, etc. ….

However, less is known about the techniques and algorithms behind these attacks. And since most modern malware uses DNS in at least one of the 7 stages of the Cyber Kill Chain, the aim of this article is to give a little insight into these techniques and to analyze the most sophisticated DNS-based attacks.

Source de l’image : gbhackers.com

To know more

My cybersecurity review for 2024

0

What an incredible end to 2024. I’ve had some wonderful experiences. I’ve successfully met many challenges in cybersecurity.

I’ve had some incredible opportunities and I’ve been able to do some really interesting things.

I continue my role as ambassador for the Aerospace industry within the « L’Aéro Recrute » program with the support of My Job Glasses and GIFAS – Groupement des Industries Françaises Aéronautiques et Spatiales, to promote the Aerospace, Sace, Defense and Security sector.

I took part of the « Introduction to Cybersecurity in Space Systems » course provided by Tim Fowler during the march summit, The Most Offensive Con that Ever Offensived – Bypass Edition! organized by Antisyphon Training. More here.

My work about the analysis of the Viasat Cyber Attack has been quoted and highlighted by Tim Fowler and Angelina Tsuboi in there courses:

I successfully passed the Certificate of Competence in Zero Trust (CCZT) from the Cloud Security Alliance (CSA). CCZT enables you to understand and implement Zero Trust principles into business planning, enterprise architectures, and technology deployments. More about CCZT.

I was quoted in the following article alongside Gerome Billois (Partner – Cybersecurity and Digital Trust – Wavestone) and Martial Gervaise (Cybersecurity Expert – Former Deputy Director at Orange Group). This article shows how important it’s to have a guideline in your cybersecurity career. This article shows also how it’s important to share whith others. It’s not by staying on your own that you grow the community. It’s by sharing that we collectively increase our skills. Cybersecurity grows when it’s shared.

I was elected as a CyberStar (or SpaceCyberStar) by Yohann BAUZIL. CyberStar is a program that highlights those who work to make cybersecurity a reality on a daily basis, either by sharing their knowledge or by their work.

I was choosen as ethicallyHackingspace(eHs)® h4ck32n4u75™ (Hackernauts) Community Member. Thank’s to William Ferguson for this distinction.

I wrote an article to explain how I used the new MITRE EMB3D™ threat model to identify Siemens PLC vulnerabilities potentially exploited by the Stuxnet worm. On May 13, 2024, MITRE released EMB3D™, a cybersecurity threat model for embedded devices. I carried out the following exercise to test and evaluate this new model.

  • The first step was to identify the properties of the Siemens PLC by analyzing the data sheet.
  • Next, I used the Properties tool to select the properties relevant to Siemens PLCs.
  • Finally, I used the mapping tool to list the threats that represent a viable risk for Siemens PLCs.
  • I checked to confirm that these vulnerabilities have been exploited by the Stuxnet worm.
  • I used the Associated mitigations to propose a list of mitigations to the threats that pose a viable risk to the Siemens S7 series PLC.
  • I finally mapped the associated mitigations with IEC 62443 4-2 framework

I successfully passed the CISM (Certified Information Security Manager) from ISACA. You can view my experience and tips after successfully passed this amazing certification here.

This journey has been both challenging and rewarding, filled with extensive study and deep dives into security governance, incident management, risk management and information security programs.

I’m proud to have achieved this important milestone in my career. I look forward to leveraging these skills and expertise to drive impactful security initiatives and contribute to the community.

I wrote an article on how to model an attack on an Industrial Control Systems (ICS). In this article, I explain why attacks on OT (Operational Technology) systems are made easier due to the OT/IT convergence.

Then, I describe that attacks on OT and ICS systems are modeled by the ICS Cyber Kill Chain and the MITRE ATT&CK for ICS Matrix described below.

I am very happy and proud that my article on DNS security has been accepted and published in the last issue of Hakin9 Magazine after being reviewed by the editorial board.

This new issue of Hakin9 Magazine, titled « Dark Web Vol.3 », is an exploratory journey into the shadowy realms of the internet and the cybersecurity challenges that lurk within.

The title of my article is « The dark side of the DNS or the war of the port 53 ». To know more here.

=========

I’d like to thank everyone who has followed me, encouraged me and supported me.

I hope all the information I share with you is interesting and helps you keep up to date and learn more.

But stay tuned because 2025 promises to be just as incredible and intense.

Until then, take care.

My experience and tips after successfully passed the CISM (Certified Information Security Manager) from ISACA

0

🌟 I’m thrilled to share that I’ve earned the CISM (Certified Information Security Manager) from ISACA. You can view my achievement on Credly.

🌍 This journey has been both challenging and rewarding, filled with extensive study and deep dives into security governance, incident management, risk management and information security programs.

🚀 I’m proud to have achieved this important milestone in my career. I look forward to leveraging these skills and expertise to drive impactful security initiatives and contribute to the community.

💡 Achieving the Certified Information Security Manager (CISM) certification is about much more than adding a line to your resume. It transforms how you approach, communicate, and prioritize security solutions with a business-centric mindset. After completing CISSP from ISC2, it’s clear that CISM has been one of the most impactful certifications, giving me a structured approach with business priorities always top of mind.

🏢 The exam itself wasn’t necessarily tougher than CISSP. The approach is different, though. But the CISM exam can be very tricky as not all questions have a strictly correct answer. Most of the questions are subjective. Often, it’s a case of choosing the most correct answer or the least wrong answer. Thinking like a manager or understanding the business context/requirements will help you choose the correct answer.

« Success is not the destination; it’s the incredible journey of pushing your limits, embracing challenges, and celebrating every small achievement all the way.”

💼 No certification can replace actual work experience and knowledge obtained from getting your hands dirty. At the same time, certification prep can help in expanding your knowledge.

👉 What do I notice every time I take a certification :
– The quality of my work has improved
– I am more engaged with my work
– I am faster at performing my job
– I have decreased errors in my work

The CISM Mindset:

  • Think like an Information Security Manager
  • Human life is always the most important
  • Everything we do supports the mission of the business
  • Metrics allow control objectives to be met
  • IS Governance = Board of directors
  • IS Program = Board of directors or equivalent gov body
  • Dialogue is a KEY
  • Involve stakeholder in collaborative dialogue, understand their needs, face-to-face
  • Security addendum = terms and conditions – NOT additions
  • It’s generally accepted that CISO reports to COO (not to CEO)
  • A problem statement describes the problem in business terms
  • A problem statement has 2 parts
    • the description of possible events
    • the optic that the organization is negligent
  • Always to align with the business
  • Always choose a collaborative approach

About CISM materials:

I especially thank Thor Pedersen. All materials he provides on Udemy are truly amazing :

  • CISM Video Boot Camp 2024 (Domain 1-2-3-4)
  • All domains 150 Question CISM 2024 (Serie #1, #2, #3, #4) ==> 4x 150 = 600 questions

My others ressources and materials:

  • All-in-One (AIO) CISM Bundle Second Edition by Peter Gregory including
  • AIO CISM Exam Guide (including end-of-chapter questions)
  • AIO CISM Practice Exams (300 questions
  • Free access to CISM TotalTester : Online practice tests (325 questions)
  • Free CISM Quick Review Guide (40 pages)
  • ISACA online QAE (Question, Answer and Explanations) : around 1200 questions

🙏 Good luck to everyone who is revising for the CISM exam or to those who will attempt the CISM exam soon. It isn’t impossible.

How to model an attack on an Industrial Control Systems (ICS)

1

Attacks on OT (Operational Technology) systems are made easier due to the OT/IT convergence.

The figure below is showing an example of OT/IT convergence.

Attacks on OT and ICS systems are modeled by the ICS Cyber Kill Chain and the MITRE ATT&CK for ICS Matrix described below.

ICS Cyber Kill Chain

Published by SANS in 2015 by Michael Assante and Robert M. Lee as an adaptation of the traditional cyber kill chain developed by Lockheed Martin analysts as it applied to ICSs.

The ICS Cyber Kill Chain details the steps an adversary must follow to perform a high‐confidence attack on the ICS process and/or cause physical damage to equipment in a predictable and controllable way.

ICS Cyber Kill Chain has Two stages:

  • Stage 1 : Cyber Intrusion Preparation and Execution – « IT »
  • Stage 2 : ICS Attack Developpement and Execution – « OT »

ICS Cyber Kill Chain mapped to the ICS Zoned Architecture

ICS Zoned Architecture (left) : This is the Purdue Model for ICS Security

Cyber Kill Chain for Industrial Control Systems (right) : This is an ICS Attack as Cascading Events

The ICS Cyber Kill Chain is a powerful approach for Neutralizing a Cyber Attack reducing ICS cyber risk. Security Engineering has the challenge to Kill the Kill Chain

ICS Cyber Kill Chain applied to STUXNET

The figure below is the ICS Cyber Kill Chain applied to STUXNET

About the MITRE ATT&CK for ICS Matrix

To go futhermore convergence of IT and OT, and the concept of ICS (Industrial Control System), you can also have a look on the MITRE ATT&CK for ICS Matrix.

The MITRE ATT&CK for ICS Matrix is an overview of the tactics and techniques described in the ATT&CK for ICS knowledge base. It visually aligns individual techniques under the tactics in which they can be applied.

The MITRE ATT&CK for ICS matrix (Source: https://collaborate.mitre.org/attackics/index.php/Main_Page)

Mapping of Stuxnet attack on the ATT&CK for ICS matrix

Below is the mapping of Stuxnet attack on the ATT&CK for ICS matrix (Than’ks to Airbus Cybersecurity). « Mapping Stuxnet to the ATT&CK for ICS matrix, as shown in figure 3, quickly shows how complex this attack was. Business risk owners can now identify which techniques to focus on if they need to minimise the risk from strikes like Stuxnet. »

Mapping of Stuxnet on the ATT&CK for ICS matrix (Source: https://airbus-cyber-security.com/mitre-attck-for-ics-everything-you-need-to-know/)

Threat modeling on OT, ICS and embedded systems

MITRE released in May 2024, the EMB3D™ model, a Cybersecurity Threat Model dedicated for Embedded Devices.

EMB3D is aligned with and expands on several existing models, including Common Weakness EnumerationMITRE ATT&CK®, and Common Vulnerabilities and Exposures, but with a specific embedded-device focus. The threats defined within EMB3D are based on observation of use by threat actors, proof-of-concept and theoretical/conceptual security research publications, and device vulnerability and weakness reports. These threats are mapped to device properties to help users develop and tailor accurate threat models for specific embedded devices.

To go furthermore

Space and Satellites Security Conferences at DEF CON 32 (and a little bit Aviation Security)

0

The videos from the Def Con 32 conference held in Las Vegas from August 8th to 11th are now online. Perfect for keeping busy during the long winter evenings ahead.

I have made a small selection of hashtag#cybersecurity topics on Space and Satellites.

Enjoy watching!

Small Satellite Modeling and Defender Software – Kyle Murbach

Abstract : This talk is meant to inform the next generation in aerospace cybersecurity by discussing our major research milestones, relevant findings, lessons learned, and areas of concern relating to the overall cybersecurity posture of small satellite systems.

Breaking the Beam:Exploiting VSAT Modems from Earth – Lenders, Willbold, Bisping

Abstract : Our presentation at DEF CON is part of a project that has three parts.

  • In the first part, we focus on the inherent security issues in current VSAT system practices. This work will be appear in May at ACM WiSec 2024.
  • The second part deals with the systematic evaluation of wireless signal injection attacks using a software-defined radio. This work will appear in August at Usenix Security 2024.
  • The third part of the project deals with reverse-engineering of the software and network stack of satellite modems and the development of exploits that can be injected over the air through the antenna dish of a VSAT terminal from the ground. This part shall be presented at DEF CON this year.

Analyzing the Security of Satellite Based Air Traffic Control -Martin Strohmeier

Abstract : Automatic Dependent Surveillance – Contract (ADS-C) is a satellite-based aviation datalink application used to monitor aircraft in remote regions. It is a crucial method for air traffic control to track aircraft where other protocols such as ADS-B lack connectivity. Even though it has been conceived more than 30 years ago, and other legacy communication protocols in aviation have shown to be vulnerable, ADS-C’s security has not been investigated so far in the literature. We conduct a first investigation to close this gap.

Bridging Space and Medicine – Fernando De La Peña Llaca

Abstract : In the vast expanse of space, holographic teleportation—a futuristic blend of holography and teleportation—has revolutionized astronaut communication. Imagine beaming a lifelike 3D image of yourself across light-years. Now, consider its potential in medicine: remote surgeries, expert consultations, and training—where distance dissolves, and expertise transcends borders. Buckle up; holoconnect is our cosmic ticket to healing!

Ground Control to Major Threat Hacking the Space Link Extension Protocol – Andrzej Olch

Abstract : Space missions have increasingly been the subject in the context of security breaches and satellite hacks. The majority of discussions revolve around direct communication and access to spacecraft through means such as Software Defined Radio. However, the reality is that this approach isn’t practical for most adversaries, as it requires substantial resources and is easily detectable due to the power and radio frequencies required to command a spacecraft. Instead, adversaries might shift their focus away from the Space Segment and opt for a more practical approach, such as accessing and exploiting the Ground Segment vulnerabilities and flaws in order to gain control over spacecraft.

From Theory to Reality Demonstrating the Simplicity of SPARTA Techniques – Randi Tinney

Abstract : Demonstrating the transition from theorized space cyber attacks to practical proof of concepts. The presentation will utilize a simple yet effective attack, a man-in-the-middle attack, on the ground infrastructure to demonstrate how many SPARTA techniques and sub-techniques can be performed against a spacecraft from the ground infrastructure. By illustrating the significant impact of this simplified concept, we aim to emphasize the urgent need for enhanced cybersecurity measures throughout the entire lifecycle of space missions and break the inherit trust between the ground and spacecraft.

GPS spoofing it’s about time, not just position – Ken Munro

Abstract : Talking to pilots and operators, an important aspect of GPS spoofing and jamming is being missed from the narrative in the media. We know about position spoofing, that’s a given. What doesn’t appear to be getting much attention is the effect of time spoofing.

Below are not space but aviation security talks

How I Developed a Low Cost Raspberry Pi Based Device for ADS B Spoof – Angelina Tsuboi

The device receives ADS-B information from the antenna and the software-defined radio, which is then passed into a Convolutional Neural Network written with Python to detect whether or not the aircraft is spoofed. I trained the neural network on a dataset of valid ADS-B signals as well as a generated spoofed set of aircraft signals, to teach Fly Catcher how to detect and flag any suspicious ADS-B signals. It does this by checking for discrepancies in the signal’s characteristics, such as its location, velocity, and identification.

The Interplay between Safety and Security in Aviation Systems – Lillian Ash Baker

Abstract : Safety has been at the forefront of Civil Aviation since the formalization of DO-178, Software Considerations in Airborne Systems and Equipment Certification, in 1981. However, times have changed since then and we live in a world with seemingly limitless connectivity. DO-356A, Airworthiness Security Methods and Considerations, forms the cybersecurity bedrock in which aviation systems are designed and implemented. In this talk, participants will learn about how Safety and Security is applied to system design and how they interact with one another. Design Assurance Levels (DAL) and Security Assurance Levels (SAL) concepts are presented and explained what their purpose is. This talk is designed to appeal to the general cybersecurity community by introducing fundamentals of Safety analyses and discussing how Safety and Security interact with one another.

RF Attacks on Aviation’s Defense Against Mid-Air Collisions – G. Longo, V. Lenders

Abstract : Aviation’s Traffic Collision Avoidance System (TCAS) II has been touted as a foolproof safety net since its introduction in the 1980s. But what if we told you that this supposedly impenetrable system can be compromised? For years, attacks on TCAS have been mere theoretical exercises, foiled by an (accidental) built in security feature. That is, until now. In this presentation, we’ll reveal the first working RF attacks on TCAS II, demonstrating how to hijack collision avoidance displays and create fake Traffic Advisories (TAs) and Resolution Advisories (RAs). We’ll walk you through the technical challenges of building the necessary tooling using commercial off-the-shelf hardware.

Navigating the Turbulent Skies of Aviation Cyber Regulation – M. Weigand, S. Wagner

Abstract : This combination presentation and panel discussion will surface the policy and technical challenges associated with securing civil aviation, bringing together perspectives from government, industry, and aviation cybersecurity companies. Given the continued growth in civil aviation and impending regulation in the United States of America and Europe, this talk will describe the key technical challenges and the resulting policy challenges that should be addressed to keep civil aviation secure.

 

Very proud to receive the certificate of completion : « Introduction to Cybersecurity in Space Systems » with Tim Fowler

1

I’m very proud to receive the following certificate of completion for having successfully completed the training course : « Introduction to Cybersecurity in Space Systems » with Tim Fowler.

This training course took place at « The Most Offensive Con that Ever Offensived – Bypass Edition » event organized by Antisyphon Training from 13 to 15 March, 2024.

« Introduction to Cybersecurity in Space Systems » was a course designed to expose cybersecurity professionals to the concepts and implementations of space systems including the ramification and impacts security can have on a mission.

In this course each element was broken down into its most basic components and we had the opportunity to look at how proper security can be applied; what tradeoffs must be made and many of the operational constraints governing every design decision.

This course walked students through each of the segments that make up a space system, the subsystems that comprise a spacecraft, and ways that each need to be defended from attacks.

This course also included multiple hands-on labs that will walk students through the process of implementing a custom ground station solution, a virtual satellite with simulated subsystems, and executing simulated attacks against both.

At the completion of this course, I have now a fundamental knowledge and understanding of space systems, how and where security can be implemented and I have a set of tools, I can use to further their knowledge and experience.

First of all, I want to congratulate Antisyphon Training and Tim Fowler for the high-quality of this training.

My first impressions is that the slides have a high-quality. I noticed that Tim’s terminology is very precise. This shows Tim’s great experience and expertise. The labs was very practical and simulate reality. The lab environment was very comprehensive and highly technical.

In conclusion, I’m really happy and proud to have had this unique opportunity to follow Tim’s training.

It gave me access to unique content of great value. Tim had the opportunity to demonstrate his great expertise and experience on the subject.

I definitely recommend to follow this course to someone who want to increase its knowledge in space systems cybersecurity.

To know more about « Introduction to Cybersecurity in Space Systems » with Tim Fowler.

Find below my certificate of completion

How I used MITRE EMB3D™ Threat Model to identify Siemens PLC vulnerabilities exploited by Stuxnet worm

1

Introduction

In this article, I will show how I used the MITRE EMB3D™ Threat Model to identify vulnerabilities in SIEMENS PLCs that were exploited by the Stuxnet worm to sabotage the Iran’s nuclear centrifuges.

About the MITRE EMB3D™ Threat Model

EMB3D™ is a Cybersecurity Threat Model release by MITRE in May 2024 and dedicated for Embedded Devices.

EMB3D is aligned with and expands on several existing models, including Common Weakness EnumerationMITRE ATT&CK®, and Common Vulnerabilities and Exposures, but with a specific embedded-device focus. The threats defined within EMB3D are based on observation of use by threat actors, proof-of-concept and theoretical/conceptual security research publications, and device vulnerability and weakness reports. These threats are mapped to device properties to help users develop and tailor accurate threat models for specific embedded devices.

Coming in the next release of EMB3D in Summer 2024, each threat description will include a set of Foundational, Intermediate, and Leading mitigations. These mitigations will provide guidance on what technical mechanisms can best prevent or reduce the risk of that threat.

For each threat, EMB3D will suggest technical mechanisms that vendors should build into the device to mitigate the given threat. EMB3D is a comprehensive framework for the entire security ecosystem—device vendors, asset owners, security researchers, and testing organizations.

To know more about the MITRE EMB3D™ Cybersecurity Threat Model for Embedded Devices, check our article here.

About the Stuxnet attack

Stuxnet is a highly sophisticated worm discovered in 2010, believed to be developed jointly by the United States and Israel. It targeted supervisory control and data acquisition (SCADA) systems, particularly those used in Iran’s nuclear program. Stuxnet specifically aimed at disrupting uranium enrichment processes by sabotaging centrifuges, demonstrating the potential of cyber weapons to physically damage critical infrastructure. Its complex code and ability to spread rapidly made it one of the most advanced and impactful cyber weapons ever deployed.

Stuxnet attack overview

Stuxnet specifically targeted industrial process control systems manufactured by Siemens, including programmable logic controllers (PLCs). It exploited vulnerabilities in the software and communication protocols used by these systems to infiltrate and take control of the PLCs. Once infected, the PLCs could be manipulated to disrupt the operation of the centrifuges used in the Iranian nuclear program.

What is STEP 7 in Siemens PLC and how does Siemens PLC work

STEP 7 is a software platform developed by Siemens for programming and configuring its programmable logic controllers (PLCs). It is part of the Totally Integrated Automation (TIA) Portal, which provides a comprehensive suite of tools for automation tasks, including PLC programming, human-machine interface (HMI) design, and more.

Siemens PLCs are industrial control devices used to automate processes in various industries, such as manufacturing, energy, and transportation. They consist of hardware components, such as the CPU (central processing unit), input/output modules, and communication modules, which interface with sensors, actuators, and other devices in the physical environment.

The PLC’s operation is based on a programmed logic controller, which executes a control program created using software like STEP 7. The program defines the behavior of the PLC in response to inputs from sensors and other sources. When inputs change, the PLC processes this information according to the program’s logic and produces outputs to control actuators, machinery, or other devices.

  • More about the Siemens STEP 7 software platform here.
  • More about programming with STEP 7 here (PDF).

About Siemens S7-300 PLC

Iran’s nuclear centrifuges were using Siemens S7-300 and S7-400 PLCs.

Siemens S7-300 PLC
Siemens S7-400 PLC

To identify the main features and device properties of the Siemens S7 series PLC, I used the following datasheets (PDF) :

  • More about the S7-300 Module data here (PDF)
  • More about the S7-400 Module data here (PDF)

Identifying properties of the Siemens embedded device

What I consider as an embedded device is the STEP7 Workstation and the Siemens S7 series PLCs.

Device Property #1

Siemens S7-300 PLC does not include a traditional operating system (OS) or kernel in the same sense as a general-purpose computer. Instead, it operates using firmware that is specifically designed for real-time control tasks. This firmware is tightly integrated with the hardware of the PLC and is optimized for deterministic and reliable operation in industrial environments.

So, in the EMB3D™ Device Properties tool / System Software, I checked PID-23 – Device includes OS/kernel

Device Property #2

Applications and softwares are present and running on Siemens PLCs. These softwares are used for programming and configuring the PLC to perform specific control tasks. In the case of Siemens PLCs, the programming software is typically part of the Totally Integrated Automation (TIA) Portal suite, which includes tools like STEP 7 for programming.

Programmers use this application-level software to create control logic using programming languages such as ladder logic, function block diagram (FBD), or structured text. Once the control program is developed, it is downloaded to the PLC, where it runs directly on the PLC’s firmware.

This application-level software allows users to define the behavior of the PLC, specify how inputs should be processed, define control logic, and configure outputs to interact with the physical environment. It also provides tools for debugging, monitoring, and maintaining the PLC program during operation.

So, in the EMB3D™ Device Properties tool / Application Software, I checked PID-31 – Application-level software is present and running on the device

Device Property #3

Siemens PLCs, including the S7-300 series, have the ability to deploy custom programs created using engineering software or integrated development environments (IDEs). Siemens provides programming software such as STEP 7 (part of the TIA Portal suite) for developing custom control logic programs.

So, in the EMB3D™ Device Properties tool / Application Software, I checked PID-321 – Device includes ability to deploy custom programs from engineering software or IDE

Device Property #4

Siemens PLCs do include system function blocks, which are pre-defined blocks of logic that perform specific tasks within the PLC’s firmware. These function blocks are provided by Siemens as part of the PLC’s programming environment and are used for various system-level tasks, such as reading system information, manipulating data blocks, managing communication protocols, and performing other administrative functions.

So, in the EMB3D™ Device Properties tool / Application Software, I checked PID-3231 – Device includes ability to run custom/external programs as native binary without a confined/restricted environment

Siemens PLCs Properties to Threats Mapping

The following table is mapping the Device Properties to a list of Threats the Siemens S7 series PLCs may be exposed to because it incorporates those properties and features.

System Software
Device Properties Threats
PID-23 Device includes OS/kernel TID-218 Operating System Susceptible to Rootkit
TID-202 Exploitable System Network Stack Component
Application Software
Device Properties Threats
PID-31 Application-level software is present and running on the device TID-301 Applications Binaries Modified
PID-32 Device includes the ability to deploy custom or external programs TID-302 Install Untrusted Application
PID-321 Device includes ability to deploy custom programs from engineering software or IDE TID-303 Excessive Trust in Offboard Management/IDE Software
PID-3231 Device includes ability to run custom/external programs as native binary without a confined/restricted environment TID-305 Program Executes Dangerous System Calls

Threat Heat Map for Siemens PLCs

The following tables represent a list of threats that pose a viable risk to the Siemens S7 series PLC.

SIEMENS S7-300 / S7-400 PLCs Heat Map
System Software Application Software
TID-218 TID-301 TID-303
TID-202 TID-302 TID-305

Threats exploited by the Stuxnet worm

It’s confirmed that the following threats have been exploited by the Stuxnet worm. « It means that the threat modeling we have done is accurate. »

System Software
Device Properties Threats
PID-23 Device includes OS/kernel TID-218 Operating System Susceptible to Rootkit
TID-202 Exploitable System Network Stack Component
Application Software
Device Properties Threats
PID-31 Application-level software is present and running on the device TID-301 Applications Binaries Modified
PID-32 Device includes the ability to deploy custom or external programs TID-302 Install Untrusted Application
PID-321 Device includes ability to deploy custom programs from engineering software or IDE TID-303 Excessive Trust in Offboard Management/IDE Software
PID-3231 Device includes ability to run custom/external programs as native binary without a confined/restricted environment TID-305 Program Executes Dangerous System Calls

Associated mitigations

The following table represents a list of associated mitigations to the threats that pose a viable risk to the Siemens S7 series PLC.

System Software
Threats Associated mitigations
Foundational Intermediate Leading
TID-218 Operating System Susceptible to Rootkit MID-001 – Software Only Bootloader Authentication MID-002 – Hardware-backed Bootloader Authentication
MID-009 – Operating System-based Runtime Integrity Check
MID-003 – Periodic/Continuous Integrity Measurement and Remote Attestation
Application Software
TID-301 Applications Binaries Modified MID-001 – Software Only Bootloader Authentication MID-002 – Hardware-backed Bootloader Authentication
MID-009 – Operating System-based Runtime Integrity Check
MID-003 – Periodic/Continuous Integrity Measurement and Remote Attestation
TID-303 Excessive Trust in Offboard Management/IDE Software MID-041 – Cryptographically Signed Vendor-supplied Programs
MID-042 – Device Checks Consistency Between Binary/Running Code and Textual Code
TID-305 Program Executes Dangerous System Calls MID-012 – OS-based Access Control Mechanisms MID-014 – Sandboxing
MID-015 – Containerization

Associated mitigations with IEC 62443 4-2 Mappings

System Software

Threats Associated mitigations
Foundational Intermediate Leading
TID-218 Operating System Susceptible to Rootkit MID-001 – Software Only Bootloader Authentication

•EDR / HDR / NDR 3.14 – Integrity of the boot process

MID-002 – Hardware-backed Bootloader Authentication

•EDR / HDR/ NDR 3.14 – Integrity of the boot process

MID-009 – Operating System-based Runtime Integrity Check

•CR 3.4 – Software and information integrity

MID-003 – Periodic/Continuous Integrity Measurement and Remote Attestation

•CR 3.4 – Software and information integrity

Application Software

TID-301 Applications Binaries Modified MID-001 – Software Only Bootloader Authentication

•EDR / HDR / NDR 3.14 – Integrity of the boot process

MID-002 – Hardware-backed Bootloader Authentication

•EDR / HDR/ NDR 3.14 – Integrity of the boot process)

MID-009 – Operating System-based Runtime Integrity Check

•CR 3.4 – Software and information integrity

MID-003 – Periodic/Continuous Integrity Measurement and Remote Attestation

•CR 3.4 – Software and information integrity

TID-303 Excessive Trust in Offboard Management/IDE Software MID-041 – Cryptographically Signed Vendor-supplied Programs

•CR 3.4 – Software and information integrity

MID-042 – Device Checks Consistency Between Binary/Running Code and Textual Code

•CR 3.4 – Software and information integrity

TID-305 Program Executes Dangerous System Calls MID-012 – OS-based Access Control Mechanisms

•CR 2.1 – Authorization Enforcement

MID-014 – Sandboxing

•SAR / EDR / HDR / NDR 3.2 – Protection from malicious code

MID-015 – Containerization

•SAR / EDR / HDR / NDR 3.2 – Protection from malicious code

•CR 3.4 – Software and information integrity

Modeling an attack on an Industrial Control Systems (ICS)

To model an attack on an Industrial Control Systems (ICS), it’s recommanded to use an offensive model.

There are two offensive models dedicated to Industrial Control Systems (ICS):

  • The MITRE ATT&CK for ICS matrix
  • The ICS Cyber Kill Chain

To know more how to model an attack on an Industrial Control Systems (ICS) but also about the MITRE ATT&CK for ICS matrix and the ICS Cyber Kill Chain, go to out entire and complete article on this subject here.

Mapping of Stuxnet attack on the MITRE ATT&CK for ICS matrix

Below is the mapping of Stuxnet attack on the ATT&CK for ICS matrix (Than’ks to Airbus Cybersecurity). « Mapping Stuxnet to the ATT&CK for ICS matrix, as shown in figure 3, quickly shows how complex this attack was. Business risk owners can now identify which techniques to focus on if they need to minimise the risk from strikes like Stuxnet. »

Mapping of Stuxnet on the ATT&CK for ICS matrix (Source: https://airbus-cyber-security.com/mitre-attck-for-ics-everything-you-need-to-know/)

ICS Cyber Kill Chain applied to STUXNET

The figure below is the ICS Cyber Kill Chain applied to STUXNET.

MITRE Releases EMB3D™ – A Cybersecurity Threat Model for Embedded Devices

2

Collaborative framework provides common understanding to mitigate cyber threats to critical infrastructure

MCLEAN, Va. & BEDFORD, Mass., May 13, 2024–(BUSINESS WIRE)–The EMB3D Threat Model is now publicly available at https://emb3d.mitre.org. The model provides a cultivated knowledge base of cyber threats to embedded devices, providing a common understanding of these threats with the security mechanisms required to mitigate them. The model is the result of a collaborative effort by MITRE, Niyo Little Thunder Pearson, Red Balloon Security, and Narf Industries.

“The diverse perspectives and invaluable insights shared have fortified our approach, ensuring a robust and effective solution to address the evolving challenges in embedded device security.”

EMB3D model strengthened by peer reviews from infrastructure industries

After the model garnered significant interest for peer review across diverse industries, numerous organizations piloted the threat model, offering invaluable feedback. The EMB3D team appreciates the interest and feedback from vendors and integrators across many industries, including energy, water, manufacturing, aerospace, health, and automotive, as well as researchers and threat tool vendors. This ongoing collaborative effort has been instrumental in refining and enhancing the model’s content and usability. The team looks forward to continued collaboration to strengthen the ability of the model to enable « secure by design. »

« Our framework’s strength lies in the collaborative efforts and rigorous review process across industries, » said Yosry Barsoum, vice president and director, Center for Securing the Homeland at MITRE. « The diverse perspectives and invaluable insights shared have fortified our approach, ensuring a robust and effective solution to address the evolving challenges in embedded device security. »

Leveraging established models to strengthen embedded device security

EMB3D aligns with and expands on several existing models, including Common Weakness Enumeration, MITRE ATT&CK®, and Common Vulnerabilities and Exposures, but with a specific embedded-device focus. The threats defined within EMB3D are based on observation of use by threat actors, proof-of-concept and theoretical/conceptual security research publications, and device vulnerability and weakness reports. These threats are mapped to device properties to help users develop and tailor accurate threat models for specific embedded devices.

For each threat, EMB3D suggests technical mechanisms that vendors should build into the device to mitigate the given threat. EMB3D is a comprehensive framework for the entire security ecosystem—device vendors, asset owners, security researchers, and testing organizations.

Associated mitigations

Each threat includes mitigation guidance, these often have varying efficacies and challenges with their implementations.

Mitigation tiers are intended to help device vendors/OEMs better understand how to assess the challenge of deploying mitigations and better strategize and prioritize efforts to add additional mitigations or technologies to address threats.

ISA/IEC 62443-4-2 Mappings

ISA is the International Society of Automation. ISA/IEC 62443 is the applicable standard for cybersecurity of OT and ICS (IACS).

Each associated mitigation is mapped with the ISA/IEC 62443-4-2.

An evolving framework for a dynamic threat landscape

EMB3D is intended to be a living framework, where new threats and mitigations are added and updated as new threat actors emerge and security researchers discover new categories of vulnerabilities, threats, and security defenses. EMB3D is a public, community resource where all information is openly available and the security community can submit additions and revisions.

For more information, visit https://emb3d.mitre.org.

About MITRE

MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation. Learn more at mitre.org.

View source version on businesswire.com: https://www.businesswire.com/news/home/20240513302654/en/

Contacts

Sarah Lytle, media@mitre.org

Hacktivism Goes Orbital: Investigating NB65’s Breach of ROSCOSMOS

0

In March of 2022, Network battalion 65 (NB65), a hacktivist affiliate of Anonymous, publicly asserted its successful breach of ROSCOSMOS’s satellite imaging capabilities in response to Russia’s invasion of Ukraine.

NB65 disseminated a series of primary sources as substantiation, proclaiming the incapacitation of ROSCOSMOS’s space-based vehicle monitoring system and doxing of related proprietary documentation.

Despite the profound implications of hacktivist incursions into the space sector, the event has garnered limited attention due to the obscurity of technical attack vectors and ROCOSMOS’s denial of NB65’s allegations.

Through analysis of NB65’s released primary sources of evidence, this paper uncovers the probable vulnerabilities and exploits that enabled the alleged breach into ROSCOSMOS’s ground and space segment. Additionally, this paper highlights lessons learned and the consequences this event has for the global aerospace community.

The authors of this paper are : Rajiv Thummala and Gregory Falco

You can download the document here : https://arxiv.org/abs/2402.10324

Derniers articles

My work about the Viasat attack analysis featured in the Angelina Tsuboi’s course on Satellite Cybersecurity...

0
I’m very proud and honored to be featured in the Angelina Tsuboi's course on Satellite Cybersecurity Foundations hosted on Udemy. Thank you very much...

The dark side of the DNS or the war of the port 53

0
I am very happy and proud that my article on DNS security has been accepted and published in the last issue of Hakin9 Magazine...

My cybersecurity review for 2024

0
What an incredible end to 2024. I’ve had some wonderful experiences. I’ve successfully met many challenges in cybersecurity. I've had some incredible opportunities and I've...

My experience and tips after successfully passed the CISM (Certified Information Security Manager) from...

0
🌟 I'm thrilled to share that I've earned the CISM (Certified Information Security Manager) from ISACA. You can view my achievement on Credly. 🌍 This...

How to model an attack on an Industrial Control Systems (ICS)

1
Attacks on OT (Operational Technology) systems are made easier due to the OT/IT convergence. The figure below is showing an example of OT/IT convergence. Attacks on OT...

Articles les plus lus

Cartographie des acteurs étatiques du cyber en France

0
Avec l'aimable autorisation de Martial Le Guédard, nous reproduisons ci-dessous sa cartographie au sujet des différents acteurs étatiques évoluant dans le domaine du Cyber...

Qu’est-ce que le grand Commandement De l’Espace (CDE) créé par la France pour la...

1
Le Commandement De l’Espace (CDE) a été créé par arrêté le 3 septembre 2019. Il succède au Commandement interarmées de l’espace (CIE). Il rassemble...

Cartographie des services spécialisés de la communauté du renseignement (1er et 2ème cercle)

0
L'illustration ci-dessous est une carte heuristique qui présente les services spécialisés de la communauté du renseignement du 1er cercle. Cette cartographie est mise à...

Cartographie des acteurs français et européens de la cybersécurité satellitaire et spatiale

1
La France est leader de la politique spatiale en Europe. Elle met en oeuvre des projets innovants et performants avec en permanence de nouveaux...

Etude sur la cybersécurité des systèmes spatiaux : menaces, vulnérabilités et risques

4
A la différence des attaques électroniques qui interférent avec la transmission des signaux de Radio Fréquence, les cyberattaques visent quant à elles, les données...

Popular posts

Cartographie des acteurs étatiques du cyber en France

0
Avec l'aimable autorisation de Martial Le Guédard, nous reproduisons ci-dessous sa cartographie au sujet des différents acteurs étatiques évoluant dans le domaine du Cyber...

Qu’est-ce que le grand Commandement De l’Espace (CDE) créé par la France pour la...

1
Le Commandement De l’Espace (CDE) a été créé par arrêté le 3 septembre 2019. Il succède au Commandement interarmées de l’espace (CIE). Il rassemble...

Cartographie des services spécialisés de la communauté du renseignement (1er et 2ème cercle)

0
L'illustration ci-dessous est une carte heuristique qui présente les services spécialisés de la communauté du renseignement du 1er cercle. Cette cartographie est mise à...

Cartographie des acteurs français et européens de la cybersécurité satellitaire et spatiale

1
La France est leader de la politique spatiale en Europe. Elle met en oeuvre des projets innovants et performants avec en permanence de nouveaux...

Etude sur la cybersécurité des systèmes spatiaux : menaces, vulnérabilités et risques

4
A la différence des attaques électroniques qui interférent avec la transmission des signaux de Radio Fréquence, les cyberattaques visent quant à elles, les données...